Interac Verified Services Privacy Policy
Last Updated: October 1, 2024
Introduction
At 2859824 Ontario Limited (“Interac”, “we” or “us”), a subsidiary of Interac Corp., we respect your personal information, and we take steps to ensure the proper use, protection and security of personal information placed in our care.
This Privacy Policy explains our personal information collection, use and disclosure policies and practices in connection with the Interac Verified™ app (the “Verified App”) and related features, functionalities or services, and the Interac® document verification service, Interac Verified™ credential (“Verified Credential”), and Interac® sign-in service (collectively, “Services”), in order to help you understand how we handle personal information you provide to us when you use our Services. For information on other Interac products and services, please see: Interac.ca Privacy Policy. This Privacy Policy does not apply to, and we are not responsible for, any third-party websites, products, or services. We urge you to carefully review the privacy practices of any third-party who you authorize to collect, receive, use, communicate, disclose or otherwise process your personal information.
This Privacy Policy does not apply to the Interac® verification service, except as otherwise noted. For details on how your personal information is managed in connection with the Interac verification service, please refer to the Interac verification service Privacy Notice.
Contents
To learn more about how your personal information is handled by Interac in connection with the Services, please click through the following sections:
- What is personal information
- What types of personal information we collect and why
a. Information Collected from Your Financial Institution
b. Information Collected from You Directly
c. Information Collected from Your Devices - How we use your personal information
- Why we share your personal information
d. Service providers
e. Relying Parties in connection with Interac Verified Credential
f. Fraud Investigations
g. Business transfers - Biometric processing for Interac document verification service
h. Collection and Use of Biometric Data
i. Third-Party Vendors
j. Retention and Security - How long we keep your personal information
- How we protect your personal information
- Your rights and choices over your personal information
- When we transfer your personal information
- Additional notices for Quebec users
- Updates to this Privacy Policy
- How to contact us
1. What is personal information
Personal information means any information, in any form, that is about an individual, who is identifiable using that information alone or in combination with other available information.
2. What types of personal information we collect and why
We collect information about you from a variety of sources in connection with the Services, including information provided to us by Your Financial Institution (as defined below) and information collected directly from you and your devices.
For clarity, Interac collects information about you on multiple occasions, over time, each time that you use the Services, as necessary to fulfill the purposes set out in this Privacy Policy, or as otherwise required or permitted by applicable law.
You should be aware that Interac relies on the accuracy of information provided to us by you and, if applicable, Your Financial Institution. You should take steps to ensure that such information is correct, including updating and verifying the information about you that is held by Your Financial Institution.
a. Information Collected from Your Financial Institution
When you create a Verified Credential or use the Interac sign-in service to access eligible websites operated by or on behalf of the Government of Canada, you will be asked to select and authenticate yourself with one or more banks with which you have a relationship (collectively, “Your Financial Institution”).
- Interac sign-in service: For the Interac sign-in service, we do not receive any personal information from Your Financial Institution. Our role is to facilitate the secure transmission of authentication data between Your Financial Institution and the Government of Canada using anonymous identifiers. The information exchanged during this process may include an anonymous session identifier, your language preference, and your IP address, and is used to provide and maintain the security and integrity of the Interac sign-in service.
- Interac Verified Credential: For the Verified Credential, we receive certain information from Your Financial Institution, such as family name, given name, and date of birth. This information is used to verify the information you provide directly to us. For details on how your personal information is managed in connection with the Interac verification service, please refer to the Interac verification service Privacy Notice.
b. Information Collected from You Directly
You may provide us with certain information directly from time-to-time, when you register to use our Services, update or otherwise make changes to your profile or account associated with the Services. For example, when you register for our Services, you will be required to provide information such as your name, email address, and contact information. This information is used to create and manage your account, authenticate your identity, and provide you with access to our Services.
When you create a Verified Credential, you will be asked to provide certain information, such as a photo of your government-issued ID and a video selfie, for document and identity verification purposes. To verify your identity, we use facial recognition technology to extract and compare your facial biometric data from these images, as detailed in the “Biometric Processing for Interac document verification service” section below.
Once your document and identity have been verified, information on the image captured of your government-issued ID, such as your contact information, demographic data, date of birth, sex/gender, height, signature, ID number, date of issuance, date of expiry, and other information contained on or associated with your ID, will be used to confirm the validity of your identification to prevent fraud. Your family name, given name, date of birth and photo, along with the image of your government issued ID, will form part of your Verified Credential.
c. Information Collected from Your Devices
When you use our Services, certain information is collected automatically from the device you use, including through cookies, to measure and improve the performance of the Services, personalize your experience, enhance security, and enable certain features and functions of our Services. Such information includes:
- device ID and type; operating system type and version, and other operating system information; browser type and version and other information about your browser;
- internet protocol (IP) address; and the region or general location where your computer or device is accessing the internet based on your IP address (country, province, city, postal code); and
- information about how users interact with our Services, such as the date and time when you use the Services, number and type of actions conducted via the Services, time spent using the Services, and access status (e.g. your ability to access the Services or receipt of an error message).
The data described above may also be used to generate aggregate statistical data, for the purposes described below under “How we use your personal information”.
In addition to the above, if you create a profile associated with the Services and choose to enable biometric authentication, Interac or its service providers will receive confirmation of identity from the device that you use to access the Services. For clarity, neither Interac nor its service providers will receive or have access to biometric information, but rather, such information will remain only on your device and only confirmation of identity verification (or notice of failure to authenticate identity) will be transmitted to Interac.
3. How we use your personal information
We will only use your personal information to provide the Services and perform related activities, and for other purposes as required or permitted by applicable law, including to:
- operate and facilitate your use of the Services, including to verify your identity, authenticate you, create and maintain your profile or account associated with the Services (where applicable), and respond to requests received;
- prevent and detect fraud, unauthorized transactions, and otherwise protect you and other users of our products, services and websites from fraud and other wrongful or illegal activities, claims and other liabilities;
- carry out our obligations that may arise from any agreements we have entered into with you, Your Financial Institution, Relying Parties or other third parties;
- contact and correspond with you including (without limitation) emailing you to confirm your email address and sending communications regarding your profile or account associated with the Services (e.g., security alerts), where applicable;
- investigate complaints, disputes or other customer service issues related to the Services;
- manage risk exposure with respect to the integrity and security of the Services and our other products, including (without limitation) to help diagnose problems with our server, administer the Verified App, analyze trends, prevent and detect attacks on our Verified App or other digital properties or attempts at fraud;
- comply with legal and regulatory requirements;
- manage our business needs, such as monitoring, analyzing, testing and improving our products and services, the performance and functionality of our Services, and the performance and functionality of our infrastructure; and
- generate aggregate statistical data so that it cannot be used to identify you as an individual. The anonymized and aggregated data will then be used to evaluate, improve and market our Services, including to monitor and improve the utility, security, content, and user experience, and to develop additional products, services and content. Without limiting the above, anonymized and aggregated data may be used for the purposes of assembling statistical reporting for our participating financial institutions and governmental authorities, conducting market research respecting our products and services, and compiling statistical analysis of the behaviour of users or groups of users. For clarity, this aggregated data will not be used for specific targeted advertisements to you.
Without limiting the above, we compile, analyze and combine different categories of data that we collect from all of the sources described in this Privacy Policy for the purposes of risk assessments, as well as to detect and prevent fraud. We may also use information collected in connection with the Services to detect and prevent fraud across other Interac products and services (e.g., Interac e-Transfer), as well as to develop fraud detection models and countermeasure rules.
In particular, when you use our Services, we may use technology that includes functions that allow you to be located, identified, and profiled for fraud purposes. This technology is activated when you consent to the collection, use and disclosure of your personal information in accordance with the Interac Verified Services Privacy Agreement, and will then be active whenever you use the Services unless and until you withdraw your consent. In addition, we may use personal information collected as part of the Services to make fraud and transaction approval decisions based exclusively on automated processing of your information.
Interac will obtain your prior consent to collect, use or disclose your personal information in accordance with its legal obligations, except where your consent is not required by applicable law.
If you choose to create a Verified Credential, you may share your Verified Credential with Relying Parties to facilitate transactions with you, verify your identity, determine your eligibility for products or services, or for other purposes disclosed to you by Relying Parties when they request your Verified Credential. We may also share your information with third parties for the purpose of assisting in the investigation and resolution of complaints, disputes or customer service requests that you have submitted to such third parties, which relate to the Services.
Information disclosed to third parties will be outside Interac’s control and will be handled in accordance with the third party’s own privacy policies and procedures, which may differ from Interac’s. If you have questions about how a Relying Party will handle your personal information, you should contact them directly.
a. Service Providers
We need the help of our service providers to be able to offer the Services. We share your personal information with our service providers who perform services for the purposes described in this Privacy Policy. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their functions and require these service providers by contract to only process personal information in accordance with our instructions and in compliance with applicable laws. We also require them to safeguard the security and confidentiality of the personal information they process on our behalf.
In particular, we use service providers to facilitate identity verification and biometric authentication, as well as for data analytics and fraud analysis. We also use third party data centers and customer service support, as well as third party software for event logging, IP traffic interception and network security.
b. Relying Parties in connection with Interac Verified Credential
If you choose to create a Verified Credential, you may share your Verified Credential (e.g., your name, date of birth, and other identity attributes) with third parties, such as financial institutions, telecommunications service providers, online merchants, government departments and agencies, and other participating entities (“Relying Parties”), that you authorize via the Verified App. These Relying Parties use this information to facilitate transactions with you, verify your identity, determine your eligibility for products or services, or for other purposes disclosed to you by Relying Parties when they request your Verified Credential. However, once you share your Verified Credential with a Relying Party, the information is outside Interac’s control. We are not responsible for the actions or omissions of Relying Parties, including for any use or disclosure of your personal information (or failure to protect your personal information) by a Relying Party. If you have questions about how a Relying Party will handle your personal information, you should contact them directly.
c. Fraud Investigations
To the extent permitted by applicable law, we disclose information that we, in good faith, believe is appropriate in investigations of fraud or other wrongful or illegal activity or to conduct investigations of violations of the terms and conditions for using our products and services. At our sole discretion, subject to any legal restrictions, we may report suspicious activity relating to fraud or other wrongful or illegal activities to the appropriate legal authorities, to our participating financial institutions and other third parties. For example, we may report suspicious activities where we believe those activities could result in physical harm or financial loss to any person. We may also report activities that we view as a pattern of fraudulent, wrongful or illegal behaviour.
d. Business Transfers
We may be involved in the sale, transfer or reorganization of some or all of our business at some time in the future. As part of that sale, transfer or reorganization, we may disclose your personal information to the acquiring organization but will take any measures required by applicable law in connection with such disclosures.
e. Required or Permitted by Law; Dispute Resolution
We may disclose your personal information to a government institution that has asserted its lawful authority to obtain the information, or where we are permitted to do so pursuant to applicable law and have reasonable grounds to believe the information could be useful in the investigation of unlawful activity, or to legal authorities, government officials or third parties where necessary to comply with a subpoena or warrant or an order made by a court, person or any other body with jurisdiction to compel the provision of information. We may also disclose your personal information in order to comply with court rules and regulations regarding the provision of records and information or as otherwise permitted or required by law.
We may also disclose your personal information to other third parties for the purpose of assisting with the investigation or resolution of complaints, disputes or other customer service issues related to the Services.
5. Biometric Processing for Interac document verification service
The Interac document verification service provides secure identity and document verification for the creation of your Verified Credential. This service uses facial recognition technology to verify your identity. We will obtain your express consent before collecting or processing your biometric data, in compliance with applicable laws.
Please note that in some cases, Relying Parties may offer alternative methods for identity verification that do not involve biometric data. For information about these alternatives, please contact the Relying Party directly.
a. Collection and Use of Biometric Data
To verify your identity when using the Interac Document Verification Service to create a Verified Credential, we will request that you take a clear photo of your government-issued ID and record a brief video selfie. Facial recognition technology will then be used to extract and compare your facial biometric data (i.e., a unique vector or digital representation of your facial features) from these images to confirm that the identity on your ID matches your selfie.
b. Third-Party Vendors
We work with trusted third-party vendors to facilitate the identity and document verification process. These vendors are contractually bound to comply with our instructions and applicable laws and to implement appropriate safeguards to protect your personal information.
c. Retention and Security
Third-party vendors will securely delete your biometric data within 7 days of completion of the verification process. During this time, third-party vendors may retain the data, including other information collected during the process, for the purpose of resolving any technical or other issues that may arise during the identity verification process and improving the accuracy and reliability of the service.
To prevent fraud, we may retain your photo and video selfie for up to 60 days after the verification process is complete. Your information may be stored or processed in jurisdictions outside your province, territory, or country of residence.
We take steps to securely store and process your personal information and limit access to authorized personnel. For more details on our security practices, see the “How we protect your personal information” section.
6. How long we keep your personal information
Your personal information is retained for as long as reasonably necessary to fulfill the relevant purposes set out in this Privacy Policy and in order to comply with Interac’s legal or regulatory obligations. When determining the retention period, we consider factors including the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact if we delete some information about you, mandatory retention periods, and statutory limitation periods. As always, once archived, your personal information is kept secure.
In particular, without limiting the above, your transactional logs related to the Verified Credential (e.g., date and time of the transaction, name of the Relying Party, type of credential verified) will be retained for 7 years to comply with legal and regulatory requirements, support audits and investigations, and prevent and detect fraud. The Verified Credential (e.g., name, date of birth, or other identity attributes) is securely stored on your device and will automatically expire after 12 months, unless you delete it earlier or the credential’s specified expiration date occurs sooner.
7. How we protect your personal information
We take precautions to protect your personal information against unauthorized access, disclosure, inappropriate alteration, and misuse. We maintain appropriate physical, technological, organizational and administrative safeguards to help protect your personal information. We update and test our security technology, standards and processes on an ongoing basis.
Transmission methods used to transfer information over the Internet, or methods of electronic storage, are not 100% secure. Although we implement measures to protect your personal information, we cannot fully ensure or warrant the security of any information you transmit or provide to us, and you do so at your own risk. We cannot guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of our safeguards. In particular, we cannot eliminate the risk of unauthorized transactions, especially if: (a) you use the Services on a public, work or shared device, (b) you share the login credentials for your profile associated with the Services (“Login Credentials”) with another person; or (c) an unauthorized person obtains access to your personal device or your Login Credentials.
You play a valuable part in security. After you have finished using the Services, you should log out and exit your browser to prevent unauthorized users from returning to your online session. If you are accessing the Services via a mobile device, you should ensure that your device’s privacy settings are set in accordance with your privacy preferences. If you believe your personal information has been compromised or that someone has improperly used or provided information to Interac about you that you did not authorize, please contact us as set out in this Privacy Policy.
8. Your rights and choices over your personal information
Under certain circumstances and in accordance with applicable privacy laws, you are entitled to certain rights over your own personal information, as listed below. Please refer to the “How to contact us” section below, to exercise these rights.
- Right of access – You have the right to be informed of the existence, use and disclosure of your personal information by us, including a listing of the third-party organizations with whom the information has been shared. You can also access your information and may be entitled to receive a copy of your information.
- Right to challenge accuracy – You have the right to challenge the accuracy, completeness and currency of your personal information in our possession.
- Right to rectification of errors – When you demonstrate the inaccuracy or incompleteness of your personal information held by us, we must correct the inaccuracies and/or add a notation to the information, as appropriate.
- Right to limit use of personal information – As a condition of providing you access to the Services, we cannot require that you allow us to process your personal information beyond that which is required to fulfil the explicitly specified and legitimate purposes.
- Right to withdraw consent – If we rely on your consent to collect, use, or disclose your personal information, you are able to withdraw consent at any time, subject to certain requirements and limitations under applicable law. Please note that withdrawing your consent may affect our ability to provide you with the Services you have requested. In some circumstances, we may still be required to retain certain information in backups or as necessary to comply with legal or regulatory obligations, even after you withdraw your consent.
- Right to make a complaint – You have the right to be able to address data protection issues with our Privacy Office and you also have the right to make a complaint to the relevant data protection authority.
There are some exceptions to these rights. For example, without limitation, some information may not be accessed or deleted if it contains personal information of other persons or if we are required by law to keep it. In addition, you may have other rights pursuant to applicable laws in the province or territory where you are located, including in connection with automated processing of your personal information, automated decision-making, and the right to request access to or transfer of your information in a structured, commonly used technological format, unless doing so raises serious practical difficulties.
If you wish to exercise your rights described above or require further information regarding your rights or circumstances that may limit the rights you can exercise, please contact us as set out in this Privacy Policy.
9. When we transfer your personal information
Some of the information you provide to us may be shared with our service providers that are located outside of Canada. Such service providers are subject to contractual requirements and restrictions governing their processing of personal information, including obligations to safeguard the security and confidentiality of such personal information. You should be aware that information that is transferred or stored outside Canada may be accessible to courts, law enforcement and national authorities in other countries, in accordance with local laws and regulations.
10. Additional notices for Quebec users
Your information may be communicated outside Quebec, including to other provinces or countries. Some of our service providers that collect information about you in connection with their services are also located in the United States.
Your information will be accessible to Interac employees who have a need to access such information to perform their duties. In addition, certain insights derived from your information will be available to other Interac personnel.
You may find more information regarding the roles and responsibilities of Interac personnel with respect to personal information at Roles and Responsibilities of Interac Personnel Throughout the Lifecycle of Personal Information.
11. Updates to this Privacy Policy
Interac may review this Privacy Policy periodically to reflect changes in privacy regulations and in our practices. We will post a prominent notice of any relevant and material changes to this Privacy Policy when they occur and indicate when the Privacy Policy was most recently updated. We will obtain consent to any material changes to how we collect, use, share or otherwise process your personal information when required by applicable law.
12. How to contact us
At Interac, the person in charge of the protection of personal information is Rebecca Ma, Chief Privacy and Compliance Officer.
In the event that you:
- Have any questions about this Privacy Policy, our privacy policies or practices, or about the collection or handling of your personal information in connection with the Services (including if you have questions about the collection, use, disclosure or storage of your personal information by our service providers outside Canada, or want to obtain written information about such service providers);
- Want to withdraw consent to continued collection, use, disclosure or other processing of your personal information;
- Want to access, update, or correct your personal information, or exercise any other rights you may have under applicable laws; or
- Want to make a complaint respecting Interac’s handling of your personal information or otherwise challenge Interac’s compliance with applicable data protection legislation,
please feel free to contact our Privacy Office by email at privacy@interac.ca, or write to us at:
Privacy Office Interac Corp.
Royal Bank Plaza, North Tower, P.O. Box 45 200 Bay Street, Suite 2400
Toronto, Ontario M5J 2J1 Canada
You may also find more information regarding the process for making inquiries or complaints with respect to your personal information at Process for Handling Inquiries and Complaints.