SCOPE
This Privacy Policy applies to Personal Data (defined below) processed by Civic Technologies, Inc. (“Civic,” “we,” “us,” and “our”) in the course of providing our Uniqueness Verification service (the “Service”), which allows individuals to validate their uniqueness and receive a Civic Pass. This Privacy Policy explains what Personal Data we collect, how we use and share that data, and your choices concerning our data practices solely with respect to the Service.
Before using the Service or submitting any Personal Data to us, please review this Privacy Policy carefully. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, you may not access or use the Service.
IMPORTANT: Part of our Services involve determining your eligibility to receive a Civic Pass. We determine this eligibility by automatically comparing your biometric data (your FaceMap, discussed below) against all previously enrolled FaceMaps to detect duplicate enrollments. By using the Services, you explicitly consent to this automated decision-making, including our use of biometric information in making this decision.
PERSONAL DATA WE COLLECT
When you use this Service, we collect information that alone or in combination with other information in our possession personally identifies you (“Personal Data”). The Personal Data collected during these interactions will generally include:
Information You Provide to Us.
Biometric Information. To use the Service, you must provide a recording of your face (“3D FaceScan”). We use the 3D FaceScan to create a topology of your face (“FaceMap”), which we retain to provide the Service. The FaceMap is not an image of your face and cannot be used without Civic-controlled tools (cannot be used outside of Civic’s servers). An image of your face cannot be regenerated from a FaceMap. No other Biometric Data will be retained by Civic.
IMPORTANT: By accepting our Terms of Service and Privacy Policy, you consent to the extraction and processing of the biometric data contained therein as set forth in this Privacy Policy and our Biometric Privacy Notice.
Civic uses tools provided by FaceTec, a third-party service provider, to capture and process your Biometric Data. Your biometric data is not accessible to or shared with FaceTec or its subcontractors. Civic will not provide FaceTec with any personally identifiable data and FaceTec will not collect nor solicit any personally identifiable data from Civic.
Wallet Information. As you use the Service, we collect information about your cryptocurrency wallet(s) to link your Civic Pass to or perform proof of wallet ownership checks.
Communications with Us. We may collect Personal Data from you such as email address, phone number, or mailing address when you request information about this Service, sign up for our newsletter, request customer or technical support, or otherwise communicate with us.
Customer Service and Support. If you interact with Civic’s customer service and support, we may collect the information you provide to our representatives.
Information We Collect Through Your Use of the Services.
We may collect certain information automatically when you use the Service. This information may include your Internet protocol (IP) address, Technologies including cookies, and other information about how you use the Service. Information we collect may be associated with your account and the devices you use.
Analytics. We may use Google Analytics and other service providers to collect information regarding behavior and demographics on our Services. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You may be able opt out of Google’s collection and processing of data generated by your use of the Site by going to http://tools.google.com/dlpage/gaoptout.
Cookies. Cookies are small text files placed in visitors’ device browsers to store their preferences. Most browsers allow you to block and delete cookies. However, if you do that, the Services may not work properly.
HOW WE USE YOUR INFORMATION.
We may process Personal Data for a variety of business purposes. Under certain data privacy laws, our use of your data may be allowed under certain legal bases. The legal bases for processing Personal Data are
Consent – your freely given, specific, informed and unambiguous indication of your wishes by which you agree to the processing of Personal Data.
Contract – We need to process your Personal Data for performance of a contract or processes the information at your request prior to entering into a contract.
Legal Obligation – Processing is necessary to comply with a legal obligation.
Vital Interests – your (or someone else’s) health, safety or other vital interests require processing Personal Data.
Public Interest – We need to process Personal Data to carry out a task that’s in the public interest.
Legitimate Interest – Processing Personal Data is in our legitimate interests.
We may process your Personal data for the purposes below. For each purpose, the legal basis for our processing is listed in parentheses:
To provide the Service or Information Requested.
Fulfill our contract with you (Consent, Contract);
Verify your “uniqueness” (Consent, Contract, Legitimate Interest);
Manage your information (Consent, Contract, Legitimate Interest);
Respond to questions, comments, and other requests (Consent; Contract);
Provide access to certain areas, functionalities, and features of our Service (Consent, Contract); and
Answer requests for customer or technical support (Consent, Contract, Legitimate Interest).
Administrative Purposes.
Research and development (including marketing research), network and information security, and prevention of fraud or misuse of our Service (Consent, Contract, Legal Obligation, Legitimate Interest);
Measure interest and engagement in the Services (Legitimate Interest);
Develop new products and services (Legitimate Interest);
Improve our products and services (Consent, Legitimate Interest);
Ensure internal quality control and safety (Consent, Legitimate Interest);
Verify company information and individual identity (Consent, Legal Obligation, Legitimate Interest);
Carry out audits (Consent, Legal Obligation, Legitimate Interest);
Communicate with you about activities on the Services and changes to our agreements (Consent, Legitimate Interest);
Prevent and prosecute potentially prohibited or illegal activities (Legal Obligation; Legitimate Interest);
Respond to regulatory requests (Legal Obligation Legitimate Interest);
Enforce our agreements (Legal Obligation, Legitimate Interest); and
Comply with our legal obligations (Legal Obligation; Legitimate Interest).
De-identified and Aggregated Information Use.
We may use Personal Data and other information about you to create de-identified and/or aggregated information, such as de-identified location information, de-identified or aggregated trends, reports, or statistics, or other analyses we create. De-identified and/or aggregated information is not Personal Data, and we may use and disclose such information in a number of ways, including research, internal analysis, analytics, and any other legally permissible purposes.
Technologies. Our uses of Technologies fall into the following general categories:
Operationally Necessary. This includes Technologies that allow you access to our Service that are required to identify irregular behavior, prevent fraudulent activity, and improve security or that allow you to make use of the Services functions.
Performance Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how our visitors use the Services.
Functionality Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services and keeping track of your specified preferences or past pages viewed.
Consent. Civic may use Personal Data for other purposes that are disclosed to you at the time you provide Personal Data or with your consent.
HOW WE DISCLOSE YOUR INFORMATION.
We may disclose any of the Personal Data we collect about you as set forth below:
Notice Regarding Use of Blockchain. The holdings and transactions associated with a wallet address are publicly available on the blockchain. Therefore, information about your holdings and transactions will be accessible to third parties due to the nature of the blockchain.
Service Providers. We may share Personal Data we collect about you with our third-party service providers. The types of service providers to whom we entrust Personal Data include service providers for: (i) the provision of the Services; (ii) the provision of information, products, and other services you have requested; (iii) uniqueness verification services; (iv) marketing and advertising; (v) customer service activities; and (vi) the provision of IT and related services. We take commercially reasonable steps to ensure our service providers adhere to the security standards we apply to your Personal Data.
Affiliates. We may share Personal Data with our affiliated entities that control us, are controlled by us, or are under common control with us.
Disclosures to Protect Us or Others. We may access, preserve, and disclose your Personal Data if we believe doing so is required or appropriate to: (i) comply with a legal obligation, including law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our, or others’ rights, property, or safety; (iii) to collect amounts owed to us; (iv) when we believe disclosure is necessary or appropriate to prevent financial loss or legal liability, or in connection with an investigation or prosecution of suspected or actual illegal activity; or (v) if we, in good faith, believe that disclosure is otherwise necessary or advisable.
Merger, Sale, or Other Asset Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your information may be shared, sold or transferred as part of such a transaction as permitted by law and/or contract.
INTERNATIONAL DATA TRANSFERS.
All information processed by us may be transferred, processed, and stored anywhere in the world, including but not limited to, the United States and other countries. If you are accessing our Services from the European Economic Area (“EEA”) or other regions with laws governing data collection and use, please note that your Personal Data will be transferred to and stored in the United States as necessary for the purposes described in this Privacy Policy. The United States may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. Where we transfer your Personal Data out of the country in which you reside we will take steps designed to ensure that your Personal Data receives an adequate level of security protection where it is processed and your rights continue to be protected.
YOUR CHOICES.
General. In certain circumstances providing Personal Data is optional. However, if you choose not to provide Personal Data that is needed to use some features of our Service, you may be unable to use those features. You can also contact us at privacy@civic.com or using the contact information listed below to ask us to update or correct your Personal Data. You may have the right to object to or opt out of certain uses of your Personal Data. Where you have consented to the processing of your Personal Data, you may withdraw that consent at any time by contacting us at privacy@civic.com or using the contact information listed below.
Mobile Devices. We may send you push notifications through our App. You may at any time opt out from receiving these types of communications by changing the settings on your mobile device. With your permission, we may also collect precise location information if you use our App. You may opt-out of this collection by changing the settings on your mobile device.
Technologies and Personalized Advertising. If you would like to opt-out of the Technologies we employ on the Services, you may do so by blocking, disabling, or deleting them as your browser or device permits. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android and iOS.
The online advertising industry also provides websites from which you may opt-out of receiving targeted ads from advertisers that participate in self-regulatory programs. You can access these, and also learn more about targeted advertising and consumer choice and privacy, at www.networkadvertising.org/managing/opt_out.asp, http://www.youronlinechoices.eu/ and www.aboutads.info/choices/.
Please note you must separately opt out in each browser and on each device.
“Do Not Track”. Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
DATA RETENTION.
We retain the Personal Data we receive for as long as you use our Service, or as necessary to fulfill the purpose(s) for which it was collected, or to comply with applicable laws. Typically, we will securely retain information collected until such time that you request that your data be deleted. Where required by law, we will delete your information within the required period.
SECURITY OF YOUR INFORMATION.
We take steps that we deem as commercially reasonable in an effort to ensure that your information, including Personal Data, is treated securely and in accordance with this Privacy Policy. Unfortunately, the Internet cannot be guaranteed to be 100% secure or error free, and we cannot ensure or warrant the security or integrity of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Services or third-party websites.
By using the Services or providing Personal Data to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by sending a notice through the Services or by sending an email to you.
THIRD-PARTY WEBSITES/APPLICATIONS.
The Service may contain links to other websites/applications and other websites/applications may reference or link to our Service. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen or approve, and are not responsible for the privacy practices or content of such other websites or applications. Visiting these other websites or applications is at your own risk.
CHILDREN’S INFORMATION.
The Service is not directed to children under 13 who reside in the United States or individuals under 16 in other jurisdictions (or other age as required by local law), and we do not knowingly collect Personal Data from children. If you have reason to believe that a child under the age of 13 has provided us with Personal Data through the Service, you may contact us at privacy@civic.com. If we learn that we have collected any child’s Personal Data in violation of applicable law, we will promptly take steps to delete such information.
INTERNATIONAL PRIVACY RIGHTS.
Under certain data privacy laws, including the General Data Protection Regulation for users in the EEA, you may have the right to exercise certain privacy rights available to you under applicable data protection laws. We will process your request in accordance with applicable data protection laws. We may need to retain certain information for record-keeping purposes or to complete transactions that you began prior to requesting any deletion.
Right not to provide consent or to withdraw consent. We may seek to rely on your consent in order to process certain Personal Data. Where we do so, you have the right not to provide your consent or to withdraw your consent at any time. This does not affect the lawfulness of the processing based on consent before its withdrawal.
Right of access and/or portability. You may have the right to access the Personal Data that we hold about you and, in some limited circumstances, have that data provided to you so that you can provide or “port” that data to another provider.
Right of erasure. In certain circumstances, you may have the right to the erasure of Personal Data that we hold about you (for example if it is no longer necessary for the purposes for which it was originally collected).
Right to object to processing. You may have the right to request that Civic stop processing your Personal Data and/or to stop sending you marketing communications.
Right to rectification. You may have the right to require us to correct any inaccurate or incomplete personal information.
Right to restrict processing. You may have the right to request that we restrict processing of your Personal Data in certain circumstances (for example, where you believe that the Personal Data we hold about you is not accurate or lawfully held).
Right to a manual review of automated decisions. If we have determined you are not eligible to receive a Civic Pass or if your Civic Pass was frozen or revoked based on our automatic decision-making procedures, you may have the right to request a manual review.
Right to lodge a complaint to your local Data Protection Authority. If you are an EEA resident, you have the right to complain to a data protection authority about our collection and use of your Personal Data.
RESIDENTS OF CALIFORNIA
This section is applicable to residents of California. If you are a resident of California, you have certain rights described below. The following do not apply to individuals who do not live in California on a permanent basis.
Rights Provided By California Civil Code Section 1798.83
A California resident who has provided personal data to a business with whom he/she has established a business relationship for personal, family, or household purposes (a “California Customer”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. In general, if the business has made such a disclosure of personal data, upon receipt of a request by a California Customer, the business is required to provide a list of all third parties to whom personal data was disclosed in the preceding calendar year, as well as a list of the categories of personal data that were disclosed. We do not disclose personal information to any third party for their direct marketing purposes.
Rights Under the California Consumer Privacy Act
This section of our Privacy Policy provides California residents with a comprehensive description of our online and offline practices regarding the collection, use, disclosure, and sale of personal information and the rights of California consumers regarding their personal information under the California Consumer Privacy Act (“CCPA”). This section applies to all California residents (but not including legal entities, such as companies). The section will not apply, however, if we do not collect any personal information about you or if all of the information we collect is exempt from the statute (for example, the CCPA does not protect information that is already protected by certain other privacy laws, and it does not protect information that is already publicly available). “Personal information,” for purposes of this section regarding the rights of California residents, does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
In the past 12 months we may have collected the following categories of information:
Identifiers such as your name, identifier Internet Protocol address, email address, account name, driver’s license number, passport number, or other similar identifiers.
Characteristics of protected classifications under California or federal law, such as your age and national origin.
Biometric information.
Internet or other electronic network activity information.
Geolocation data.
Audio, electronic, visual, thermal, olfactory, or similar information.
All such information was collected from sources as described in the section “Personal Data We Collect” and for the purposes described in the section “How We Use Information We Collect”. We only disclose such information to third parties as described in the section “How We Disclose Your Information”. We do not sell personal information.
Under the CCPA, California residents have the following rights:
Right to know about personal information collected, disclosed, or sold. California residents have the right to request that we disclose what personal information it collects, uses, discloses, and sells. This is called the “Right to Know”. Under the Right to Know, you can request a listing of the types of personal information we have collected about you, the sources of that information, how we use the information (e.g., our business or commercial purposes for collecting or selling personal information), other individuals and business with whom we share personal information, and the specific pieces of personal information that we have collected about you. In certain cases, a Request to Know may be denied, for example, if we cannot verify your identity or if providing you the information could create an unreasonable risk to someone’s security (for example, we do not want very sensitive information disclosed inappropriately). If we deny your request, we will explain why we denied it. If we deny a request, we will still try to provide you as much of the information as we can, but we will withhold the information subject to denial.
Right to request deletion of personal information about you. California consumers have a right to request the deletion of their personal information that we have collected or maintain. In certain cases, a request for deletion may be denied, for example, if we cannot verify your identity, the law requires that we maintain the information, or if we need the information for internal purposes such as providing services. If we deny your request, we will explain why we denied it and delete any other information that is not protected from deletion.
Right to opt-out of the sale of personal information. California consumers have a right to opt-out of the sale of their personal information by businesses. We do not sell personal information, however, so opt-out is not relevant.
Right to non-discrimination for the exercise of a consumer’s privacy rights. You have a right not to receive discriminatory treatment by us for exercising any of your privacy rights conferred by the CCPA. We will not discriminate against any California consumer because such person exercised any of the consumer’s rights under CCPA, including, but not limited to:
Denying goods or services.
Charging different prices or rates for goods and services, including through the use of discounts or other benefits or imposing penalties.
Providing a different level or quality of goods or services.
Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
We may, however, charge a different price or rate, or provide a different level or quality of goods or services, if that difference is related to the value provided to you by your data.
If you would like, you may designate an authorized agent to make a request under the CCPA on your behalf. We will deny requests from agents that do not submit proof of authorization from you. To verify that an authorized agent has authority to act for you, we may require a copy of a power of attorney or require that you provide the authorized agent with written permission and verify your own identity with us.
HOW TO EXERCISE YOUR RIGHTS
To exercise any of the rights above including under the CCPA, contact us at privacy@civic.com or using the contact information listed below. Please identify yourself and specify your request. If you have a password protected account, we may generally use your account information to verify your identity. If not, we may ask you to provide additional verification information. What we request will depend on the nature of your request, how sensitive the information is, and how harmful unauthorized disclosure or deletion would be.
We use commercially reasonable efforts to delete your Personal Data as required but may retain records necessary to comply with a governmental authority or applicable federal, state, or local law. Where legally permitted, we may decline to process requests, including requests that are unreasonably repetitive or systematic, require disproportionate technical effort, or jeopardize the privacy of others.
CHANGES TO OUR PRIVACY POLICY.
We may revise this Privacy Policy from time to time at our sole discretion. When we do, we will post an updated version on this page, unless another type of notice is required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use the Services after the new Privacy Policy takes effect.
CONTACT US.
If you have any questions about our privacy practices or this Privacy Policy, or you would like to exercise your rights described above, please contact us at:
Civic Technologies Inc.,
Attn: Data Protection Officer
548 Market St #45306
San Francisco, CA 94104-5401
Email: privacy@civic.com
Due to Office of Foreign Assets Control (OFAC) restrictions, Civic is unsupported for nationals and residents of the following countries: Bangladesh, Belarus, China, Cuba, Iran, North Korea, Russia, South Sudan, Sudan, Syria.
Civic Passes cannot be issued if a VPN is detected.