Privacy Policy

CertifID, Inc. Privacy Policy

Effective Date: May 1, 2026 | Last Updated: May 1, 2026

This document contains three parts, each with its own anchor URL:

Part I: General Privacy Policy | Part II: GLBA Consumer Privacy Notice (#glba-notice) | Part III: Biometric Information Privacy Policy (#biometric-policy)


TABLE OF CONTENTS

Part I — General Privacy Policy

  1. Your Acceptance of These Terms
  2. Categories of Personal Information We Collect
  3. Business and Commercial Purposes for Collection
  4. Categories of Third Parties With Whom We Share Information
  5. NACHA TPSP, BSA Recordkeeping, and OFAC Screening Disclosures
  6. Social Security Number Verification Disclosures (eCBSV)
  7. Driver's License Verification Disclosures (AAMVA DLDV)
  8. Telecommunications Carrier Identity Verification Disclosures
  9. Sensitive Personal Information (CCPA / CPRA)
  10. Sources for Personal Information
  11. Data Retention Schedule
  12. Your Privacy Rights
  13. Data Security
  14. Cookies and Tracking Technologies
  15. Children Under 13
  16. Changes to This Policy
  17. Dispute Resolution
  18. Contact Information

Part II — Consumer Privacy Notice (Gramm-Leach-Bliley Act)

  • FACTS — What CertifID Does With Your Personal Information
  • Reasons We Can Share Your Personal Information
  • Who We Are / What We Do / Definitions
  • Other Important Information (State-Specific)
  • NACHA Third-Party Service Provider Disclosure

Part III — Biometric Information Privacy Policy

  1. Purpose and Scope
  2. Definitions
  3. Biometric Data We Collect
  4. Purpose of Collection and Use
  5. Written Consent Requirement
  6. Disclosure to Third Parties
  7. Retention Schedule and Destruction Guidelines
  8. Storage and Protection of Biometric Data
  9. Your Rights
  10. Dispute Resolution
  11. Changes to This Policy


PART I — General Privacy Policy

1. Your Acceptance of These Terms

This Privacy Policy ("Policy") describes how CertifID, Inc., together with its subsidiaries and affiliates (collectively, "CertifID," "we," "us," or "our"), collects, uses, shares, retains, and protects your personal information when you access or use our website at www.certifid.com, the CertifID platform, and any related products and services (collectively, the "Services"). This Policy is incorporated by reference into CertifID's Terms of Service (www.certifid.com/company/terms-of-service), Enterprise End User License Agreement, and any Master Services Agreement between CertifID and an enterprise customer. When CertifID processes personal information on behalf of an enterprise customer (such as a title company, settlement agent, or lender), CertifID acts as a service provider or data processor with respect to that information, and the enterprise customer's own privacy notice governs its collection and use of your personal information.

This Policy consists of three parts. Part I (below) is CertifID's general Privacy Policy. Part II is CertifID's Consumer Privacy Notice required by the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, Regulation P (12 CFR Part 1016). Part III is CertifID's Biometric Information Privacy Policy required by the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), the Washington Biometric Identifiers statute (RCW 19.375), and similar laws. Each Part has its own anchor URL so that it may be linked, referenced, and delivered independently where required.

By accessing or using the Services, you accept the practices described in this Policy. If you do not agree, you must not access or use the Services. Certain verification activities — facial recognition through CertifID Match, Social Security number verification through the Social Security Administration's eCBSV program, and telecommunications-carrier-based identity verification — require separate affirmative consent collected at the point of collection, described in Sections 6 and 8 of this Part and in Part III (biometric).

2. Categories of Personal Information We Collect

The categories of personal information we collect depend on which Services you use and how you interact with us. The table below describes each category, illustrative examples, collection status, and sources. This section aligns with the category-level specificity required under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

| Category | Examples | Collected? | Source(s) |
| --- | --- | --- | --- |
| Identifiers | Real name, alias, postal address, email address, telephone number, IP address, driver's license number, passport number | Yes | Directly from you; from the entity requesting verification; from public records |
| Government-Issued Identification | Driver's license, passport, state ID (number and image) | Yes | Directly from you |
| Protected Classification Characteristics | Date of birth, gender, citizenship (as shown on identification documents) | Yes | From identification documents you provide |
| Biometric Information | Facial geometry (faceprint) from selfie via CertifID Match; liveness detection data | Yes | Directly from you during CertifID Match verification — see Part III |
| Financial Information | Bank account numbers, routing numbers, wire transfer details, mortgage payoff amounts, transaction amounts, originator and beneficiary information for funds-transfer records | Yes | Directly from you; from the entity requesting verification; from banking partners and mortgage servicers |
| Internet or Network Activity | Browsing history on CertifID websites, platform interactions, device identifiers, browser type and version | Yes | Automatically collected through cookies and similar technologies |
| Geolocation Data | Approximate location (from IP); precise location only with permission | Yes | Automatically; with permission for precise location |
| Sensory Data | Photographs of identification documents; selfie photographs for CertifID Match | Yes | Directly from you during verification |
| Professional or Employment Information | Job title and company name of the requesting party's contact person | Yes | From the entity requesting verification |
| Telecommunications Carrier Information | Mobile number, name, address, email, network status, customer type, mobile device identifiers, subscriber account status, account tenure, SIM-swap indicators, line type, subscriber name match | Yes, when carrier verification is used — see Section 8 | From your wireless carrier and CertifID's carrier identity verification service provider |
| Social Security Number | SSN for verification against SSA records via eCBSV | Only when requested and consented to — see Section 6 | Directly from you with explicit written consent |
| Inferences | Risk scores, fraud likelihood assessments, identity confidence scores | Yes | Generated internally from the categories above |
| Sanctions Screening Result | Match / no-match against U.S. Treasury Office of Foreign Assets Control (OFAC) lists and similar government lists | Yes, on parties to a transaction | Generated internally from the categories above using OFAC-provided lists |

3. Business and Commercial Purposes for Collection

We use the personal information we collect for the following purposes:

  • Verifying the identity of individuals in connection with real estate, mortgage payoff, wire transfer, and other financial transactions facilitated through the CertifID platform
  • Generating identity confidence and fraud-risk scores to help detect and prevent fraud and to verify identities prior to funds movement
  • Detecting, preventing, and investigating fraud, including wire fraud, identity theft, synthetic identity fraud, and business email compromise
  • Facilitating payment processing and wire transfer verification through our banking partners
  • Administering the wire fraud insurance program underwritten by Lloyd's of London (currently through Casper Speciality Syndicate #7935, or such successor underwriter as may be designated from time to time)
  • Complying with applicable laws and regulations, including the Bank Secrecy Act / Anti-Money Laundering rules (31 CFR Part 1010), NACHA Operating Rules, Know Your Customer (KYC) obligations, OFAC sanctions screening, and the Travel Rule recordkeeping requirement at 31 CFR §1010.410(f)
  • Responding to lawful requests from government agencies, law enforcement, and courts
  • Communicating with you about your transactions, account, and customer support matters
  • Improving the security, performance, and user experience of our Services
  • Marketing our products and services to existing customers, and conducting joint marketing with financial institutions (see Part II for opt-out mechanics under GLBA)

4. Categories of Third Parties With Whom We Share Information

We share personal information with the following categories of third parties for the purposes described. CertifID does not "sell" or "share" personal information as those terms are defined by the CCPA/CPRA. CertifID does not use or disclose personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals. See Cookies (Section 13) for details.

| Category of Third Party | What We Share | Purpose |
| --- | --- | --- |
| Identity Verification Service Providers | Name, DOB, government ID information, biometric data (faceprint), phone number | To process identity verification requests, including facial recognition matching and document authentication |
| SSN Verification Service Provider | Name, SSN, DOB — only with explicit consent | To submit the eCBSV query to the Social Security Administration (see Section 6 for detailed disclosures) |
| Driver's License and ID Verification (AAMVA DLDV via CertifID's DLDV connection) | Driver's license/state ID number, name, date of birth, issuing jurisdiction — only with explicit consent | To submit the DLDV query to the issuing state DMV via AAMVA (see Section 7 for detailed disclosures) |
| Telecommunications Carriers and Carrier Identity Services | Mobile number and related subscriber account information — only with explicit consent | To verify phone number ownership, detect SIM swaps, and confirm subscriber identity (see Section 8 for detailed disclosures) |
| Banking Partners and Payment Processors | Bank account numbers, routing numbers, originator and beneficiary information, transaction details | To process wire transfers, verify account ownership, facilitate payments, and satisfy BSA Travel Rule recordkeeping requirements (see Section 5) |
| E-Signature Service Providers | Signer name, email, IP address, document packet metadata, and signed documents as necessary for secure execution. | To enable secure e-signatures and document workflows integrated into the Services (e.g., DocuSign) in accordance with the provider's end-user terms presented at the point of signature. |
| Instant Payment and ACH Gateways | Bank account tokens or identifiers, account/routing numbers, payment order information, and transaction metadata. | To facilitate digital payments (e.g., earnest money deposits) and to comply with applicable ACH and faster-payment network rules; subject to NACHA and BSA retention as described in Section 5 |
| Bank Account Linking Service Providers | Bank account credentials or tokenized bank account identifiers — only with your explicit consent | To verify bank-account ownership for wire transfer verification. If CertifID uses a third-party bank-linking service (such as Plaid), that provider's end-user agreement will be presented at the time of linking and governs the provider's use of your information. |
| Requesting Parties (Title Companies, Settlement Agents, Lenders, Real Estate Professionals) | Verification results, identity confidence information | To complete the identity and wire instruction verification initiated by these parties |
| Mortgage Servicers and Lenders | Loan numbers, property addresses, payoff request information | To verify mortgage payoff information through CertifID's PayoffProtect service |
| Insurance Underwriters (currently Lloyd's of London / Casper Speciality Syndicate #7935, or successor) | Transaction details, verification results, claim-related information | To underwrite, investigate, adjust, and administer CertifID's wire fraud insurance coverage |
| Credit Reporting Agencies and Anti-Fraud Consortia | As permitted by law | To comply with regulatory obligations and to participate in industry fraud-prevention networks |
| U.S. Treasury Department (OFAC) — via our sanctions screening provider | Names, addresses, and other identifying information of parties to a transaction | To screen transactions against OFAC sanctions lists as required by 31 CFR Chapter V (see Section 5) |
| Government and Regulatory Authorities | As required by law, subpoena, or court order | Legal compliance, including BSA/AML, OFAC, FinCEN reporting, and law enforcement requests |
| Analytics and Service Providers (e.g., Google Analytics) | De-identified usage data, device information, browsing behavior | Service operation and improvement — does not include identity verification information |
| Affiliates of CertifID | Personal information as described above | Our everyday business purposes |


5. NACHA TPSP, BSA Recordkeeping, and OFAC Screening Disclosures

5.1 NACHA Third-Party Service Provider Status

CertifID, Inc. operates as a Third-Party Service Provider (TPSP) and Third-Party Sender (TPS) under the NACHA Operating Rules. In this capacity, CertifID:

  • Processes ACH Entries and performs functions on behalf of, or in association with, Originators, Originating Depository Financial Institutions (ODFIs), and Receiving Depository Financial Institutions (RDFIs)
  • Is bound by the NACHA Operating Rules applicable to the functions it performs
  • Maintains safeguards to protect the confidentiality and integrity of account numbers, routing numbers, and other financial information used in ACH transactions
  • Complies with NACHA data security requirements, including encryption of sensitive financial information in transit and at rest
  • Is registered as a TPSP/TPS with its ODFI partner(s) in accordance with NACHA Operating Rules
  • Maintains commercially reasonable fraud detection and prevention controls as required by NACHA Operating Rules

CertifID's role as a NACHA TPSP is distinct from, and does not imply, the status of a "money transmitter" under state money services business laws. CertifID does not perform money transmission; payments are initiated based on user instructions and processed and disbursed by CertifID's third-party banking partner(s).

5.2 Bank Secrecy Act Recordkeeping and the Travel Rule

CertifID is subject to the recordkeeping, record-retention, and information-transmittal requirements of the Bank Secrecy Act ("BSA") and its implementing regulations at 31 CFR Chapter X. For any funds transfer or transmittal of funds of $3,000 or more, the BSA "Travel Rule" (31 CFR §1010.410(f)) requires CertifID to collect, retain, and — in certain circumstances — transmit to other financial institutions in the payment chain the following information about the transaction:

  • The name, address, and (if the payment order is in writing) the account number of the originator
  • The amount and the execution date of the payment order
  • Any payment instructions received with the payment order from the originator
  • The identity of the beneficiary's bank
  • Either the name and address, the account number, or (if none of the above) other identifying information of the beneficiary

CertifID retains these records for a period of five (5) years, consistent with the BSA record-retention requirement at 31 CFR §1010.430. Information collected for Travel Rule purposes is used solely for BSA/AML compliance, for the administration of the underlying transaction, and to respond to lawful requests from government authorities; it is not used for marketing, profiling, or any other purpose.

5.3 OFAC Sanctions Screening

As part of CertifID's BSA/AML compliance program, CertifID screens parties to a transaction (and, where applicable, related transaction information) against sanctions lists maintained by the U.S. Treasury Department's Office of Foreign Assets Control ("OFAC"), including the Specially Designated Nationals (SDN) List, the Consolidated Sanctions List, and any other list as required by 31 CFR Chapter V.

If a transaction or a party to a transaction generates a potential match to an OFAC-administered list, CertifID may: (a) block or reject the transaction; (b) hold transaction information and conduct additional review in accordance with OFAC guidance; and (c) report the potential match to OFAC as required by law. Blocked transactions cannot be unblocked without authorization from OFAC. CertifID may not be able to disclose to you, or to another party to the transaction, that a transaction has been rejected or blocked due to OFAC sanctions, or that information has been reported to OFAC, to the extent disclosure is prohibited by law.

5.4 Information Reporting to FinCEN

CertifID is required to file reports with the Financial Crimes Enforcement Network ("FinCEN") in certain circumstances, including Suspicious Activity Reports ("SARs") under 31 CFR §1022.320. Where CertifID files a SAR, CertifID is prohibited by 31 USC §5318(g)(2) from disclosing that fact to you or any person involved in the transaction. Information reported to FinCEN is used by the U.S. Treasury and law enforcement authorities for BSA/AML purposes.

For questions about CertifID's BSA/AML and NACHA compliance, contact compliance@certifid.com.


6. Social Security Number Verification Disclosures (eCBSV)

As part of CertifID's identity verification services, and only when explicitly requested by the party requesting verification and with your explicit written consent, CertifID uses the Social Security Administration's (SSA) Electronic Consent Based Social Security Number Verification service ("eCBSV") to verify that the name, date of birth, and Social Security Number ("SSN") you provide match the information in SSA records. The eCBSV service is authorized under the Economic Growth, Regulatory Relief, and Consumer Protection Act (Pub. L. 115-174, §215).

When CertifID uses eCBSV

CertifID submits SSN-verification queries to eCBSV only when all of the following conditions are met:

(a) the party requesting verification (e.g., your title company, settlement agent, or lender) has specifically requested SSN verification for your transaction;
(b) no alternative identity verification method is sufficient for the verification purpose; and
(c) you have affirmatively consented through the dedicated consent screen described below.

What information is shared

When you consent to eCBSV verification, CertifID transmits the following information to its designated eCBSV service provider, which in turn submits a query to the SSA:

  • Your full legal name
  • Your date of birth
  • Your Social Security Number

The SSA returns a single-field response indicating whether the combination of name, DOB, and SSN matches SSA records, including, where applicable, the basis for a no-match response. The SSA does not return any other information about you, including information about your employment history, earnings, benefits, citizenship, or immigration status.

SSA Consent

Authorization for the Social Security Administration to Disclose Your Social Security Number Verification

I authorize the Social Security Administration (SSA) to verify and disclose to CertifID, Inc. through Socure, Inc., their service provider, for the purpose of verifying my identity in connection with a financial transaction facilitated through the CertifID platform whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records, including the basis for a no-match response. My consent is for a one-time validation within the next 90 days.

Additional disclosures

You understand that the Social Security Administration is not a party to, and does not endorse, the underlying transaction between you and CertifID, Inc. The SSA's verification response is not a guarantee of identity and does not verify citizenship or immigration status.

By providing your consent electronically, you agree that your electronic signature has the same legal meaning, validity, and effect as a handwritten signature under the Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. §7001 et seq.

Retention and use

Your SSN is transmitted solely to the SSA for the one-time eCBSV query. CertifID retains only the verification result (match / no-match) as described in the Data Retention Schedule in Section 11. Your SSN is not shared with, or available to, the party that requested the verification.

Your choices

You may decline SSN verification. Declining may affect the identity verification flow for your transaction; the party requesting verification may offer alternative identity verification methods. You may revoke your consent at any time by contacting privacy@certifid.com, but revocation will not affect the lawfulness of any verification completed prior to revocation.

7. Driver's License Verification Disclosures (AAMVA DLDV)

As part of CertifID's identity verification services, and only when explicitly requested by the party requesting verification and with your explicit written consent, CertifID uses the American Association of Motor Vehicle Administrators' ("AAMVA") Driver's License Data Verification ("DLDV") Service to verify that the driver's license number, name, date of birth, and issuing jurisdiction you provide match the information in the issuing state DMV's records. AAMVA's DLDV Service connects CertifID in real time to participating state motor vehicle agencies and returns a match/no-match result for each data element — no underlying DMV record data is disclosed to CertifID.

When CertifID uses AAMVA DLDV

CertifID submits driver's license data verification queries to AAMVA's DLDV Service only when:

(a) the party requesting verification has enabled driver's license verification;
(b) you have provided explicit written consent; and
(c) the jurisdiction issuing your DL/ID participates in the AAMVA DLDV network.

What information is transmitted

When you consent to DLDV verification, CertifID transmits the following information to AAMVA via its DLDV connection:

(i) driver's license or state ID number;
(ii) your full legal name;
(iii) date of birth; and
(iv) the issuing jurisdiction/state.

AAMVA routes the query to the issuing state DMV and returns a match/no-match flag for each submitted data element. CertifID retains only the verification result (match/no-match flag). No underlying DMV record data is released to CertifID.

Legal authority

The DLDV Service operates pursuant to the Driver's Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721-2725, and applicable state motor vehicle record laws. Authorized permissible purposes include identity verification in connection with financial transactions.

Consent

When you consent to DLDV verification, CertifID obtains your written consent that:

(i) you authorize the transmission of your DL/ID data elements to AAMVA and the issuing state DMV for verification;
(ii) AAMVA is not a party to, and does not endorse, any underlying transaction; and
(iii) the verification result is a match/no-match flag only — no DMV record data is disclosed to CertifID.

Retention and use

Your DL/ID number and the data elements transmitted are used solely for AAMVA DLDV verification. CertifID retains the verification result for the period specified in its Data Retention Schedule (see Section 11).

Your choices

You may decline driver's license data verification. Declining may affect the identity verification workflow for the applicable transaction. It will not prevent you from using CertifID services that do not require DL/ID verification.

8. Telecommunications Carrier Identity Verification Disclosures

As part of CertifID's identity verification and fraud detection services, CertifID may query information about your telephone number from your wireless carrier through a carrier identity verification service provider. The authorization language below describes how CertifID and your wireless carrier work together to verify your identity and help prevent fraud. This authorization is the industry-standard language required by U.S. wireless carriers before they will honor identity verification queries through their identity verification programs.

Authorization to Obtain Wireless Subscriber Information

We may use information on file with your wireless operator to further verify your identity and to protect against or prevent actual or potential fraud or unauthorized use of the Services. By using the Services, You authorize your wireless carrier to use or disclose information about your account and your wireless device (such as your mobile number, name, address, email, network status, customer type, mobile device identifiers and other device and subscriber status information), if available, to CertifID, Inc. or its service providers for the duration of your business relationship, solely to help them identify you or your wireless device and to prevent fraud. See our Privacy Policy for how we treat your data.

Additional fraud-detection signals

In addition to the wireless subscriber account information described in the authorization above, CertifID's carrier identity verification may return the following additional signals for fraud-detection purposes:

  • Account tenure — length of time the phone number has been associated with the current subscriber
  • SIM-swap indicator — whether the phone number has been recently ported or transferred to a different carrier
  • Line type — whether the phone number is mobile, landline, or VoIP
  • Subscriber name match — whether the name on the wireless account matches the name provided for the transaction

CertifID does not receive your call records, text message contents, voicemail contents, browsing history, location history, or any other communications content.

Managing Your Carrier Privacy Settings

The major U.S. wireless carriers each operate identity verification programs. Your participation in these programs is controlled by you directly with your carrier:

  • AT&T: AT&T's Identity Verification setting is enabled by default for AT&T subscribers. You may manage this setting through your AT&T account at att.com under Profile > Privacy Choices.
  • Verizon: Verizon's Identity Verification Service enrolls Verizon Wireless postpaid and prepaid consumers by default. You may opt out through My Verizon under Account > Manage Privacy Settings.
  • T-Mobile: You may manage T-Mobile privacy settings, including identity verification, through the T-Mobile app or website under Account > Profile Settings > Privacy and Notifications > Privacy Dashboard.
  • US Cellular and other carriers: If your wireless service is provided by US Cellular or another carrier, similar identity verification programs may or may not be available. Consult your carrier's privacy settings for details.


If you have opted out of your carrier's identity verification program, CertifID's carrier verification step may not return usable results, and alternative verification methods may be required. Your carrier's privacy settings are controlled by you directly with your carrier; CertifID is not able to modify them on your behalf.

How CertifID uses carrier-provided information

  • The verification result is used solely for fraud detection and identity verification for the specific transaction in which verification is requested.
  • The information is not sold, leased, or shared for marketing purposes.
  • The information is not used for behavioral profiling or to build a profile about you beyond the identity verification result.
  • The information is retained for the period described in the Data Retention Schedule in Section 11 ("Carrier verification results"), after which it is permanently destroyed.

Your choices

You may decline carrier identity verification. Declining may affect the identity verification flow for your transaction; the party requesting verification may offer alternative identity verification methods. You may also manage whether your carrier shares information with identity verification services by adjusting your carrier's privacy settings, as described above.


9. Sensitive Personal Information (CCPA / CPRA)

For California residents, the following categories collected by CertifID qualify as "sensitive personal information" under the CCPA/CPRA:

| Sensitive PI Category | Collected? | Purpose / Use Limitation |
| --- | --- | --- |
| Social Security number | Yes — only with explicit consent for eCBSV verification | Used solely for SSN verification against SSA records. See Section 6. |
| Driver's license / state ID / passport number | Yes | Used for identity verification; retained per Data Retention Schedule (Section 11). |
| Financial account credentials (account + routing number) | Yes | Used for wire transfer verification and payment processing. |
| Precise geolocation (within 1,850 feet) | Only with explicit permission | Used for fraud detection (verifying user is in expected location). |
| Biometric information processed for identification | Yes (CertifID Match) | Used solely for identity verification; governed by Part III. |
| Contents of mail, email, and text messages | No | N/A |
| Genetic data | No | N/A |
| Racial or ethnic origin | Not intentionally collected; may appear on ID documents | Not used for any purpose. |
| Religious or philosophical beliefs | No | N/A |
| Union membership | No | N/A |

CertifID uses sensitive personal information only as necessary to perform the identity verification and fraud prevention services you have requested, and for purposes authorized by the CCPA/CPRA. You may limit the use and disclosure of your sensitive personal information by contacting privacy@certifid.com.


10. Sources for Personal Information

  1. Directly from you (e.g., when you submit identity verification, bank account information, or documents)
  2. From the party requesting verification (title companies, settlement agents, lenders, mortgage servicers, real estate professionals)
  3. From public records and commercially available data sources
  4. From identity verification service providers
  5. From credit bureaus, banking partners, and mortgage servicers
  6. From the Social Security Administration through its eCBSV program (verification result only — see Section 6)
  7. From AAMVA's Driver's License Data Verification (DLDV) Service, via the issuing state motor vehicle agency (match/no-match result only — see Section 7)
  8. From your telecommunications carrier through its identity verification program (see Section 8)
  9. From OFAC and other U.S. Treasury sanctions lists, via our sanctions screening provider (see Section 5.3)
  10. Automatically through your use of our website and platform (cookies, log files, device identifiers)


11. Data Retention Schedule

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, subject to the following schedule. When retention periods overlap, the longest applicable period controls. Retention is enforced through automated deletion and secure destruction processes. Biometric-specific retention details also appear in Part III, Section 7; the two schedules are aligned.

| Data Category | Retention Period | Legal Basis |
| --- | --- | --- |
| Biometric data (facial geometry / faceprint) | 3 years from last interaction OR 1 year after purpose is satisfied, whichever is first | BIPA 740 ILCS 14/15(a); TX CUBI §503.001 |
| Selfie photographs and ID document images | 90 days from verification completion | Data minimization |
| Bank account and routing numbers | 5 years from last transaction | BSA/AML record retention (31 CFR 1010.430) |
| BSA Travel Rule records (originator/beneficiary information for wires ≥ $3,000) | 5 years from transaction date | 31 CFR §1010.430; §1010.410(f) |
| SSN (if collected via eCBSV) | Destroyed immediately after verification; result retained for 5 years | SSA CBSV requirements; BSA/AML |
| Driver's license / state ID number and data elements (if collected via AAMVA DLDV) | Destroyed immediately after verification; result retained for 5 years | DPPA; AAMVA DLDV program requirements |
| Wire transfer records | 5 years from transaction date | BSA/AML record retention; NACHA Operating Rules |
| Identity verification results | 5 years from verification date | BSA/AML; regulatory examination |
| Carrier verification results | 5 years from verification date | BSA/AML; NACHA Operating Rules |
| OFAC screening records | 5 years from transaction date (10 years for blocked transactions) | 31 CFR §501.601 |
| SARs and related supporting documentation | 5 years from date of filing | 31 USC §5318(g); 31 CFR §1022.320 |
| Website usage data (cookies, analytics) | 13 months from collection | Industry standard; CCPA/GDPR best practice |
| Customer account information | Duration of relationship plus 5 years | BSA/AML; contractual obligations |
| Audit logs (access to personal information) | 7 years from log creation | SOC 2 requirements; regulatory examination |


12. Your Privacy Rights

All Consumers

  • Right to Know. You may request that CertifID disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes of collection, and the categories of third parties with whom we have shared it.
  • Right to Delete. You may request that CertifID delete personal information collected from you, subject to exceptions (e.g., information required for legal compliance, ongoing transaction completion, or fraud prevention).
  • Right to Opt Out of Sharing. Where we share personal information with nonaffiliated third parties for purposes other than processing your transaction, you may opt out. See Part II for the opt-out mechanics under the Gramm-Leach-Bliley Act. Contact privacy@certifid.com or visit www.certifid.com/privacy-preferences.
  • Right to Non-Discrimination. CertifID will not discriminate against you for exercising any of your privacy rights.

California Residents (CCPA / CPRA)

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by CertifID and our service providers
  • Right to opt out of the sale or sharing of personal information — note that CertifID does not sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information (see Section 9)
  • Right to non-discrimination for exercising CCPA rights
  • Right to opt out of automated decision-making technology. CertifID uses automated processes to generate risk scores, fraud likelihood assessments, and identity confidence scores. You may request information about the logic involved in such decision-making and may request to opt out of decisions based solely on automated processing where permitted by applicable law. Contact privacy@certifid.com to submit a request.

To exercise your California privacy rights, contact privacy@certifid.com, call 1-616-816-1668, or visit www.certifid.com/privacy/ccpa. We will respond within 45 days of receipt of a verifiable request.

Residents of certain U.S. states (including, for example, Colorado, Connecticut, Oregon, Texas, and Virginia) may have rights to access, correct, delete, obtain a portable copy of personal information, opt out of targeted advertising, opt out of certain profiling in furtherance of decisions that produce legal or similarly significant effects, and appeal our response to a request. You may submit a request at privacy@certifid.com. If we deny your request, you may appeal by replying to our decision email with 'Appeal' in the subject line or by writing to the Privacy Office. Where CertifID processes personal information as a service provider/processor on behalf of an enterprise customer, we will direct you to that customer to exercise your rights.

Illinois Residents (BIPA)

If CertifID has collected your biometric data through CertifID Match, you have the rights described in Part III, including the right to information about your biometric data, the right to deletion, and the right to withdraw consent. Illinois residents retain a private right of action for violations of BIPA.

Vermont Residents

CertifID will not share information we collect about Vermont residents with nonaffiliated companies except as permitted by law.

Nevada Residents

Nevada residents may submit a verified request directing CertifID not to sell any covered information that CertifID has collected or will collect about the consumer, pursuant to Nevada Revised Statutes Chapter 603A. CertifID does not currently sell covered information as defined by Nevada law. You may also request to be placed on our internal Do Not Call list. To exercise either right, contact privacy@certifid.com.

Residents of Other States With Privacy Laws

If you reside in a state that has enacted a comprehensive consumer privacy law — including but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia — you may have additional rights with respect to your personal information, such as the right to access, correct, delete, or obtain a portable copy of your data, and the right to opt out of targeted advertising, profiling, or the sale of personal information. Where CertifID processes personal information as a service provider or processor on behalf of an enterprise customer, we will direct you to that customer to exercise your rights. To exercise any such rights, contact privacy@certifid.com. We will respond within the timeframe required by your state's applicable law. If your request is denied, you may appeal the decision by contacting privacy@certifid.com with the subject line "Privacy Rights Appeal."

We verify your identity before processing a request using information reasonably related to your account or transaction. If we cannot verify your identity to a reasonable degree of certainty, we will inform you and explain what additional information is needed. If you use an authorized agent, we may require proof of authorization and verification of your identity. We endeavor to respond within 45 days (or the period required by law) and will notify you if we need additional time.


13. Data Security

CertifID protects personal information using administrative, technical, and physical safeguards designed to meet or exceed the requirements of GLBA (16 CFR Part 314), NACHA Operating Rules, and the controls described in our SOC 2 Type II attestation. These include encryption at rest (AES-256) and in transit (TLS 1.2 or higher); multi-factor authentication for systems that store or process personal information; role-based access controls and the principle of least privilege; continuous logging and audit of access to personal information; data loss prevention (DLP) controls; regular penetration testing and third-party security audits; and a comprehensive information security management system (ISMS) maintained by CertifID's security team. Additional security controls specific to biometric data are described in Part III, Section 8.

Security and compliance documentation (SOC 2 Type II report, penetration test summaries, policies) is available to customers under NDA through our Trust Center on Whistic.

Geographic Scope

The Services are intended for use within the United States. CertifID does not knowingly collect personal information from individuals located outside the United States. If you access the Services from outside the United States, you do so at your own risk and are responsible for compliance with applicable local laws. By using the Services from within the United States, you consent to the collection, processing, and storage of your personal information within the United States.

14. Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies to operate the website, remember preferences, measure usage, and enable security features such as session management. You may control cookies through your browser settings. Disabling cookies may affect the functionality of the Services. We honor Global Privacy Control (GPC) signals as described at www.certifid.com/privacy/ccpa. CertifID does not currently respond to Do-Not-Track (DNT) browser signals because no uniform industry standard for DNT compliance has been adopted.


15. Children Under 13

The Services are not directed at, or intended for, individuals under 13. We do not knowingly collect personal information from children under 13 in accordance with the Children's Online Privacy Protection Act (COPPA). We do not knowingly sell or share the personal information of consumers under 13 years of age, as required by the CCPA/CPRA. If we become aware that we have collected personal information from an individual under 13, we will delete it promptly.

16. Changes to This Policy

We may update this Policy (or any of its three Parts) from time to time. We will provide notice of material changes by posting the updated Policy on our website and updating the Effective Date above. Where a change materially affects processing of biometric data, we will request your renewed consent before continuing to process that data (see Part III, Section 11).


17. Dispute Resolution

Disputes arising from your use of the Services are governed by the Dispute Resolution and Arbitration Agreement set forth in CertifID's Terms of Service at www.certifid.com/company/terms-of-service, including the binding arbitration provision, the class-action waiver, and the one-year limitations period, subject to any non-waivable rights under applicable state law (including the private right of action under the Illinois Biometric Information Privacy Act). Disputes over unauthorized electronic fund transfers from a consumer bank account are governed by the error-resolution procedures in the Consumer EFT Error Resolution subsection of our Terms of Service at www.certifid.com/company/terms-of-service#error-resolution-notice, which procedures are in addition to (and not a replacement for) the general dispute-resolution framework in our Terms of Service.‍


18. Contact Information

Questions, requests, and complaints regarding this Policy may be directed to:

  • CertifID, Inc. — Privacy Office
    3601 South Congress Ave, Austin, TX 78704
    Corporate headquarters: 1410 Plainfield Ave, Grand Rapids, MI 49505
    Email: privacy@certifid.com
    Phone: 1-616-816-1668


PART II — Consumer Privacy Notice

Gramm-Leach-Bliley Act — Regulation P Model Form

This Part is delivered annually to active users and is independently referenced.

This Part II is CertifID's Consumer Privacy Notice under the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, Regulation P (12 CFR Part 1016). It follows the federal model form prescribed in Appendix A of Regulation P so that it qualifies for the safe harbor available to institutions that use the model form substantially verbatim. This Part is a self-contained notice; readers may consume it independently of Parts I and III. Definitions used in this Part ("affiliates," "nonaffiliates," "joint marketing") apply only within this Part.


FACTS

WHAT DOES CERTIFID, INC. DO WITH YOUR PERSONAL INFORMATION?

Why?

Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What?

The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and government-issued identification numbers; name, address, email address, and telephone number; bank account numbers, routing numbers, and wire transfer information; account balances and transaction history; biometric information (facial geometry via CertifID Match); device information, IP address, and geolocation data; driver's license information including photo and physical characteristics; credit and payment history (when applicable).

How?

All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons CertifID chooses to share; and whether you can limit this sharing.

Reasons we can share your personal information

Reason | Does CertifID share? | Can you limit this sharing?
For our everyday business purposes — such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No
For our marketing purposes — to offer our products and services to you | Yes | No
For joint marketing with other financial companies | Yes | No
For our affiliates' everyday business purposes — information about your transactions and experiences | Yes | No
For our affiliates' everyday business purposes — information about your creditworthiness | No | We don't share
For our affiliates to market to you | No | We don't share
For nonaffiliates to market to you | No | We don't share

Questions? Call 1-616-816-1668 or go to www.certifid.com/privacy-preferences

Who We Are and What We Do

Who is providing this notice? CertifID, Inc., including its subsidiaries and affiliates that provide identity verification, wire transfer verification, mortgage payoff verification, and payment processing services.
How does CertifID protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards such as encryption (SSL/TLS), SOC 2 Type II certified controls, firewalls, secured cloud infrastructure, and employee access controls. We maintain a comprehensive information security management system (ISMS) and undergo regular third-party security audits.
How does CertifID collect my personal information? We collect your personal information, for example, when you: Submit identity verification through the CertifID platform; Provide bank account information for wire transfer verification; Use CertifID Match for biometric facial recognition verification; Complete a wire transfer or payment transaction through our platform; Provide mortgage payoff information for verification; Interact with our website, mobile applications, or customer support.

We also collect your personal information from others, such as credit bureaus, affiliates, title companies, settlement agents, mortgage servicers, the Social Security Administration through the eCBSV program, your telecommunications carrier through its identity verification program, and other companies.
Why can't I limit all sharing? Federal law gives you the right to limit only: Sharing for affiliates' everyday business purposes — information about your creditworthiness; Affiliates from using your information to market to you; and Sharing for nonaffiliates to market to you.

State laws and individual companies may give you additional rights to limit sharing. See the "Other Important Information" section below for your rights under state law.
What happens when I limit sharing for an account I hold jointly with someone else? Your choices will apply to everyone on your account.


Definitions

Term | Definition
Affiliates | Companies related by common ownership or control. They can be financial and nonfinancial companies. CertifID, Inc.'s affiliates include CertifID, Inc. and CertifID Insurance Services.
Nonaffiliates | Companies not related by common ownership or control. They can be financial and nonfinancial companies. CertifID does not share with nonaffiliates so they can market to you.
Joint marketing | A formal agreement between nonaffiliated financial companies that together market financial products or services to you. Our joint marketing partners include title insurance companies, settlement service providers, and mortgage lenders.

Other Important Information

  • For Vermont Residents: We will not share information we collect about Vermont residents with companies outside of CertifID except as permitted by law.
  • For California Residents: We will not share information we collect about you with nonaffiliates except as permitted by law. For additional details regarding your California privacy rights, please see our California Consumer Privacy Act (CCPA) disclosure at www.certifid.com/privacy/ccpa.
  • For Nevada Residents: You may request to be placed on our internal Do Not Call list by contacting privacy@certifid.com or 1-616-816-1668.


NACHA Third-Party Service Provider Disclosure

CertifID, Inc. operates as a Third-Party Service Provider (TPSP) under the NACHA Operating Rules. As a TPSP, CertifID processes Entries and/or performs functions on behalf of, or in association with, an Originator, an ODFI, or a Receiving Depository Financial Institution (RDFI). CertifID is bound by the ACH Rules applicable to the functions it performs and maintains appropriate safeguards in accordance with NACHA requirements, including the protection of account numbers and routing numbers used in ACH transactions. See Part I, Section 5 for the complete NACHA TPSP, BSA Recordkeeping, and OFAC screening disclosures.



PART III — Biometric Information Privacy Policy

CertifID Match — Facial Recognition Verification
This Part is CertifID's public written policy under BIPA 740 ILCS 14/15(a), TX CUBI §503.001, and WA RCW 19.375.

1. Purpose and Scope

CertifID, Inc. ("CertifID," "we," "us," or "our") respects the privacy of individuals whose biometric information we collect and process. This Part III describes our practices regarding the collection, use, storage, retention, disclosure, and destruction of biometric identifiers and biometric information (collectively, "Biometric Data") through our CertifID Match facial recognition verification service.

This Part applies to all individuals who use CertifID Match as part of our identity verification services, regardless of the state in which they reside. It is designed to comply with the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) ("BIPA"), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001) ("CUBI"), the Washington Biometric Identifiers statute (RCW 19.375), the Colorado Privacy Act biometric provisions, and other applicable state and federal laws governing biometric data. This Part is CertifID's "written policy, made available to the public" for purposes of BIPA §15(a).

2. Definitions

"Biometric Identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. For CertifID Match, this specifically includes the mathematical representation (faceprint) derived from a scan of facial geometry.

"Biometric Information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. For CertifID Match, this includes the facial geometry template extracted from the user's selfie photograph and the comparison result against the government-issued identification document.

"CertifID Match" means CertifID's identity verification feature that uses facial recognition technology to compare a live selfie photograph captured by the user against the photograph on the user's government-issued identification document (e.g., driver's license, passport) to verify the user's identity.

3. Biometric Data We Collect

When you use CertifID Match, we collect and process the following Biometric Data:

  • Facial Geometry Scan: a mathematical representation of your facial features (approximately 68 landmarks), derived from the selfie you capture.
  • Facial Comparison Template: a biometric template generated from your facial geometry scan, compared against the photograph on your government-issued identification document.
  • Liveness Detection Data: information used to confirm that a live person is present — not a photograph, video, or digital reproduction — which may include motion analysis, texture analysis, and depth estimation data.
  • Verification Result: the match / no-match determination resulting from the comparison.


4. Purpose of Collection and Use

CertifID collects and uses Biometric Data solely for the following purposes:

  • To verify your identity as part of a real estate wire transfer, mortgage payoff, or other financial transaction facilitated through the CertifID platform
  • To prevent fraud, including wire fraud, identity theft, and synthetic identity fraud
  • To comply with applicable laws, regulations, and industry standards, including the Bank Secrecy Act/Anti-Money Laundering requirements, NACHA Operating Rules, and Know Your Customer (KYC) obligations
  • To fulfill the identity verification request initiated by the CertifID customer with whom you are conducting business

CertifID does NOT use Biometric Data for marketing purposes, behavioral profiling, surveillance, or any purpose other than those listed above.

5. Written Consent Requirement

CertifID will not collect, capture, or otherwise obtain your Biometric Data without first:

  • Informing you in writing (including electronically) that Biometric Data is being collected and stored
  • Informing you in writing (including electronically) of the specific purpose and length of time for which your Biometric Data is being collected, stored, and used
  • Receiving your informed written consent (including electronic consent) to the collection and storage of your Biometric Data

Biometric Data Consent Notice (displayed in-product before selfie capture)

CertifID uses facial recognition technology to verify your identity. By proceeding, you acknowledge and agree that:

  • CertifID will capture a scan of your facial geometry from the selfie you provide and create a mathematical representation (faceprint) of your facial features.
  • Your faceprint will be compared to the photograph on the government-issued identification document you provide to verify that you are the person depicted on the document.
  • Your Biometric Data will be stored for a period not to exceed three (3) years from the date of your last interaction with CertifID, or one (1) year after the purpose for which it was collected has been satisfied, whichever occurs first, after which it will be permanently destroyed.
  • Your Biometric Data may be disclosed to CertifID's third-party identity verification service provider(s) [PROVIDER NAME(S) — to be finalized by legal/vendor team] solely for the purpose of processing the facial recognition comparison. These providers are contractually bound to comply with this Part III.
  • Your Biometric Data will NOT be sold, leased, traded, or otherwise used for profit.
  • You may decline this verification. If you decline, alternative identity verification methods may be available through the requesting party (e.g., your title company or settlement agent).

In the CertifID Match user experience, the user must affirmatively check "I have read and understand the above notice. I consent to CertifID's collection, use, storage, and sharing of my Biometric Data as described above and in CertifID's Biometric Information Privacy Policy" and select "I Agree — Proceed to Verification" before any biometric collection occurs. An "I Do Not Consent" option is always presented.

6. Disclosure to Third Parties

CertifID will not sell, lease, trade, or otherwise profit from any individual's Biometric Data. CertifID will not disclose or disseminate any individual's Biometric Data unless one or more of the following conditions is met:

  • The individual (or the individual's legally authorized representative) has provided informed written consent to the disclosure
  • The disclosure completes a financial transaction requested or authorized by the individual
  • The disclosure is required by state or federal law, or municipal ordinance
  • The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction

When CertifID discloses Biometric Data to a third-party service provider for processing, that provider is contractually required to: (a) comply with this Part III and all applicable biometric privacy laws; (b) use the Biometric Data solely for the contracted purpose; and (c) permanently destroy the Biometric Data upon completion of the contracted purpose or within 24 hours, whichever is sooner.

7. Retention Schedule and Destruction Guidelines

CertifID shall retain Biometric Data only as long as necessary to fulfill the purpose for which it was collected, subject to the following retention schedule. This schedule is consistent with, and provides additional specificity beyond, the retention schedule in Part I, Section 11.

Data Type | Maximum Retention Period | Destruction Method
Facial geometry template (faceprint) | 3 years from last interaction with CertifID, OR 1 year after the purpose for collection is satisfied, whichever is first | Permanent deletion from all systems, including backups, within 30 days of retention period expiration
Selfie photograph | 90 days from verification completion | Permanent deletion from all systems, including backups
Liveness detection data | 30 days from verification completion | Permanent deletion from all systems
Verification result (match/no-match) | Duration of the underlying transaction relationship plus 5 years for regulatory compliance | Permanent deletion upon expiration
Government-issued ID photograph | 90 days from verification completion | Permanent deletion from all systems, including backups

When the initial purpose for collecting Biometric Data has been satisfied, or within the applicable retention period stated above (whichever occurs first), CertifID shall permanently and irreversibly destroy the Biometric Data by: (a) overwriting the data with random values; (b) deleting all copies from production systems, backup systems, disaster recovery systems, and any other storage media; and (c) directing all third-party processors to certify in writing that they have completed destruction of any Biometric Data in their possession.


8. Storage and Protection of Biometric Data

CertifID stores, transmits, and protects Biometric Data using a standard of care that is the same as or more protective than the standard of care used by CertifID to store, transmit, and protect other confidential and sensitive information, including:

  • AES-256 encryption at rest for all Biometric Data
  • TLS 1.2 or higher encryption in transit
  • Access controls limiting Biometric Data access to authorized personnel with a documented business need
  • Multi-factor authentication required for all systems that store or process Biometric Data
  • SOC 2 Type II certified infrastructure and controls
  • Regular penetration testing and vulnerability assessments
  • Audit logging of all access to Biometric Data
  • Data loss prevention (DLP) controls to prevent unauthorized exfiltration


9. Your Rights

Right to Information: You may request information about whether CertifID possesses your Biometric Data and, if so, the categories of Biometric Data held, the purpose for which it is held, and the applicable retention period.

Right to Deletion: You may request permanent destruction of your Biometric Data at any time by contacting privacy@certifid.com or 1-616-816-1668. We will comply within 30 days, subject to any legal or regulatory obligation to retain such data.

Right to Withdraw Consent: You may withdraw your consent to the collection and use of your Biometric Data at any time. Withdrawal will not affect the lawfulness of processing conducted prior to withdrawal. Withdrawal may prevent you from using CertifID Match for future identity verifications.

Right to Non-Discrimination: CertifID will not discriminate against you for exercising any of your rights under this Part III.


10. Dispute Resolution

Disputes arising out of or relating to this Part III are governed by the Dispute Resolution and Arbitration Agreement in CertifID's Terms of Service at www.certifid.com/company/terms-of-service, including the binding arbitration provision, class-action waiver, and one-year limitations period, subject to any non-waivable rights under applicable state biometric-privacy law (including the private right of action under Illinois BIPA).


11. Changes to This Policy

CertifID may update this Part III from time to time. We will provide notice of material changes by posting the revised policy on our website and updating the Effective Date. If a change materially affects the collection, use, or sharing of Biometric Data, we will request your renewed consent to the updated policy before continuing to process your Biometric Data.