Usage Policy

1.1 Transparency

Customers must clearly inform individuals about the identity verification process, including what information will be collected, how it will be used, and who will have access to it. Transparency builds trust and ensures compliance with POPIA.

• Clearly explain the verification process to users
• Provide accessible privacy notices in plain language
• Disclose data sharing practices with third parties
• Make contact information readily available for privacy inquiries

1.3 Responsible Data Handling

Our customers must handle personal information with the highest level of care and security. This includes implementing appropriate technical and organisational measures to protect against unauthorised access, loss, or misuse.

• Implement robust data security measures
• Limit access to personal information on a need-to-know basis
• Regularly review and update security practices
• Report data breaches promptly to affected individuals and authorities

1.4 Privacy by Design

Privacy considerations must be integrated into all verification processes from the outset. This means collecting only necessary information, minimising data retention, and providing individuals with meaningful control over their personal information.

• Collect only data necessary for the stated purpose
• Implement data minimisation practices
• Enable user control over personal information
• Design systems with privacy safeguards built-in

2.1 API Keys and Integrations

• API keys must be kept confidential and used only from secure server-side systems.
• Each API request must be tied to a documented lawful purpose and permitted use case.
• Production retries must use idempotency where supported to prevent duplicate charges or duplicate processing.
• Customers must not expose API keys in client-side code, public repositories, browser apps, or mobile apps.

2.2 Companies Running Multiple Checks

• Customers must have an internal policy or workflow that defines who may run checks and for what purpose.
• Repeated, batch, or operational checks must be proportionate, purpose-specific, and limited to the data needed for the stated fraud-prevention, KYC, onboarding, compliance, or account-ownership purpose.
• Customers must keep evidence of the lawful basis, notice, consent where required, internal approval, or customer instruction that supports the checks.
• Customers may not use multiple checks to build unauthorised profiles, marketing lists, surveillance databases, or unrelated risk scores.

2.3 Audit Metadata

VerifyNow may retain audit metadata for API and dashboard checks, including request identifiers, user or API-key owner, report type, selected purpose, timestamps, credit usage, status, and lawful-basis or consent attestations. VerifyNow does not store full verification reports by default after delivery.

2.1 Mandatory Disclosure

Individuals must be informed about the following before their personal information is collected or processed:

• The purpose of identity verification
• Types of documents and biometric data to be collected
• How personal information will be processed and stored
• Who will have access to the information
• Data retention periods
• Rights to access, correct, or delete personal information
• Contact details for privacy-related inquiries

2.2 Biometric Data Collection

Special care must be taken when collecting biometric data, including facial images and document scans. Users must be explicitly informed about:

• The requirement to provide a "live selfie" or photograph
• How facial recognition technology will be used
• Whether biometric templates will be stored or processed
• Security measures protecting biometric data

2.3 Sample Notice and Consent Language

We recommend using clear, accessible language when giving notice and when obtaining consent for workflows where consent is required. Here are sample consent statements in English and Afrikaans:

3.1 South African Law Compliance

All customers operating in South Africa must comply with applicable local laws, including but not limited to:

• Protection of Personal Information Act (POPIA): Comprehensive data protection requirements
• Financial Intelligence Centre Act (FICA): KYC and AML compliance obligations
• Electronic Communications and Transactions Act (ECTA): Electronic document requirements
• Promotion of Access to Information Act (PAIA): Information access rights
• Consumer Protection Act (CPA): Consumer rights and fair business practices

3.3 International Operations

Customers operating across multiple jurisdictions must ensure compliance with all applicable data protection and privacy laws in each jurisdiction where they collect or process personal information.

• Research and comply with local data protection requirements
• Implement appropriate cross-border data transfer mechanisms
• Respect varying consent and notice requirements
• Maintain documentation of legal compliance efforts

3.4 Regulatory Cooperation

Customers must cooperate with regulatory authorities and law enforcement agencies as required by law, while maintaining appropriate protections for personal information.

4.1 Minimum Age Requirements

Verify Now services must not be used to collect or process personal information from individuals under the age of 18 without appropriate parental consent. Special protections apply to children's personal information.

4.2 Detection and Response

If customers discover that personal information has been collected from a minor without proper lawful basis or required parental consent, they must:

• Immediately notify Verify Now of the incident
• Cease all processing of the minor's personal information
• Securely delete the information unless retention is required by law
• Implement measures to prevent future incidents
• Report the incident to parents/guardians and relevant authorities as required

4.3 Parental Rights

Parents and guardians have enhanced rights regarding their children's personal information, including the right to access, correct, and request deletion of their child's information at any time.

5.1 Security Requirements

Customers must implement appropriate technical and organisational measures to protect personal information processed through Verify Now services:

• Encryption of personal data in transit and at rest
• Access controls and authentication measures
• Regular security assessments and updates
• Staff training on data protection practices
• Incident response and breach notification procedures

5.2 Breach Notification

In the event of a personal data breach, customers must notify Verify Now within 24 hours and affected individuals without undue delay, in accordance with POPIA requirements. Verify Now commits to notifying customers of any breach affecting their data within 48 hours of confirmation.

7.1 Regular Audits

Verify Now reserves the right to conduct periodic audits of customer practices to ensure compliance with this Usage Policy and applicable data protection laws.

7.2 Violation Response

Violations of this Usage Policy may result in:

• Warning notices and required corrective action
• Suspension of services pending remediation
• Termination of customer relationship
• Reporting to relevant regulatory authorities