Home

Privacy

This Privacy Policy, together with the related clauses of the Terms and Conditions, describes how we protect your privacy and how we use your Information and Data in the provision of the Identity Service. Our design of a digital identity service is based on the belief that your personal data and information belongs to you and you alone. All data we have about you is protected and processed in accordance with applicable law, as follows.

Fate of Personal Data Following the Discontinuation of the YRIS Service

Preamble

This policy explains, in a simple and clear manner, what happens to your personal data after the permanent discontinuation of the YRIS service, a digital identity service managed by IDnow SAS.

As part of the YRIS service, IDnow SAS collected and processed personal data.

This policy defines the terms applicable to the processing of personal data collected during the provision of the YRIS service, from the date of permanent discontinuation of said service, set for 31 July 2026 (hereinafter the “Discontinuation Date”).

Article 1 — Data concerned

This policy applies to all personal data collected by IDnow SAS as part of the YRIS service, namely:

Data category

  • Civil status, identity and identification data ex : Image of the identity document, video of the identity document, information extracted from the document, video challenge
  • Historical connection data ex : Shared data, connected services
  • Contact / connection data ex : Email address, telephone number

It applies to any natural person who has created a YRIS digital identity, regardless of the date on which their account was created.

Creating a YRIS digital identity involves the creation of an evidence file: an archive that records the information linked to your identification journey. This file is not intended for everyday use: it exists solely to enable a dispute to be resolved or to respond to legal proceedings, should this become necessary.

There are two types of evidence files:

  • File linked to identity verification — “low” level: When you created your digital identity by submitting your identity data online, the service verified its authenticity. At the end of this verification, a decision was issued and an evidence file was created.
  • File linked to the use of your electronic identification means: When your digital identity is deleted — whether by you, by an authorised IDnow agent, or automatically by the service — a file is created. It includes, in particular, the history of your connections and the associated evidence.

Article 2 — Why can the data no longer be used?

he YRIS service had two reasons for using your data:

  1. To verify your identity when creating your YRIS digital identity;
  2. To manage your digital identity so that you could access online services.

Since the discontinuation of the service, these reasons no longer exist. IDnow therefore no longer has a legal justification for retaining your data.

Article 3 — What will actually happen to your data?

3.1 — General principle: deletion of data

As from the service discontinuation date, your data will be permanently deleted.

3.2 — Exception: retention due to a legal obligation

Certain data must be retained due to a legal obligation, even after the discontinuation of the YRIS service:

  • File linked to identity verification: the data contained in this file must be retained for a period of 10 years from the creation of your YRIS digital identity.
  • File linked to the use of your electronic identification means: the data contained in this file must be retained for a period of 5 years from the deletion of your YRIS digital identity.

An ongoing or foreseeable dispute may require their preservation for evidentiary purposes.

In these cases, the data concerned is isolated, access is strictly restricted, and the data is deleted once the obligation or dispute has ended.

Article 4 — Users’ rights before and after the Discontinuation Date

4.1 — Before the Discontinuation Date of the YRIS Service

Until the Discontinuation Date, users have all of their GDPR rights:

  • Right of access (Article 15 GDPR): to obtain a copy of the data processed concerning them;
  • Right to erasure (Article 17 GDPR): to request the early deletion of their data;
  • Right to rectification (Article 16 GDPR);
  • Right to restriction of processing (Article 18 GDPR);
  • Right to object (Article 21 GDPR).

IDnow SAS undertakes to process any request within one month of receipt (a period that may be extended by two months in the event of complexity, with prior notice to the user).

4.2 — After the Discontinuation Date of the YRIS Service

From the Discontinuation Date, as the data will have been permanently deleted, IDnow SAS will no longer be able to respond to requests concerning this data.

Article 5 — How to exercise rights and contact details

For any request relating to the exercise of their rights or for any question concerning this policy, users may contact IDnow’s Data Protection Officer (DPO):

By email: dpo@idnow.io
By post: IDnow DPO — 122 Rue Robert Keller — 35510 Cesson-Sévigné, France

In the event of an unsatisfactory response, users retain the right to lodge a complaint with the CNIL:

Online: https://www.cnil.fr/fr/plaintes
By post: Commission Nationale de l’Informatique et des Libertés — 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07

Article 6 — Secure deletion and traceability

Data deletion is carried out according to technical procedures that guarantee the irreversibility of the erasure (e.g. multiple overwriting, cryptographic destruction of encryption keys).

Purpose of the processing

YRIS is an identity provider that allows you to create and use a digital identity.

The resulting treatment consists of 2 complementary operations:

  • Verification of the user’s identity by means of partially automated controls, reviewed, completed and validated by a human operator;
  • Management of the user’s identity life cycle (in particular management of user requests: support, revocation, etc.).

Processed data

According to the CNIL, the categories of data collected in the context of the use of YRIS are the following:

  • Marital status, Identity, Identification data, Images ► image of the identity document, videos of the identity document, information extracted from it and video challenge
  • Login data ► email address and phone number
  • Internet ►cookie consent and browsing data on this site only.

Mandatory nature of data collection: the collection of the first two categories of data is mandatory to create a YRIS identity. However, the collection of navigation data is not compulsory: the user can refuse the deposit of a cookie in his browser on his first visit to the site, used exclusively for audience measurement purposes.

Automated decision-making: provides the possibility of automated decision making, if the user so chooses.

People involved

The data processing concerns any user who wishes to create an YRIS digital identity.

Recipients of the data

The data is collected by the company IDnow, which acts here as a Data Controller in the sense of the General Data Protection Regulation (GDPR). In order to improve its machine learning and deep learning technologies, the first category of data mentioned above is exploited exclusively by the IDnow R&D team.

The storage of (fully anonymized) audience measurement data is provided by the company Google. Google acts as a subcontractor on behalf of IDnow and processes the data in accordance with IDnow guidelines. In this sense, we retain full rights to collect, access, store and delete your data at any time.

Duration of data retention

IDnow applies the RGPD’s retention period limitation principle to data processed in connection with the provision of the service:

  • Information extracted from the identity document: 5 years, in accordance with the requirements of the European eIDAS regulation
  • Email address and phone number: 5 years
  • Title images and video challenge: 96 hours
  • Consent cookie: 13 months, in accordance with French law

Security

In accordance with the RGPD, IDnow and all subcontractors under its responsibility are bound by a security obligation. The following measures – non-exhaustive list – are therefore implemented:

  • The protection (“encryption”) of your data exchanged between your browser and our services is provided by HTTPS
  • Duplication of data so that it remains available in the event of a disaster
  • ISO 27001:2017 security certification for the data center used by IDnow hosting users’ digital identity, as well as for the systems, applications, personnel, technology, processes and data centers on which Google Analytics relies.

Your rights concerning you

If you have any questions about this Privacy Policy or if you would like more information about how your information is used or shared, please feel free to contact us using the following information:

What the law says: You can access and obtain a copy of the data concerning you, object to the processing of this data, have it rectified or deleted. You also have the right to limit the processing of your data.

Understand your rights and freedoms

Exercising your rights: IDnow’s Data Protection Officer (DPO) is your contact for any request to exercise your rights regarding this processing.

  • Contact the DPO electronically: dpo@idnow.io
  • Contact the DPO by mail: IDnow DPO, 122 rue Robert Keller, 35510 Cesson-Sévigné, France

If you feel, after contacting us, that your rights regarding your data are not being respected, you may submit a complaint to the Commission Nationale de l’Informatique et des Libertés.

The application

Download the free mobile application and follow the instructions

YRIS is available for all mobile carriers

Download on the App Store
Get it on Google Play