Last Revised: October 21, 2021

PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING THE SERVICES

VeriKlick LLC (“VeriKlick” “we,” “us,” or “our”), recognizes the importance of your privacy. This Privacy Policy outlines the types of Personally Identifying Information (“PII”) we gather when you use our website at: www.VeriKlick.com as well as any website made available by VeriKlick with this Privacy Policy (collectively, the “Website”) and how we use that information. It is important to review this Privacy Policy in its entirety and it should be read in conjunction with our Website Terms of Use, into which this Policy is incorporated by reference.

As part of the operation of the Website, certain pieces of information are gathered about the users (individually, “you” or a “User” and collectively, “Users”). This Privacy Policy contains explanations regarding the types of information collected, what is done with such information, and how to correct or change the information. By using our Website, you agree to the terms of this Policy. This Policy may change from time to time (see below, “Changes to this Policy”). Your continued use of our Website after we make changes is deemed to be acceptance of those changes, so please check the Policy periodically for updates.

This Policy applies to information we collect on this Website or in emails and other electronic messages between you and this Website, and information gathered when you interact with our advertising on third-party websites if such advertisements include links to this Policy. This Policy does not apply to information collected by us offline or through any other means, including on any other website operated by VeriKlick or any third party, or information collected by any third party through any application or content (including advertising) that may link to or be accessible from the Website (for further information, see below, “Third-party Websites”).

The Information We Collect Introduction

Privacy and the protection of personal data (or “personally identifiable information” or simply “PII”) are very important to VeriKlick LLC, (“VeriKlick”). This Privacy Policy explains the personal data VeriKlick collects in its database, why we collect it, how we process it, and how we protect and manage it over time.

VeriKlick is a software company specializing in Audio, Video, Face, and Voice biometric technology. Our products are commonly used by our clients and partners to evaluate speech samples to help verify or identify their end customers, as well as to help identify instances where identity fraud may be occurring within their customer base.

Since our inception in 2018, VeriKlick has designed and built our software offerings with strong data security and protection of individual privacy in mind.

This Privacy Policy applies to all VeriKlick clients and partners, and whenever appropriate, to their end customers.

VeriKlick’s Role as a Custodian

VeriKlick offers its voice biometric software products via our Software-as-a-Service (“SaaS”) delivery model, which utilizes a standard request-response exchange through our secure API. All requests for VeriKlick’s services are made by software applications that are fully created, controlled, and managed by our clients and partners on behalf of their end customers. VeriKlick is therefore a business-to-business (B2B) entity. Veriklick Offers Service of Voice and Face recognition to their Clients solely for the purpose of Identity verification of the person attending the Interviews for their internal purpose or Customer base. Veriklick has no role to play beyond that.

Due to this technical relationship with our clients and partners, VeriKlick further recognizes our unique role as that of “custodian” for the data that is sent to us. At no point does VeriKlick own any of the data which is sent to us by our clients and partners. We instead are custodians of the data clients and partners send to us, managing it as they instruct us to, either by API instruction or in writing. More information about VeriKlick’s role as custodian is provided in the remainder of this document.

Types of Information Collected

Our Customers collect Personally Identifying Information that you provide to VeriKlick. “Personally Identifying Information” is information that individually identifies you, such as your:

• First and last name;
• physical address;
• phone number;
• e-mail address;
• comments or messages provided in free-form text fields; and any other information that would allow someone to identify or contact you.
• Voice enrollment for Voice biometrics and Picture ID for Face biometrics enrollment You may provide us Personal Information when you:
• request information;
• schedule a demonstration;
• submit an employment application; or
• subscribe to our emails.
• Attend Video or Phone interviews with our clients\users

The information that you provide in each case will vary, and of course, you may choose not to provide VeriKlick with Personally-Identifying Information. In some cases, you may be able to provide Personal Information via email or free-form text fields, such as contacting VeriKlick to request further information. When providing your Personal Information, please provide only relevant information and do not provide unnecessary sensitive information, such as Social Security numbers, credit card information or other sensitive personal data.

Personal Data We Collect FACE Enrollment and biometrics

Veriklick collects the absolute minimum amount of personal data possible, and only enough to perform the vision biometric processing that our clients and partners require. This includes:

• Image/Video samples, which are typically provided as data files (JPG, MP4, etc) or URL links to such files.
• Required or optional text-based descriptions of image/video sample content. Image/Video samples are used by Veriklick and Third-party to build templates for the persons submitted by our client and partner systems. Image/Video samples are also used within various statistical and deep learning processes to create classification models, scoring models, and support other vision biometric functions within Veriklick PaaS. Image/Video samples can also be used when troubleshooting support requests made by our clients and partners, as well as to help Camvi make improvements to the quality of AI modeling capabilities.
• Classification data may be used internally by the Veriklick PaaS to make certain processes more efficient. For example, if attempting to match an image sample to templates in a large database, we may use gender classification information to remove non-matching templates from consideration – and provide a faster response.
• Given the nature of Veriklick business, we also use image/video data and generalized internal system statistics to analyze our performance, meet information security and legal obligations, research alternative ways for us to offer our services, and other related tasks central to maintaining, operating and improving our core technology.

Access to Service – for Face Biometrics

Subject to these Terms, and during the applicable Subscription Term, Customer may access and use the Service for your own business purposes in accordance with these Terms and pursuant to the terms of any outstanding Order, including such features and functions as the Order requires. The rights granted to you are non-exclusive, non-sublicensable, and non-transferrable.

(a) Users are granted access, by Veriklick, to the user interfaces of the Service for the purpose of evaluating/testing the Applicants and Video and voice interviews.

(b) Customer products and services that access the Service do so directly via REST API (Data Encryption).

(c) Customer provides such products and services to their End Users directly.

(d) Veriklick will send data to third party services that will administer the Service for the Customer and will provide any and all End Users in the form of “Customer/Use-Case Keys” (“CUC-Keys”) to enable Customer to segregate usage by End User and/or Users usage.

End-User Consent – By Clicking on the link You will provide CONSENT to use your Picture ID for enrollment and verification purpose

Responsibility for Customers – You are solely responsible for your relationship with your End Users, and how they use your products and services which use our Service.

Credentials – You must require that all Users keep their login credentials (username, password), API Keys and Keys strictly confidential and do not share such information with any unauthorized person or entity. Usernames are issued to individual, named persons and may not be shared. API and Keys are issued to You specifically to be used within your products and services. You are responsible and liable for any and all actions taken using login credentials, and any charges incurred by use of the API/CUC Keys, issued to you, and you agree to notify us immediately of any unauthorized use and to use best efforts to stop said breach. Domain Name Ownership – Where you are required to specify a domain for the operation of the Service, we may verify that you own or control that domain. If you do not own or control the domain you specify, then we will have no obligation to provide you with the Service.

Acceptable Use and Restrictions – Customer shall comply with the AUP. Except as otherwise expressly permitted in these Terms or applicable Order, you will not: (a) reproduce, modify, adapt or create derivative works of the Service; (b) rent, lease, distribute, sell, sublicense, transfer or provide access to the Service to a third party; (c) interfere with or otherwise circumvent mechanisms in the Service intended to limit

Compliance with Laws – In its use of the Service, Customer shall comply with all applicable laws, including without limitation laws governing the protection of personally identifiable information and other laws applicable to the protection of Customer Data.

Risk of Exposure – User\Customer recognizes and agrees that hosting data online involves risks of unauthorized disclosure or exposure and that, in accessing and using the Service, the Customer assumes such risks. Provider offers no representation, warranty, or guarantee that Customer Data will not be exposed or disclosed through errors or the actions of third parties.

Transaction Data. A “transaction” in the Veriklick database refers to an individual session where an API call is made by a client or partner application to a Veriklick product. A typical example is an automated identification application that prompts users to take a screen shot, selfie or a short video clip. These interactions typically occur over the course of several seconds up to a couple minutes. When finished, Veriklick can provide a verification score through third-party services back to the client or partner system, etc. The samples and calculations associated with such uses are stored as unique transactions for logging, analysis, reporting and billing.

The default retention policy for data related to Face biometrics is 365 days for all transaction data as the Services user interface requires such data in order to present certain usage statistics and performance measures over a rolling twelve (12) month period. This default can be changed by mutual written agreement, but must always be sufficiently long enough to allow adequate time for Veriklick and its clients and partners to investigate any transaction-specific inquiries, validate monthly itemized billing, etc.

• Enrollment Data. Enrollment in the context of Veriklick Service refers to the process of creating a template from one or more source files sent to us by client and partner systems.

By default, Veriklick keeps all source files that were used to create an individual template for as long as our clients and partners wish to keep the user’s template active with the Veriklick System. There are several reasons for this: Templates can be “adapted” periodically over time by dynamically rebuilding them as the end customer uses the system. As an example, adaptation is very useful to model changes to images/videos that occur as the subjects visual appearance changes over time. As Veriklick\Third party changes its existing vision biometric technology or introduces new vision biometric processing algorithms, it is useful to automatically re-enroll subjects as a matter of convenience.

To address disaster recovery (DR) guidelines, should Veriklick database of templates get corrupted, we will be able to recover them by running recovery scripts against source files, again as a matter of convenience to our clients and partners.

Upon written request, Veriklick at privacy@veriklick.com can provide clients with the option to NOT store image/video samples associated with Persons. The caveat is that the advantages listed above will NOT be available to the client or partner for any of its applications’ End Users. In the context of the information provided above, the Veriklick\Third party can configure the Service to destroy all image/video files immediately and not store them. A source file that is sent to the System can be processed and destroyed within memory and never be written anywhere. Again, due to the nature of Veriklick’s business, there are several disadvantages to this approach. However, the decision remains available to our clients and partners upon written request.

• Derived Personal Data. All derived data is created as part of normal transaction processing that occurs at the direction of client and partner system requests. Thus, the data retention policy for these elements is inherited by the settings used for Transaction Data.

• Administrative Data. Any administrative (contact) data is retained in Veriklick database for the life of the active contract with the respective client or partner. In some cases, there are data retention policies or legal requirements to store data after it is no longer actively being used. In these cases, and upon written request by our client or partner, Veriklick will implement a custom retention period. However, under no circumstances will Camvi modify a data retention period to exceed terms allowed by Applicable Law.

Personal Data We Collect For Voice Enrollment and Biometrics

VeriKlick collects the absolute minimum amount of personal data possible, only enough to perform the voice biometric processing that our clients and partners require:

• Speech samples, which are typically provided as WAV files or via media streaming
• Optional text-based descriptions of speech sample content
• Optional telephone numbers for certain client applications

NOTE: Personal data (PII) is only sent to the third party Platform via our secure API and is always associated with a “hashed” user id. This hashed user id is generated and managed by our clients and partners, so they are the only ones who know how to associate VeriKlick Platform information back to actual individuals.

Personal Data We Derive For Voice biometrics

This additional category of Personal Data is also considered in the context of this Privacy Policy. Derived personal data is created by the normal operation of our software products. Examples include:

• Voiceprints. A voiceprint (or “template” or “model”) is the output of our voice biometric software processing that represents the unique vocal characteristics of an individual user.
• Classification Data. VeriKlick’s voice biometric technology also can “classify” speech samples that are sent via one of our published APIs.

How We Use Personal Data For Voice Enrollment and biometrics

VeriKlick only uses the data we collect and derive to provide the specific services our clients and partners contract with us for:

• Speech Samples. Speech samples (WAV files) are used by VeriKlick to build voiceprints for the end users of our client and partner systems. Speech samples are also used within various statistical and deep learning processes to create classification models, scoring models, and support other voice biometric functions within VeriKlick’s platform. Speech samples can also be used when troubleshooting support requests made by our clients and partners, as well as to help VeriKlick make improvements to the quality of our signal processing and deep learning modeling capabilities.
• Classification Data. Classification data is used internally by the VeriKlick Platform to make certain processes more efficient. For example, if attempting to match a male’s speech sample to voiceprints in the database.
• Content Descriptions (Optional). For clients using active prompting, we can optionally accept content descriptions when their samples are sent to the VeriKlick Platform.
• Telephone Numbers (Optional). Telephone numbers are needed by third-party partners of VeriKlick to support optional telephone and interactive voice response (IVR) functions within our system. For instance, if one of our clients or partner systems requests that we place an automated outbound call to one of their end users to obtain speech samples from them for verification purposes, we need an appropriate phone number to provide to an IVR and telephone partner to honor this request. Veriklick outbound calls are also used to register voice sample for Voice Verification

Given the nature of VeriKlick’s business, we also use speech data and generalized internal system statistics to analyze our performance, meet information security and legal obligations, research alternative ways for us to offer our services, and other related tasks central to maintaining, operating, and improving our core technology.

Information We Collect Automatically When You Use the Website

When you access or use the Website, we may automatically collect information about you using automated tools called cookies detailed below. These cookies may collect information about your behavior and your computer system, such as your internet address (IP Address), the pages you have viewed, and the actions you have taken while using the Website. We also use services to analyze activity that collects information from you through the use of tags. A tag is a specific string of numbers and letters that is assigned to your computer or device, but does not name you. The tag allows us to track usage data of the Website, such as date and time of visit, duration of visit, Website traffic patterns, type of browser used, operating system/platform used, IP address, and websites that referred computer or device. This is reported in the aggregate and is not specific to you. This data is relied on to inform us how users are using the Website and to help us improve the Website. Some of the cookies we use to automatically collect information about you may include:

1.Cookies. A “cookie” is a small data file transmitted from a website to your device’s hard drive. Cookies are usually defined in one of two ways, and we may use both of them: (1) session cookies, which do not stay on your device after you close your browser, and (2) persistent cookies, which remain on your device until you delete them or they expire. We use the following categories of cookies on our Website.
1.Strictly Necessary Cookies. These cookies are essential in order to enable you to move around the Website and use its features. Without these cookies, services you have requested, such as maintaining a record of your purchased items (e.g. a shopping cart), cannot be provided. 2. Performance Cookies. These cookies collect anonymous information on how people use our Website to help us understand how you arrive at our site, browse or use our Website and highlight areas where we can improve, such as navigation. The data stored by these cookies never shows personal details from which your individual identity can be established.
2. Functionality Cookies. These cookies remember choices you make such as the country from which you visit our Website, your preferred language, and your search parameters. This information can then be used to provide you with an experience more appropriate to your selections and to make your visits to our Website more tailored to your preferences. The information in these cookies may be anonymized. These cookies cannot track your browsing activity on other websites.
3. Targeting Cookies or Advertising Cookies. These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third-party advertising networks. One such trusted third-party partner is Google Analytics. The Website sends aggregated, non-Personal Information to Google Analytics for the purpose of providing us with the ability to conduct technical and statistical analysis on the Website’s performance. For more information on how Google Analytics supports the Website and uses information sent from the Website, please review Google’s privacy policy available at https://policies.google.com/technologies/partner-sites. Of course, if you do not wish to have cookies on your devices, you may turn them off at any time by modifying your internet browser’s settings. However, by disabling cookies on your device, you may be prohibited from full use of the Website’s features or lose access to some functionality.

• Web Beacons. A Web Beacon is an electronic image. Web Beacons can track certain things from your computer and can report activity back to a web server allowing us to understand some of your behavior. If you choose to receive emails from us, we may use Web Beacons to track your reaction to our emails. We may also use them to track if you click on the links and at what time and date you do so. Some of our third-party marketing partners may use Web Beacons to track your interaction with online advertising banners on our Website. This information is only collected in aggregate form and will not be linked to your Personal Information. Please note that any image file on a webpage can act as a Web Beacon.
• Embedded Web Links. Links provided in our emails and, in some cases, on third-party websites may include tracking technology embedded in the link. The tracking is accomplished through a redirection system. The redirection system allows us to understand how the link is being used by email recipients. Some of these links will enable us to identify that you have personally clicked on the link and this may be attached to the Personal Information that we hold about you. This data is used to improve our service to you and to help us understand the performance of our marketing campaigns.
• Third-party Websites and Services. We work with a number of service providers of marketing communications technology. These service providers may use various data collection methods to improve the performance of the marketing campaigns we are contracting them to provide. The information collected can be gathered on our Website and also on the websites where our marketing communications are appearing. For example, we may collect data where our banner advertisements are displayed on third-party websites.
• Social Media Features and Widgets. The Website includes social media features and widgets. These features may collect your IP address, which page you are visiting through the Website, other information, and may set a cookie to enable the feature to function properly. Social media functions are either hosted by a third party or hosted directly through the Website. Your interactions with these features are governed by the privacy policy of the company providing them.

Using the Information

Use in General. We may use your information for a variety of purposes, including to:

• Provide, operate, maintain and improve the Website;
• Respond to your comments, questions, and requests and to provide customer service and support;
• Prevent potentially illegal activities;
• Fulfill your requests;
• Provide information that is relevant to you;
• Monitor and analyze trends, usage, and activities in connection with the Website and for marketing or advertising purposes; and
• For other purposes about which we notify you.
• Use of Aggregate or De-Identified Information. In addition to the individual data use described in this Privacy Policy, we may aggregate information about you and other individual users together, or otherwise de-identify the information about you, so that the information does not identify you personally. We may use information in these forms for a variety of purposes, including for research and analysis, administration of the Website, and advertising.

Sharing and Disclosure of Information

VeriKlick complies with all Federal and State laws concerning data protection. We will not share Personally Identifying Information about you with any third parties except as described in this Privacy Policy. We will share your Personal Information with the following third parties in order to fulfill the service that they provide to us. These third-parties are under contract to keep your Personal Information secure and not to use it for any reason other than to fulfill the service we have requested from them.

• Service Providers. We may share your Personally Identifying Information with third-party vendors, contractors, and other service providers working on behalf of VeriKlick and require access to your Personally Identifying Information to carry out that work.
• Compliance with Laws. We may disclose your Personally Identifying Information to a third party if (1) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (2) to enforce our agreements, policies, or Terms of Use, (3) to investigate and help prevent security threats, fraud, or other malicious activity, (4) to protect the rights or personal safety of VeriKlick employees, or (5) to respond to an emergency which we believe in good faith requires us to disclose such information to assist in preventing the death or serious bodily injury of any person.
• Affiliates. We may share information we have collected under this Privacy Policy with affiliates of VeriKlick for use as otherwise described in this Privacy Policy.

There are circumstances where VeriKlick may decide to buy, sell, or reorganize its business in selected countries. Under these circumstances, it may be necessary to share or receive Personal Information with prospective or actual partners or affiliates. In such circumstances, VeriKlick will ensure your information is used in accordance with this Policy.

For those customers that would like more information about our use of Customer Account Data or Customer Usage Data, you have the ability to request:

• that we provide details about the categories of personal information that we collect about you, including how we collect and share it;
• that we provide you access to the personal information we collect about you; and
• that we delete the personal information we have about you.

Sharing of Personal and Derived Data

VeriKlick never shares any of the personal data we collect or derive with any outside companies. The data that client and partner systems send to us never leaves VeriKlick computing systems, unless an authorized client or partner administrative user logs into one of VeriKlick’s administrative tools to download audio samples for troubleshooting (listening) purposes, run a report, etc.

Since VeriKlick’s voiceprints are unable to be used or interpreted by any system other than VeriKlick software, we have specifically designed our products to NOT be able to export voiceprints for anyone, at any time. Contact Information. Contact information provided to VeriKlick is only used to get back in touch with individuals who request that we do so (most typically through the “Contact Us” method on the VeriKlick website). For our clients and partners, their contact information is only used for legal documents, billing purposes, and normal business communications to support our contractual obligations. Any contact information received by VeriKlick is never sold or provided to any third parties for any reason.

Third-Party Websites

On occasion, the Website provides “hyperlinks” to third-party websites. For example, VeriKlick contracts with a third party to host its open employment positions and process any applications for those positions. Please note that VeriKlick does not endorse these websites and is not responsible in any way for the privacy practices of other websites and recommends you review the privacy policies of those other companies’ websites before using them.

Consent and Access & Control for Personal Data

As noted previously, all data that VeriKlick collects are provided by users under the control of our clients and partners. In the context of API-based data, VeriKlick in fact has no idea who ANY client or partner end customers are related to the speech samples being submitted. Thus, it is impossible for VeriKlick to provide data collection choices, or direct access and control information, to end users of our technology.

Consent. Management of the initial and on-going consent of any end customer of our clients and partners to participate in a voice biometric process, is ultimately the responsibility of our clients and partners. Thus, any end customers who have concerns about consent should contact the appropriate organization directly.

Access and Control. VeriKlick does provide a variety of access and control tools to authorized administrative users of our clients and partners – so that they are able to fulfill legal obligations they have regarding their use of VeriKlick technology relative to their end customers’ personal data. These tools allow authorized users to create individual entries in VeriKlick’s database on behalf of their end customers, edit or modify relevant user data, report on this data, or delete this data (in its entirety). In other words, VeriKlick provides full control over all user data that is contained in our systems – to our clients and partners. Thus, any end users of our client and partner systems who have concerns regarding access to, and control of, their personal data should contact the appropriate organization directly.

How VeriKlick Secures Data

VeriKlick takes information security very seriously and has implemented numerous processes and policies to protect the data that is sent to our system or derived internally by normal operations. These are broken into three categories: Physical, Network, and Application. We limit 3rd party sharing and utilize technological controls wherever appropriate that include encryption and data anonymization techniques. Unfortunately, no data storage system, or system of transmitting data over the Internet or wireless network, can be guaranteed to be 100% secure, and no security system can prevent all security breaches. As a result, we do not and cannot guarantee the security of our servers, the means by which personal information is transmitted between your computer or device and our servers, or any personal information provided to us or to any third party to or in connection with the Website or otherwise.

Security. VeriKlick’s U.S. data centers are in AWS NORTH AMERICA REGION and TWILIO Please read Twilio Privacy Policy Twilio Privacy Statement

Please read AWS Data Privacy Policy Data Privacy – Amazon Web Services (AWS)

Network Security. VeriKlick’s hosting servers are deployed behind dedicated firewalls. Firewalls are deployed to prevent unwanted traffic from reaching our servers. These devices enforce the use of the HTTPS protocol for all API communications to VeriKlick’s data centers. Note that securing data in transit is mandatory for any VeriKlick product (all traffic must be HTTPS).
In addition to requiring HTTPS communications, several other levels of network security occur at the software level. First, within our data centers, network traffic and intrusion detection monitoring is being performed constantly (24×365) by our monitoring team. Second, there are periodic penetration tests that are performed by third party companies. And third, all VeriKlick APIs require the mandatory use of security tokens for access; no tasks can be performed without supplying active and valid tokens provisioned by VeriKlick.

Network Security. VeriKlick’s hosting servers are deployed behind dedicated firewalls. Firewalls are deployed to prevent unwanted traffic from reaching our servers. These devices enforce the use of the HTTPS protocol for all API communications to VeriKlick’s data centers. Note that securing data in transit is mandatory for any VeriKlick product (all traffic must be HTTPS).

In addition to requiring HTTPS communications, several other levels of network security occur at the software level. First, within our data centers, network traffic and intrusion detection monitoring is being performed constantly (24×365) by our monitoring team. Second, there are periodic penetration tests that are performed by third party companies. And third, all VeriKlick APIs require the mandatory use of security tokens for access; no tasks can be performed without supplying active and valid tokens provisioned by VeriKlick.

Clients and partners who elect to deploy VeriKlick products within their own data center(s) should plan to provide similar levels of hardware- and software-based network security protocols.

Application Security. VeriKlick’s software products have multiple built-in features to help further secure our customer and partner data. These occur at the data model, voiceprint, and application level.

Voiceprints. VeriKlick’s voiceprints are natively secure. Voiceprints are voice recordings – they are converted to mathematical models of the unique elements of a person’s speech which are derived from either a “feature extraction” process or a “deep learning” process, depending on the core voice biometric technology being used. Voiceprints can’t be listened to and cannot be reverse-engineered into speech. VeriKlick uses a third party proprietary voiceprint data storage format that is not published and which can only be interpreted by an active instance of Third party voice biometric engine. So, in the highly unlikely event that someone ever obtained access to the third party voiceprint, there is nothing they could do with it.

How Long We Store Your Customer Account Data

We will store your Customer Account Data as long as needed to provide you with our services and to operate our business. If you ask Veriklick to delete specific personal information from your Customer Account Data (see ‘How To Make Choices About Your Customer Account Data’ below), we will honor this request unless deleting that information prevents us from carrying out necessary business functions, like billing for our services, calculating taxes, or conducting required audits.

Data Retention Policy

VeriKlick only stores personal data as is needed by our clients and partners to meet various contractual and legal obligations they are subject to. There are a wide range of needs and situations to address that go beyond the scope of this document; however, some of the more common considerations include:

• User Transaction Data. A “transaction” in the VeriKlick database refer to an individual session where an end user provides audio samples via a client or partner application to a VeriKlick product. A typical example is an automated IVR process or mobile application that prompts users to speak various phrases. These interactions typically occur over the course of several seconds up to a couple minutes. When finished, VeriKlick can create a voiceprint, or provide a verification score back to the client or partner system, etc. The samples and calculations associated with these individual sessions are bundled into a unique transaction for logging, analysis, and reporting. 1. The default retention policy is 365 days for all client and partner transaction data. This is generally adequate time to allow for VeriKlick and its clients and partners to investigate any transaction-specific inquiries, validate monthly itemized billing, etc. Note: this default can be changed upon written client request.
• Enrollment Data. Enrollment in the context of VeriKlick systems refers to the process of creating a voiceprint from one or more samples of speech sent to us by client and partner systems. These speech samples are typically provided as WAV audio files or via media streaming.
  1. By default, VeriKlick keeps all source WAV files or media streams that were used to create an individual voiceprint for as long as our clients and partners wish to keep the user’s voiceprint active with the VeriKlick System. There are several reasons for this:
  • Voiceprints can be “adapted” periodically over time by dynamically rebuilding them as the end customer uses the system. As an example, adaptation is very useful to model changes to speech samples that occur as end customers change their cell phones periodically, or change carriers, or move to a new city, etc.
  • As VeriKlick changes its existing voice biometric technology, or introduces new voice biometric processing algorithms, it is useful to automatically re-enroll end customers as a matter of convenience.
  • To address disaster recovery (DR) guidelines, should VeriKlick’s database of voiceprints get corrupted, we will be able to recover them by running recovery scripts against source WAV files, again as a matter of convenience to end users.
  2. Upon written request, VeriKlick can provide clients with the option to NOT store speech samples associated with end customer enrollment. The caveat is that the advantages listed above will NOT be available to the client or partner for any of its applications’ users.
• Speech Samples. In the context of the information provided above, VeriKlick has settings to destroy all WAV files or media streams immediately – and not store them within transactions, or for enrollment, or any other means. Source audio that is sent to our system can be processed and destroyed within memory and never be written anywhere.
  Again, due to the nature of VeriKlick’s business, there are several disadvantages to this approach. However, the decision remains available to our clients and partners upon written request.
  • Derived Personal Data. All derived data is created as part of normal transaction processing that occurs at the direction of client and partner system requests. Thus, the data retention policy for these elements is inherited by the settings used for User Transaction Data.
  • Administrative Data. Any administrative (contact) data is retained in VeriKlick’s database for the life of the active contract with the respective client or partner.

In some cases, there are data retention policies or legal requirements to store data after it is no longer actively being used. In these cases, and upon written request by our client or partner, VeriKlick will implement a custom retention period. However, under no circumstances will VeriKlick modify a data retention period to exceed terms allowed by Applicable Law.

Disposal of Personal Data

When personal data is no longer needed, VeriKlick provides numerous mechanisms to dispose of it properly. Personal data is stored at different levels within our database, so disposal mechanisms vary. Examples include:

• Individual Users. Once an end user ceases using a client or partner application, the client or partner can delete the user from the active system. This API-driven process is performed by the client or partner application, not VeriKlick. All references to the user will be deleted (User ID, all related transaction data, all voiceprints, and all source speech samples). Destruction of this information is immediate and cannot be reversed.
• Application User Groups. The VeriKlick system is designed to support multiple tenants (applications) so that we can provide custom processing based on different audio sources, dialects, application usage scenarios, and the like. It is possible to delete an entire application user group when that application is no longer needed. This process is initiated by VeriKlick upon written authorization from a client or partner, and includes all references to all users in the application group. It is immediate and cannot be reversed.
• Customers. Clients and partners of VeriKlick’s products are stored as “customers” in the database. The contact information of our clients and partners are used for billing purposes only. Every customer must have at least one active application user group, and at least one active user in each application user group, for billing to occur. It is not unusual for customers to have multiple application user groups. Should a customer or partner ceases to do business with VeriKlick, we will delete them from the database upon mutual, written agreement. NOTE: as part of this process, we also delete all application user groups and related individual users. This is an immediate process and cannot be reversed.

Other Disposal Notes:

• In cases where disposal of personal data conflicts with retention policies defined by Applicable Law, VeriKlick will work with its clients and partners to develop an appropriate disposal strategy.
• Should a request be made to terminate a contract with VeriKlick, VeriKlick’s default data disposal policy will be to immediately dispose of all Customer data (and related Application User Group and Individual User data). Clients and Partners can formally request that this process not occur for a period of 15 days following the effective termination date – to allow time for them to download available personal data from the VeriKlick system.

Children

VeriKlick and its software products are not directed at children. We are a B2B provider of software designed for adults. We do not knowingly collect information from or about children under 13 years of age, and use of our services by children under 13 years of age is forbidden.

Changes to Privacy Policy

VeriKlick reserves the right to modify this Privacy Policy at any time. Any updates to the Privacy Policy will be posted here, and if VeriKlick determines the changes are significant, VeriKlick will notify its clients and partners by email at least thirty (30) days prior to the implementation of the changes.

Should any client or partner object to the changes, email us at privacy@veriklick.com and we will contact you to discuss the matter further. Continued use of VeriKlick’s software services covered under this Privacy Policy after the effective date of the changes constitutes acceptance and agreement to the terms of the updated Privacy Policy.

Your California Rights

Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your Personal Information with third parties for the purposes of third-party marketing to you without your prior consent.
Other than as disclosed in this Policy, the Website does not track users over time and across third-party websites to provide targeted advertising. Therefore, the Website does not operate any differently when it receives Do Not Track (“DNT”) signals from your internet web browser.

If you are a California consumer as defined by the California Consumer Privacy Act of 2018, you may be afforded additional rights with respect to your “Personal Information” as that term is explicitly defined under California law. Any Personal Information we collect is collected for the commercial purpose of effectively operating the Website, communicating with you, as well as enabling you to learn more about, and benefit from, our services. You may exercise each of your rights as identified below, subject to our verification of your identity.

Access: You may email us at privacy@VeriKlick.com to request a copy of the Personal Information our Website databases currently contain.

Prohibit Data Sharing. When applicable, you may prohibit the sharing of your Personal Information by submitting a request via email to privacy@VeriKlick.com. In your email, please explain how you wish us to prohibit the sharing of your personal data, and which categories of third parties you want to prohibit from receiving your Personal Information. When such prohibitions are not possible to provide our services to you, we will advise you accordingly. You can then choose to exercise any other rights under this Policy.

Portability. Upon request and when possible, we can provide you with copies of your Personal Information. You may submit a request via email to privacy@VeriKlick.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Policy.

Deletion. If you should wish to cease use of our Website and have your Personal Information deleted from our Website, then you may submit a request by emailing us at privacy@VeriKlick.com. Upon receipt of such a request for deletion, we will confirm receipt and will confirm once your Personal Information has been deleted. Where applicable, we will ensure such changes are shared with trusted third parties.

We do not sell your Personal Information. If we ever decide to sell Personal Information, we will provide you notice and update this Privacy Policy. In addition, we will post a link entitled “Do Not Sell My Personal Information” by which you can opt out of any such selling of your Personal Information.

In addition, if a California resident exercises his or her rights under California law, including the CCPA (“California Consumer Privacy Act”), we shall not discriminate against that California resident by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.

Transfer and Storage of Information

Your use of the Website may involve your personal information being transferred to, and processed in, ‎countries other than the country in which you reside. These countries may have data protection laws ‎that are different to the laws of your country (and, in some cases, may not be as protective).‎ We are headquartered in the United States, and our Website and Services are hosted in the United States. This means that if you use our Website or Services, and if we collect your ‎personal information through the means described in this Statement, your personal information will ‎be processed by us in the United States. To ensure adequate data protection, as required by global data protection laws, we have put a legal data transfer mechanism in place with which to transfer your personal information from other applicable jurisdictions to the United States. This statement and data transfer mechanism will be provided upon request.

For Website Visitors in the European Union (“EU”)

Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, or “GDPR”), individuals in the EU are afforded specific rights with respect to their Personal Information, or “personal data” as defined under the GDPR. For the purposes of this Policy, VeriKlick operates as a data controller. Any personal data we collect from you is processed in the United States and under the terms of this Policy.

Any personal data we collect from you is processed in the legitimate interest of our business and providing our services to you as the lawful means of such processing. You may always withdraw your consent to our use of your personal data as described below. We will only retain your personal data for the time necessary to provide you the information and services to which you have consented, to comply with the law and in accordance with your rights below.

The Data Controller is: VeriKlick, Inc.

One Gateway Center

Suite 2600 Newark, NJ 07102 privacyeu@VeriKlick.com

You can exercise any of the following rights, subject to verification of your identity, by notifying us as described below:

• Automated Processing and Decision-Making. You may email us at privacyeu@VeriKlick.com to request that we stop using your personal data for automated processing, such as profiling. In your email, please explain how you wish us to restrict automated processing of your personal data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your personal data.
• Correction or Rectification. You can correct what personal data our Website database currently contains by accessing your account directly, or by emailing us at privacyeu@VeriKlick.com to request that we correct or rectify any personal data that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause information to be incorrect. Where applicable, we will ensure such changes are shared with trusted third parties.
• Restrict Processing. When applicable, you may restrict the processing of your personal data by submitting a request via email to privacyeu@VeriKlick.com. In your email, please explain how you wish us to restrict processing of your personal data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your personal data. Where applicable, we will ensure such changes are shared with trusted third parties.
• Object to Processing. When applicable, you have the right to object to the processing of your personal data by submitting a request via email to privacyeu@VeriKlick.com. When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your personal data. Where applicable, we will ensure such changes are shared with trusted third parties.
• Portability. Upon request and when possible, we can provide you with copies of your personal data. You may submit a request via email to privacyeu@VeriKlick.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.
• Withdraw Consent. At any time, you may withdraw your consent to our processing of your personal data through this Website by notifying us via email at privacyeu@VeriKlick.com. Using the same email address associated with your Website account, simply type the words “WITHDRAW CONSENT” in the subject line of your email. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your personal data. Where applicable, we will ensure such changes are shared with trusted third parties.
• Erasure. If you should wish to cease use of our Website and have your personal data deleted from our Website, then you may submit a request by emailing us at privacyeu@VeriKlick.com. Upon receipt of such a request for erasure, we will confirm receipt and will confirm once your personal data has been deleted. Where applicable, we will ensure such changes are shared with trusted third parties.

Submit Complaints or Questions. If you wish to raise a complaint on how we have handled your personal data, you can contact us as described below under “Accountability, Compliance and Contact.” If you reside in a European Union member state, you may also lodge a complaint with the supervisory authority in your country.

EU-U.S. Privacy Shield Framework

VeriKlick participates in and complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. VeriKlick has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. VeriKlick is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit the Department of Commerce’s Privacy Shield website.

Please direct any inquiries or complaints regarding our compliance with the Principles to privacy@VeriKlick.com. VeriKlick designated independent Privacy Shield dispute resolution provider. Under certain conditions specified by the Principles, you may also be able to invoke binding arbitration to resolve your complaint. If VeriKlick shares EU Data with a third-party service provider that processes the data solely on VeriKlick behalf, then VeriKlick may be held liable for that third party’s processing of EU Data in violation of the Principles, unless VeriKlick can prove that it is not responsible for the event giving rise to the damage.

Users Located in Australia

If you are a User who accesses our Website in Australia, this section applies to you. We are subject to the operation of the Privacy Act 1988 (“Australian Privacy Act”).

Here are the specific points you should be aware of:

We will not use or disclose Personal Information for the purpose of our direct marketing to you unless:

• you have consented to receive direct marketing;
• you would reasonably expect us to use your personal details for marketing; or
• we believe you may be interested in the material but it is impractical for us to obtain your consent.

You may opt out of any marketing materials we send to you through an unsubscribe mechanism. If you have requested not to receive further direct marketing messages, we may continue to provide you with messages that are not regarded as “direct marketing” under the Australian Privacy Act, including changes to our terms, system alerts, and other information related to your account as permitted under the Australian Privacy Act and the Spam Act 2003 (Cth).

• Our servers are located in the United States. In addition, we or our subcontractors may use cloud technology to store or process Personal Information, which may result in storage of data outside Australia. It is not practicable for us to specify in advance which country will have jurisdiction over this type of offshore activity. All of our subcontractors, however, are required to comply with the Australian Privacy Act in relation to the transfer or storage of Personal Information overseas.
• We may also share your Personal Information outside of Australia to our business operations in other countries. While it is not practicable for us to specify in advance each country where your Personal Information may be disclosed, typically we may disclose your Personal Information to the United States, Canada and the European Union.
• You may access the Personal Information we hold about you. If you wish to access your Personal Information, you may do so by emailing us at privacy@VeriKlick.com. We will respond to all requests for access within a reasonable time.

If you think the information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps, consistent with our obligations under the Australian Privacy Act, to correct that information upon your request. If you find that the information we have is not up to date or is inaccurate or incomplete, please contact us in writing at privacy@VeriKlick.com, so we can update our records. We will respond to all requests for correction within a reasonable time.

If you are unsatisfied with our response to a privacy matter, you may consult either an independent advisor or contact the Office of the Australian Information Commissioner for additional help. We will provide our full cooperation if you pursue this course of action.

Location of VeriKlick Services

VeriKlick Corporate headquarters is based in the State of New Jersey within the United States. VeriKlick provides access to their Products and Services within the United States, India, Australia, Canada, European Union, United Kingdom, and Mexico. Users’ acknowledge that VeriKlick does not warrant or represent that this Policy, or the Products and Services use of Personal Information, complies with the laws of any other jurisdiction. Further, Users’ acknowledge that Personal Information will be obtained and processed in accordance with this Policy, irrespective of where such information may otherwise be stored.

Safeguards

VeriKlick protects your Personally Identifying Information by using safeguards that it has determined are appropriate to the sensitivity of the information. Unfortunately, neither VeriKlick network nor data transmission over the Internet can be guaranteed to be 100% secure. If you ever feel your information has been compromised or is at risk, please notify us via the “Accountability, Compliance and Contact” information section below.

Accuracy

You have the right to update, modify, amend, or correct errors in your Personally Identifying Information by contacting VeriKlick. We strive to maintain and process your information accurately. We have processes in place to maintain all of our information in accordance with relevant data governance frameworks and legal requirements. We employ technologies designed to help us maintain information accuracy on input and processing.

Accessing Your Personally Identifying Information Once Given

If you believe your Personally Identifying Information is inaccurate, you may contact VeriKlick to amend or delete your Personally Identifying Information. You have the right to request information about the existence, use, and disclosure of your Personally Identifying Information and to challenge the accuracy and completeness of your Personally Identifying Information, and to have your Personally Identifying Information amended where inaccurate or deleted from VeriKlick database. To do so, simply e-mail VeriKlick at the e-mail address set forth in this Privacy Policy.

Changes to This Policy

Please note this Privacy Policy is subject to change from time to time.

Accountability, Compliance and Contact

VeriKlick takes our responsibility to protect your information very seriously. VeriKlick reassures our compliance with this Privacy Policy and applicable legal standards to keep your information secure. For additional questions or inquiries, please direct in the following manner:

Located in the United States, India, and Canada. All questions and inquiries can be directed to a VeriKlick representative at privacy@VeriKlick.com.