1. Introduction

Fyio Technologies Limited (“Fyio”, “we”, “us”, “our”) is committed to protecting and respecting your privacy.

Fyio provides a secure ecosystem that enables individuals and organisations to store, verify, manage and control access to identity documents and other sensitive personal data.

This Privacy Policy explains:

  • What personal data we collect
  • How and why we process it
  • The lawful bases we rely on
  • How we protect it
  • Your rights under applicable data protection laws

This Policy applies to:

  • Visitors to our websites
  • Users of the Fyio consumer app
  • Enterprise customers using Fyio Pro
  • Individuals whose data is processed as part of identity verification services

This Policy is designed to comply with:

  • UK GDPR
  • EU GDPR (where applicable)
  • Data Protection Act 2018
  • Applicable international data transfer requirements
2. Data Controller and Contact Details Legal Entity:

Fyio Technologies Limited

International House

64 Nile Street

London N1 7SR

United Kingdom

Email: admin@fyio.app 

Fyio acts as:

  • Controller for consumer app users 
  • Processor for Fyio Pro enterprise customers (see Section 11)

If you have questions regarding this policy or wish to exercise your rights, contact us using the details above.

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

3. Categories of Personal Data We Collect

We may collect and process the following categories:

3.1 Identity and Contact Data

  • Name
  • Date of birth
  • Email address
  • Telephone number

3.2 Account Data

  • Login credentials (securely stored)
  • Subscription status

3.3 Transaction Data

  • Subscription history

3.4 Technical Data

  • IP address
  • Device identifiers
  • Browser type and version
  • Operating system
  • Log data
  • Usage analytics

3.5 Identity Verification Data

Where identity verification services are used, we may process the following categories of identity verification data: 

  • Passport or driving licence data 
  • National ID document data
  • Document images
  • Facial images (including selfies or video capture)
  • Liveness detection outputs, verification results
  • Fraud detection indicators

Identity verification services are delivered through carefully selected third-party identity verification providers. These providers may process and securely store identity verification data on our behalf in order to:

  • Perform document authentication
  • Conduct biometric comparison and liveness checks
  • Generate verification outcomes
  • Maintain audit and compliance records
  • Prevent fraud and identity misuse

We require such providers to maintain appropriate technical and organisational security measures and to process personal data only in accordance with applicable data protection law and our written instructions where they act as our processors.

Where these providers act on our behalf as data processors, they do so under written agreements that are intended to comply with applicable data protection requirements, including Article 28 UK GDPR and, where relevant, EU GDPR. Where a provider acts as an independent controller in relation to its own legal, regulatory, fraud prevention, or risk management obligations, its processing of personal data will be governed by its own privacy notice and legal responsibilities.

3.6 Personal Data Obtained from Third Parties [Article 14 Disclosure)]

In some cases, Fyio receives or otherwise processes personal data about individuals from sources other than the individual directly, including:

  • Enterprise customers (for example, where your employer or contracting organisation uses Fyio Pro)
  • Identity verification and fraud prevention partners
  • Publicly available or legally accessible sources, where permitted by law

Where personal data is introduced into or generated within the Fyio ecosystem through consumer or enterprise workflows, Fyio will process that data for the following purposes:

  • To provide identity verification, authentication, and fraud prevention services
  • To operate, secure, and maintain the Fyio platform
  • To manage permissions, controlled access, auditability, and enterprise system integrity
  • To comply with legal, regulatory, and audit obligations
  • To support enterprise customers in accordance with documented instructions

The categories of personal data obtained may include identity information, contact details, account and workflow data, identity document data, biometric data (where applicable), verification results, fraud indicators, and technical metadata.

Where protected document data is hosted or rendered within the Fyio ecosystem, Fyio does not ordinarily view the underlying document content unless access is explicitly granted by the data originator for a defined purpose, or where access is otherwise lawfully required.

The lawful bases for such processing are determined by the context in which the data is processed and may include performance of a contract, compliance with legal obligations, legitimate interests (including fraud prevention and platform security), and, where applicable, explicit consent or special category processing conditions under Article 9 UK/EU GDPR.

Where Fyio acts as a data processor, personal data is processed solely on the documented instructions of the relevant enterprise customer, who acts as the data controller and is responsible for providing primary privacy information to affected individuals.

Personal data obtained from third parties is retained only for as long as necessary for the purposes described in this Policy, subject to legal requirements and enterprise customer instructions.

Individuals retain their rights under applicable data protection law, including the right to access, rectify, erase, restrict, or object to the processing of their personal data. Where Fyio acts as a processor, requests may be referred to the relevant data controller.

If required, Fyio will provide this information to individuals within the timeframes and in the manner required by Article 14 UK/EU GDPR, unless an exemption applies.

3.7 Biometric Data and Identity Verification

Where a Fyio Pro customer uses Fyio identity verification functionality to verify the passport or other identity document of an employee, contractor, attendee, or other authorised individual, Fyio may facilitate facial comparison and related identity verification steps through the Fyio Pro and Fyio consumer app environment.

Where facial comparison technology is used, the categories of biometric data processed may include:

  • Facial geometry extracted from images
  • Biometric templates, where applicable
  • Liveness detection outputs, where applicable
  • Verification results and associated fraud indicators

Where such biometric data is processed for the purpose of uniquely identifying or authenticating an individual, it may constitute special category personal data under Article 9 UK GDPR. Fyio will process such biometric data only where it has identified both a valid Article 6 lawful basis and an applicable Article 9 condition.

The applicable Article 9 condition will depend on the context of the verification workflow and the role of the relevant parties. Where appropriate, Fyio or the relevant Fyio Pro customer may rely on the individual’s explicit consent under Article 9(2)(a) UK GDPR. Where appropriate and lawful, Fyio or the relevant Fyio Pro customer may instead rely on Article 9(2)(g) UK GDPR together with a relevant condition in Schedule 1 to the Data Protection Act 2018, including conditions relating to the prevention of fraud, the prevention or detection of unlawful acts, protecting the public, or regulatory requirements, where the statutory requirements for that condition are met.

Where reliance is placed on explicit consent for biometric processing, that consent must be specific to the biometric verification step, clearly presented, capable of being refused or withdrawn in accordance with applicable law, and supported by an alternative non-biometric route where necessary to ensure that consent is freely given and valid.

Where reliance is placed on Article 9(2)(g) UK GDPR and a Schedule 1 condition, the relevant controller will ensure that the processing is necessary, proportionate, and properly documented for the purpose relied upon, and will maintain an Appropriate Policy Document where required by the Data Protection Act 2018.

Fyio supports a controlled-access model in which the data originator, including the Fyio consumer app user who uploaded or anchored the relevant identity document, retains control over access to the underlying document content. Fyio does not ordinarily view the underlying document content unless access is explicitly granted by the data originator for a defined purpose or where such access is otherwise lawfully required.

Where a Fyio Pro user requires third-party viewing of a passport or other protected identity document for a lawful purpose, the Fyio Pro user may notify the relevant Fyio consumer app user and request that the consumer app user grant time-bound viewing access to that third party. Any such access must be limited to an authorised purpose, restricted in duration, and subject to the access controls and audit features of the platform.

Fyio may process biometric data, verification results, access permissions, audit records, and related technical metadata for the purposes of:

  • Carrying out identity verification, authentication, and fraud prevention checks
  • Enabling controlled, time-bound, and auditable access to protected identity data
  • Operating, securing, and maintaining the Fyio platform and associated workflows
  • Maintaining system integrity, accountability, and verification records
  • Complying with applicable legal, regulatory, and audit obligations

Where Fyio acts as a data processor, such processing is carried out solely on the documented instructions of the relevant Fyio Pro customer, who acts as the data controller and is responsible for determining the applicable Article 6 lawful basis and Article 9 condition for the verification activity, for maintaining any required Appropriate Policy Document, and for providing primary privacy information to affected individuals. Where Fyio processes limited personal data for its own purposes, including platform security, fraud prevention, auditability, service integrity, and legal compliance, it will do so only to the extent permitted by applicable law and subject to appropriate technical and organisational safeguards.

Personal data and biometric data processed in connection with identity verification and controlled third-party access will be retained only for as long as necessary for the purposes described in this Policy, subject to applicable legal requirements, retention obligations, and customer instructions.

Individuals retain their rights under applicable data protection law, including, where applicable, the right to withdraw consent and the rights of access, rectification, erasure, restriction, and objection. Where Fyio acts as a processor, requests may be referred to the relevant data controller. Where Fyio is required to respond directly, it will do so in accordance with applicable law.

3.8 User Content

When you use the Fyio consumer app to upload documents or personal data (“User Content”), that content is transmitted to and stored securely on Fyio-managed systems. User Content is encrypted in transit and encrypted at rest. Fyio may access User Content only to the limited extent necessary to operate, secure, maintain and support the service, including storing and delivering files, generating previews, performing integrity and security checks, responding to support requests, and complying with applicable law. Access to User Content is restricted by technical and organisational controls. Fyio does not sell your User Content and does not share it with third parties except where necessary to provide the service, where you direct us to do so, or where disclosure is required by applicable law pursuant to valid legal process. Enterprise (Fyio Pro) environments operate under separate controller/processor arrangements as set out in Section 11.”

3.9 Marketing and Communications Data

  • Preferences
  • Communication history
  • Survey responses
4. Lawful Basis for Processing

We rely on the following lawful bases:

4.1 Contract

Where processing is necessary to provide our services.

4.2 Legal Obligation

Where required by law (e.g., fraud prevention, regulatory compliance).

4.3 Legitimate Interests

Including:

  • Platform security
  • Fraud detection
  • Service improvement
  • Enterprise system integrity
  • Business continuity

We conduct balancing assessments where required.

Where Fyio relies on legitimate interests as a lawful basis for processing, those interests include:

  • Protecting the security, integrity, and resilience of the Fyio platform
  • Preventing, detecting, and investigating fraud, identity misuse, and unlawful activity
  • Ensuring the safety and reliability of identity verification and data-sharing services
  • Maintaining auditability, system performance, and business continuity
  • Improving and developing services in a measured and privacy-respectful manner

In each case, processing is limited to what is necessary for the stated purpose and is subject to appropriate technical and organisational safeguards.

Fyio has carried out legitimate interests assessments where required and has concluded that these interests do not override the fundamental rights and freedoms of individuals. Individuals may object to processing based on legitimate interests, and such objections will be considered in accordance with applicable data protection law.

4.4 Consent

Where required (e.g., marketing communications, certain biometric processing contexts).

4.5 Special Category Data and Biometric Processing

Where biometric data is processed for the purpose of uniquely identifying or authenticating an individual, it may constitute special category personal data under Article 9 UK/EU GDPR.

In such cases, Fyio will identify and rely on:

  • A valid Article 6 lawful basis for the processing, and
  • Where required, an applicable Article 9 condition for processing special category data.

Depending on the context, the applicable Article 9 condition may include:

  • Explicit consent, where biometric verification is offered on a consent basis and such consent is valid under applicable law, or
  • Another condition permitted by Article 9 UK/EU GDPR and, where relevant, Schedule 1 to the Data Protection Act 2018.

Where Fyio acts as a data processor, the relevant enterprise customer, as data controller, remains responsible for determining the appropriate Article 6 lawful basis and any applicable Article 9 condition for the relevant verification activity.

Further detail on the principal processing activities, lawful bases, and any applicable special category conditions is set out in the Lawful Basis and Special Category Condition Mapping Table below.

4.6 Lawful Basis and Special Category Condition Mapping Table

Processing activity Typical role of Fyio Article 6 lawful basis Article 9 condition where special category data is involved Notes
Create and manage Fyio consumer accountControllerContractNot usually applicableNecessary to provide the Fyio service requested by the user.
Store, organise, render, and manage user-uploaded documents within the Fyio ecosystemController for consumer service functionsContractNot usually applicable, unless the document itself contains special category dataFyio does not ordinarily view underlying document content unless access is granted by the data originator or otherwise lawfully required.
Operate controlled access, time-bound sharing, permission management, and audit logsController for platform operations; processor where done solely for enterprise customer workflowContract and/or Legitimate InterestsNot usually applicable unless special category data is actively processed beyond hosting/renderingLegitimate interests may apply to auditability, access integrity, misuse prevention, and service resilience.
Platform security, threat monitoring, misuse detection, fraud detection, enterprise system integrity, and business continuityControllerLegitimate Interests; Legal Obligation where specifically required by lawArticle 9 not usually applicable unless special category biometric or other special category data is actively analysed for these purposesSupported by legitimate interests assessments where required. Individuals may object where legitimate interests is relied upon.
Service improvement, troubleshooting, testing, analytics, and measured product developmentControllerLegitimate InterestsArticle 9 not usually applicable unless special category data is used, which should be avoided unless clearly justifiedProcessing should be limited, proportionate, and privacy respectful.
Marketing communications to prospects or usersControllerConsent, where required by applicable law; Legitimate Interests where permitted for limited B2B communicationsNot applicableAlign with PECR/e-privacy rules where relevant.
Identity verification requested by a Fyio Pro customer using document and facial comparisonUsually processor for enterprise workflow; controller for limited own purposes such as security and fraud preventionDetermined by the relevant controller; typically Contract, Legal Obligation, or Legitimate Interests depending on the use caseExplicit Consent under Article 9(2)(a) where biometric verification is offered on a consent basis; or Article 9(2)(g) with a relevant Schedule 1 DPA 2018 condition where lawful and necessaryThe ICO says biometric recognition requires both an Article 6 basis and a separate Article 9 condition; explicit consent is often the most appropriate condition, but other conditions may apply depending on context. (ICO)
Biometric verification in contexts where the individual is given a genuine choice and a suitable alternative routeProcessor for enterprise workflow or controller where Fyio determines the means and purposeConsent or another valid Article 6 basis identified by the controllerExplicit Consent under Article 9(2)(a)Best fit where the biometric step is optional and refusal does not create unfair detriment. The ICO stresses that explicit consent must be valid and freely given. (ICO)
Biometric verification for fraud prevention, identity assurance, prevention or detection of unlawful acts, or similar high-trust regulated workflowsUsually processor for enterprise workflow; controller only for its own limited purposesLegal Obligation and/or Legitimate Interests and/or Contract, depending on the controller’s purposeArticle 9(2)(g) plus a relevant Schedule 1 DPA 2018 substantial public interest condition, where the statutory requirements are metUse only where necessary, proportionate, and supportable on the facts. An Appropriate Policy Document is generally required for substantial public interest conditions. (ICO)
Biometric or identity verification in employment-linked or workforce onboarding contexts run by a Fyio Pro customerUsually processorDetermined by enterprise customer as controller; may include Legal Obligation, Contract, or Legitimate Interests depending on the caseMay include Explicit Consent, or an employment / regulatory / substantial public interest condition where applicable and lawfulEnterprise customers remain responsible for determining the correct Article 6 basis and Article 9 condition where Fyio acts as processor. The DPA 2018 also contains employment-related Schedule 1 conditions in appropriate cases. (Legislation.gov.uk)
Third-party viewing of protected identity documents where a Fyio Pro user requests lawful viewing and the consumer user grants time-bound accessUsually processor for enterprise workflow; controller for limited platform controls and loggingContract and/or Legitimate Interests; or Legal Obligation where required by lawNot automatically applicable merely because the document may contain special category data; if special category data is actively processed beyond controlled hosting/rendering, a relevant Article 9 condition is requiredAccess must be lawful, purpose-limited, time-bound, and auditable. Fyio does not ordinarily view the document content unless access is granted or otherwise lawfully required.
Compliance with regulatory, audit, anti-fraud, and law enforcement response obligationsController and/or processor depending on contextLegal Obligation; Legitimate Interests in some casesRelevant Article 9 condition if special category data is processed for that purposeRetain only what is necessary and document the basis relied upon.
Handling data subject rights requestsController and/or processor depending on roleLegal ObligationArticle 9 condition not usually separately relied upon for the response itselfWhere Fyio acts as processor, requests may be referred to the relevant controller.
5. How We Collect Data
  • Directly from you (account creation, uploads, verification)
  • Automatically (cookies, logs, analytics)
  • From enterprise customers (where you are an employee/contractor)
  • From verification partners and fraud prevention services
  • From publicly available sources (for fraud detection, where lawful)
6. How We Use Personal Data

We use personal data to:

  • Register and manage accounts
  • Provide identity verification services
  • Facilitate secure document storage and access control
  • Enable time-bound data access to view
  • Maintain audit logs
  • Prevent fraud
  • Ensure platform integrity
  • Improve services
  • Comply with legal obligations
  • Support enterprise customers

We do not sell personal data.

7. User Content and Access Controls

Users retain control over documents uploaded to the Fyio platform.

Fyio does not access user documents except:

  • Where necessary to provide technical support at your request
  • To maintain system integrity or investigate security incidents
  • To comply with legal obligations
  • Where required under processor instructions from enterprise customers

Access is strictly role-based, logged, and subject to confidentiality controls.

8. Automated Decision-Making

Identity verification may involve automated processing.

Where verification produces a “pass/fail” or confidence score, or fraud or risk indicator:

  • It may involve automated decision-making
  • It may significantly affect you where used by enterprise clients

In broad terms, this automated processing may evaluate information such as the authenticity of an identity document, whether a facial image appears to match the document presented, whether liveness or anti-spoofing checks are satisfied, whether the data submitted is internally consistent, and whether fraud indicators or technical anomalies are detected. The automated output is designed to support identity verification and fraud prevention within the relevant workflow.

Automated verification outcomes are not necessarily final or irreversible. Depending on the context, a verification result may be reviewed, repeated, supplemented with additional information, or referred for human assessment. Whether the outcome is binding will depend on how the relevant Fyio Pro customer uses that result in its own decision-making process.

Fyio does not state that every pass/fail or risk output will amount to a solely automated decision with legal or similarly significant effect for the purposes of Article 22 UK/EU GDPR. Where Article 22 applies, Fyio or the relevant controller will ensure that appropriate safeguards are available, including a means to request human review, express a point of view, and contest the decision. The ICO says that Article 22 applies only to decisions made solely by automated means with legal or similarly significant effects, and that meaningful human involvement takes processing outside those stricter rules.

Where Article 22 applies, you have the right to:

  • Obtain meaningful information about the logic involved
  • Request human review
  • Contest the decision

Requests can be made via admin@fyio.app

9. International Transfers

Personal data may be transferred to and processed in countries outside the United Kingdom and/or the European Economic Area (“EEA”).

Where personal data is transferred outside the UK or EEA, we rely on one or more of the following safeguards:

  • UK International Data Transfer Agreement (IDTA)
  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions issued by the UK Government or European Commission (as applicable)
  • Supplementary technical and organisational safeguards where required

Personal data is primarily hosted on infrastructure located within the European Economic Area (currently Ireland). Transfers from the UK to the EEA are permitted under UK adequacy regulations.

Where users access our services from outside the UK or EEA, or where service providers are located outside those jurisdictions, personal data may be transferred to those locations in order to provide our services.

Where US-based service providers are used (for example, analytics or infrastructure providers), we rely primarily on SCCs and/or the UK IDTA together with supplementary safeguards where required. We monitor regulatory developments relating to transatlantic data transfer frameworks and update our safeguards as necessary.

Copies of relevant transfer safeguards may be requested by contacting admin@fyio.app

10. Security Measures

We implement appropriate technical and organisational measures, including:

  • Encryption in transit and at rest
  • Role-based access control
  • Secure API gateways
  • Segregated production environments
  • 24/7 monitoring
  • Vulnerability scanning
  • Penetration testing
  • Incident response procedures
  • Data minimisation
  • Staff confidentiality obligations
  • Vendor risk assessments

Security controls are reviewed regularly in accordance with risk assessments.

11. Fyio Pro – Controller and Processor Roles

Where Fyio Pro is used by enterprise customers:

  • The enterprise customer acts as Data Controller
  • Fyio acts as Data Processor

Processing is governed by a Data Processing Agreement (DPA) compliant with Article 28(3) UK/EU GDPR.

Our DPA includes:

  • Processing only on documented instructions
  • Confidentiality obligations
  • Security commitments
  • Subprocessor transparency
  • Assistance with data subject rights
  • Breach notification
  • Audit rights
  • Data return/deletion at contract end

A list of subprocessors is available upon request.

12. Data Retention

We retain personal data only for as long as necessary for the purposes for which it is processed.

Retention periods vary depending on the nature of the data, the purpose of processing, legal and regulatory requirements, Fyio’s operational needs, and, where Fyio acts as processor, the documented instructions and retention settings of the relevant enterprise customer.

Typical retention periods and controls are set out below:

Category Retention Basis / Control Retention
Account dataHard legal minimums and Fyio contractual recordsRetained for the life of the account and for a limited post-account period where necessary for legal, accounting, audit, or dispute-resolution purposes, typically up to 6 years
Verification recordsHard legal minimums and/or configurable enterprise-controlled retentionRetained for as long as necessary for verification, fraud prevention, audit, legal defence, and compliance purposes, subject to applicable law and, where Fyio acts as processor, the relevant enterprise customer’s documented retention settings
Biometric templatesSession-limited by default; configurable enterprise-controlled retention where lawfully requiredRetained only for the period necessary to complete the relevant verification process unless a longer retention period is required by law or validly configured by the relevant enterprise customer in accordance with applicable law.
Audit and security logsFyio operational logsRetained for a limited period necessary to maintain security, investigate misuse, preserve auditability, and support system integrity, with periods varying by log type and typically ranging from 12 to 24 months
Support recordsFyio operational recordsRetained for as long as necessary to manage and evidence support interactions, typically up to 3 years unless longer retention is required for legal or complaint-handling purposes
Marketing dataConsent / preference managementRetained until you opt out, unsubscribe, withdraw consent, or object, with minimal suppression data retained afterwards where necessary to honour that choice

Where Fyio acts as processor within Fyio Pro environments, retention is primarily determined by the relevant enterprise customer’s documented instructions and configured retention settings, subject to applicable law and Fyio’s own limited retention of operational, security, audit, and backup data where necessary.

Backups are securely cycled and deleted in accordance with Fyio’s backup and retention schedule and are not intended to be used as a separate long-term archive except where required for resilience, recovery, legal, or compliance purposes.

13. Your Rights

Under applicable data protection law, you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data, where applicable
  • Restrict processing
  • Object to processing
  • Data portability, where applicable
  • Withdraw consent, where consent is relied upon
  • Not be subject to unlawful solely automated decisions, where applicable

Requests can be made via admin@fyio.app. Fyio may request reasonable identity verification before fulfilling a request.

Where Fyio acts as data controller, Fyio will assess and respond to rights requests in accordance with applicable law. Where Fyio acts as data processor for a Fyio Pro enterprise customer, the relevant enterprise customer acts as data controller and remains primarily responsible for determining the outcome of the request. In such cases, Fyio may refer the request to that enterprise customer or assist the enterprise customer in responding in accordance with documented instructions and applicable law.

14. Cookies

We use cookies for:

  • Authentication
  • Security
  • Analytics
  • Performance

You can manage cookie preferences through browser settings.

See our separate Cookie Policy.

15. Changes to This Policy

We may update this Privacy Policy periodically.

Material changes will be notified via our website or platform.

The “Last Updated” date reflects the current version.

16. Children

Fyio’s services are not intended for children. Where Fyio relies on consent in relation to an online service offered directly to a child in the UK, a child aged 13 or over may provide their own consent, subject to applicable law. Where a child is under 13, such consent must be provided or authorised by a person with parental responsibility, where consent is the relevant lawful basis.

Fyio does not knowingly collect children’s personal data without a valid lawful basis and, where applicable, an appropriate consent mechanism or other lawful authorisation.

17. Complaints

If you are not satisfied with our response, you may contact:

UK Information Commissioner’s Office (ICO)

www.ico.org.uk