This notice explains how Prove Identity, Inc., Prove Identity Ltd, and its affiliates and/or subsidiaries (collectively, “Prove,” “the Company,” “we,” “us,” or “our”) collects, uses, shares, and retains personal information about your use of our websites and branded social media pages, as well as when you receive emails, texts, faxes or have other communications with us (collectively, our “Sites”).

This notice explains when you access or use our Sites:

• What personal information we collect about you;
• How we use your personal information; and
• How you access and update that information along with your other privacy-related rights.

You should make sure that you have read and understood this notice to understand how Prove collects, uses, discloses, and retains your personal information.

This notice does not apply:

• When Prove processes your personal information as part of our identity verification, authentication, and onboarding solutions (our “Solutions”) that we provide to businesses and their affiliates (our “Clients”). The privacy notice about our Solutions is available at Solutions Privacy Notice.
• To our job application and recruitment process. The privacy notice for our recruitment process is available at Recruitment Privacy Notice.
• To any personal information you post to the public areas of our Sites. This includes, but is not limited to, comments to social media platforms and other public forums. Comments posted to public areas may be viewed, accessed, and used by third parties subject to the privacy practices and policies of the platform and/or forum.

Global privacy and data protection laws use terms like “controller” or “business” and “processor” or “service provider” to define the ways in which different parties process your personal information. A controller or business decides why and how to process your personal information. A processor or service provider processes your personal information on behalf of a controller, based on the controller’s instructions.

Prove is the Controller of the personal information that we collect and process in relation to your use of our Sites. If you would like to contact us, you can email us at privacy@prove.com or by other communication channels listed under the Contact Us section below.

It is important to know that there may be certain circumstances where more than one controller processes your personal information (sometimes called joint controllers or co-controllers). In these situations, we act as an independent controller of the processes explained in this notice. This means we determine the purposes and means of processing your personal information independently from the other controllers. We are not responsible for other controllers’ processes as each controller is responsible for meeting their own obligations under applicable global privacy and data protection laws.

While the types of Personal Information we collect and use depends on how you access or use our Sites, we may have collected and used the following Personal Information about you within the last twelve (12) months:

We may also collect:

• Statistics or aggregated information.Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from personal information. For example, we may aggregate personal information to calculate the percentage of users accessing a specific feature of our Sites.
• Technical information.Technical information includes information about your internet connection and usage details about your interactions with our Sites, such as clickstream information to, through, and from our Sites (including date and time), products that you view or search for; page response times, download errors, length of your visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), or methods used to browse away from a page.

If we combine or connect non-personal statistical or technical data with personal information so that it directly or indirectly identifies you, we treat the combined information as personal information.

Special Category Data.For the access or use of its Sites, Prove does not directly or intentionally collect, store, process, and transmit any of the other following special categories of personal information: racial or ethnic origin, political opinions, religious, philosophical beliefs, or other beliefs of a similar nature, trade union membership, physical or mental health or condition, biometric data, sex life or sexual orientation, genetic data, or data on criminal convictions.

Minors’ Data.Our Sites are not intended for use by nor directed to individuals under the age of 18. If we learn that we have inadvertently processed personal information from individuals under the age of 18, we will delete the personal information in compliance with applicable law.

How We Collect Your Personal Information

Prove collects most of your personal information directly from the following sources:

Directly from you. We collect information about you when you interact with our Sites such as when you submit a request to speak with one of our experts, create or update your developer account, access our Trust Center, register or join a waitlist for one of our events, join our improve global community, or create, upload, or post content to our Sites, including reviews, media such as photos, videos, or audio recordings.

Automatically Through Our Sites.As you navigate through and interact with our Sites, we may use automatic data collection technologies to collect information that may include personal information. Information collected automatically may include usage details, IP addresses, operating system, and browser type, and information collected through cookies, web beacons, and other tracking technologies, including device type/model/manufacturer, a unique identifier (e.g., a persistent device identifier or an Ad ID), details of your interactions with our Sites, such as traffic data, logs, and other communication data, and which resources and features that you access and use. See Cookies and Other Tracking Technologies and How We Use Your Personal Information for more details.

Our Service Providers, Business Partners and Other Third Parties.We may also receive personal information about you through service providers and other third parties that collect it on our behalf, such as email platform providers, content delivery services, promotions services, analytics, security and anti-fraud services, and data brokers. We may also receive personal information from our business partners that we engage to share consumer information with us, including your personal preferences and demographic information so we can better provide you with a personalized experience. In both cases, we will comply with applicable laws to ensure that those third parties have represented to us that they have the right to disclose your personal information to us.

When you interact with our Sites, Prove or Prove’s third parties may automatically collect and use your personal information through a variety of commonly used tracking technologies, such as cookies, web beacons, pixels, tags, file information, geolocation, and similar technology (collectively, “Cookies”).

What are Cookies? Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by the web browser on your device.We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify site features in which you may have the greatest interest.

Cookies may enhance your online experience by saving your preferences while you are visiting a particular site. Those cookies are set by us and called first party cookies. We also use third party cookies – which are cookies from a domain different than the domain of the website you are visiting.

Prove uses both session-based and persistent Cookies on our websites. Session-based Cookies are temporary and expire once you close your browser (or once your session ends). Persistent Cookies remain on your hard drive until you erase them or your browser does, depending on the cookie’s expiration date. All persistent cookies have an expiration date written into their code, but their duration can vary.

Similar Tracking Technologies. Pages of our websites also use web beacons, pixels and similar tracking technologies. These tracking technologies are invisible images or pieces of code embedded into the website used to collect data for analytics to enhance your experience, analyze site traffic, and track usage.

For example, Prove has a pixel provided by a third-party company, called NextRoll, implemented in the header of our websites. Whenever you visit any page on our websites, the pixel captures your on-site only behavior allowing NextRoll to generate insights and grow its advertising reach to our prospects. No data is stored by NextRoll and the data is only related to behaviour on our websites (e.g. what pages and links are clicked on in what order or which pages are never visited).

Why We Use Cookies

We use Cookies for several different purposes:

• Essential (Strictly Necessary). These Cookies are managed by Prove and are necessary to ensure our Sites operate effectively. These Cookies are managed by us and provide basic functionality such as security, network management, and accessibility. If you prevent these Cookies in your browser settings, we can't guarantee how our websites or the security on our websites will perform during your visit.
• Personalization. These Cookies are managed by Prove and allow our Sites to remember choices you’ve made or information you gave in the past such as the language you prefer or the region you are in. We use preference cookies to provide an enhanced and more personal user experience. If you do not allow these Cookies, then certain features on our websites may not be available or function properly.
• Analytics. These Cookies collect information about how you use our website like which pages you visit and if you experience any technical issues or errors. They allow us to count visits and traffic sources so we can measure and improve the performance of our websites and content. These Cookies are managed for us by third parties.
• Targeted Advertising (Marketing). These Cookies are managed by third-parties to deliver advertising that is more relevant to you and your interests, and are used to recognize devices not only when you use our Sites, but also when you use other third-party websites and services. These Cookies may also be used to limit the number of times you see an advertisement and to measure the effectiveness of advertising campaigns.

As mentioned in How We Collect Your Personal Information, we may collect analytics data or use third party analytics tools through third parties, such as: Clearbit, Google, Hotjar, Hubspot, LinkedIn, Microsoft, Segment, and/or ZoomInfo. These third parties help us measure traffic and usage trends for our Sites and understand more about the demographics of the visitors to our Sites.

Do Not Track

>We and other third parties may use cookies on our Sites that collect information about your browsing activities over time and across different websites following your use of the Sites. We respond to “Do Not Track” (DNT) signals. If you are using a browser that sends a Do Not Track signal, it will automatically be applied to in your consent settings.

Online Advertising

Prove may permit third party online advertising networks, social media companies, and other third party services to collect personal information through Cookies related to your visit to our Sites so that they may play or display ads that may be relevant to your interests on our Sites as well as on other websites or apps, or on other devices you may use. This information may also be used to make the advertisements you see online more relevant to your interests. For example, third parties may utilize certain forms of display advertising and other advanced features through Google Analytics, such as Remarketing with Google Analytics, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. These features enable third parties to inform, optimize, and display ads based on your past visits to our Sites.

To learn more about interest-based advertising and how you may be able to opt-out of some of this advertising, you may visit the Network Advertising Initiative’s online resources at http://www.networkadvertising.org/choices, and/or the Digital Advertising Alliance’s resources at https://optout.aboutads.info/. You may control your advertising preferences or opt-out of certain Google advertising Solutions by visiting the Google Ads Preferences Manager, available at https://google.com/ads/preferences/ as of the effective date of this notice.

Online Advertising

You can change your cookie preferences on our Sites by going to our consent settings.

Internet browsers also allow you to change your cookie settings. These settings are usually found in the 'options' or 'preferences' menu of your internet browser. You can manually delete cookies, or use your browser settings to specify which types of cookies may or may not be placed or to automatically delete cookies. In order to understand these settings, the following links may be helpful.

• Cookie settings in Microsoft Edge
• Cookie settings in Firefox
• Cookie settings in Chrome
• Cookie settings in Safari

You can also learn more about adjusting your cookie preferences under the “Help” option in your browser.

If you use your browser settings to block all cookies (including strictly necessary cookies), you may not be able to access all or parts of our websites.

We collect and use your personal information for business purposes and with the following legal bases:

In cases where our legal basis to collect and use your personal information is based on your consent, that consent may be revoked at any time by Contacting Us. Please note that if you withdraw your consent, we may not be able to provide you with an optimal user experience with our Sites.

We may share aggregated or otherwise anonymized information that does not reasonably identify you directly as an individual without restriction.

We may also share your personal information as described in this notice with:

• Our subsidiaries and affiliates. A list of Prove affiliates and subsidiaries is available here.
• Service providers and other third parties that support our company and provide services to us, and who are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.
• To fulfill the purpose for which you provide it. For example, we may share your contact details with a venue that will host one of our events if you sign up to attend.
• For any other purpose disclosed by us when you provide the information.
• With your consent.
• Competent law enforcement bodies, regulators, public authorities, government agencies, courts, or other third parties (a) as required by applicable law or to meet national security, (b) to exercise, establish, or defend our legal rights, and/or (c) to protect your vital interests or those of any other person.
• To a third party in connection with a merger, acquisition, sale or disposal.

We will also share your personal information with third parties:

• Where required by law.
• Where it is in the public interest to do so.

Third party service providers, and other recipients may have their own privacy notices that govern their processing of your personal information. You should review those privacy notices for more information on their privacy practices.

Prove operates globally, which means your information may be stored and processed outside of the country or region where it was originally collected including in the United States. In some of these countries, you may have fewer rights in respect of your information than you do in your country of residence. Regardless of where your information is processed, we apply the same protections described in this notice. We comply with certain legal frameworks relating to the transfer of data, such as the frameworks described below.

Data Privacy Frameworks:

Prove complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Prove has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

Prove has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF.

Where we transfer your personal information outside Europe, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. This can be done in a number of different ways, for instance:

• The country to which we send the personal information may be approved by the European Commission; or
• The recipient may have signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information.

‍In other circumstances, the law may permit us to otherwise transfer your Personal Information outside Europe. In all cases, however, any transfer of your personal information will be compliant with applicable data protection law. You can request more details of the protection given to your personal information when it is transferred outside Europe (including a sample copy of the model contractual clauses) by using the details set out below in the “Contacting Us” section.

If your personal information is transferred to a third party under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF, Prove remains liable if that third party (acting as an agent on our behalf) processes your personal information in a manner that is inconsistent with the DPF Principles unless we prove that we are not responsible for the event giving rise to the damage.

Prove commits to resolve complaints about your privacy and our processing of your personal information transferred to the United States pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Individuals residing in the European Union, the United Kingdom, or Switzerland should first contact Prove with inquiries or complaints (see Contacting Us).

Prove further commits to to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

If your complaint cannot be resolved through our internal process or the above-referenced panel, you may invoke binding arbitration in certain circumstances. For more information on arbitration requirements and procedures, see Annex I of the DPF.

If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern. To learn more about the Data Privacy Framework (DPF), and to view our certification, please visit the program’s website here.

The Federal Trade Commission has jurisdiction over Prove’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

Except as otherwise permitted or required by applicable law or regulatory requirements, Prove will retain your personal information only for as long as reasonably necessary to fulfill the purposes for which the personal information was collected (including, for the purpose of meeting any legal, accounting, or other reporting requirements or obligations).

If we no longer have an ongoing legitimate business purpose, we will delete your personal information, if possible, or we may make it anonymous or de-identify it so it cannot be associated with or tracked back to you.

Depending on where you reside, you may have (among others) the following privacy rights:

• The right to access, correct, or update your personal information.
• The right to request deletion of your personal information.
• The right to object to or restrict the processing of your personal information.
• The right to portability to move, copy, or transfer your personal information easily from one entity to another.
• The right not to be subject to decisions based solely on automated decision making, including profiling.
• The right to withdraw your consent to processing at any time.
• The right to lodge a complaint with your local supervisory authority.
• The right to opt-out of the selling or sharing of your personal information.
• The right to not be discriminated against for exercising your privacy rights and the right to appeal a decision we make with respect to your privacy rights.

For California Residents. We may allow certain online advertising partners to collect information from our Sites through Cookies to deliver ads which are more relevant to you and assist us with advertising-related analytics, which may be considered “selling” or “sharing" for targeted online advertising under certain laws. To opt out of this activity, you can change your cookie settings by going to our consent settings.

How to Exercise Your Rights

To exercise your rights as they relate to Prove’s processing of your personal information, please submit a request through our online portal. We will make every effort to fulfill your request. However, we may not be able to honor your request if applicable law does not grant you the right you are attempting to exercise.

Please also note that when you submit a rights request to us, we will take steps to verify your identity, including by validating your name and other contact details. You may also have the right to designate an authorized agent to help you exercise these consumer rights. To ensure the security of your personal information, we will generally ask you to verify your, or your authorized agent’s, request using the contact information you have already provided.

Prove maintains reasonable administrative, technical, and physical security measures to protect the confidentiality, integrity, and accessibility of your personal information. These measures include, but are not limited to:

• Implementation and maintenance of an information security program.
• Access policies and standards that comply with the principle of least privileged access.
• Industry standard encryption for data in transit and at rest, vulnerability management, patch management, and penetration testing.
• Annual business continuity, disaster recovery and incident response testing.
• Thorough assessment of our third party vendors prior to onboarding and on a regular basis thereafter (annually for all critical vendors).
• Employee training on information security and data privacy.

Prove may update this Website Privacy Notice periodically to reflect changes in our privacy program. You can see when it was last updated by checking the “Last Updated” date above.

To contact Prove’s privacy team, please email us atprivacy@prove.com or call 888-315-8780. You can also contact us by writing to:

Prove Identity, Inc.
245 Fifth Avenue,
20th Floor,
New York,
NY 10016

Prove has appointed Osano International Compliance Services Limited as our EU Representative. You can contact Osano in the EU by writing to:

Osano International Compliance Services Limited
ATTN: FX7B
25 North Wall Quay
Dublin 1
D01 H104

Prove has appointed Osano UK Compliance LTD as our UK Representative. You can contact Osano in the UK by writing to:

Osano UK Compliance LTD
ATTN: FX7B
42-46 Fountain Street
Belfast
Antrim
BT1 - 5EF

You can contact our data protection officer (DPO) at:

Osano UK Compliance LTD
VeraSafe
100 M Street S.E., Suite 600
Washington, D.C. 20003
+1 (617) 398-7067
experts@verasafe.com

This Solutions Privacy Notice sets out how Prove Identity, Inc. and its affiliates (“Prove,” “we,” “our,” or “us”) processes (which may include collection, use, transmission, transfer, storage, erasure, and/or destruction) your personal information while performing the services we offer to our business clients (“Client(s)”).

This Solutions Privacy Notice does not apply when you interact with our websites, branded social media pages, and self-service portals or communicate with us through email, text, chat, or similar methods. For more information on Prove’s processing of your personal information in that context, please see our Website Privacy Notice.

Prove’s platform provides authentication, identity verification, and fraud prevention products and solutions (our “Solutions”) to our Clients. Our platform’s foundational layer is Prove’s Global Identity Graph, which links a proprietary Prove ID to an individual’s tokenized identity.

Prove operates business-to-business (B2B) and does not provide Solutions directly to individual consumers. Rather, Prove’s Clients independently decide:

• What personal information they will provide to Prove to use our Solutions.
• Whether and under what circumstances a successful authentication or identity verification has occurred.

Global privacy and data protection laws use terms like “controller” or “business” and “processor” or “service provider” to define the ways in which different parties process your personal information. A controller or business decides why and how to process your personal information. A processor or service provider processes your personal information on behalf of a controller, based on the controller’s instructions.

Depending on the situation, Prove acts in both of these roles while processing your personal information as further outlined below.

Our Processor Role

When offering our Solutions to our Clients (who in turn offer those Solutions to you), Prove primarily acts as a processor or service provider. This means that we process your personal information on behalf of our Clients solely as instructed and only for the purposes specified. In this context, our Clients (as controllers) are responsible for identifying a legal basis for processing your personal information. In the United States, Prove always acts as a processor on behalf of our Clients.

Our Controller Role

Some privacy and data protection laws define the controller role broadly. For example, in the European Economic Area (EEA), Prove also handles your personal information as a controller in relation to our Global Identity Graph and the development and improvement of our Solutions. Our legal basis for processing your personal information is legitimate interests, which include trust and safety, identity authentication/verification, commerce enablement, and fraud prevention.

The personal information we collect and use will depend on the Solution(s) selected by the Client. The following personal information may have been collected or received indirectly while providing our Solutions during the prior 12-month period:

How We Collect Your Personal Information

• Personal Information Provided by Clients: Prove receives personal information from our Clients to provide our Solutions (“Client Data”).
• Insights Derived: Prove derives information from our analysis of Client and/or Third Party Data to identify behavioral patterns.
• Unique Tokenized Identifiers: We generate identifiers (Prove ID, Prove Key) associated with a phone number.
• Third Party Data: Obtained from public sources, partners, and mobile network operators.

Prove uses collected personal information for legitimate business purposes, including:

• Providing our Solutions and troubleshooting customer support.
• Developing, improving, testing, and expanding Solutions.
• Investigating suspected fraud.
• Managing business operations (billing, governance, legal compliance).

Automated Decision Making

Prove’s Solutions provide actionable intelligence and insights to our Clients. Each Client ultimately decides whether to proceed with your onboarding or transaction based on the information provided. If you have questions about the outcome of your verification check, please contact Prove’s Client directly.

When acting as a processor, we retain PI in accordance with Client instructions. Limited non-sensitive info (telephone, IP) may be retained for 13 months for troubleshooting and enhancement. Prove does not retain raw sensitive data such as social security numbers.

We may share your info with:

• Subsidiaries and affiliates for support and research.
• Our Clients for identity verification.
• Trusted third-party providers (cloud hosting, data providers).
• Law enforcement or regulators when required by law.

Our Solutions are not intended for use by nor directed to individuals under the age of 18. If we learn that we have inadvertently processed data from a minor, we will delete it in compliance with applicable law.

Prove complies with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. Prove has certified that it adheres to the DPF Principles regarding processing received from the EU, UK, and Switzerland.

Unresolved privacy complaints can be referred to the panel established by the EU DPAs, the UK ICO, and the Swiss FDPIC. You may invoke binding arbitration in certain circumstances.

Measures include but are not limited to:

• Comprehensive information security program with annual audits.
• Access policies based on least privileged access.
• Industry standard encryption for data in transit and at rest.
• Incident response plans and vendor assessments.

Rights may include: access, correction, deletion, objection to processing, and data portability. To exercise your rights, please submit a request through our online portal. If the request relates to data processed for a Client, we will direct the request to that Client.

Email: privacy@prove.com or call 888-315-8780.

Prove Identity, Inc.
Attn: Chief Legal Officer
245 Fifth Avenue, 20th Floor, New York, NY 10016

DPO Contact: VeraSafe, 100 M Street S.E., Suite 600, Washington, D.C. 20003.