Onfido SDK Data Collection Overview
Introduction
Onfido's Identity Services help our clients to verify the identities of their end-users and perform checks related to an identity. To enable a client to integrate our Identity Services into their webapp or consumer app, Onfido offers clients the following SDKs (collectively, "Onfido SDKs"):
- Web SDK
- Android SDK
- iOS SDK
- React Native SDK
- Flutter SDK
In certain jurisdictions, there may be a legal obligation to provide an end-user with clear and comprehensive information about the data the Onfido SDKs collect from, or store on, the end-user's device. While the client is solely responsible for complying with any such legal obligation, Onfido has created this document to assist clients in understanding:
(a) the purposes for which data is collected (see the section below titled Data Collection Purposes);
(b) the data collected for each purpose (see the section below titled Data Collected); and
(c) how the data is collected (see the section below titled Data Collection Mechanisms).
The client is also solely responsible for complying with any legal obligation that requires an end-user to provide their consent before the Onfido SDKs collect non-essential data from, or store non-essential data on, their device. If the client is subject to such a legal obligation and an end-user does not consent to the collection of data upon the occurrence of Behavioural Events, as described further below, the client may disable the collection of this data from that end-user's device (or switch off the collection of Behavioural Event data entirely) by contacting Onfido's Customer Support.
Please note that: (a) this document does not explain the personal information the client's end-users will need to submit via the Onfido SDKs for Onfido to provide its Identity Services. This information is contained in Onfido's Privacy Policy (available at https://onfido.com/privacy); (b) the client (as the "controller") is solely responsible for complying with any legal obligation that requires their end-users to be provided with information about how their personal information is collected and used for the purpose of providing Onfido's Identity Services.
Data Collection Purposes
The Onfido SDKs collect data for two purposes:
Essential Events: The data collected at each Essential Event is strictly necessary for Onfido to provide a client with the requested Identity Services. Without this data, the Onfido SDKs would not function and/or Onfido could not provide the client with the service. The section of this document titled "Data Collected at Essential Events" describes these Essential Events and lists the data collected when they occur.
Behavioural Events: The data collected at each Behavioural Event is used by Onfido for product and research purposes (for example, to improve its products/services and the overall end-user experience). The client controls whether this data is collected. The section of this document titled "Data Collected at Behavioural Events" describes these Behavioural Events and lists the data collected when they occur.
Data Collected
The Onfido SDKs collect data upon the occurrence of two types of event: Essential Events and Behavioural Events.
Data Collected at Essential Events
Onfido SDKs collect data each time one of the following Essential Events occurs:
- The SDK is initialised (i.e. each time the client loads the SDK in their app)
- The SDK loads or terminates a given module or task (i.e. each time the SDK executes the Document Capture or Face Capture tasks)
- The SDK is exited (i.e. each time an end-user decides not to proceed with the verification)
- The SDK returns an error (i.e. the SDK cannot proceed with the verification flow)
As part of Onfido's Device Intelligence service, a subset of the data listed in the table below is also collected at regular intervals by the Onfido SDKs to enable Onfido to detect fraud.
The table below describes what data the Onfido SDKs collect and from what source, upon the occurrence of each Essential Event.
Source from which data is collected | Details of data collected |
---|---|
End-User Device / Browser | - Device information (model, manufacturer, CPU/GPU models, screen dimensions) - Browser type and version (WebApp only) - OS information (type/version, locale, language supported, theme used) - Device connectivity (speed of network only) - IP Address (truncated to provide country level information only) |
Client's App / WebApp into which Onfido's SDK is integrated | - Application ID / name / version - HTTP referrer (for WebApp) - Permissions declared (app-level, not by the end-user) - Min / target OS version required by embedding App |
Onfido SDKs | - Identifiers of the Onfido SDK variant, version, distribution channel - Information about the module executed by the Onfido SDK (type, variant, version) - Information about the overall client integration with the SDK (callback enablement, analytics, logging) - Whether custom UI/text is used in the SDK |
Onfido Services | - Client UUID - Applicant UUID - Anonymous UUID - Session UUID - Workflow run and task IDs (for Studio). Note that the 'Anonymous UUID' is also stored on the user's device, as part of the browser's cookies, to facilitate the recovery of Identity Verification flows. |
Data Collected at Behavioural Events
By default, the Onfido SDKs will collect data each time one of the following Behavioural Events occurs:
- End-user is shown a screen
- End-user is shown a validation or error warning
- End-user interacts with a button
These Behavioural Events arise at different stages (or "modules") of an end-user's journey through the Onfido SDK flow. The table below lists, for each module, additional module-specific data the Onfido SDKs collect (and from what source) upon the occurrence of a Behavioural Event. (Note that upon the occurrence of a Behavioural Event, the Onfido SDKs will also collect the data described in the Essential Events section above.)
Onfido Identity Service Module | Source from which data is collected | Details of data collected at each Behavioural Event occurring within the Module |
---|---|---|
End-user is asked to grant device permissions (relevant if they need to capture an image of their ID document or Face) | End-user device | Depending on the Onfido Identity Service used, information about whether the following permissions are available, granted, declined or requested: - Camera permission info - Microphone permission info - Storage permission info - Gallery permission info |
End-user opens Camera (relevant if they need to capture an image of their ID document or Face) | End-user device | - Information about the settings and capabilities of the device camera in use for a particular document or face live capture |
End-user captures image of ID document | End-user device | - Information about the settings and capabilities of the device camera in use for a particular document live capture |
End-user captures image of ID document | Onfido SDK | - Intermediate and final results of the various document detection processes performed on the end-user's device, including any feedback provided to the end-user on screen - Information about the processing configuration applied to a given capture session (feature enablement, thresholds, ML models used) |
End-user captures image of Face | Onfido SDK | - Intermediate and final results of the various face detection processes performed on the end-user's device, including any feedback provided to the end-user on screen - Information about the processing configuration applied to a given capture session (feature enablement, thresholds, ML models used) |
End-user signs a document with a Qualified Electronic Signature (QES) | Onfido SDK | - Information about the service provider (QTSP) selected by the user for QES processing |
Data Collection Mechanisms
Onfido SDKs rely on proprietary services to collect and communicate data to the Onfido backend. Onfido SDKs do not use third party cookies or similar tracking technologies to collect data.