Latest version

1 Apr 2021

This Privacy Notice explains how Data Flow Verification Services (Hong Kong) Limited (hereafter, "DataFlow", "We" or "Us" collects and uses your personal data .

We operate the TrueProfile.io and DataFlowPlus.org domains and the Services that are provided therefrom. We are committed to protecting and respecting your privacy when We collect, handle, process, use and transfer your personal data.

Terms not defined herein shall have the same meaning as those in our Terms & Conditions for the Supply of Services.

  1. 1. PERSONAL DATA WE MAY COLLECT FROM YOU

    (A) Personal data we receive from you

    We may collect and process the following personal data that you provide to us:

    • Personal information which allows Us to determine the veracity or otherwise of documents and certificates relating to you under the broad categories of identity, professional, education, licence and good standing documents, including without limitation identification documents such as passports, driving licences and national identity cards, education certificates, professional experience certificates, professional licences, certificates of good standing, diplomas from accredited universities, reference letters from previous employers, licences from regulatory bodies (individually and collectively, once verified by us, referred to as "TrueProofs"). We may expand or adjust the categories and types of TrueProofs from time to time;
    • Other personal information that you provide to Us (in online or in physical format) including:
      • Information about your identity, including your name, title, images and descriptions of your likeness, date of birth or gender;
      • Your contact information, including your postal address, email address or telephone number; and
      • Payment details; and
    • Any correspondence We receive from you.

    (B) Personal data we collect about you

    We collect personal data about you from the following sources:

    • your customer transactions trail and purchase history;
    • your social media interactions with Us (e.g. if you "like" or "share" something you see on our social media platforms);
    • with your consent, information relating to your professional and educational history, any professional disciplinary sanctions taken against you via our CrossCheck service from the following public and private datasets:
      • Diploma mills/unaccredited universities;
      • Medical risk;
      • Suspect employers;
      • Suspect diploma mills/suspect unaccredited institutions and issuing authorities;
      • Professional misconduct;
      • Politically Exposed Persons (PEP);
      • Special interests;
      • Sanctions lists;
      • Other official lists;
      • Other exclusion lists
      • Any information you have made public (including social media content) including without limitation any information concerning or comprising illegal or unlawful behaviour;
      • Public information in open source media that is adverse to you;
      • Information on whether you have multiple identities or aliases; and
      • Positive indicators including charitable work and volunteering roles you have undertaken.
      • For further detail on the datasets please see this link;
    • your use of our website. In particular, We may collect:
      • technical information, including your IP address, browser type and version, device identifier, location and time zone setting, network and/or service provider, operating system and platform, page response times, and download errors;
      • information about your visit, including the websites you visit before and after our website and products you viewed or searched for; and
      • length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouseovers),. and methods used to browse away from the page, your response rate and reaction time to messages received; and
    • third parties who assist us in verifying the documents, certificates and other information that you provide to us, including universities, former employers and our service providers;
    • information we derive from the above, including without limitation your years of work experience and availability to work, any educational or employment inconsistencies and information on your aliases.

    We also collect the following types of sensitive personal data about you:

    • information relating to criminal convictions and offences contained in any publicly available and private databases collected with your consent as part of our CrossCheck service from the following public and private datasets:
      • Diploma mills/unaccredited universities;
      • Medical risk;
      • Suspect employers;
      • Suspect diploma mills/suspect unaccredited institutions and issuing authorities;
      • Professional misconduct;
      • Politically Exposed Persons (PEP);
      • Special interests;
      • Sanctions lists;
      • Other official lists;
      • Other exclusion lists;
      • Information you make public via the Internet; and
      • Public information in open source media that is adverse to you;
      • information concerning your sex life, sexual orientation, political opinions, religious or philosophical beliefs, collected with your consent as part of our CrossCheck service from information you make public via the Internet
    • information relating to your race or ethnicity, such as information relating to your nationality and country of birth.

    To learn more about how we use cookies or similar digital tracking technologies, please see section 7 below.

    You are not obliged to provide your personal data to us, but if you do not provide such data, We may be unable to offer some or all of our Services to you.

  2. 2. PURPOSES FOR WHICH YOUR PERSONAL DATA IS COLLECTED AND USED BY DATAFLOW

    We are required by law to provide you with information about the purposes for which We use your personal data and the legal justification for Us to use that personal data. For example, there may be a legal justification for Us to use your personal data where:

    • We need to use your information to perform a contract with you (and carry out the services under that contract with you, including the CrossCheck service);
    • You have given your consent to Us using your information;
    • Using your information is in our legitimate business interests (provided these interests are balanced against your rights); or
    • We need to process your personal information to comply with legal obligations to which We are subject.

    The table below sets out the different purposes for which We may use your personal information and the legal justifications for each one. Note that the purposes for which We use your personal information may change from time to time, in which case We will update this privacy notice (see further section 10 below).

    WE MAY USE YOUR PERSONAL DATA TO:LEGAL JUSTIFICATION
    To be able to provide the Services (currently known as TrueProfile.io and previously known and run as dataflowplus.org) to you.Performance of a contract with you
    To collect and compile statistical data on our user base.Necessary for our legitimate interests (to improve our services and for researching and analytical purposes)
    For delivery and improvement of online services available on our Website and subscription to our newsletter.Performance of a contract with you Necessary for our legitimate interests (to develop our business)
    To make disclosures as required by any applicable law, rules, regulations, codes of practice or guidelines or to assist in law enforcement purposes, investigations by police or other government or regulatory authorities in Hong Kong or elsewhere.Necessary to comply with a legal obligation
    For direct marketing by email, mail, fax, phone, SMS or other means in respect of DataFlow's Products and Services (as defined below) and those of the DataFlow Group (as defined at section 5 below).Consent
    To provide our CrossCheck service to you in order to cross reference and match the personal data you provide to us (your name and work history) to other personal data held about you in the datasets listed aboveConsent

    In respect of sensitive personal data, we may collect your sensitive personal data:

    PURPOSELEGAL JUSTIFICATION
    As part of providing the CrossCheck service to youConsent

    Further information about how We use your personal data for direct marketing purposes can be found in Section 3 below.

    Products and Services

    Data and identity management and verification services, employment and consultancy opportunities, educational opportunities, courses and content, loans for educational purposes; medical equipment, clothing and instruments; pharmaceutical products; banking, financial, investment and insurance products and services; travel services; housing; technology including hardware devices, plans for mobile phone plans, cable and satellite TV plans, internet packages and virtual private networks, home entertainment plans, application software and electronic games (the "Products and Services").

  3. 3. USE AND TRANSFER OF YOUR PERSONAL DATA FOR DIRECT MARKETING

    Provided you have given your consent, we intend to:

    • use your personal data to send you marketing messages by email, mail, fax, phone, SMS or other means in respect of DataFlow's Products and Services and those of the DataFlow Group;
    • share your personal data with the DataFlow Group for the marketing of their Products and Services and
    • use your personal data to send you and share with our business partner marketing messages by email, mail, fax phone, SMS or other means in respect of Products And Services offered by third parties that may be of interest and benefit to you.

    You can exercise your right to withdraw your consent at any time by contacting Us in writing to the Information Security Manager, DataFlow at privacy@trueprofile.io or write to Us at: Unit 9, Lower Ground Floor, Office Block One, Discovery Bay North, Discovery Bay, Hong Kong.

  4. 4. TRUEPROOF®S

    The TrueProfile.io service is built on an advanced digital solution on the Ethereum blockchain which results in enhanced security and a more streamlined verification process.

    All documents submitted to TrueProfile.io are screened and verified by the DataFlow Group (as they were under the previous iteration of the service at DataFlowPlus.org). Now, once verified, they become TrueProofs, which are stored in the TrueProfile.io cloud and accessible by you at TrueProfile.io. You can keep and carry forward your TrueProofs as a form of perpetual, portable credentials that can be accepted by prospective employers and principals. You can build up your collection of TrueProofs over the course of your career.

    A TrueProof may contain personal data about you, including without limitation your name, email address, birthday, birthplace, nationality, passport number, place(s) of education, qualifications attained, mode and period of study, qualification certificates, employer references, certificates of good standing and details of whether such data have been verified.

    TrueProfile.io Premium

    If you are a TrueProfile.io Premium user, the following features (which may be changed, added to or removed from time to time by DataFlow), which give you further control over your data, are available to you:

    • You will be able to download a legacy report or document that was uploaded by you under the previous DataFlowPlus service, but this time converted into a TrueProof format.
    • You and third party users will be able to verify TrueProofs conveniently at trueprofile.io/verify by uploading a PDF of a TrueProof and confirm that it was issued by TrueProfile.io, that it has not been tampered with and that its digital certificate has not been revoked.
    • Your profile will be highlighted in any recruitment search results performed by business partners.

    To ensure the security and anonymity of your data, each of your TrueProofs will be subject to hashing and verified by a TrueProfile.io digital signature and certificate. Hashing is used to create a short, fixed-length message from a file or block of data, which enables a party with the hash to verify the integrity and/or originator of a TrueProof. The hash of every TrueProof, along with TrueProfile.io’s unique digital signature, is added into a "smart contract" on the Ethereum blockchain. Blockchain technology has many advantages over traditional databases, the main advantages of which being:

    • The chained data blocks in the blockchain allow verification and information traceability within a trusted ecosystem, in a way that the blocks cannot be removed or altered, so that the system is essentially tamper-proof;
    • Asymmetric cryptography paired with chained data structures, helps to ensure the source and veracity of data; and
    • Consensus-based algorithms operated over peer-to-peer networks simplify operations in TrueProfile.io's distributed environment, where multiple parties may need to know the legitimacy of the same document or piece of data without having to repeat the same background checks.

    Your personal data is not exposed except to those parties to whom you permit it to be exposed. The nature of the technology allows for any third party in possession of a TrueProof and the required hash value to verify the authenticity of the document.

    Your personal data is not stored on the blockchain and only the hash value of the TrueProof is stored there permanently.

    Non-Premium

    If you are not a Premium user, your TrueProofs may not be added to the Ethereum blockchain and the above features might not be available to you. Technical verification of your TrueProofs will be possible by using a smart contract transaction at https://etherscan.io/address/0x000d2d31815990fca6f69dfd978c4d4a56b2ed6b. A tutorial on how to use this contract for verification purposes is available in our FAQs. Please note that this process will not be as simple and convenient as the Premium process under trueprofile.io/verify

    If you are a Premium user but your Premium subscription expires, your TrueProofs, once added to the blockchain, will remain on the blockchain, but the above features will not be available to you until you renew your subscription.

    If a human error occurs whereby a document is verified and becomes a TrueProof, the record of the verification of your TrueProof will remain on the blockchain but a further record will be added to state that the TrueProof has been revoked.

    The use of blockchain technology in delivering the Services will not affect our compliance with applicable data privacy laws.

    All Users

    Whether you are a TrueProfile.io Premium user or not, you may share a weblink to your Digital CV page, which includes your TrueProofs, with any prospective employer or third party platform. You will be able to control at any time what third parties can see on your profile via the Share Options page e.g. you may wish to share a restricted or full view of your Digital CV page or (in relation to certain third party platforms) to share individual TrueProofs only. Your Digital CV page is not shared with the public unless you share the weblink to your page yourself or specify that you wish to make your Digital CV page public in the Profile Visibility for recruitment purposes .You may change your settings to "private" at any time, in which case your Digital CV page and TrueProofs will only be visible and accessible to you

  5. 5. SHARING YOUR PERSONAL DATA WITH THIRD PARTIES

    To facilitate the purposes set out at section 2 above, we may share your personal data (whether within or outside Hong Kong) with:

    • DataFlow Verification Services LLC, DataFlow FZ LLC, DataFlow Services (India) Pvt Ltd and DataFlow Verification Services KSA Ltd (hereafter "Our Affiliates"), any subsidiary of Our Affiliates, and Our Affiliates' ultimate holding company and its subsidiaries (together, the "Dataflow Group");
    • our business partners that invite you to connect and to whom you consent to sharing your personal data via the "Connect" function on your Digital CV page (which consent you may revoke at any time, whereupon your personal data will no longer be visible to the business partner in question);
    • our business partners including those businesses who may send you a verification request or provide you with a voucher code to pay for our Services;
    • with your proper consent, those potential employers who are interested in contacting you based on viewing an anonymised version of your profile (including where you check the applicable option within the Profile Visibility on your Digital CV Page or where you respond to a message from a business partner sent via our website, whereupon your name and email address will be passed to that business partner to contact you for recruitment purposes, and therefore the information on your profile, including the number of TrueProofs, will be identifiable by the business partner as being connected to you) and you may adjust your Profile Visibility to (i) enable business partners to receive your contact information as soon as they indicate an interest in your profile by sending a message to you via our site; (ii) allow business partners to view an anonymised version only of your profile that does not identify you personally and disable the ability for a business partner to contact you for a period of between 3 and 12 months, after the expiration of which period the setting shall default to (i) i.e. all business partners will receive your contact information as soon as they indicate an interest in your profile; or (iii) disable the ability for a business partner to contact you indefinitely (i.e. until you change the settings).; and
    • Our partners, third party service providers and contractors. To see a list of the types of third parties we share data with for this purpose, please click here. You will be prompted if you are required to install a third party application or visit a third party website, or if your personal data is otherwise transferred to a third party via an interface in order for you to receive any of the Services. These third parties process your personal data solely upon our instructions, unless otherwise indicated to you. These third parties may engage subcontractors to process your personal data for the same purposes in accordance with applicable laws. You will be prompted where you are required to accept third party terms and conditions to receive any of the Services or where the collection and processing of your personal data is subject to a separate privacy policy.

    We reserve the right to hide your profile, or prevent certain elements of your profile from being seen by business partners for recruitment purposes, where we consider this to be in your interest.

    Where you are primarily located in the European Economic Area (EEA) and we transfer your personal data outside of the EEA to a jurisdiction which is not covered by an adequacy decision from the European Commission, we and our partners, third party service providers and contractors as appropriate put in place EU standard contractual clauses which are designed to ensure adequate safeguards for personal data transferred to such jurisdictions. A copy of these clauses is available here.

  6. 6. STORAGE AND RETENTION OF YOUR PERSONAL DATA

    All information you provide to Us is stored on our secure servers, which may be servers provided by one of our suppliers. Once We have received your information, We and our subcontractors will use strict procedures and security features to try to prevent unauthorized access.

    We will only retain your personal data for as long as necessary for the purpose for which that data was collected and to the extent permitted by applicable laws. For example, where we need to use your personal data to provide you with our service, this means we will retain that personal data for as long as we are providing you with the TrueProfile.io service (unless you ask for it to be deleted, or applicable laws require us to keep it for a longer or shorter period). When We no longer need to use personal data (for example, if you exercise your right to deletion of your personal data or cease to be a TrueProfile.io customer), We will remove it from our systems and records and/or take steps to anonymise it so that you can no longer be identified from it (unless We need to keep your information to comply with legal or regulatory obligations to which We are subject).

    You may request us to store documents that you upload (including certificates and reports) in respect of which you have not requested us to create a TrueProfile. We may in our discretion store such documents for you. However, you acknowledge and accept that our storage or processing of such information does not constitute DataFlow’s acceptance of the accuracy of any data that has not been verified and converted to a TrueProof and that such data will not be stored on the blockchain.

  7. 7. COOKIES, LOG - FILES, LOCATION DATA AND ACCESS TO PERSONAL DATA THROUGH SOCIAL MEDIA PLATFORMS

    If you visit any of our websites, We may collect information about your computer, including where available your Internet Protocol (IP) address, operating system and browser type and to report aggregate information to our advertisers, including number of visits, average time spent on the site, or pages viewed. This is statistical data about our users’ browsing actions and patterns that We use for research and service improvement purposes, and does not by itself identify any individual. It is therefore separate from your personal data. In rare instances, IP addresses may be used to help in deterring and/or preventing abusive or criminal activity on our Websites.

    Our websites use “cookies” (small data files placed on your computer’s hard drive) to distinguish you from other users of our website when you visit the Website again and to record your preferences. This helps Us to provide you with an enhanced experience when you browse our website and also allows Us to improve our site. The use of cookies means We can better serve you and/or maintain your information across multiple pages within or across one or more sessions. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in future. Cookies contain information about you and your preferences. Only the information provided by you or the choices you make while visiting a website can be stored in a cookie. For example, the site cannot determine your email address unless you choose to type it. Allowing a website to create a cookie does not give that or any other site access to the rest of your device, and only the site that created the cookie can read it.

    We may collect your location data in order to keep track of your activity patterns and preferences so that We can improve the level of service you receive. Your location data may be combined with other information We receive from third parties to provide you with a better service.

    Learn more about our cookies in our Cookie Policy.

    If you interact with Us on social media platforms (for example if you “Like” our Facebook Page or post on our timeline), we can interact with you and send you messages via these platforms. We will interact with you in accordance with the social media platform’s rules but We are not responsible for how the platform operators collect and handle your personal data. We are not responsible for what third parties post on our social media accounts.

  8. 8. YOUR RIGHTS

    You have the right to request access to and correction of your personal data if it is not accurate. Any such request may be made in writing and addressed to privacy@trueprofile.io.

    If you are in the European Economic Area, you have the following rights:

    • Access. You have the right to request a copy of the personal data We are processing about you. For your own privacy and security, at our discretion We may require you to prove your identity before providing the requested information. If you require multiple copies of your personal information, we may charge a reasonable administration fee.
    • Rectification. You have the right to have incomplete or inaccurate personal data that We process about you rectified.
    • Deletion. You have the right to request that We delete personal data that We process about you, except We are not obliged to do so if We need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
    • Restriction. You have the right to restrict our processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or that We no longer need to process such data for a particular purpose unless We are not able to delete the data due to a legal or other obligation or because you do not wish for Us to delete it.
    • Portability. You have the right to obtain personal data We hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (a) personal data which you have provided to us, and (b) if We are processing that data on the basis of your consent or to perform a contract with you.
    • Objection. Where the legal justification for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless We have compelling legitimate grounds for the processing which override your interests and rights, or if We need to continue to process the data for the establishment, exercise or defence of a legal claim.
    • Withdrawing Consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge. This includes cases where you wish to opt out from marketing messages that you receive from us. You can unsubscribe from marketing communications at any time by following the instructions in any individual message.

    You can make a request to exercise any of these rights in relation to your personal data by contacting Us as indicated below at section 10.

    You also have the right to lodge a complaint with the local data protection authority if you believe that We have not complied with applicable data protection laws. Please click here for a list of local data protection authorities in EEA countries.

    We will share your personal data with prospective employers where you choose to make your TrueProfile page available to those employers, in accordance with section 4 above. Where you wish to exercise the rights described in this section in respect of any personal data you have chosen to share with prospective employers, please contact the relevant employers directly.

  9. 9. CHANGES TO OUR PRIVACY NOTICE

    This Privacy Notice may be updated from time to time. If we make changes to this Privacy Notice, we will notify you of these changes by email and post an alert on the home page of our Website. You may be subject to an earlier version of this Privacy Notice if you have not been notified of subsequent changes to the earlier notice

  10. 10. CONTACT US

    If you have any questions or concerns regarding this Privacy Notice or the data processing practices outlined herein, or if you want to exercise any of your rights, please contact us as follows privacy@trueprofile.io.