Privacy policy – Experian Candidate RTW App

UPDATED NOVEMBER 2025

1. Introduction

Experian takes data privacy seriously and this policy helps you understand what personal information is collected from you and how it is used. Your prospective employer (the “Employer”) is the Data Controller of your Right to Work check and has GDPR / UK Data Protection obligations for the data collected, how it’s stored, and your rights. Rightcheck Ltd (“Rightcheck”) is the software provider of the Experian RTW App and acts as Data Processor on behalf of the Employer.

2. How and why data is collected

Data is collected via the Experian Candidate RTW App which you download, and is used by your Employer in order to obtain their Statutory Excuse under the UK Right to Work legislation (see the Immigration, Asylum & Nationality Act 2006 etc.). The Employer determines the purpose of processing.

3. What information we collect

When you use the app, you may be asked to provide personal information and documents for a Right to Work check. Depending on which documents you provide, the following data may be collected:

• Your name, address, phone number, email address, date of birth, gender, birthplace, IP address
• Passport, visas, identity cards, residence cards, payslips, RTW Share code
• Biometric data (as used for face-image verification)
• Photographs or video images of your face and identity documents

4. Face Data (Photographs & Video of Your Face)

What face data we collect

When you use the app you may be required to submit:

• A selfie photograph of your face, and/or
• A short live-video recording of your face

These are collected in order to verify your identity and confirm you are a live person. We do not generate biometric templates, faceprints or similar mathematical representations of your face — we capture standard images / video only.

How we use your face data

Face images / video are used exclusively to:

1. Compare your live face to the image on your identity document.
2. Run a liveness check (i.e., ensure you are a live person, not a static photo or video replay).
3. Provide fraud and impersonation detection as part of the identity-verification process.
4. Allow your Employer to fulfil legally required identity & Right to Work checks.

We do not:

1. Use your face data for marketing purposes.
2. Use your face data for broad facial recognition across populations.
3. Create biometric templates, enrol you into biometric systems, or use your face for profiling.
4. Sell, licence or otherwise share your face data beyond what is needed for the check.

Sharing of face data

We do not share your face images or video with any external third parties or subprocessors. Processing of your face data is done only by Rightcheck on behalf of your Employer, and your Employer is the Data Controller. No external identity-verification vendor or sub-processor is used.

Storage of face data

All face images and video are stored securely on UK-based servers operated by Rightcheck under the Employer’s instructions. The data is encrypted in transit and at rest and access is strictly controlled.

Retention of face data

• If you are employed, your face image/video will be retained for the duration of your employment plus up to two (2) years, to enable your Employer to maintain the statutory excuse.
• If you are not subsequently employed, your Employer will instruct deletion of the data in accordance with their own retention policy.

Once deletion is instructed:

• Face images/video are removed from active systems, and
• Encrypted backup copies remain for up to 90 days for disaster-recovery purposes before being permanently deleted.

No biometric templates are stored by us.

5. Legal Basis for Processing

Your Employer (Data Controller) determines the lawful basis for processing. Typically this includes:

• Compliance with legal obligations (e.g., UK Right to Work data)
• The Employer’s legitimate interests (fraud prevention, identity verification)
• Consent (only if you provide optional data beyond the required check)

6. Data Storage and Retention

All personal data collected via the app is processed and stored in the United Kingdom on secure, encrypted servers under Rightcheck’s control, in line with your Employer’s instructions. Retention periods are defined by your Employer and may differ depending on whether you become employed. Only encrypted backup recovery data may remain for up to 90 days after the active data is deleted.

7. Sharing Your Information

Your personal data is shared only with your Employer (Data Controller). Rightcheck (Data Processor) does not share data with third-party national or international service providers external to this arrangement, nor does it sell, licence or broker your personal data.

8. Your Rights

You, as the “Data Subject”, have the following rights under UK Data Protection law (subject to exemptions):

• Right to access the personal data we hold about you
• Right to request correction of inaccurate data
• Right to request erasure of data that is no longer necessary
• Right to request restriction of processing or to object
• If processing is based on consent, right to withdraw consent
• Where applicable, right to data portability

Requests should be made to your Employer (the Data Controller) in the first instance, who will liaise with Rightcheck (Data Processor) as required.

9. Children’s Privacy

The app is not intended for individuals under 16 unless required by employment laws and with appropriate parental or guardian consent as required by your Employer.

10. Changes to this Policy

We may update this Privacy Policy from time to time. The date at the top reflects the most recent update. When we make material changes, we will post the updated policy on this page and may notify you through the app or by email.