FinAuth Personal Information and Privacy Protection Policy
Last Updated: November 6, 2025
Foreword
Yuanli Technology Singapore Pte. Ltd. and its affiliates (hereinafter referred to as “we” or “Yuanli Technology”) respect and are committed to protecting personal information and privacy. The FinAuth SDK (hereinafter referred to as the “SDK”) is a third-party face-recognition KYC verification SDK launched by Yuanli Technology, designed to provide Clients with comprehensive end-to-cloud KYC verification services. To clarify the personal information processing practices that may be involved in this SDK, we have formulated the FinAuth Personal Information and Privacy Protection Policy (hereinafter referred to as the “FinAuth Policy”) to introduce the detailed rules regarding the collection, use, retention, and other processing activities within this SDK.
In addition, in specific business scenarios built upon or further developed based on this SDK, our clients (hereinafter referred to as “Clients”) or we may separately provide end users (hereinafter referred to as “Users” or “you”) with specific privacy policies or similar legal documents. You should also carefully and thoroughly read such privacy policies or similar legal documents applicable to those scenarios to ensure that you are fully informed of all relevant practices regarding personal information processing. The FinAuth Policy applies solely to this SDK and is completely independent from any privacy policies or similar legal documents that our Clients or any third parties may or are required to provide to you.
We highlight personal sensitive information in bold italics for your special attention. If Clients or Users have any questions, comments, or suggestions regarding this Policy, you may contact us at any time through the communication channels provided in the FinAuth Policy.
Summary
1. As a third-party face-recognition KYC verification SDK, when you use the products, features, or services of Clients that have integrated the FinAuth services, we will process the information required for the Client’s use of FinAuth, as well as any information required by applicable laws and regulations, strictly in accordance with the Client’s instructions. Such processing may involve your personal sensitive information, including, for example, your name, ID number, facial images, and facial recognition features required for face-verification scenarios. You may refuse such processing; however, doing so may result in your inability to complete certain business processes required by the Client in specific scenarios and may affect your access to or use of the relevant features or services. We have further clarified these circumstances throughout the FinAuth Policy, and key clauses relating to your personal information rights have been highlighted in bold for your special attention.
2. For efficiency and accuracy, we generally recommend that you exercise your personal information rights directly through the Client whose product or service you are using. You may also submit your rights requests through the channels described in the FinAuth Policy, and we will promptly forward your request to the relevant Client and provide necessary assistance to facilitate their response.
3. To carry out the business processes described in the FinAuth Policy, to provide or optimize services, and to safeguard your property and account security, we may need to request certain permissions on your device. Sensitive permissions—such as access to the camera, microphone, or photo library—will only be invoked within the scope of your explicit authorization. You may review and manage the permissions granted to us at any time through your device’s operating system settings, where the granted permission types and their purposes are clearly listed.
The FinAuth Policy is intended to help Clients and Users understand the following:
1.How we collect and use personal information
2.How we retain and disclose your personal information
3.How we protect your personal information
4.How personal information is transferred globally
5.Your rights regarding personal information
6.How we process children’s personal information
7.How to contact us
8.How the FinAuth Policy is updated
In the FinAuth Policy, “Personal Information” refers to any information recorded electronically or by other means that relates to an identified or identifiable natural person, excluding information that has been anonymized.
Unless the laws and regulations of the country, organization, or region relevant to our service provision specify otherwise regarding user consent for personal information within their jurisdiction, FinAuth engages in a variety of business collaborations with customers across different service scenarios. Together with our customers and suppliers, we ensure that any personal information collected and processed has been obtained with your full and valid authorization and consent.
With respect to this SDK, either we or our customers may collect and use certain personal information about you, including:
1) Facial Image-Related Technical Applications
To provide capabilities related to facial image technologies, we may process the original images, videos, or other data you or our customers provide to further identify and extract facial key points and other facial recognition features. These features are used to implement specific functions such as facial comparison and liveness detection. Please understand that this SDK is part of FinAuth’s AI capabilities platform; if you refuse to provide original images, videos, or other relevant data, the aforementioned functionalities cannot be performed.
Please note that we primarily utilize advanced algorithms and models, such as neural networks, to provide technical capabilities to our customers. These functionalities may involve the processing of facial recognition features and other biometric information, which constitutes sensitive personal information. Regarding how biometric information is collected and used under specific products and/or services that you directly use, we recommend that you carefully review the relevant rules applicable to those products and/or service scenarios (usually communicated to you by our customers) before deciding whether to consent to such processing.
2) Identity Document Information Recognition Applications
To provide capabilities related to identity document information recognition, we may further process the original document images, names, ID numbers, and other data proactively provided by our customers to identify and extract document information (including photos and textual information on the ID) for the purpose of identity verification and information collection. These functionalities may involve processing identity document information and other personal identity information, which constitute sensitive personal information. Please understand that this SDK is part of FinAuth’s AI capabilities platform; if you refuse to provide the relevant data, the aforementioned functionalities cannot be performed.
3) Applications for Ensuring Technical Process Security
Given the business scenarios of the customers we serve (e.g., financial credit scenarios), we may, when necessary, additionally collect certain application information (including installed abnormal applications, abnormal files, and abnormal system processes), as well as device and system information (including gyroscope sensor data, number of sensors, presence of Bluetooth/flashlight, battery charging status and method, Android ID, device network VPN and proxy information, creation/modification times and IDs of specific system files). This information, combined with the specific records generated during facial image, identity document, and related technical applications, is used for proactive defense functions such as attack and anomaly detection, response, and evidence preservation.
Please note that, while striving to maintain the efficiency of the technical application processes, these proactive defense functionalities may affect your ability to successfully complete the technical application process, and thus impact your ability to use, or the extent to which you can use, the specific products and/or services provided by our customers. We again recommend that you carefully review the relevant rules applicable to such scenarios (usually communicated by our customers) before deciding whether to consent to or withdraw such processing.
[Notice
Regarding Sensitive Personal Information]
Your name, identification number, facial images, and facial recognition
features provided during your use of FinAuth’s facial verification and liveness
detection functions may constitute sensitive personal information
under the laws and regulations of certain countries, regions, or
organizations. You should decide whether to provide such information only
after being fully informed and giving your explicit consent. If you choose not
to provide this information, you will be unable to complete the corresponding
facial verification or access related services.
The specific information regarding this SDK product is set out in the table below. If you are an app developer using the relevant SDK products, you are required to fulfill the corresponding notification obligations to end users through your privacy policy or equivalent legal documentation, and ensure that your app’s collection and use of personal information adheres to the principles of lawfulness, legitimacy, necessity, and good faith.
|
Purpose / Function |
Triggering Scenario (When Collected) |
Personal Information Collected |
Mandatory/Optional |
|
To perform face recognition and liveness detection (core SDK functions) |
When the Face SDK is activated for face recognition |
Facial information (including face images, liveness detection short videos, and extracted biometric features) |
Mandatory |
|
For application authentication and compatibility adaptation |
When the Face SDK is initialized |
Device information (including device brand/model, operating system and version, processor architecture, current application package name, version number) |
Mandatory |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Application information (including installed abnormal apps, abnormal files, abnormal system processes) |
Optional |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Device information (including gyroscope sensor data, number of sensors, presence of Bluetooth/flashlight, battery charging status and mode, Android ID, device network VPN and proxy information, creation/modification time and ID of specific system files) |
Optional |
|
To connect to the network for interaction and optimize SDK strategies based on network status |
When the Face SDK is initialized |
Network information (including network connection status, type of connection (e.g., 4G, WiFi)) |
Mandatory |
|
To correct user posture during face recognition and improve capture quality |
When the Face SDK is performing face recognition |
Device information (including gravity sensor data) |
Optional |
|
Purpose / Function |
Triggering Scenario (When Collected) |
Personal Information Collected |
Mandatory/Optional |
|
To perform face recognition and liveness detection (core SDK functions) |
When the Face SDK is activated for face recognition |
Facial information (including face images, liveness detection short videos, and extracted biometric features) |
Mandatory |
|
For application authentication and compatibility adaptation |
When the Face SDK is initialized |
Device information (including device brand/model, operating system and version, processor architecture, current application package name, version number) |
Mandatory |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Installed abnormal applications and plugins |
Optional |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Device information (including gyroscope sensor data, number of sensors, battery charging status and mode, Identifier for Vendors (IDFV), device network VPN and proxy information) |
Optional |
|
To connect to the network for interaction and optimize SDK strategies based on network status |
When the Face SDK is initialized |
Network information (including network connection status, type of connection (e.g., 4G, WiFi)) |
Mandatory |
|
To correct user posture during face recognition and improve capture quality |
When the Face SDK is performing face recognition |
Device information (including gravity sensor data) |
Optional |
|
Purpose / Function |
Triggering Scenario (When Collected) |
Personal Information Collected |
Mandatory/Optional |
|
To perform face recognition and liveness detection (core SDK functions) |
When the Face SDK is activated for face recognition |
Facial information (including face images, liveness detection short videos, and extracted biometric features) |
Mandatory |
|
For application authentication and compatibility adaptation |
When the Face SDK is initialized |
Device information (including device brand/model, operating system and version, processor architecture, current application package name, version number) |
Mandatory |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Application information (including installed abnormal applications and plugins) |
Optional |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Device information (including gyroscope sensor data) |
Optional |
|
To connect to the network for interaction and optimize SDK strategies based on network status |
When the Face SDK is initialized |
Network information (including network connection status, type of connection (e.g., 4G, WiFi)) |
Mandatory |
|
To correct user posture during face recognition and improve capture quality |
When the Face SDK is performing face recognition |
Device information (including gravity sensor data) |
Optional |
|
Purpose / Function |
Triggering Scenario (When Collected) |
Personal Information Collected |
Mandatory/Optional |
|
To perform image quality inspection and capture (core SDK function) |
When the Document SDK is initialized |
Document information (including document photos and corresponding extracted text information) |
Mandatory |
|
For application authentication and compatibility adaptation |
When the Document SDK is initialized |
Application information (including current application package name) |
Mandatory |
|
For application authentication and compatibility adaptation |
When the Document SDK is initialized |
Device information (including device brand/model, operating system and version, processor architecture) |
Mandatory |
|
To determine network connectivity |
When the Document SDK is initialized |
Network information (i.e., network connection status) |
Mandatory |
To ensure that you can properly use the FinAuth SDK, we will request the following device permissions from your device system through the developer’s application. Prior to requesting these permissions, we will seek your consent, and you may choose to “Allow” or “Deny” the permission request. Once you have granted authorization, the relevant permissions will be enabled. You may revoke the authorization at any time in your device settings. Please note that revoking permissions may prevent you from using certain features and services. The SDK’s access to device permissions is as follows:
|
Purpose / Function |
Triggering Scenario (When Requested) |
Required Permissions |
Mandatory/Optional |
|
To perform face recognition and liveness detection (core SDK functions) |
When the Face SDK is activated for face recognition |
Camera |
Mandatory |
|
To connect to the network for interaction and optimize SDK strategies based on network status |
When the Face SDK is initialized |
Network |
Mandatory |
|
Purpose / Function |
Triggering Scenario (When Requested) |
Required Permissions |
Mandatory/Optional |
|
To perform face recognition and liveness detection (core SDK functions) |
When the Face SDK is activated for face recognition |
Camera |
Mandatory |
|
To connect to the network for interaction and optimize SDK strategies based on network status |
When the Face SDK is initialized |
Network |
Mandatory |
|
Purpose / Function |
Triggering Scenario (When Requested) |
Required Permissions |
Mandatory/Optional |
|
To perform face recognition and liveness detection (core SDK functions) |
When the Face SDK is activated for face recognition |
Camera |
Mandatory |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
Application Information |
Optional |
|
For device risk detection and SDK security protection |
When the Face SDK performs device risk assessment |
(No specific permission listed) |
Optional |
|
To connect to the network for interaction and optimize SDK strategies based on network status |
When the Face SDK is initialized |
Network |
Mandatory |
|
SDK Name |
Purpose / Function |
Triggering Scenario (When Requested) |
Required Permissions |
Mandatory/Optional |
|
OCR_SDK(Android) |
To perform image quality inspection and capture (core SDK function) |
When the Document SDK is initialized |
Camera |
Mandatory |
|
To determine network connectivity |
When the Document SDK is initialized |
Network Information |
Mandatory |
|
|
OCR_SDK(iOS) |
To perform image quality inspection and capture (core SDK function) |
When the Document SDK is initialized |
Camera |
Mandatory |
|
OCR_SDK(HarmonyOS) |
To perform image quality inspection and capture (core SDK function) |
When the Document SDK is initialized |
Camera |
Mandatory |
2. How We Retain and Disclose Your Personal Information
1)Retention of Your Personal Information
Unless otherwise required by applicable laws, regulations, or
regulatory requirements, we retain your personal information only for the
shortest period necessary to achieve the purposes for which it was collected.
Under this SDK, we primarily provide technical capabilities for specific applications. To ensure the proper functioning of this SDK, we will retain device information collected during your use of the SDK and for a reasonable period thereafter. Once the specific functionalities have been performed, we will promptly delete or anonymize the original images, videos, and other data provided by our customers, as well as any service results derived from such data.
2)External Collaborations in FinAuth’s
Business
In our collaborations with customers and suppliers, we strictly adhere to the
principles of lawfulness, legitimacy, minimal necessity, and security prudence.
We reach agreements with customers and suppliers in advance and consistently
follow the relevant contractual terms to protect the security of your personal
information.
Personal
Information Interactions with Our Customers
Please understand that this SDK is a third-party technical SDK and typically
acts as a processor of personal information on behalf of our customers. We
perform specific processing in accordance with customer instructions. In this
process, we carry out the necessary technical processing on the original
personal information based on the requirements provided by the customer and provide
the corresponding service results to the customer. Please note that although
this process involves the interaction of personal information with our
customers, it does not constitute substantive third-party information sharing.
We have implemented reasonable and feasible administrative and technical measures to protect the personal information we process and to respond to personal information security incidents. However, please note that, despite these measures, no website, Internet transmission, computer system, or wireless connection can be guaranteed to be completely secure.
Specifically, under this SDK, the primary security measures we employ to protect the personal information you provide include, but are not limited to:
1) De-identification of Personal Information: Whenever feasible, we de-identify your personal information to reduce the risk of re-identification by other organizations or individuals.
2) Regular Review of Processing Methods: We regularly review the methods by which personal information is processed, including physical security measures, and continuously enhance the security of technical tools such as APIs and SDKs.
3) End-to-End Security Measures: We continuously strive to safeguard your personal information and implement measures such as end-to-end encryption during transmission to prevent unauthorized access, use, or disclosure of your personal information.
Our servers are located in Singapore, Indonesia, and Japan.
Our clients will independently determine which server(s) to support; based on the choices made by our clients, your personal information may be transferred from your jurisdiction to servers located in Singapore, Indonesia, or Japan for processing.
Should it become necessary to transfer your personal information globally, we, together with our clients, will endeavor to ensure such transfers comply with the mandatory legal requirements of the relevant jurisdictions.
5. Your Personal Information Rights
We highly respect your lawful rights regarding personal information. Below, we outline your rights and how we protect them. Please note that, for specific requests, we may need to verify your identity prior to processing your request for security reasons.
1) Right to Be Informed: We are committed to enhancing the transparency of personal information processing and will inform you of how we handle your personal information through the FinAuth Policy and other relevant legal documents.
2) Right of Access: You have the right to access your personal information.
3) Right to Rectification: If you discover any inaccuracies in the personal information we process about you, you have the right to request correction.
4) Right to Deletion: If we have no lawful reason to continue retaining and processing your information, you may request that we delete your personal information, and we will promptly comply with your request.
5) Right to Object to Automated Decisions: You have the right not to be subject to decisions based solely on automated processing, including user profiling. If such decisions significantly affect your lawful rights, you have the right to request an explanation.
6) Right to Explanation: You have the right to request an explanation regarding our rules for processing your personal information.
7) Right to Data Portability: Subject to compliance with applicable national regulatory requirements and technical feasibility, you may request the transfer of your personal information to a designated processor. If necessary, please contact us in advance to confirm whether the conditions are met and to determine the specific transfer procedure.
8) Right to Inquire: You have the right to inquire about your personal information. Where necessary and in accordance with applicable regulations, you may also request a copy of your personal information.
9) Right to Withdraw Consent: Each functional module requires certain basic personal information to operate. If you withdraw your consent or authorization, we will no longer provide the services corresponding to the withdrawn consent and will cease processing the relevant personal information. However, your decision to withdraw consent or authorization will not affect any personal information processing conducted based on your prior consent or authorization.
You may exercise your rights of access, rectification, deletion, withdrawal of consent, and other rights by contacting us at business@yljz.com. We will complete the verification and processing of your request within 15 business days.
In principle, we do not charge fees for reasonable requests. However, for repeated requests or requests excessive requests, we may charge a reasonable fee to cover the associated costs. We may refuse requests that are unreasonably repetitive, require excessive technical efforts (e.g., developing new systems or fundamentally changing existing practices), pose risks to the lawful rights of others, or are highly impractical (e.g., involving information stored on backup tapes).
Unless otherwise stipulated by the laws and regulations of the country or region, or organization, relevant to the provision of our services, generally, we will complete the verification and processing of your request within 15 working days or within the period specified by applicable laws and regulations.
If we fail to respond to your request in a timely manner, or if we are unable to resolve the issue through communication, and you believe your personal information rights have been infringed, we respect your right to seek further remedies.
Please be aware that all our products, websites, and services are primarily intended for business clients. We do not proactively or independently collect or process children's personal information.
Should any client or user intend to provide us with or request us to process children's personal information, it is imperative that prior and explicit consent has been obtained from the child's guardian in strict accordance with the requirements of applicable laws and regulations. Given the variations in children's personal information protection regulations across different countries, regions, and organizations, clients are obligated to secure the necessary authorization based on the most stringent applicable requirements.
If we discover any original data containing children’s personal information provided by a customer or user without parental or guardian consent, we will immediately delete such data and will not provide any services based on it. For the avoidance of doubt, any individual under the age of 14 shall be considered a child. For minors aged 14 to under 18, we recommend that you review relevant legal documents (including, but not limited to, the customer’s privacy policy and this FinAuth Policy) together with your parent or guardian.
In addition, we place special emphasis on the security and control of children’s personal information. Internally, children’s personal information is classified as the highest security level data type. We implement strong technical and administrative measures, including encrypted storage and strict access control, to provide enhanced protection.
If you have any questions, complaints, or requests regarding this Policy or your personal information, or if you require assistance in exercising your personal information rights, we recommend that you first submit your request directly to the personal information processor in the specific business scenario (typically our customers), who may forward it to us as appropriate. We will respond promptly upon receiving a forwarded request.
If necessary, you may also contact us directly by sending an email to business@yljz.com. To ensure that your request is clear and specific, please include the following in your email:
1) Your name and contact information;
2) Your detailed request, feedback, and/or any relevant links.
We will accept and process your request within 15 working days or within the period specified by applicable laws and regulations. If you are dissatisfied with our response, it is recommended to first attempt to resolve the matter through amicable negotiation.
Should the negotiation fail to reach a consensus, or if you remain dissatisfied with the final outcome, you have the right to seek assistance from the relevant regulatory authorities.
8. How the FinAuth Policy Is Updated
We reserve the right to update or modify the FinAuth Policy from time to time. However, we will not reduce the rights you are entitled to under the FinAuth Policy without your explicit consent. You can view the latest version of the FinAuth Policy on this page.
For significant changes, we will provide more prominent notice (including, for certain services, sending notifications via email specifying the specific changes).
Significant changes to the FinAuth Policy include, but are not limited to:
1) Major changes in our service model, such as the purposes of processing personal information, types of personal information processed, or the manner in which personal information is used;
2) Major changes in our ownership structure, organizational structure, or other significant changes such as business adjustments, bankruptcy, or mergers and acquisitions resulting in ownership changes;
3) Changes in the primary recipients of personal information sharing, transfer, or disclosure;
4) Significant changes in your rights regarding the processing of personal information and the manner in which they are exercised;
5) Changes to the departments responsible for personal information security, their contact information, or complaint channels;
6) When a personal information security impact assessment indicates a high risk.