Last Updated: April 9, 2026

Section 1: Introduction

This Privacy Policy describes TokenWorks’ data practices regarding information within its scope, including the choices available to you. Unless otherwise stated, “information” or “personal information” means information that identifies, relates to, or is reasonably capable of being associated with an individual or household.

This Privacy Policy applies to information we collect where we control the purposes and means of processing, specifically through our websites (including tokenworks.com and idscanner.com, operated as “IDScanner.com by TokenWorks”), dashboard, apps (including Android and Windows apps), emails, or other online services that link to this Privacy Policy (the “Service“) as well as from other sources described below. Your use of the Service is subject to our Master Services Agreement.

This Privacy Policy does not apply to:

• The practices of third parties we do not control.
• Information collected in the context of job applications or employment with us.
• Information that has been anonymized or, to the extent permitted by law, deidentified.

For information on how we process personal information on behalf of our business clients, please see the Processing on Behalf of Our Business Clients section below.

If you are a resident of the U.S., see our U.S. State-Specific Disclosures.

See Contact Us for our contact details.

Section 2: Processing on Behalf of Our Business Clients

TokenWorks provides identity verification products and services to business clients. In connection with providing these products and services, we collect and use information on their behalf (“client data“). For example, we may collect and process information to verify your identity and otherwise comply with the law. Client data has historically included contact identifiers, characteristics or demographics, commercial or transactions information, device identifiers, device information, internet activity, and non-precise location data, among other information. Client data may also include sensitive data such as biometric data or government issued ID data and precise location data.

Our collection of such data and our processing of such data is governed by the written agreement executed by us and the applicable business client, including our Data Processing Addendum, privacy policy or other agreement between the customer and you or your organization, and not this Privacy Policy.

If we process your information on behalf of one of our clients and you wish to discontinue such processing, or if you seek to correct, amend, or delete inaccurate data, please directly contact the client on whose behalf we are processing such information. Where permitted by law, we may create aggregated, de-identified, or anonymized data from Client data, and use such data for our lawful business purposes, including to improve our algorithms and products.

Section 3: Collection

We collect the following categories of information:

• Contact identifiers, including your name, email address, postal address, phone number.
• Business contact information, including your company name and title.
• Characteristics or demographics, including your country of residence.
• Commercial information, including records of products or services you purchased, obtained, or considered.
• Account credentials, including your username, password, password hints, and other information used for authentication or account access.
• Payment information, including your payment instrument number (such as a credit or debit card number), expiration date, and security code as necessary to process your payments. This information is processed by our payment processors.
• Content, including any content within messages you send to us (such as feedback or questions).
• Device identifiers, including your device’s IP address and Ad ID.
• Device information, including your device’s operating system and browser (e.g., type, version, and configuration), internet service provider, and regional and language settings.
• Internet or other network activity, including your browsing history and interactions with the Service, such as the features you use, pages you visit, content you view, time of day you browse, and referring and exiting pages.
• Non-precise location data, such as location inferred from an IP address or generalized to a city or postal code level.
• Precise location data, such as latitude and longitude, collected with your consent.
• Inferences, preferences, or other insights we derive from the information described above.

Some of the information we collect may be considered sensitive under applicable law. See our region-specific disclosures for details.

Section 4: Sources

We collect information from the following sources:

• Information you provide through the Service. When you use the Service, you may be asked to provide information to us, such as when you register for an account, sign up for our communications, and respond to or contact us. Please do not provide any information that we do not request.
• From your device. When you use the Service, we and third parties we work with automatically collect information from your browser or device using cookies and other tracking technologies. See Cookies and Other Technologies.
• Through our business relationship with you. To the extent you engage with us on behalf of another business, we collect information relating to you and that business. This information is not subject to this Privacy Policy except as required by applicable law.
• From third parties. We obtain information from third party sources, including:
  • Third party vendors and related parties we work with in connection with receiving analytics, security, and fraud prevention services.
  • Data providers, such as licensors of private and public databases.
  • Public sources, such as data in the public domain.
• Where we generate the information. We generate information based on information we collect from the various sources described above. For example, we derive inferences, preferences, or other insights using analytics or machine learning.

Section 5: Cookies & Other Technology

This section describes the types of tracking technologies we use to automatically collect information from your browser or device. See Your Privacy Choices to exercise choice around tracking technologies.

• Cookies. Cookies are browser-based text files placed on your browser when you visit a website, open or click on an email, or interact with an advertisement. There are various types of cookies, including session cookies (which expire when you close your browser) and persistent cookies (which remain until a set expiration date or until you manually delete them). Cookies may be first party (served directly by us) or third party (served by third parties we work with).
• Pixels. Pixels (also known as web beacons) are pieces of code embedded in a service. There are various types of pixels, including image pixels (typically one-pixel transparent images) and JavaScript pixels (which execute code). Pixels are often used in conjunction with cookies. When you access a service that contains a pixel, the pixel may allow us or a third party to collect information from your browser or device, or to place or read cookies on your browser.
• App technologies. App technologies refer to tools embedded in apps that are not browser-based like cookies. For example, our apps may include Software Development Kits (SDKs), which are tools provided by third parties to enable specific functionality. When you use our apps, these technologies may allow us or a third party to collect information from your browser or device.

We use these tracking technologies for various purposes, including to operate our Service, personalize your browsing experience, prevent fraud, improve security, and perform measurement and analytics.

Section 6: Purposes for Collection & Use

We collect and use information for the following purposes:

• To provide services, including operating and maintaining the Service.
• To personalize your experience, including showing you content we believe may be of interest to you.
• To communicate with you, including sending transactional and marketing messages by email.
• To understand usage and trends, including through surveys you respond to and tracking technologies incorporated into the Service (such as Google Analytics).
• To improve products and services, including to improve our models and algorithms, and to conduct testing, research, product development, and analytics related to the products and services.
• For security, compliance, and enforcement, including preventing, detecting, investigating, and responding to fraud, misuse, policy or legal violations, or threats to safety.
• At your direction, including where you instruct us to use your information in a specific way or where we notify you and obtain your consent.
• Non-personal information. We may anonymize or deidentify information so it is no longer considered personal information under applicable law. Where we deidentify information, we commit to maintaining and using the deidentified information in deidentified form and not attempt to reidentify it. We may use non-personal information for any purpose permitted by law.

See Your Privacy Choices to exercise choice around our collection and use.

Section 7: Disclosure

We disclose the information we collect for the purposes described in this Privacy Policy. The categories of persons to whom we disclose information include:

• Service providers. Many of the third parties we work with are service providers that collect and process information on our behalf. Service providers perform services for us, such as payment processing, data analytics, website hosting, and technical support. To the extent required by law, we contractually prohibit our service providers from processing information they collect on our behalf for purposes other than performing services for us, although we may permit them to use non-personal information for any purpose permitted by law.
• Third party vendors and related parties. Some of the third parties we work with independently control the purposes and means of processing your information. For example, we disclose information to vendors that provide analytics, security, and fraud prevention services to us.
• Affiliates. We disclose information to our affiliates and related entities, including where they act as our service providers subject to this Privacy Policy or use the information in accordance with their own privacy policies.
• Recipients in a merger or acquisition. We disclose information in connection with, or during negotiations of, any proposed or actual merger, purchase, sale, or any other type of acquisition or business combination of all or any portion of our assets, or transfer of all or a portion of our business to another business.
• Recipients for legal, security, and enforcement purposes. We disclose information to comply with the law or other legal process, and where required, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We also disclose information to protect the rights, property, life, health, security, and safety of us, the Service, or anyone else.
• Recipients at your direction or with your consent. We disclose information where you direct us to do so or with notice to you and your consent.
• Non-personal information. We may disclose non-personal information for any purpose permitted by law.

See Your Privacy Choices to exercise choice around our disclosures.

Section 8: Third Parties

Our Service may link to or be incorporated with websites and online services controlled by third parties. In addition, we may integrate technologies into our Service, including those described in Cookies and Other Technologies, that are controlled by third parties. Except where third parties act as our service providers, they (not us) determine the purposes and means of processing your information.

Section 9: Your Privacy Choices

This section describes the choices available to you regarding your information.

Region-Specific Choice.

Some regions offer additional choice. If you are a resident of the U.S., see our U.S. State-Specific Disclosures. If you are located in the EEA, Switzerland, or the UK, see our EU Disclosures.

Emails.

To stop receiving marketing emails follow the unsubscribe instructions near the bottom of such emails, or email us at as set out in the Contact Us section below with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt out of transactional emails.

Accounts.

If you have an account with us, you can delete your account through your account settings. We will address your request in accordance with our data retention practices. You may also request account deletion by contacting privacy@tokenworks.com.

Browser and Device Controls.

• Cookies and pixels. You may be able to manage cookies through your browser settings. When you manage cookies, pixels associated with such cookies may also be impacted. Please note that cookie management only applies to our website. If you use multiple browsers, you will need to instruct each browser separately. If you delete or reset your cookies, you will need to reconfigure your settings. Your ability to limit cookies is subject to your browser settings and limitations.
• App technologies. Unlike cookies, app technologies cannot be controlled by your browser settings. For some platforms (like Apple iOS), we will only receive access to your device’s Ad ID if you provide consent. You can reset your device’s Ad ID through your device settings, which is designed to limit how the prior Ad ID can be used. See your device settings for details. You can stop all collection of information through an app by uninstalling the app.
• Third party opt-out tools. Some third parties we work with offer their own opt-out tools related to information collected through cookies and pixels. To opt out of your information being used by Google Analytics, visit https://tools.google.com/dlpage/gaoptout. We are not responsible for the effectiveness of their tools.

Section 10: Children

The Service is not directed toward children under 18 years old. If you are a parent or guardian and believe we have collected information from children in violation of applicable law, contact us as set out in the Contact Us section below.

Section 11: Security

We implement and maintain reasonable administrative, physical, and technical security safeguards to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please note that transmission via the internet is not completely secure and we cannot guarantee the security of information about you.

Section 12: Retention

We retain information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

Section 13: International Transfer

We are based in the U.S. Your information may be transferred to and processed in the U.S. or another country where we operate. Where required by applicable law, we will provide appropriate safeguards for data transfers.

Section 14: Changes to this Privacy Policy

We reserve the right to revise and reissue this Privacy Policy at any time. Any changes will be effective immediately upon posting of the revised Privacy Policy. Your continued use of our Service indicates your consent to the Privacy Policy then posted. If the changes are material, we may provide additional notice to you, such as through email or prominent notice on the Service.

Section 15: Contact Us

The controller responsible under this Privacy Policy is:

TokenWorks, Inc. (“TokenWorks,” “we,” “our,” or “us“)

privacy@tokenworks.com

If you have any questions about our data practices or experience difficulty accessing this Privacy Policy, contact us using the postal or email address above. To exercise any choices available to you, follow the instructions provided in the relevant sections of this Privacy Policy.

Section 16: US State-Specific Disclosures

This section applies to residents of California or any other U.S. state that has enacted a comprehensive state privacy law (each, a “Consensus State”). For purposes of this Privacy Policy, Consensus States include Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. This section does not apply to residents of other states except as expressly provided herein.

Notice at Collection

Our data practices are as follows:

• Collection. In the past 12 months, we have collected the categories of personal information set out in the Collection section above.
• Sources. The categories of sources from which we collect personal information are set out in the Sources section above.
• Purpose. The specific purposes (including business and commercial purposes) for collecting and using personal information are set out in the Purposes for Collection and Use section above.
• Disclosure. The categories of persons to whom personal information is disclosed, including service providers for business purposes, are set out in the Disclosure section above. We disclose the categories of personal information listed in the Collection section above to service providers for business purposes.
• Sales, Shares, and Targeted Advertising. We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising purposes. We do not sell or share the personal information of consumers we know are under 16 years old.
• Profiling. We do not process personal information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
• Sensitive Data. We collect, use, and disclose sensitive personal information only for the permissible business purposes for sensitive personal information under applicable law. WE DO NOT SELL OR SHARE SENSITIVE PERSONAL INFORMATION TO THIRD PARTIES.
• Retention. The criteria used to determine the period of time we retain your personal information is set out in the Retention section above.

Rights

This section sets out your rights. See Exercising Rights below for details on how to exercise your rights.

Verifiable Requests.

For California residents, you have the right to:

• Know what personal information we have collected about you, specifically have the right to know the categories of sources from which personal information was collected, the business or commercial purposes for collecting, selling, or sharing personal information, the categories of personal information that we sold, shared, or disclosed for a business purpose, the categories of third parties to whom we disclosed personal information, and the specific pieces of personal information we have collected about you;
• Correct inaccurate personal information we maintain about you; and
• Delete personal information that we have collected from you.

For Consensus State Residents, you have the right to:

• Confirm whether or not we are processing your personal information, and in some regions, confirm the categories of personal information we have processed;
• Access your personal information;
• Correct inaccuracies in your personal information;
• Delete your personal information;
• Obtain a copy of your personal information that you previously provided to us in a portable and readily usable format.

If you are a Minnesota or Oregon resident, you also have the right to obtain a list of the specific third parties to which we have disclosed your personal data.

If you are a Delaware or Maryland resident, you also have the right to obtain a list of categories of third parties to which we have disclosed your personal data.

If you are a Connecticut or Rhode Island resident, you also have the right to obtain a list of the specific third parties to which we have sold personal information.

• Revocation of Consent. You have the right to revoke consent previously given to us that we rely on to process your personal information. If you withdraw consent, you may not be able to receive certain services dependent on that consent.
• Nondiscrimination. You have the right not to be discriminated against for exercising any of your rights.
• Appeals. You have the right to appeal our decision in response to your requests.
• Authorized Agents. You may exercise your rights through an authorized agent.

Exercising Rights

This section sets out how to exercise your rights.

• Verifiable Requests. Verifiable requests require us to verify your identity before fulfilling them. To exercise any of these rights, submit a request by emailing us at privacy@tokenworks.com. We will confirm receipt of and respond to your request consistent with applicable law. To verify your identity, we may require you to confirm receipt of an email sent to an email address that matches our records, provide us with details relating to your history with us, or provide additional information. If we cannot verify your identity, we may deny your request in accordance with applicable law.

For website tracking technologies: Enable a recognized opt-out preference signal in your browser (such as Global Privacy Control) or adjust your cookie preferences. This opt-out will apply only to the browser in which it is set, and, if you delete or reset cookies or switch browsers, you will need to opt-out again.

For information in our systems: Submit a request through our contact forms available at tokenworks.com or idscanner.com, use the opt-out setting in our app’s settings menu, or use the opt-out option in your account settings (if you have an account).

If we can readily associate the information collected through website tracking technologies with other information in our systems, such as you are logged into your account when you submit the request or we maintain a pseudonymous profile associated with the browser or device from which you submit the request, we will apply the opt-out more broadly across our systems where feasible.

• Consent. To revoke consent, write us at the email or postal address set out in the Contact Us section above (specifying the consent you wish to withdraw). If you withdraw consent, you may not be able to receive certain services related to that consent.
• Authorized Agents. Authorized agents must submit requests through the specific methods designated herein. Except where prohibited by law, we will require written and signed proof of the agent’s permission.
• Appeals. To appeal, write us at the email or postal address set out in Contact Us and specify what you wish to appeal. We will review and respond to your appeal in accordance with applicable law. If we deny your appeal, you may submit a complaint to your Attorney General as follows: Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia.
• Limitations. Your rights are subject to exceptions and our data retention practices. To the extent permitted by law, rights requests must be exercised through the applicable designated method specified herein.

Additional California Disclosures

• Shine the Light. If you are a California resident and have an established business relationship with us, you have the right to request a list of the categories of personal information (as defined by Shine the Light) disclosed by us to third parties for their own direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of such third parties. To exercise this right, write us at the email or postal address set out in the Contact Us section above and specify that you are making a “California Shine the Light Request.” We will respond to requests received in accordance with Shine the Light.
• Do Not Track. We do not respond to Do Not Track signals.

Disclosures for Nevada

For Nevada residents, you have the right to opt-out of sales of your personal information to third parties. To exercise your right, following the opt-out process in Exercising Rights above. Your rights are subject to exceptions and our data retention practices.

Section 17: EEA, Switzerland, and the UK

Data Practices

For individuals located in the European Economic Area, Switzerland, or the United Kingdom, our practices regarding the collection, use, disclosure, and retention of your personal data are set out in the main Privacy Policy above.

Lawful Basis for Processing

Data protection laws in your region require a “lawful basis” for processing personal data. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers, partners, or clients; (b) processing is necessary for the performance of a contract with you; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests. Where applicable, we will transfer your personal data to third countries subject to appropriate safeguards, such as standard contractual clauses.

Requests

You have the right to access, rectify, or erase any personal data we have collected about you. You also have the right to data portability and the right to restrict or object to our processing of personal data we have collected about you. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different from that for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any data processing we do based on consent you have provided to us.

To exercise any of these rights, submit a request through the contact forms available at tokenworks.com or idscanner.com, or write us at the email or postal address set out in the Contact Us section above (specifying the rights you wish to exercise).

Complaints

You also have the right to lodge a complaint with the data protection regulator in your jurisdiction.

Copyright © 2026 TokenWorks, Inc.

tokenworks.com | idscanner.com