Privacy Policy
TLAuth – Mobile Passport Verification Application
Effective Date: June 7, 2026 | Last Updated: June 11, 2026
TL International Group Ltd.
Registered in England and Wales (Company No. 07899212)
Registered Office: 168 Church Road, Hove, East Sussex, BN3 2DL, United Kingdom
Trading Address: Suite 501, Regency House, 91 Western Road, Brighton, BN1 2NW, United Kingdom
Email: IT@tlinternationalgroup.com
1. Introduction
Welcome to TLAuth ("the App"), a mobile passport verification application owned and operated by TL International Group Ltd. ("we," "our," or "us").
TL International Group Ltd. is a company registered in England and Wales (Company No. 07899212) that operates car rental services under the Right Cars Global Rentals and Zezgo Rent A Car brands across more than 25 countries and over 200 locations worldwide.
We are committed to protecting the privacy, security, and integrity of your personal data. This Privacy Policy explains how we collect, use, process, store, disclose, and protect your information when you use the TLAuth mobile application on iOS or Android devices.
The App is used by authorised personnel to verify the authenticity of government-issued passports presented by customers in connection with our car rental services.
By using the App, you acknowledge that you have read and understood this Privacy Policy.
This Privacy Policy is designed to comply with applicable data protection laws, including:
- General Data Protection Regulation (EU) 2016/679 (GDPR)
- UK Data Protection Act 2018 (UK DPA 2018)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Apple App Store and Google Play Store requirements
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Passport Data: Data extracted from a government-issued passport, including Machine Readable Zone (MRZ) data and biometric chip data.
- Biometric Data: The facial photograph stored on the passport's RFID chip.
- Processing: Any operation performed on Personal Data, including collection, recording, transmission, or deletion.
- Data Controller: TL International Group Ltd., which determines the purposes and means of processing your data.
- Data Subject: The individual whose passport is being verified.
- User: The authorised individual operating the App.
3. Data Controller Information
Organisation: TL International Group Ltd.
Company Number: 07899212 (England and Wales)
Registered Office: 168 Church Road, Hove, East Sussex, BN3 2DL, United Kingdom
Trading Address: Suite 501, Regency House, 91 Western Road, Brighton, BN1 2NW, United Kingdom
Email: IT@tlinternationalgroup.com
Website: https://www.right-cars.com
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the details above.
4. Information We Collect
4.1 Passport Data (Identity Document Data)
When a passport is scanned using the App, we collect:
MRZ Data:
- Document type
- Document number
- Full name
- Date of birth
- Gender
- Nationality
- Issuing country
- Document expiration date
- MRZ raw text (lines 1 and 2)
Biometric Chip Data:
- Cryptographic data records
- Facial photograph (JPEG image)
- Document Security Object (SOD)
4.2 Device and Application Data
- Device UUID (randomly generated)
- Operating system type (iOS or Android)
- Application version number
4.3 Verification Metadata
- Scan UUID
- Timestamp (UTC)
- NFC read duration
- MRZ-to-chip match result
- SOD hash verification result
- BAC authentication result
- Active Authentication result
- Overall verification status
- Reservation number
4.4 Account Data
- Username provided by TL International Group Ltd.
- Account status
- Last validation timestamp
4.5 Data We Do Not Collect
We do not collect: GPS or location data, Contacts, Microphone or audio data, Photos or media library content (other than passport biometric photos), Browsing history, Calendar data, Fitness or health information, Financial or payment information, Children's data, Analytics identifiers, Advertising identifiers, or Marketing identifiers.
5. How We Collect Your Data
5.1 Direct Collection
- Camera-Based MRZ Scanning: The App uses the device camera to scan the passport MRZ. Camera images are processed in real time and are not stored.
- NFC Chip Reading: The App uses NFC technology to communicate with the biometric chip embedded in ePassports.
- Manual Entry: Users may manually enter MRZ information.
- QR Code Scanning: The App may scan QR codes for reservation number entry.
5.2 Automated Collection
- Activation Validation: The app periodically validates account status with our servers.
- Connectivity Monitoring: The app monitors internet connectivity to manage offline synchronisation.
6. How We Use Your Data
6.1 Primary Purpose: Passport Verification
Passport data is processed to perform a three-way cryptographic anti-fraud verification:
- Verify that RFID chip data matches printed passport data.
- Verify chip integrity using SOD cryptographic hashes.
- Verify chip authenticity using BAC and Active Authentication.
6.2 Secondary Purposes
- Reservation verification
- User authentication
- Account management
- Compliance and audit requirements
- Fraud prevention
- Offline queue synchronisation
7. Legal Basis for Processing
We process data under one or more of the following legal bases: Consent, Contractual Necessity, Legitimate Interest, and Legal Obligation.
8. Data Transmission and Storage
8.1 Data Transmission
All data transmissions use HTTPS with TLS encryption. Passport verification data is transmitted as XML payloads.
8.2 Data Storage
- Device (In-Memory): Passport data is stored only during the active scan session and is cleared immediately afterward.
- Device (Hive Local Storage): Stores username, activation status, device UUID, and pending offline scans.
- Server: Stores verification results, passport metadata, face photographs, timestamps, and audit records.
8.3 Offline Queue
When offline: Data is temporarily stored in encrypted local storage, automatically transmitted once connectivity returns, and deleted after successful transmission. It is completely purged if transmission cannot be completed within a reasonable period.
8.4 Server Data Retention
Verification data is retained indefinitely for Compliance, Fraud prevention, Audit trail maintenance, and Dispute resolution.
9. Data Sharing and Disclosure
9.1 We Do Not Sell Your Data
We do not sell, rent, trade, or commercially distribute personal data.
9.2 Limited Disclosure
Data may be shared with: TL International Group Ltd. affiliates, Car rental franchise partners, Service providers, and Legal authorities when required by law.
9.3 No Third-Party Analytics or Advertising
The App does not use: Google Analytics, Firebase Analytics, Facebook SDK, Meta Pixel, Advertising SDKs, Tracking technologies, or Data brokers.
10. Third-Party Services and Software
The App uses Google ML Kit (OCR and QR scanning), JMRTD / SCUBA, Bouncy Castle Cryptography, NFCPassportReader, Hive, and connectivity_plus. All processing occurs locally on the device. No passport data is transmitted to these providers.
11. Device Permissions
Required Permissions:
- Camera: Used for MRZ and QR code scanning.
- NFC: Used for reading passport RFID chips.
- Vibration (Android): Used for fraud detection alerts.
The App does not request: Location, Contacts, Microphone, Photos, Calendar, Bluetooth, Notifications, or Background location.
12. Your Rights
Depending on your jurisdiction, you may have rights including Access, Rectification, Erasure, Restriction of Processing, Data Portability, Objection, and Withdrawal of Consent. California residents may also have the Right to Know, Right to Delete, and Right to Non-Discrimination.
To exercise these rights, contact: IT@tlinternationalgroup.com
13. Data Security
Security measures include TLS encrypted communications, on-device processing, BAC and PACE protocols, cryptographic verification, encrypted local storage, restricted system access, security reviews, and incident response procedures.
Note: No electronic system can guarantee absolute security.
14. Children's Privacy
The App is not intended for individuals under 16 years of age. If personal data from a child is identified, we will take appropriate steps to remove it.
15. International Data Transfers
Data may be transferred and processed outside the UK or EEA. Appropriate safeguards include Standard Contractual Clauses (SCCs), Adequacy decisions, and other legally required safeguards.
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Material changes will be reflected by updating the Last Updated date, publishing the revised policy within the App, or providing notice when legally required.
17. Data Breach Notification
Where legally required, we will notify supervisory authorities within 72 hours, notify affected individuals without undue delay, and document the breach and remediation actions.
18. Governing Law
This Privacy Policy is governed by the laws of England and Wales.
19. Contact Information
TL International Group Ltd.
Registered Office: 168 Church Road, Hove, East Sussex, BN3 2DL, United Kingdom
Email: IT@tlinternationalgroup.com
We aim to respond to privacy-related enquiries within 30 days.
20. Summary
| Item | Detail |
|---|---|
| App Name | TLAuth |
| Developer | TL International Group Ltd. |
| Data Collected | Passport data, biometric chip data, device UUID, username, scan metadata, and verification results. |
| Data Stored Locally | Username, activation status, device UUID, and temporary offline scan queue. |
| Analytics / Advertising / Payments | None. |
| Children's Data | Not collected. |
| Data Retention | Temporary on device; server records retained indefinitely. |
| Governing Law | England and Wales. |
| Contact | IT@tlinternationalgroup.com |
© 2026 TL International Group Ltd. All Rights Reserved.