Last updated: 1 December, 2021

CCPA Privacy Notification


Sumsub ('we/us/our'), being a software-as-a-service business, takes the requirements and restrictions under the CCPA very seriously.

The CCPA Privacy Notification ('Notification') supplements the privacy provisions contained in the Sumsub Privacy Notice.

This Notification is addressed to Sumsub's clients who reside in the State of California and those who are California residents and will provide their personal information to Sumsub for processing, including via Sumsub's public-facing websites.

We adopt this Notification to comply with the requirements and restrictions under the California Consumer Privacy Act of 2018 ('CCPA') and other California privacy laws.

1. Definitions

According to the definitions outlined in Civil Code section 1798.140, for purposes of this Notification:

  • Consumer

    a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. The consumer is considered a User ('User' or 'you/your') when receiving any services provided by Sumsub.

  • Personal information

    any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.

  • Business

    a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers' personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the thresholds indicated in Section 1798.140. The Business is considered to be a Client when applying for Sumsub services.

  • Service Provider

    a person that processes personal information on behalf of a business and receives from or on behalf of the business a consumer's personal information for a business purpose according to a written contract. Sumsub may be a Service Provider under the Service Provider Agreement.

  • Agreement

    the Service Provider Agreement concluded by Sumsub with each Business (or 'Client'), its annexes, and appendices.

  • Service(s)

    the personal identity verification service and connected services provided by Sumsub.

  • Third-Party

    the service providers, authorized to exercise certain processing activities under the direct authority of Sumsub. Any other terms defined in the CCPA and Privacy Notice have the same meaning when used in this Policy.

2. Scope of this Notification

We may act as a Service Provider

We process personal data where we are engaged by a Business (a Client or its agent) for the purposes of the respective Agreement.
For clarity, as part of the Services provided to a Business, we perform remote identity verification procedures. Before passing such procedures, Users express their Consent in line with the Business's privacy policy.

We may act as a Business

We may determine the purposes and means of personal data processing in some instances. This applies, in particular, to the following situations:

  • when "cookie" files are collected in the course of the website or livechat operation;
  • when the Prooface website is visited and interacted with;
  • when we obtain data from the forms filled out on the website;
  • when a prospective Client's representative creates a Customer Account via the website;
  • when taking steps before entering the contract with a Client and further processing for the performance of the contract;
  • when Sumsub's Demo Mobile App or WebSDK Demo on Sumsub's website or Liveness Demo on Prooface's website is used.

3. The types of information that may be collected about you

Category A – Identifiers

Full name, postal address, Internet Protocol address, email address, Social Security number, driver's license number, identity document data (such as document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features), or other similar identifiers.

Category B – Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

Full name, signature, Social Security number, address, email address, telephone number, identity document data (such as document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features), driver's license or state identification card number, bank account number, credit or debit card number (cardholder name, expiry date, first six and last four digits of the card number), or any other financial information (documents provided as proof of source of funds/wealth).

Category C – Protected classification characteristics under California or federal law

Age (if the User is over 40) and citizenship.

Category D – Commercial information

Records of personal property.

Category E – Biometric information

Facial features.

Category F – Internet or other similar network activity

Access history and information on your interaction with our services.

Category H – Audio, electronic, visual, thermal, olfactory, or similar information

Photos of the face (including selfie images) and photo or scan of the face on the identification document, videos, sound recordings.

Category I – Professional or employment-related information

Occupation, employment information.

Category L – Sensitive personal information

Information concerning health (vaccination certificates data, test certificates (NAAT/RT-PCR test or a rapid antigen test) data, and certificates for persons who have recovered from COVID-19).

4. Sources of information collection

We collect the above-listed categories of personal information from the following sources:

  • Directly from our clients or their agents (e.g., our clients provide to us the information necessary for the Services for which they engage us).
  • Directly from you (e.g., you provide us with the information when our clients or agents subscribe and engage our services).
  • Directly and indirectly from you when interacting with our websites (e.g., tech information collected automatically in your interaction with our website or application and other information you left when filling in the forms or making the requests).

5. Purpose of use of the provided information

We will not collect additional categories of personal information or use the personal information already collected for purposes that are materially different from, unrelated to, or incompatible with those indicated below without providing you notice:

As the Business

We may collect and further process personal data submitted via the website to:

  • provide you with the information you may request from us in a livechat or the 'Contact Us' form;
  • provide you with the information you may request from us in the 'Make a request' form;
  • email you regarding compliance-related advice, news, and guidelines (if you have previously consented to it using the 'Contact Us' form);
  • evaluate the information presented by you when considering a candidacy and contact you back;
  • maintain communication with a Client's representative regarding entering into an Agreement, carrying out due diligence of the Clients, and providing Services to the respective Client and other similar matters;
  • provide a representative of a prospective Client with an opportunity to create a Customer Account on the website and operate it to be serviced and invoiced;
  • provide the test of WebSDK Demo on Sumsub's website to demonstrate the capabilities of Sumsub's facial and identity verification service when Sumsub's clients integrate with the Sumsub service.

When you interact with the website, fill in the forms or livechat, or test WebSDK Demo, we collect "cookie" files. Cookies are necessary to store your preferences and settings, enabling you to sign in, personalize content and advertising, combat fraud, and analyze the incoming traffic. The Cookie Policy is available here.

We may collect personal information submitted via Sumsub's Demo Mobile App to provide a demonstration of the capabilities of Sumsub's facial and identity verification service when Sumsub's clients integrate with the Sumsub service.

We may collect and further process personal information submitted via the Prooface website to:

  • provide you with functionality and better user experience regarding the Prooface website as stated in the Cookie Policy (Prooface section);
  • provide you with the information you may request via the 'Contact Us' and 'Make a request' forms;
  • email you regarding compliance-related advice, news, and guidelines (if you have previously consented to it using the 'Contact Us' form);
  • provide the test of Liveness Demo on Prooface's website.

As the Service Provider

We provide Services to our Clients, collecting and further processing Users' personal information to verify their identities. Such procedures may be necessary for the Clients' compliance with the applicable AML/CFT or other laws and regulations and the Clients' internal due diligence policies and procedures.

We subject some personal information to automated reading, verification of authenticity, and other types of automated processing, such as cross-checks against multiple databases of Data Providers (e.g., PEP lists, global and country-specific sanctions lists, criminal lists, financial lists).

Once the personal data is no longer necessary for the relevant purpose, we, upon the written instruction of the Business, erase it from our servers without leaving any backup copies after having transferred it to the Business (if the Business so requests).

6. Sharing of personal information

We may share personal information with Third-Parties if this is necessary to provide a service under the Agreement with a client or its agent, to operate Sumsub websites, to achieve other purposes of Sumsub, or to comply with the legal obligations vested on Sumsub. The Third-Parties we engage are mostly limited to accessing or using personal information for limited purposes and provide reasonable assurances that they appropriately safeguard the personal information.

Sometimes Sumsub may have to share personal information with Third-Parties that have their own purposes. In this case, Sumsub concludes all the necessary agreements containing applicable law compliance and non-disclosure obligations.

  1. In the preceding twelve (12) months, we have disclosed the following categories of personal information indicated in Section 3 of the Notification:

    1. Category A: Identifiers.
    2. Category B: California Customer Records personal information categories.
    3. Category C: Protected classification characteristics under California or federal law.
    4. Category D: Commercial information.
    5. Category E: Biometric information.
    6. Category F: Internet or other similar network activity.
    7. Category H: Audio, electronic, visual, thermal, olfactory, or similar information.
    8. Category I: Professional or employment-related information.
    9. Category L: Sensitive personal information.
  2. We have not sold any personal information in the preceding twelve (12) months.

7. Your Rights and Choices

You are granted specific rights regarding your personal information under the CCPA. This section describes your CCPA rights and explains how to exercise those rights with Sumsub.

As the Business, we respect and guarantee the following rights of each consumer:

Right to know

  1. The categories of your personal information we collected;
  2. Our purposes for collecting that personal information;
  3. The categories of third parties with whom we share that personal information;
  4. The specific pieces of your personal information we collected (so-called data portability right).

Right to delete

You have the right to request us to delete any of your personal information we collected from you and retained, subject to certain exceptions. Once we receive a valid request and verify your identity, we delete (and direct our service providers to delete) your personal information from our systems unless an exception applies.

Your deletion request may be denied if retaining the information is necessary to:

  1. Ensure information security, including actions for detection of security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, or prosecution of those responsible for such activities;
  2. Exercise the prevailing human rights such as the right of another consumer to exercise their free speech rights, or another right provided for by law;
  3. Comply with the requirements of the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
  4. Comply with a legal obligation to retain personal information under applicable laws;
  5. Make other internal and legitimate uses of that information compatible with the purposes for which you provided it.

8. Exercising of CCPA Rights

To exercise the rights described above, please submit a valid request to us by email at [email protected].

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make a valid request related to your personal information.

You may only make a valid request for data portability twice within 12 months. To make a valid request, you must describe it in sufficient detail for us to properly understand and evaluate it, and you must pass the verification procedure. If we cannot verify your identity or authority to make the request and verify the personal information related to you, we cannot respond to your request or provide you with personal information.

As the Service Provider, we assist Businesses in exercising your CCPA rights upon the respective Business's written instruction.

9. Request response Timing and Format

We endeavor to respond to a valid request within 45 days of its receipt. When we require more time (up to 90 days), we inform you of the reason and the extension period in writing.

We will deliver our written response in the way a valid request has been obtained: we'll email you back if you email us. If the response is supposed to be delivered by any other means of communication, we'll do so.

We do not charge a fee to process or respond to any request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for that decision and provide you with a cost estimate before completing the request.

Please note that any disclosures we provide only cover the 12 months preceding the valid request's receipt. The response also explains the reasons we cannot comply with a request, if applicable. For data portability requests, we choose a format to provide your personal information that is readily usable and should allow you to transmit the information with no obstacles.

10. Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. Unless permitted by the CCPA, we do not:

  • Deny your use of our Websites or Services.
  • Provide you with a different level or quality of Websites or Services.

11. Changes to Our Privacy Notice

This Notification is constantly reviewed and amended to provide appropriate compliance with the CCPA and other applicable laws.

The date this Notification was last updated is identified at the bottom of this page.

12. Contact Information

If you have any request or complaint regarding the CCPA Privacy Notification or wish to exercise any of the rights granted to you by the applicable laws, please contact us at [email protected] or [email protected]. Our support team works 24/7 and will answer you shortly.