Privacy Notice (Data Controller)
Preamble
This is the Privacy Notice of the Sumsub group of companies: Sum and Substance Ltd., incorporated and registered in England with company number 09688671 (hereinafter – Sumsub or we) together with all affiliated companies and trading divisions, irrespective of location or jurisdiction. More information about our group can be found in Provision 12 of this Privacy Notice.
1. Scope
This Privacy Notice applies to personal data that we collect and process as a data controller – i.e. when we decide why and how your personal data are used.
This policy does not apply to:
- personal data that we process on behalf of our business customers while providing our Services. Please refer to the Privacy Notice (Service Delivery) for more information in that context;
- personal data about current and former Sumsub employees, contractors, agents acting in similar roles, which is covered by our internal Staff Privacy Notice.
If you are a U.S. resident, you may find information about the relevant U.S. State Privacy Laws application in Provision 14 of this Privacy Notice.
If you are a resident of Illinois, Washington, or Texas, it is necessary to refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 14 of this Privacy Notice). In case of any conflict or ambiguity between the Special biometric notice and the other provisions of this Privacy Notice, the former prevails.
2. Definitions
Client
a legal entity that uses, or is entitled to use, Sumsub’s Services in accordance with the respective Agreement and as authorized by the respective Sumsub entity. For the purposes of identity verification services involving Qualified Electronic Signature, Client is an entity that has a business relationship with Sumsub and to which Sumsub in collaboration with a QTSP provides remote identity proofing services for issuing a QES. Subscribers are the potential customers of Clients and provide their personal data (and Subjects’ personal data, if applicable) to Sumsub on behalf of the respective Client using that Client's websites/platforms;
Service(s)
the personal identity verification service and connected services provided by Sumsub;
Data Controller, or Controller
natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data; i.e. Sumsub where it, alone or jointly with others, determines the purposes and means of the processing of personal data;
Data Processor, or Processor
any legal entity that processes personal data on behalf of Sumsub or Sumsub’s Processor;
Data Subject
any individual whose personal data Sumsub may process, including, but not limited to, Sumsub’s Clients’ customers and representatives, job applicants, Visitors, event or webinar attendees, etc.
Personal data
any information relating to an identified or identifiable Data Subject;
Special categories of personal data
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
Visitor
any individual interacting with or using Sumsub Websites;
Processing
any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Consent
any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;
Customer Account
a dedicated account created by a prospective Client’s representative via the Sumsub Website for the purposes of subsequent provision of Services and invoicing;
Sumsub Website(s)
sumsub.com or any other public-facing websites owned and managed by Sumsub;
Mobile App
a mobile application owned and managed by Sumsub;
Dashboard Livechat
a system that allows Clients to have real-time interactions with Sumsub’s support team in a chat box in the Dashboard;
Standard Contractual Clauses
standard sets of contractual terms and conditions adopted by the European Commission and ensuring appropriate safeguards for data transfers from the EEA and the UK to third countries, which the Controller and the Processor both sign up to, where necessary;
EEA
European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);
CCPA
the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
3. Principles of personal data processing that Sumsub adheres to
Sumsub adheres to the principles of personal data protection as envisaged in the EU GDPR and UK GDPR. In accordance with these principles, personal data is:
- Processed fairly, lawfully and transparently in relation to the Data Subject;
- Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Kept accurate and up to date;
- Not retained longer than necessary;
- Processed in a manner that ensures their appropriate security;
- Not transferred outside the European Economic Area (EEA) or the EU without adequate protection.
4. Purposes, types, and retention period of personal data processing
Sumsub only processes personal data according to the purpose limitations below.
[a] Customer support purposes
Sumsub collects and processes personal data in order to provide you with the information you request from Sumsub, either as a Client via Dashboard Livechat or as a Visitor using website forms.
Personal data:
- first name;
- email address (if provided);
- phone number (if provided);
- other information necessary for Sumsub to resolve the relevant issue.
Retention period: three years, enabling Sumsub to re-contact you in the event of unforeseen circumstances.
[b] Direct marketing purposes
We email subscribers with compliance-related advice, news and guidelines if they have previously consented to this via the relevant website form. We may also email or otherwise notify our existing Clients of new products and functions of our Services on a ‘soft opt-in’ basis, on the assumption that existing Clients wish to be kept informed of better offers and service benefits.
Personal data:
- email address.
Retention period: until you unsubscribe by following the respective link in the email.
Please note that you can unsubscribe from Sumsub emails about compliance-related advice, news and guidelines at any time by following the “Unsubscribe” link in the email.
[c] Client communications and account management
We process the personal data of our potential Clients’ representatives to maintain communication with them regarding entering into an agreement, carrying out customer due diligence, providing Services to the Client, and other similar matters.
When a Client creates and uses a Customer Account, we process the data below in order to service and invoice it.
Personal data:
- personal data of the representative (e.g., name, job title, position, contact information, and certain data contained in an ID document);
- information obtained in connection with providing the Services to the respective Client (e.g., communication materials);
- personal data contained in corporate documents;
- publicly available data relevant to the position of the Client’s representatives.
Retention period: up to six years from the date of termination of the contract, or from the date of the interaction while taking steps to enter into the relationship, enabling Sumsub to keep in contact with active Clients and to provide the Services uninterrupted.
[d] Events purposes
We hold various events online, such as webinars or workshops for which you can sign up. In such cases, we process your data to enable you to register for the event, receive a reminder, and provide ancillary information.
When registering for an event, you may also choose to subscribe to future webinars and similar events hosted by Sumsub by selecting the appropriate option in the registration form. You may withdraw this consent at any time by following the unsubscribe link in any event communication or by contacting us at [email protected].
Once you have signed up for the event, your information is added to and managed through our contact database in line with the marketing preferences you submitted to us. Where permitted by law, a member of our sales team may contact you if your submission indicates that you may be interested in our services. When you attend an offline event (e.g. an expo or forum) and express an interest in communicating with us, we process your data as we do for business purposes.
Personal data:
- name;
- email address;
- company name and position.
Retention period: up to five years after registration for the event.
[e] Recruitment purposes
When you apply for a position at Sumsub, we process the information you provide to assess your qualifications and consider your application. We may also use your contact details to follow up with you during the recruitment process.
For more details, please see Privacy Notice for Candidates.
[f] Purposes of Sumsub Websites functionality, analytics, and improvement
When you interact with our Sumsub Websites, we, along with certain vendors and third-party providers, may use cookies and similar tracking tools to gather information about you or how you use the websites. Cookies are small files stored on your device that help recognize your browser and remember your preferences.
But cookies aren't the only way this kind of tracking happens. Other technologies can serve the same purpose, such as local storage (e.g., HTML5), tracking pixels, web beacons, plug-ins, and local shared objects.
For more details on our use of tracking technologies, please see our Cookie Policy.
[g] Exercise of Data Subject’s privacy rights
We process personal data to respond to and manage requests you make in relation to your Data Subject’s rights under applicable laws and in accordance with Provision 8. This includes verifying your identity, maintaining a record of the request, and communicating with you regarding the outcome.
Personal data and retention period:
- contact details, such as your email address: three years;
- biometric data (such as facial features): until Sumsub’s purposes for collecting the biometric data are satisfied or, for residents of Texas, until one (1) year after the date on which the purpose for collecting the data expires, whichever occurs first, without prejudice to any verification records that may be retained for AML purposes for up to five (5) years from the provision of the data to the Sumsub system. For residents of Illinois, the retention period for Personal data, including biometric data, is three (3) years from the date of data provision to the Sumsub system. For Colorado residents, biometric data is deleted at the earliest of: (a) fulfilment of the stated purpose; (b) 24 months after your last interaction with us; or (c) 45 days after we determine that the data is no longer necessary.
Disposal and Destruction Policy
Any Personal data is deleted only after (a) receipt of a data deletion request submitted by a Client or the Data Subject in line with the corresponding procedures, or (b) satisfaction of the purpose of the data processing, including termination of the agreement with a Client or expiry of the retention period prescribed by applicable law.
To delete data from the Sumsub Identity Verification System (the Dashboard and its storage space), we call a method that looks up the unique applicant identifier (Applicant ID) in the database. The database record holds references (object IDs) to the applicant’s Personal data stored in the system. After collecting all of these references, the Dashboard removes the referenced objects one by one by calling the AWS S3 object deletion API with the object IDs under which they are stored in the S3 bucket. Only once every referenced object has been found and deleted from the S3 bucket is the applicant’s record itself deleted from Sumsub’s internal database, which is hosted on AWS servers. Deletion of biometric data must render it non-recoverable, even with forensic data recovery techniques.
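The following is an added example that models the deletion sequence described above; it is not Sumsub’s own code. The S3 bucket and applicant database are constructed in-memory stand-ins (in production the bucket call would be boto3’s `delete_object(Bucket=..., Key=...)` against a real bucket). The point it makes explicit is the ordering: the database record is removed only after every referenced object is confirmed gone, so a failed object deletion never leaves personal data in the bucket with no record pointing at it.

```python
"""Applicant deletion flow: delete referenced S3 objects first, DB record last.

Added example, not Sumsub's code. FakeS3Bucket and FakeApplicantDb are
constructed stand-ins for the real storage; function names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class FakeS3Bucket:
    """Minimal stand-in for an S3 bucket: a dict of object key -> bytes."""
    name: str
    objects: dict = field(default_factory=dict)
    fail_on: set = field(default_factory=set)  # keys whose deletion is made to fail

    def delete_object(self, key: str) -> None:
        # Like S3's DeleteObject, deleting an already-missing key succeeds.
        if key in self.fail_on:
            raise RuntimeError(f"simulated S3 error deleting {key}")
        self.objects.pop(key, None)

    def head_object(self, key: str) -> bool:
        """True if the object still exists (used to verify the delete)."""
        return key in self.objects


@dataclass
class FakeApplicantDb:
    """applicant_id -> record; each record lists the S3 keys it references."""
    applicants: dict = field(default_factory=dict)

    def references_for(self, applicant_id: str) -> list:
        return list(self.applicants[applicant_id]["object_keys"])

    def delete_applicant(self, applicant_id: str) -> None:
        del self.applicants[applicant_id]


def delete_applicant_data(db: FakeApplicantDb, bucket: FakeS3Bucket, applicant_id: str) -> dict:
    """Delete every stored object for the applicant, then the DB record.

    The DB row is removed only after all referenced objects are confirmed gone,
    so a partial failure keeps the references available for a retry instead of
    leaving orphaned personal data in the bucket.
    """
    if applicant_id not in db.applicants:
        return {"applicant_id": applicant_id, "status": "not_found",
                "deleted_objects": [], "failed": []}

    deleted, failed = [], []
    for key in db.references_for(applicant_id):
        try:
            bucket.delete_object(key)
        except Exception as exc:  # a real client raises botocore ClientError
            failed.append((key, str(exc)))
            continue
        if bucket.head_object(key):
            failed.append((key, "object still present after delete"))
        else:
            deleted.append(key)

    if failed:
        return {"applicant_id": applicant_id, "status": "partial",
                "deleted_objects": deleted, "failed": failed}

    db.delete_applicant(applicant_id)
    return {"applicant_id": applicant_id, "status": "deleted",
            "deleted_objects": deleted, "failed": []}


def build_sample():
    """Constructed sample data: two applicants whose objects share one bucket."""
    bucket = FakeS3Bucket(name="applicant-docs", objects={
        "app-1/selfie.jpg": b"...", "app-1/passport.jpg": b"...",
        "app-2/selfie.jpg": b"..."})
    db = FakeApplicantDb(applicants={
        "app-1": {"object_keys": ["app-1/selfie.jpg", "app-1/passport.jpg"]},
        "app-2": {"object_keys": ["app-2/selfie.jpg"]}})
    return db, bucket


if __name__ == "__main__":
    db, bucket = build_sample()
    print(delete_applicant_data(db, bucket, "app-1"))
```

A real implementation would also need to cover replicas, backups and any derived artefacts (thumbnails, extracted templates) that hold copies of the same data; the model above only tracks the references the database knows about.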
To delete data from equipment, we apply the measures appropriate to the operating system of that equipment. Where information is intended to be rendered non-recoverable, the deletion must be executed by the person who owns it (typically the person who created it) using the ‘empty trash’ mechanism. Note that emptying the trash only removes the file system’s reference to the data; the underlying storage blocks may remain recoverable until they are overwritten. If any of the above methods is not secure enough for the sensitivity of the information and the information could be recovered, the storage medium of the equipment must be destroyed completely (e.g. shredded, disintegrated, pulverised, or incinerated in a licensed incinerator) in the presence of the Asset Owner.
To delete data from files located on removable media, we use the settings and tools designated for the relevant sanitisation method (clearing or purging). If purging is not secure enough for the sensitivity of the information and the information could be recovered, the removable media containing it must be destroyed completely (e.g. shredded, crushed, disintegrated, pulverised, or incinerated in a licensed incinerator).
To delete data from mobile devices, we use the means provided by the particular device. If a mobile device is to be reused, recycled or donated, or is no longer to be used by Sumsub staff, the staff member must reset the device to its original settings. As a general rule, on Apple iPhone and iPad devices: Settings > General > Reset > Erase All Content and Settings. On Android devices: Settings > Backup & reset > Factory data reset > Reset phone. Exact menu names vary by OS version and vendor.
It’s forbidden to handle any sensitive data in any equipment, removable media or mobile devices.
Any request to delete all or any Personal data relating to a Data Subject is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.
When the processing purposes differ from those specified above, Sumsub maintains the following retention period considering the amount, nature and sensitivity of the Personal data and the purposes for which we’re permitted to process it.
When we develop and improve identity verification services to prevent and detect fraud and other illicit activity, we keep Personal data in a pseudonymised format for the period required to calibrate and select the most suitable algorithm and model for detecting fraud and other illicit activity. We may also have to store some records that have been confirmed as relating to fraudulent applications or accounts, or obtain and maintain records to prove our compliance with legal obligations in and outside the EU and the UK. For example, for the consent activity log history, the retention period is defined by criteria derived from statutory limitation periods, other applicable regulatory requirements, contractual provisions and industry standards.
When the purpose refers to the establishment, exercise or defence of legal claims (so-called ‘litigation hold’), the retention period is limited to the duration of such proceedings in a specific case or circumstance.
In any case, we do not keep your data longer than we have a lawful basis for doing so.
[h] Business purposes related to Services delivery
In certain cases, Sumsub processes Personal data as an independent data controller to support and improve the delivery of its Services. These activities serve our legitimate interests and include:
- Service development, improvement, and research;
- detecting and preventing fraud, money laundering, and other illicit activities;
- conducting analytics and profiling related to AML/CFT risk indicators;
- ensuring compliance within the Sumsub Travel Rule Ecosystem, including sharing due diligence data in accordance with legal requirements;
- supporting crypto-related features such as wallet attribution for Travel Rule compliance;
- operating Sumsub ID, including creating and maintaining dedicated storage spaces (“Data Pool Keys”) for Applicants who wish to reuse their identity data with multiple Clients;
- identity verification services involving Qualified Electronic Signature;
For more details, please see our Privacy Notice (Services Delivery).
[i] Marketing and audience-building purposes
Sumsub may collect and process professional contact information that is publicly available on LinkedIn and other professional networks, such as name, job title, employer, and business email address, for the purpose of building targeted marketing audiences. This includes uploading hashed contact lists to advertising platforms (such as LinkedIn Ads, Google, or Meta) to create custom audiences and lookalike audiences for the promotion of Sumsub’s products and services. We rely on the legitimate interests legal basis (direct B2B marketing and audience targeting).
Personal data processed:
- name, job title, employer name, business email address.
Retention period: until the marketing purpose is fulfilled or until you object.
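The following added example (not Sumsub’s or any ad platform’s code) shows what a “hashed contact list” of the kind mentioned above looks like in practice: addresses are normalised so that the same person always produces the same digest, de-duplicated, and SHA-256 hashed before upload. The normalisation rules here (lower-case, whitespace removed) are the common denominator; each platform publishes its own exact rules, which are not reproduced. The `match_candidate` function illustrates why such a list is pseudonymised rather than anonymous data under the GDPR framing used in this notice: anyone who holds a candidate address can test whether it is on the list. The contact records are constructed sample data.

```python
"""Build a hashed audience list and show that the hash is a pseudonym.

Added example, not Sumsub's code. CONSTRUCTED_CONTACTS is sample data;
the normalisation rules are a generic assumption, not any platform's spec.
"""
import hashlib


def normalize_email(email: str) -> str:
    """Canonical form so the same address always hashes identically."""
    return "".join(email.split()).lower()


def hash_identifier(email: str) -> str:
    """SHA-256 hex digest of the normalised address (the usual upload format)."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_hashed_audience(contacts) -> list:
    """Return the sorted, de-duplicated upload rows: digests only, no clear text."""
    return sorted({hash_identifier(c["email"]) for c in contacts if c.get("email")})


def match_candidate(hashed_audience, candidate_email: str) -> bool:
    """Membership test: holding a candidate address is enough to re-identify a row,
    which is why a hashed list is pseudonymous data, not anonymous data."""
    return hash_identifier(candidate_email) in set(hashed_audience)


# Constructed sample: one person listed twice with different casing/spacing,
# and one record without an address that must be skipped.
CONSTRUCTED_CONTACTS = [
    {"name": "A. Example", "email": " Jane.Doe@Example.com "},
    {"name": "B. Example", "email": "jane.doe@example.com"},
    {"name": "C. Example", "email": ""},
]

if __name__ == "__main__":
    audience = build_hashed_audience(CONSTRUCTED_CONTACTS)
    print(len(audience), "row(s):", audience)
    print("candidate on list:", match_candidate(audience, "JANE.DOE@example.com"))
```

Because the input space of business email addresses is small and guessable, the objection and retention commitments in the table above still apply to the hashed list itself, not only to the clear-text source records.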
5. Automated decision-making, human review and checks
When we perform the Services, the checks are automated, semi-automated, or carried out by humans. When we carry out checks, we operate a combined verification system in which automated processing and human review both play a part. A human is involved whenever the system cannot reach a verdict on its own, or in order to re-check the system’s verdict. This may occur when the data is uncertain or the system encounters some other difficulty in analysing the information during the verification session. This ensures that the verification process is fair and safe for users.
Decision-making during processing is therefore based on a combination of machine and human work. Where decisions are to be made, for example, on the suitability of a job candidate or of a customer before concluding an agreement, they are not fully automated and involve human intervention.
6. The lawfulness of personal data processing
Sumsub always relies on the appropriate legal grounds of processing, which depend on the processing purposes:
- Contract. We may process your Personal data to take steps before entering into a contract with you and to perform our obligations under such contract, such as for the purpose of Client communications and account management or for the purpose of providing you with Sumsub ID.
- Legitimate interest. We may process your Personal data relying on our legitimate interests, such as, among others:
- provision of customer support;
- assistance in effective exercise of Data Subject’s privacy rights;
- provision of event details and reminders, if you are taking part in our Events;
- Improvement and development of our Services;
- conducting analytics and profiling related to AML/CFT risk indicators;
- ensuring compliance within the Sumsub Travel Rule Ecosystem, including sharing due diligence data in accordance with legal requirements;
- supporting crypto-related features such as wallet attribution for Travel Rule compliance.
- Legal obligation. We may be obliged to process some of your personal data to comply with applicable laws in connection with recruitment processes or where we need to comply with valid legal processes such as search warrants, subpoenas, or court orders.
- Consent. We may process certain personal data based on your consent, such as, among others, when we process your Personal data for direct marketing purposes or when you are passing biometric verification for the purpose of exercise of Data Subject’s rights.
7. Processing children’s personal data
Sumsub may process personal data of children (individuals below the age of majority under applicable national laws) both as a data controller and as a data processor, subject to a valid legal basis under applicable data protection laws.
When acting as a data controller, Sumsub will only process children’s personal data where a valid legal basis exists: for example, where the person with parental responsibility for the child has provided consent, or where such processing is otherwise permitted under the applicable national law without parental consent (including cases where the child may consent independently under national law). If Sumsub becomes aware that it has collected or processed a child’s personal data without a valid legal basis, it will delete such data without undue delay.
When acting as a data processor, Sumsub may process children’s personal data as provided and instructed by the Client. In this case, it is the Client’s responsibility, as data controller, to ensure that a valid legal basis exists for such processing, including obtaining parental consent where required, or otherwise complying with the applicable age-related regulatory requirements in the jurisdictions where the Client operates and collects data from users.
If Sumsub becomes aware that a child’s Personal data has been submitted without the necessary parental consent (for instance, through an internal audit), the data may be deleted without undue delay.
8. Data Subjects’ rights
Sumsub respects and guarantees the following rights of each Data Subject. According to privacy laws, you have the right to:
- obtain confirmation as to whether or not your personal data is being processed;
- obtain a copy of your personal data undergoing processing;
- rectify personal data, or, in other words, to correct wrong information or supplement incomplete information;
- erase personal data, or “right to be forgotten”. Please note that this right is not absolute and applies only if (i) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, (ii) you object to the processing, and there are no overriding legitimate grounds for Sumsub to process data; (iii) personal data has been unlawfully processed;
- restrict personal data processing where (i) the accuracy of the personal data is contested (for the period during which Sumsub verifies its accuracy); (ii) the processing is unlawful, and you object to the erasure of the personal data and request restriction of its use instead; (iii) Sumsub no longer needs the personal data for the purposes of processing, but you require it to establish, exercise or defend legal claims; (iv) you have objected to processing, pending verification of whether Sumsub’s legitimate grounds override yours;
- data portability or, in other words, to receive your personal data in a structured, commonly-used, machine-readable format to be able to provide it to another party or transfer your personal data from one controller to another;
- object to personal data processing if the processing is justified by ‘public interest’ or ‘legitimate interest’ legal grounds as set out in points (e) and (f) of Article 6(1) of the GDPR;
- not be subject to a decision based solely on automated processing unless (i) such decision is necessary for entering into, or the performance of, a contract between you and the data controller; (ii) such a decision is authorised by law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or (iii) such a decision is based on your explicit consent;
- lodge a complaint with the competent supervisory authority: for EU residents, the data protection authority of your Member State; for UK residents, the Information Commissioner’s Office (ICO).
To request that Sumsub executes the rights mentioned above, you should send a free form email to [email protected] or use this form. Information on actions taken regarding any request is provided to you within one month. That period may be extended by two months where necessary, considering the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request and the reasons for the delay.
Making a request is free of charge, except that a reasonable fee may be charged where requests are manifestly unfounded, excessive or repetitive in character.
Please note that any Data Subject’s request to delete all or any personal data related to a Data Subject is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.
9. Withdrawing consent and objection to legitimate interest mechanism
To withdraw consent or object to processing justified by a legitimate interest, you can send a free-form email to [email protected] or use this form. The Data Subject will then go through an authentication procedure to prove that the request is actually made by them and is valid.
10. Specific measures to ensure data protection
Sumsub takes specific measures to ensure personal data protection, including, but not limited to, the following:
- where applicable, all personal data processing is conditioned on respective Agreements, non-disclosure agreements and data processing agreements compliant with the EU GDPR and the UK GDPR;
- Sumsub’s purpose-built integration interface (an embeddable iframe) enables Data Subjects to submit personal data directly to Sumsub’s secure servers, rather than through the Client’s systems;
- all personal data is always securely stored on servers located in European data centres of a security level no lower than Tier 3¹;
- all personal data is encrypted;
- personnel involved in personal data processing are officially authorised and undergo background checks and regular training;
- Sumsub regularly carries out internal and external data protection and information security audits and vulnerability assessments. In particular, compliance with the EU GDPR and the UK GDPR requirements, ISO/IEC 27001, 27017 and 27018, SOC 2 Type 2, and PCI DSS has been demonstrated. Visit our Sumsub Trust Center for more information;
- where the processing of certain personal data (e.g., children’s personal data or sensitive data under certain data protection laws) would be unlawful, Sumsub takes measures to identify and delete or, where appropriate, encrypt such data immediately upon its submission;
- physical, software and network security guarantees as set out below are implemented.
¹At present, all personal data is stored and processed on specially designated servers in Germany.
If certain types of personal data are under special protection regimes (such as the Dutch BSN, Korean RRN, Singaporean NRIC number, Japanese My Number Card and related sensitive data, as well as other country-specific identity document data), Sumsub will take necessary measures not to process such data — such as requesting the user to cover such data with a sticker or using blurring technology, unless the respective Client has a legal basis for processing it freely.
11. Data disclosure
[a] Third Parties
Sumsub may need to engage third parties for data processing activities; these fall into the following categories:
- Data Processors as reasonably necessary to operate Sumsub Websites, Mobile App, as well as to achieve other purposes provided in this Privacy Notice;
- Data providers, when it is necessary for carrying out due diligence of the Clients; and
- Sumsub Group of companies for assistance in service provision and Sumsub EU representative for granting the opportunity to Data Subjects and Supervisory authority to address Sumsub within EU borders for the purposes of Article 27 of the EU GDPR.
Sumsub requires Third Parties to respect the security of personal data and to treat it in accordance with applicable law. As a rule, Third Parties are limited to accessing or using personal data only to provide services to Sumsub, and must provide reasonable assurances that they will appropriately safeguard the data.
[b] Recipients
Sumsub may have to provide personal data to Recipients, which includes the following categories:
- Governmental bodies and regulatory authorities, judicial bodies, investigative bodies, sworn bailiffs and notaries, on the basis of written and specific requests. Such sharing is conducted in strict compliance with the EU GDPR and the UK GDPR, including their applicable derogations.
- Any other Clients provided that there is a legitimate interest or any other legal reason for doing so, obtained consent or where Sumsub has been instructed to share the information on behalf of our Clients as specified above.
12. Sumsub group of companies and EU Representative
Sumsub is a group of companies established as a network of the following legal entities operating worldwide. The processing activities stipulated in this Privacy Notice are provided by the operating company: Sum and Substance Ltd. (registered in England and Wales under company number 09688671), which is for and on behalf of itself and the other members of the Sumsub group of companies. The following entities constitute the Sumsub group of companies:
- The UK: Sum and Substance Ltd
- Germany: Sumsub GmbH
- Cyprus: SUMSUB Tech Limited, SUMSUB LTD, Raritex Trade Ltd.
- The USA: Sumsub Inc
- UAE: Sumsub Technology LLC
- Singapore: Sumsub APAC Pte. Ltd.
- Brazil: Sumsub Brasil LTDA
Sumsub’s EU representative is SUMSUB LTD - incorporated and registered in Cyprus with company number HE 405087.
13. International data transfers
Sumsub confirms that all personal data that is submitted to Sumsub is stored in the EU and/or, subject to national localisation requirements, in the respective country where such requirements exist.
Where it is necessary for the purpose of processing, achieving or ensuring convenient and reliable communication with the Data Subjects, Sumsub may transfer personal data outside of the EU/EEA or the UK to the Third Parties and Recipients indicated in Provision 11 of this Notice.
Whenever personal data is transferred outside the EU or the EEA, Sumsub applies the safeguards set out in Chapter V of the EU GDPR: either the transfer is covered by an EU adequacy decision (or UK adequacy regulations), or Standard Contractual Clauses are concluded. Third-Party Processors likewise rely on appropriate safeguards, such as Binding Corporate Rules or Standard Contractual Clauses. Cross-border transfers of personal data from the UK to EU/EEA countries are permitted by the UK Government.
To ensure transparency and compliance with applicable data protection legislation, Sumsub provides below the countries outside the EU to which personal data may be transferred and the corresponding international data transfer mechanism applied.
- UK
- United States of America: appropriate safeguards pursuant to Article 46 of the EU GDPR and the UK GDPR (the Standard Contractual Clauses); or an adequate level of protection pursuant to Article 45 of the EU GDPR (EU–US Data Privacy Framework).
- United Arab Emirates: appropriate safeguards pursuant to Article 46 of the EU GDPR and the UK GDPR (the Standard Contractual Clauses).
- Singapore: appropriate safeguards pursuant to Article 46 of the EU GDPR and the UK GDPR (the Standard Contractual Clauses).
- Brazil: EU Adequacy Decision for Brazil, Brussels, 26 January 2026.
14. Jurisdiction-Specific Notices
a. Additional Information for Individuals residing in certain U.S. States
If you reside in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, the information in this section applies to you. This section also serves as our California notice at collection where required under applicable law.
Additional Disclosures
This Privacy Notice describes how we collect and use personal information (see Provision 4) and disclose it to third parties (see Provision 11), as well as our data retention practices (see Provision 4). The following disclosures summarize this information as required by certain U.S. State Privacy Laws.
In the context covered by this Privacy Notice, Sumsub acts as a Business (or equivalent term under applicable state law), determining the purposes and means of processing personal information about website visitors, prospective and existing Client representatives, marketing contacts, job applicants, event attendees, and individuals exercising their data subject rights.
(1) Categories of Personal Information Collected
Depending on the context in which you interact with Sumsub, we may collect the following categories of personal information (as prescribed by the CCPA):
- Identifiers: Full name, email address, IP address, or other similar identifiers.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): Full name, address, email address, telephone number, and employment-related information provided in the course of entering into or managing a Client relationship.
- Biometric information: Facial features, where collected for the purpose of verifying the identity of individuals submitting data subject rights requests.
- Internet or other similar network activity: Access history and information about your interaction with Sumsub Websites, collected via cookies and similar tracking technologies. Please refer to our Cookie Policy for more details.
- Geolocation data: General location derived from IP address or device metadata.
- Professional or employment-related information: Occupation, employer, job title, and related details provided by Client representatives or job applicants.
- Inferences: Fraud-related signals or risk indicators generated in connection with identity verification performed for the purpose of processing data subject rights requests.
Further details about the types of personal information we collect are described in Provision 4 of this Privacy Notice.
(2) Purposes of Processing and Categories of Third Parties
Sumsub collects and processes personal information for the purposes described in Provision 4 and discloses personal information as described in Provision 11.
We may disclose personal information to the following categories of third parties:
- authorized service providers and data processors supporting our business operations;
- data providers used in the context of Client due diligence;
- the Sumsub group of companies;
- supervisory authorities, courts, regulators, or government agencies where required by law.
In the preceding twelve (12) months, Sumsub has disclosed the following categories of personal information in connection with its controller activities: identifiers; personal information categories listed in the California Customer Records statute; biometric information; internet and other similar network activity; geolocation data; professional or employment-related information; inferences.
(3) Third-Party Analytics and Advertising Technologies
Third-party analytics and advertising providers may collect personal information through our Websites and apps, including identifiers and device information (such as cookie IDs, device IDs, and IP addresses), geolocation data, usage data, and inferences derived from that data, as described in our Cookie Policy. These providers may combine this data across multiple sites and services for their own purposes. For example, we use Google Analytics to understand how users interact with our Websites; you can learn how Google collects and uses data at www.google.com/policies/privacy/partners.
Where our Websites include integrations, references, or links to third-party services, any personal information you provide to those third parties (or that we share with them) is governed by their own privacy practices, not this Notice.
Some disclosures of personal information to third-party analytics and advertising providers may constitute a "sale" or "sharing" of personal information as defined under California law and analogous U.S. state privacy laws. If you wish to opt out of such disclosures, please refer to the "Your Privacy Rights under U.S. State Privacy Laws" section below, or manage your preferences through our Cookie Policy.
(4) Sources of Personal Information
We collect personal information directly from you, automatically through your interactions with our Websites (including via cookies and similar technologies), from our Clients' representatives in the course of account management and service delivery, and from third-party data providers used for Client due diligence purposes, as described in Provision 4.
(5) Retention of Personal Information
We retain personal information in accordance with the retention periods set out in Provision 4 of this Privacy Notice. Retention periods depend on factors such as the purpose for which data was collected, applicable legal or regulatory requirements, and our legitimate operational needs.
(6) Sale, Share, and Targeted Advertising
Sumsub does not sell personal information in the traditional sense and does not share personal information for cross-context behavioural advertising in connection with its core business activities.
However, certain disclosures of personal information to third-party analytics and advertising providers through our Websites and apps (including identifiers, device information (such as cookie IDs, device IDs, and IP addresses), geolocation data, usage data, and inferences derived from that data) may constitute a "sale" or "sharing" of personal information as defined under California law and analogous U.S. state privacy laws. Please refer to the "Third-Party Analytics and Advertising Technologies" subsection above for more details.
We do not knowingly sell or share the personal information of individuals under the age of 16.
To opt out of the sale or sharing of your personal information, or to opt out of targeted advertising, you may:
- manage your cookie and tracking preferences as described in our Cookie Policy; or
- submit an opt-out request by contacting us at [email protected].
If our practices change in the future, we will update this Privacy Notice and provide any required notice or opt-out rights under applicable law.
(7) Processing of Sensitive Personal Information
Certain personal information processed by Sumsub may constitute sensitive personal information under applicable state privacy laws, including the CCPA. In the context of this Privacy Notice, this may include:
- biometric identifiers and biometric information, where collected for the purpose of verifying the identity of individuals submitting data subject rights requests (see Provision 4[g]).
Where Sumsub processes sensitive personal information, such processing is limited to purposes permitted under applicable privacy laws, including purposes necessary to perform services, maintain security and integrity, detect and prevent fraud or illegal activity, and comply with legal obligations.
Because sensitive personal information is used only for these permitted purposes, the right to limit the use of sensitive personal information under certain privacy laws generally does not apply to the processing described above.
(8) Your Privacy Rights under U.S. State Privacy Laws
Depending on the state in which you reside, you may have certain rights regarding your personal information. These may include:
- the right to confirm whether we process your personal information and to access such information;
- the right to obtain a copy of your personal information in a portable format;
- the right to request correction of inaccurate personal information;
- the right to request deletion of personal information;
- the right to opt out of the sale of personal information, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.
California residents also have the right to request:
- categories of personal information collected about them;
- categories of sources from which the information was collected;
- business or commercial purposes for collecting or sharing the information;
- categories of third parties to whom the information was disclosed; and
- the specific pieces of personal information collected.
To submit a request, please contact us at [email protected] or use the request form.
Authorized agents may submit requests on behalf of individuals where permitted by law.
We will not discriminate against individuals for exercising any of their privacy rights.
Before responding to a request, we will verify the identity of the requester using information already maintained by us or through additional information reasonably necessary to confirm the requester's identity.
We aim to respond to requests within 45 days of receipt. If additional time is required (up to a total of 90 days), we will notify you within the initial 45-day period.
Information provided in response to a consumer request shall be provided free of charge, up to twice annually per consumer. If requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to act on the request.
If we deny a request, you may have the right to appeal that decision by contacting us at [email protected]. Depending on your jurisdiction, you may also have the right to contact the relevant supervisory authority or attorney general.
(9) Automated Processing
Sumsub's identity verification Services involve automated analysis of identity documents, biometric facial images, and other verification data. In the context of this Privacy Notice, automated processing may be used when verifying the identity of individuals who submit data subject rights requests (see Provision 4[g]).
As described in Provision 5, Sumsub's verification processes involve a combination of automated checks and human review. Final decisions are not made solely by automated means.
(10) Financial Incentives
We do not offer financial incentives in exchange for providing your personal information.
b. Special Notice to Residents of the States of Illinois, Washington or Texas (USA)
Personal data processed by Sumsub may include certain "biometric identifiers" (such as scans of facial geometry or voiceprints) and "biometric information" (data extracted from and based on biometric identifiers), which are used to verify the identity of the given Data Subject.
In any event, biometric data shall only be collected and further processed by Sumsub after having obtained written informed consent of the respective Data Subject to such collection and further processing. In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of Illinois, Washington or Texas (USA) apply to the legal relationship between Sumsub and any Data Subject.
15. Changes to this Notice
This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the relevant data protection laws.
Sumsub reserves the right to make amendments to this Notice at any time and for any reason. Any amendments will be effective immediately upon us posting the updated Privacy Notice on our website. Users of our website waive the right to receive specific notice about such amendments. You are invited to review this Privacy Notice at any time to stay informed about updates.
When required under applicable law, we will notify you of any changes to this Privacy Notice by posting an update on our Website or in another appropriate manner.
If you want to view the previous version of this Privacy Notice, please contact us at [email protected] or visit this link. Our technical and legal support teams work 24/7 and will answer you shortly.