Notification to Processing of Personal Data

By clicking the “Continue” button, I hereby acknowledge and agree that my personal data which I am providing or have provided to the Company – the organisation with which I wish to establish a business relationship after completion of KYC, will be processed by Sumsub Group of Companies (hereinafter - the “Service Provider or Sumsub”), in order to verify my identity for the Company’s purposes of carrying out customer due diligence procedures in accordance with internal procedures and policies of the Company. Please refer to the Privacy Notice for details about the identity and contact details of Sumsub.

1. My name and other means of identification for the purposes of obtaining this Notification shall be established in the course of the processing of my personal data carried out in accordance with this Notification.

2. I hereby acknowledge and agree that processing shall be done for the purposes of the Company and may include matters of compliance with applicable AML/CFT, anti-fraud laws and regulations, age restrictions acts and/or other laws and regulations and/or the Company customer due diligence procedures in accordance with the laws governing the intended business relationship. The processing will also be carried out for other compatible purposes of the Service Provider acting as a separate data controller. Such compatible purposes include service development, fraud and criminal activity prevention, as well as ‘litigation hold’ and statutory obligations of the Service Provider, and are explained in detail in the Privacy Notice available here. The personal data categories processed by the Service Provider for its own purposes are provided in point 5 below and include biometric data.

3. I hereby acknowledge the delegation of personal data processing by the Company:

  • 3.1. I hereby acknowledge and agree that I know the company details (including the address) of the Company, which is the Data Controller. Any orders, directions or instructions for processing, designation of the purposes of the processing, determination of personal data subject to processing and other similar matters are the responsibility of the Company.
  • 3.2. I hereby acknowledge and agree that the Company may entrust the processing of my personal data to data processors (e.g. Service Provider) through which the Company collects and processes my data if it is necessary for the processing purposes as set out above; the personal data may be disclosed to entities associated with Sumsub Group of Companies that are obliged to implement appropriate technical and organisational measures to ensure the safety of the personal data to achieve the purpose of the processing under this Notification. The Service Provider stores personal data in AWS Amazon or Google Cloud (depending on the requirements of the Company on the place of data storage).
  • 3.3. I hereby acknowledge and agree that my personal data may be disclosed to entities associated with the Service Provider to achieve the purpose of the processing under this Notification. The Service Provider guarantees that such entities, as well as other data processors to which it discloses personal data, implement appropriate technical and organisational measures to ensure the safety of the personal data.

4. Data processing methods
I hereby acknowledge and agree that my personal data shall be processed by means of automated text extraction, verification of authenticity/validity and other methods of automated processing of photos and scanned copies of documents.
This Notification covers the following processing activities: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission to the Company or Service Provider and data processors, dissemination or otherwise making available for the performance of a task carried out in the public interest or in the exercise of official authority, transfer (including cross-border transfer, where necessary), alignment or combination, restriction, erasure and destruction.
The personal data may be checked in multiple databases, including International Politically Exposed Persons (PEPs), Sanctions, Country-Specific Sanctions Lists and other ‘watch’ lists. It may also be reviewed in media information sources.
Whenever a transfer of personal data outside the EEA is carried out, the Company and Sumsub implement appropriate safeguards as set out in the applicable laws by transferring on the basis of the EU adequacy decisions (or UK adequacy regulations) or by concluding standard contractual clauses. Third-party processors likewise rely on appropriate safeguards, which include binding corporate rules, standard contractual clauses, or other means as allowed by applicable laws. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.
I hereby acknowledge and agree that Company and Service Provider shall process my biometrics by means of automated reading, verification of the authenticity and other automated processing as stated in the Privacy Notice available here, which includes the processing of facial scan while passing liveness, video-selfie or video identification process, biometric authorisation, face comparison from the photo of an identity document and the facial image, searching of multiple identity creation, work and development of fraud control network to detect and prevent fraud and criminal activity.

5. Types of personal data subject to processing
The following categories of personal data are processed in accordance with this Notification:

  • general personal data: full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, postcode);
  • facial image data; photos of a face (including selfie images) and photo or scan of a face on the identification document, videos, and sound recordings;
  • biometrical data: facial scan(s);
  • identity document data: document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features;
  • banking details: cardholder name, expiry date, first 6 and last 4 digits of the card number, data extracted from documents provided as proof of source of funds/wealth;
  • contact details: address, e-mail address, phone number, IP address;
  • technical data: information regarding the date, time and activity in the Services; IP address and domain name; software and hardware attributes (camera name and type); general geographic location (e.g., city, country) from Data Subject’s device;
  • unique identifier (Applicant ID) created only for the association Data Subject and its personal data inside the Informational System;
  • relevant publicly available data: information regarding a person being a Politically Exposed Person (PEP) or included in sanctions lists;
  • personal information that the Data Processor has received from the Controller, such as contact details;
  • personal information additionally provided by Data Subjects, such as data obtained during their communications with the Data Processor (e.g., requests, reports).
    I hereby acknowledge and agree that facial images of myself are processed to confirm the liveliness of my face and/or to confirm that a given identity document is presented by me, its legitimate owner.

6. Data subject rights
I hereby represent that I have been informed about my rights to:

  • withdraw consent to personal data processing, if the processing is based on consent, not other legal basis requiring notification only;
  • access and adjust personal data;
  • make a justified demand in writing to suspend the processing of personal data due to a particular reason;
  • object to the processing of personal data;
  • object to the transfer of personal data; including the right to object to engaging any third parties to process personal data;
  • object to being subject to a decision based solely on automated processing/profiling;
  • make a justified demand in writing to erase personal data subject to applicable laws and regulations;
    all of which may be exercised by contacting the Company directly or the Service Provider with a respective notice at [email protected].
    Some rights are not exclusive and may be limited to the statutory legal obligations vested in the Company or the Service Provider.
    I also acknowledge that I have the right to lodge a complaint with the supervisory authority. When it is related to the processing activities of the Company, please refer to the methods specified in its privacy policies. When it relates to the processing activity of Sumsub, please see here for more details.

7. I hereby represent that I have been informed that my personal data will be retained and stored by the Company and the Service Provider and will be permanently destroyed based on the Company’s instructions when the Company’s initial purpose and/or retention period prescribed by applicable law expires. Where the Service Provider independently defines the compatible purposes for data processing, personal data will be retained and stored as specified in Privacy Notice.

8. I hereby represent that I have carefully read all of the above provisions, including the Privacy Notice available here, and do voluntarily and unequivocally agree with them.