Privacy Notice (Data Controller)
Preamble
This is the Privacy Notice of the Sumsub group of companies: Sum and Substance Ltd., incorporated and registered in England with company number 09688671 (hereinafter – Sumsub or we) together with all affiliated companies and trading divisions, irrespective of location or jurisdiction. More information about our group can be found in Provision 12 of this Privacy Notice.
1. Scope
This Privacy Notice applies to personal data that we collect and process as a data controller – i.e. when we decide why and how your personal data are used.
This policy does not apply to:
- personal data that we process on behalf of our business customers while providing our Services. Please refer to the Privacy Notice (Service Delivery) for more information in that context;
- personal data about current and former Sumsub employees, contractors, agents acting in similar roles, which is covered by our internal Staff Privacy Notice.
California residents may refer to Provision 14 of this Notice (“Sale of Personal Data and CCPA Reference”) and to our dedicated CCPA Privacy Notification.
Where the laws of Illinois, Washington, or Texas apply, it is necessary to refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 15 of this Privacy Notice). In the case of any conflict or ambiguity between the Special Notice and the other provisions of this Privacy Notice, the former will prevail.
2. Definitions
Client
a legal entity that uses, or is entitled to use, Sumsub’s Services in accordance with the respective Agreement and as authorized by the respective Sumsub entity. For the purposes of identity verification services involving Qualified Electronic Signature, Client is an entity that has a business relationship with Sumsub and to which Sumsub in collaboration with a QTSP provides remote identity proofing services for issuing a QES. Subscribers are the potential customers of Clients and provide their personal data (and Subjects’ personal data, if applicable) to Sumsub on behalf of the respective Client using that Client's websites/platforms;
Service(s)
the personal identity verification service and connected services provided by Sumsub;
Data Controller, or Controller
natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data; i.e. Sumsub where it, alone or jointly with others, determines the purposes and means of the processing of personal data;
Data Processor, or Processor
any legal entity that processes personal data on behalf of Sumsub or Sumsub’s Processor;
Data Subject
any individual whose personal data Sumsub may process, including, but not limited to, Sumsub’s Clients’ customers and representatives, job applicants, Visitors, event or webinar attendees, etc.;
Personal data
any information relating to an identified or identifiable Data Subject;
Special categories of personal data
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
Visitor
any individual interacting with or using Sumsub Websites;
Processing
any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Consent
any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;
Customer Account
a dedicated account created by a prospective Client’s representative via the Sumsub Website for the purposes of subsequent provision of Services and invoicing;
Sumsub Website(s)
sumsub.com or any other public-facing websites owned and managed by Sumsub;
Mobile App
a mobile application owned and managed by Sumsub;
Dashboard Livechat
a system that allows Clients to have real-time interactions with Sumsub’s support team in a chat box in the Dashboard;
Standard Contractual Clauses
standard sets of contractual terms and conditions adopted by the European Commission and ensuring appropriate safeguards for data transfers from the EEA and the UK to third countries, which the Controller and the Processor both sign up to, where necessary;
EEA
European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);
CCPA
the California Consumer Privacy Act of 2018, Civil Code sections 1798.100.
3. Principles of personal data processing that Sumsub adheres to
Sumsub adheres to the principles of personal data protection as envisaged in the EU GDPR and UK GDPR. In accordance with these principles, personal data is:
- Processed fairly, lawfully and transparently in relation to the Data Subject;
- Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Kept accurate and up to date;
- Not retained longer than necessary;
- Processed in a manner that ensures their appropriate security;
- Not transferred outside the European Economic Area (EEA) or the UK without adequate protection.
4. Purposes, types, and retention period of personal data processing
Sumsub only processes personal data according to the purpose limitations below.
[a] Customer support purposes
Sumsub collects and processes personal data in order to provide you with the information you may request from Sumsub as a Client via Dashboard Livechat or as a Visitor using website forms.
Personal data:
- first name
- email address (if provided)
- phone number (if provided)
- other information necessary for Sumsub to resolve the relevant issue.
Retention period: three years enabling Sumsub to re-contact in the event of unforeseen circumstances
[b] Direct marketing purposes
We email subscribers regarding compliance-related advice, news and guidelines if they have previously consented to it using the relevant website form. We may also email or otherwise notify our existing Clients of new products and functions of our services in terms of ‘soft opt-in’, meaning that our clients would want to stay tuned for better offers and service benefits.
Personal data:
- email address
Retention period: until unsubscribing by following the respective link in the email.
Please note that you can unsubscribe from receiving Sumsub emails in respect of compliance-related advice, news, and guidelines at any time by following the “Unsubscribe” link in the email.
[c] Client communications and account management
We process the personal data of our potential Client’s representatives to maintain communication with them regarding entering into an agreement, carrying out customer due diligence, providing Services to the Client, and other similar matters.
When a Client creates and uses a Customer Account, we process the data below in order to service and invoice it.
Personal data:
- Personal data of the representative (e.g., name, job title, position, contact information, and certain data contained in an ID document);
- Information obtained in connection with providing the Services to the respective Client (e.g., communication materials)
- Personal data contained in corporate documents;
- Publicly available data relevant to the position of the Client’s representatives
Retention period: up to six years from the date of termination of contract or interaction while taking steps to enter the relationships enabling Sumsub to keep the contact with active Clients and provision of the Services uninterrupted;
[d] Events purposes
We hold various events online, such as webinars or workshops for which you can sign up. In such cases, we process your data to enable you to register for the event, receive a reminder, and provide ancillary information. Once obtained for the event, your information is added to and managed through the contact database following the marketing preferences you submitted to us. Where permitted by law, a member of our sales team may contact you if we determine through your submission whether you may be interested in our services. When you attend any offline event (e.g. expo forums) and are interested in communicating, we will process your data as we do for business purposes.
Personal data:
- name
- email address
- company name and position
Retention period: up to five years after registration for the event
[e] Recruitment purposes
When you apply for a position at Sumsub, we process the information you provide to assess your qualifications and consider your application. We may also use your contact details to follow up with you during the recruitment process.
For more details, please see Privacy Notice for Candidates.
[f] Purposes of Sumsub Websites functionality, analytics, and improvement
When you interact with our Sumsub Websites, we, along with certain vendors and third-party providers, may use cookies and similar tracking tools to gather information about you or how you use the websites. Cookies are small files stored on your device that help recognize your browser and remember your preferences.
But cookies aren't the only way this kind of tracking happens. Other technologies can serve the same purpose, such as local storage (e.g., HTML5), tracking pixels, web beacons, plug-ins, and local shared objects.
For more details on our use of tracking technologies, please see our Cookie Policy.
[g] Exercise of Data Subject’s privacy rights
We process personal data to respond to and manage requests you make in relation to your Data Subject’s rights under applicable laws and in accordance with Provision 8. This includes verifying your identity, maintaining a record of the request, and communicating with you regarding the outcome.
Personal data: contact details, such as your email address
Retention period: three years
Personal data: biometric data (such as facial features)
Retention period: Until Sumsub’s purposes for collecting the biometric data are satisfied (and one (1) year of the date the purpose for collecting the data expires for residents of Texas) or five (5) years from the provision of data to the Sumsub system, whichever occurs first. For the residents of Illinois, the retention period of Personal data, including biometric data, will be three (3) years from the date of data provision to the Sumsub system.
Disposal and Destruction Policy
Any Personal data is deleted only after (a) obtaining Data Subject’s data deletion request in line with corresponding procedures by a Client or the Data Subject or (b) the satisfaction of the purpose for data processing, including the termination of the agreement with a Client or the expiration of retention period prescribed by applicable law.
To delete data from the Sumsub Identity Verification System (Dashboard and storage space), we call a method that searches for a unique applicant identifier (Applicant ID) inside the database. The database contains references, or object IDs, connected to the applicant’s Personal data provided to the system. After seeking all these references, the Dashboard system automatically removes them one by one by calling the AWS S3 API Object Deletion method, providing Object IDs are placed in the S3 bucket. After all referenced objects are found and deleted from the S3 bucket, the original applicant's Personal data is also deleted from Sumsub’s internal database located on AWS Servers. Deletion of biometrics should render it non-recoverable, even using forensic information recovery techniques.
To delete data from the equipment, we implement measures in accordance with the particular operating system of the equipment. If the information is intended to be rendered non-recoverable, the deletion must be executed by the person who owns it (typically, who has created it) by the ‘empty trash bucket’ mechanism. If any of the methods above is not secure enough considering the sensitivity of the information and such information may be recovered again, the equipment storage medium must be destroyed completely (e.g. shredded, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.) in the presence of the Asset Owner.
To delete data from the files located in the removable media, we call the setting and tools designated to the relevant sanitisation method - clearing or purging. If the purging method is not secure enough considering the sensitivity of the information and such information may be recovered again, the removable media containing such information must be destroyed completely (e.g. shredded, crushed, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.).
To delete data from mobile devices, we use the means of a particular device. If a certain mobile device is intended to be reused/recycled/donated or is no longer to be used by the Sumsub staff, this staff member must reset the device to the original settings. As a general rule, the procedure for Apple iPhone and iPad OS: Select ‘Settings > General > Reset > Erase All Content and Settings’ menu. For Android OS devices: Select ‘Settings > Backup & Reset > Factory Data Reset > Reset Phone’.
It’s forbidden to handle any sensitive data in any equipment, removable media or mobile devices.
Any request to delete all or any Personal data related to a User is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.
When the processing purposes differ from those specified above, Sumsub maintains the following retention period considering the amount, nature and sensitivity of the Personal data and the purposes for which we’re permitted to process it.
When we develop and improve identity verification services to prevent and detect fraud and other illicit activity, we will keep Personal data in a pseudonymised format for the period required to calibrate and select the perfect algorithm and model for detecting fraud and other illicit activity. We may also have to store some records that have been confirmed as relating to fraudulent applications or accounts or obtaining and maintaining records to prove our compliance with legal obligations in and outside the EU and the UK. For example, regarding consent activity log history, the retention period is defined by the criteria derived from requirements by law regarding limitation periods, other applicable regulatory requirements, contractual provisions and industry standards.
When the purpose refers to the establishment, exercise or defence of legal claims (so-called ‘litigation hold’), the retention period is limited to the duration of such proceedings in a specific case or circumstance.
In any case, we do not keep your data longer than we have a lawful basis for doing so.
[h] Business purposes related to Services delivery
In certain cases, Sumsub processes Personal data as an independent data controller to support and improve the delivery of its Services. These activities serve our legitimate interests and include:
- Service development, improvement, and research;
- detecting and preventing fraud, money laundering, and other illicit activities;
- conducting analytics and profiling related to AML/CFT risk indicators;
- ensuring compliance within the Sumsub Travel Rule Ecosystem, including sharing due diligence data in accordance with legal requirements;
- supporting crypto-related features such as wallet attribution for Travel Rule compliance;
- operating Sumsub ID, including creating and maintaining dedicated storage spaces (“Data Pool Keys”) for Applicants who wish to reuse their identity data with multiple Clients;
- identity verification services involving Qualified Electronic Signature;
For more details, please see our Privacy Notice (Services Delivery).
5. Automated decision-making relief and checks
When we perform the Services, the checks are either automated, semi-automated, or done by humans. When we carry out checks, we implement a complicated verification system that includes human presence and machine work. A human will be involved if the system cannot reach a verdict on its own or recheck the system verdict. This may occur when data is uncertain or the system faces some other difficulty in analysing information during the verification session. This is to ensure that the verification process is fair and safe for users.
Decision-making during processing is based on a symbiosis of the machine and human work. If decisions are to be made, for example, on the suitability of a job candidate or customer before concluding an agreement, they are not fully automated and involve human intervention.
6. The lawfulness of personal data processing
Sumsub always relies on the appropriate legal grounds of processing, which depend on the processing purposes:
- Contract. We may process your Personal data to take steps before entering into a contract with you and to perform our obligations under such contract, such as for the purpose of Client communications and account management or for the purpose of providing you with Sumsub ID.
- Legitimate interest. We may process your Personal data relying on our legitimate interests, such as, among others:
- provision of customer support;
- assistance in effective exercise of Data Subject’s privacy rights;
- provision of event details and reminders, if you are taking part in our Events;
- Improvement and development of our Services;
- conducting analytics and profiling related to AML/CFT risk indicators;
- ensuring compliance within the Sumsub Travel Rule Ecosystem, including sharing due diligence data in accordance with legal requirements;
- supporting crypto-related features such as wallet attribution for Travel Rule compliance.
- Legal obligation. We may be obliged to process some of your personal data to comply with applicable laws in connection with recruitment processes or where we need to comply with valid legal processes such as search warrants, subpoenas, or court orders.
- Consent. We may process certain personal data based on your consent, such as, among others, when we process your Personal data for direct marketing purposes or when you are passing biometric verification for the purpose of exercise of Data Subject’s rights.
7. Processing children’s personal data
Sumsub, acting as a data controller, does not knowingly collect or process Personal data of children (individuals below the minimum age required to provide valid consent by applicable data protection laws). If we become aware that we have inadvertently collected such data without a proper legal basis, we will delete it without undue delay.
While acting as data processor, however, Sumsub may collect Personal data of children, understood as individuals under the age of majority under national laws of a Client’s country of incorporation, when such data is provided by the Client and the Client ensures that the person with parental responsibility for the child has consented to such processing or when the child may consent themselves to the processing according to the national laws without parental consent. As the data controller, it is the Client's responsibility to determine when parental consent is required based on the type of Personal data collected, and to fully understand the regulatory requirements and age restrictions related to processing data without parental consent in the countries where the Client operates and from which it gathers users.
If Sumsub becomes aware that a child's Personal data has been submitted without the necessary parental consent (for instance, through an internal audit), the data may be deleted without undue delay.
8. Data Subjects’ rights
Sumsub respects and guarantees the following rights of each Data Subject. According to privacy laws, you have the right to
- obtain confirmation as to whether or not your personal data is being processed;
- obtain a copy of your personal data undergoing processing;
- rectify personal data, or, in other words, to correct wrong information or supplement incomplete information;
- erase personal data, or “right to be forgotten”. Please note that this right is not absolute and applies only if (i) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, (ii) you object to the processing, and there are no overriding legitimate grounds for Sumsub to process data; (iii) personal data has been unlawfully processed;
- restrict personal data processing where (i) the accuracy of the personal data is contested (during the period when Sumsub is able to verify its accuracy); (ii) the processing is unlawful, and you object to the erasure of the personal data and request to restrict its use instead; (iii) the Client no longer needs the personal data for the purposes of processing, but they are required by you to establish, exercise or defend legal claims; (iv) you have objected to processing pending verification whether the Client’s legitimate grounds override those of yours;
- data portability or, in other words, to receive your personal data in a structured, commonly-used, machine-readable format to be able to provide it to another party or transfer your personal data from one controller to another;
- object to personal data processing if the processing is justified by ‘public interest’ or ‘legitimate interest’ legal grounds as set out in points (e) and (f) of Article 6(1) of the GDPR;
- not be subject to a decision based solely on automated processing unless (i) such decision is necessary for entering into, or the performance of, a contract between you and the data controller; (ii) such a decision is authorised by law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or (iii) such a decision is based on your explicit consent;
- lodge a complaint with the supervisory authority. If you're a resident of the EU, please follow this link. If you're a resident of the UK, please follow the link.
To request that Sumsub executes the rights mentioned above, you should send a free form email to [email protected] or use this form. Information on actions taken regarding any request is provided to you within one month. That period may be extended by two months where necessary, considering the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request and the reasons for the delay.
Sumsub guarantees that making a request for receiving personal data is free unless a reasonable cost is to be charged where requests are unfounded or excessive, or repetitive in character.
Please note that any Data Subject’s request to delete all or any personal data related to a Data Subject is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.
9. Withdrawing consent and objection to legitimate interest mechanism
To withdraw consent or object to the processing justified by a legitimate interest, you can send a free-form email to [email protected] or use this form. After that, the Data Subject will go through the authentication procedure to prove that such a request is actually made by him/her and is valid in nature.
10. Specific measures to ensure data protection
Sumsub takes specific measures to ensure personal data protection, including, but not limited to, the following:
- where applicable, all personal data processing is conditioned on respective Agreements, non-disclosure agreements and data processing agreements compliant with the EU GDPR and the UK GDPR;
- Sumsub’s specially designed API interface (iFrame) enables Data Subjects to submit personal data directly to Sumsub’s secure servers;
- all personal data is always securely stored on the servers located in safe European data centres of the security level no lower than Tier 3¹;
- all personal data is subjected to encryption;
- personnel involved in personal data processing are officially authorised and undergo background checks and regular training;
- Sumsub regularly carries out internal and external data protection and information security audits and vulnerability assessments. In particular, compliance with the EU GDPR and the UK GDPR requirements, ISO/IEC 27001, 27017 and 27018, SOC 2 Type 2, and PCI DSS has been demonstrated. Visit our Sumsub Trust Center for more information;
- where the processing of certain personal data (e.g., children’s personal data or sensitive data under certain data protection laws) would be unlawful, Sumsub takes all possible measures to identify and delete or, where appropriate, encrypt such data immediately upon its submission;
- physical, software and network security guarantees as set out below are implemented.
¹At present, all personal data is stored and processed on specially designated servers in Germany.
If certain types of personal data are under special protection regimes (such as the Dutch BSN, Korean RRN, Singaporean NRIC number, Japanese My Number Card and related sensitive data, as well as other country-specific identity document data), Sumsub will take necessary measures not to process such data — such as requesting the user to cover such data with a sticker or using blurring technology, unless the respective Client has a legal basis for processing it freely.
11. Data disclosure
[a] Third Parties
Sumsub may have to apply third parties for data processing activities, which include the following categories:
- Data Processors as reasonably necessary to operate Sumsub Websites, Mobile App, as well as to achieve other purposes provided in this Privacy Notice;
- Data providers, when it is necessary for carrying out due diligence of the Clients; and
- Sumsub Group of companies for assistance in service provision and Sumsub EU representative for granting the opportunity to Data Subjects and Supervisory authority to address Sumsub within EU borders for the purposes of Article 27 of the EU GDPR.
Sumsub requires the Third Parties to respect the security of personal data and treat it according to applicable law. In addition, Third Parties are mostly limited to only accessing or using personal data to provide services to Sumsub and must provide reasonable assurances that they will appropriately safeguard the data.
[b] Recipients
Sumsub may have to provide personal data to Recipients, which includes the following categories:
- Governmental bodies and regulatory authorities, judicial bodies, investigation bodies, sworn bailiffs and notaries based on written and concrete requests. Such sharing is conducted in line with strict compliance with derogations of the EU GDPR and the UK GDPR.
- Any other Clients provided that there is a legitimate interest or any other legal reason for doing so, obtained consent or where Sumsub has been instructed to share the information on behalf of our Clients as specified above.
12. Sumsub group of companies and EU Representative
Sumsub is a group of companies established as a network of the following legal entities operating worldwide. The processing activities stipulated in this Privacy Notice are provided by the operating company: Sum and Substance Ltd. (registered in England and Wales under company number 09688671), which is for and on behalf of itself and the other members of the Sumsub group of companies. The following entities constitute the Sumsub group of companies:
- The UK: Sum and Substance Ltd
- Germany: Sumsub GmbH
- Cyprus: SUMSUB Tech Limited, SUMSUB LTD, Raritex Trade Ltd.
- The USA: Sumsub Inc
- UAE: Sumsub Technology LLC
- Singapore: Sumsub APAC Pte. Ltd.
- Brazil: Sumsub Brazil LTDA
Sumsub’s EU representative is SUMSUB LTD - incorporated and registered in Cyprus with company number HE 405087.
13. International data transfers
Sumsub confirms that all personal data that is submitted to Sumsub is stored in the EU and/or, subject to national localisation requirements, in the respective country where such requirements exist.
Where it is necessary for the purpose of processing, achieving or ensuring convenient and reliable communication with the Data Subjects, Sumsub may transfer personal data outside of the EU/EEA or the UK to the Third Parties and Recipients indicated in Provision 11 of this Notice.
Whenever a transfer of personal data outside the EU or the EEA is carried out, Sumsub implements appropriate safeguards as set out in Chapter V of the EU GDPR by transferring based on the EU Adequacy Decision (or UK Adequacy Regulations) and by concluding Standard Contractual Clauses. The Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules, Standard Contractual Clauses, etc. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.
To ensure transparency and compliance with applicable data protection legislation, Sumsub provides below the details of the countries outside the EU where personal data may be transferred and the corresponding safeguards applied.
Country
International data transfer mechanism
UK
United States of America
Appropriate safeguards pursuant to article 46 of the EU GDPR and the UK GDPR: the Standard Contractual Clauses; or Adequate level of protection pursuant to article 45 of the EU GDPR: EU–US Data Privacy Framework.
United Arab Emirates
Appropriate safeguards pursuant to article 46 of the EU GDPR and the UK GDPR: the Standard Contractual Clauses.
Singapore
Appropriate safeguards pursuant to article 46 of the EU GDPR and the UK GDPR: the Standard Contractual Clauses.
Brazil
Appropriate safeguards pursuant to article 46 of the EU GDPR and the UK GDPR: the Standard Contractual Clauses.
14. Sale of personal data and CCPA reference
Sumsub does not sell personal data and strictly complies with restrictions and prohibitions under CCPA and the EU or the UK GDPR.
For more information on the CCPA application to Sumsub processing activities, please refer to CCPA Privacy Notification.
15. Special notice to residents of the states of Illinois, Washington or Texas (USA)
Personal data processed by Sumsub may include certain “biometric identifiers” (such as scans of facial geometry or voiceprints) and “biometric information” (data extracted from and based on biometric identifiers), which are used to verify the identity of the given Data Subject.
Whenever biometric data is used to test or demonstrate Sumsub’s facial recognition products and services, it shall be automatically and irretrievably deleted within 30 days upon collection.
In any event, biometric data shall only be collected and further processed by Sumsub after having obtained written informed consent of the respective Data Subject to such collection and further processing. In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of Illinois, Washington or Texas (USA) apply to the legal relationship between Sumsub and any Data Subject.
16. Changes to this Notice
This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the relevant data protection laws.
Sumsub reserves the right to make amendments to this Notice at any time and for any reason. Any amendments will be effective immediately upon us posting the updated Privacy Notice on our website. Users of our website waive the right to receive specific notice about such amendments. You are invited to review this Privacy Notice at any time to stay informed about updates.
When required under applicable law, we will notify you of any changes to this Privacy Notice by posting an update on our Website or in another appropriate manner.
If you want to observe the previous version of this Privacy Notice, please contact us at [email protected] or visit this link. Our technical and legal support teams work 24/7 and will answer you shortly.