When you visit and use Sumsub websites, we collect and process certain information about your interactions with the website and the data you leave at your sole discretion. For more information, please read this Privacy Notice attentively.
This is the Privacy Notice of the Sumsub group of companies: Sum and Substance Ltd., incorporated and registered in England with company number 09688671 (hereinafter – Sumsub or we) together with all affiliated companies and trading divisions, irrespective of location or jurisdiction. More information about our group can be found in Provision 14 of this Privacy Notice.
This Privacy Notice is addressed to Sumsub‘s client's representatives and visitors of Sumsub’s Websites and Mobile App. Sumsub is a Data Controller and determines the purposes and means of personal data processing under Article 24 of the EU GDPR and the UK GDPR when:
California residents may find the information on the CCPA application in Provision 16 of this Notice.
Where the laws of Illinois, Washington, or Texas apply, it is necessary to refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 17 of this Privacy Notice). In the case of any conflict or ambiguity between the Special Notice and the other provisions of this Privacy Notice, the former will prevail.
the legal entity to which Sumsub provides Services under the specific legal arrangement;
the personal identity verification service and connected services provided by Sumsub;
Data Controller, or Controller
Sumsub where it, alone or jointly with others, determines the purposes and means of the processing of personal data by written instruction for processing activities given to Processor;
Data Processor, or Processor
any legal entity that processes personal data on behalf of Sumsub or Sumsub’s Processor;
any individual whose personal data Sumsub may process, including, but not limited to, Sumsub’s Clients’ customers and representatives, job applicants, Visitors, etc.
any information relating to an identified or identifiable Data Subject;
Special categories of personal data
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis used for service delivery (e.g. Dashboard System used for service provision and Demo of Service or CRM systems);
any individual interacting with website or using Sumsub Websites as well as Sumsub’s Demo of Service;
any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Personal data breach
a breach of data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;
a dedicated account created by a prospective Client’s representative via the Website for the purposes of subsequent provision of Services and invoicing;
sumsub.com, prooface.ai or any other public-facing websites owned and managed by Sumsub;
Sumsub Mobile App
a mobile application owned and managed by Sumsub (hereinafter – Mobile App);
Demo of Services
the webpage on the Sumsub Websites or Mobile App owned by Sumsub and allowing individuals to test a part of Sumsub’s Service;
a system that allows Clients to have real-time interactions with Sumsub’s support team in a chat box in the Dashboard;
Standard Contractual Clauses
standard sets of contractual terms and conditions adopted by the European Commission and ensuring appropriate safeguards for data transfers from the EEA and the UK to third countries, which the Controller and the Processor both sign up to, where necessary;
European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);
the California Consumer Privacy Act of 2018, Civil Code sections 1798.100.
3. Principles of personal data processing that Sumsub adheres to
Sumsub adheres to the principles of personal data protection as envisaged in the EU GDPR and UK GDPR. In accordance with these principles, personal data is
4. Purposes, types, and retention period of personal data processing
Sumsub only processes personal data according to the purpose limitations below.
[a] Livechat and contact forms purposes
Sumsub collects and processes personal data in order to provide you with the information you may request from Sumsub as a Client via Dashboard Livechat or as a Visitor using website forms.
If you ask us to provide information in the ‘Make a request’ form, we may use the following personal data:
other information necessary for Sumsub to resolve the relevant issue.
three years enabling Sumsub to re-contact in the event of unforeseen circumstances
[b] Marketing purposes
We email subscribers regarding compliance-related advice, news and guidelines if they have previously consented to it using the relevant website form. We may also email or otherwise notify our existing Clients of new products and functions of our services in terms of ‘soft opt-in’, meaning that our clients would want to stay tuned for better offers and service benefits.
until unsubscribing by following the respective link in the email.
[c] Business purposes
We process the personal data of our potential Client’s representatives to maintain communication with them regarding entering into an Agreement, carrying out customer due diligence, and providing Services to the Client and other similar matters.
When a Client creates and uses a Customer Account, we process the data below in order to service and invoice it.
Personal data of the representative (e.g., name, job title, position, contact information, and certain data contained in an ID document);
Information obtained in connection with providing the Services to the respective Client (e.g., communication materials)
Personal data contained in corporate documents;
Publicly available data relevant to the position of the Client’s representatives
up to six years from the date of termination of contract or interaction while taking steps to enter the relationships enabling Sumsub to keep the contact with active Clients and provision of the Services uninterrupted, or;
Personal data contained in a passport or other identity document;
Facial image data, such as photos of the face (including selfie images and identity documents)
Data necessary for transaction processing.
up to six years after the date of breach or termination of the contract enabling Sumsub to retain information in case of a statutory limitation
[e] Events purposes
We hold various events online, such as webinars or workshops for which you can sign up. In such cases, we process your data to enable you to register for the event, receive a reminder, and provide ancillary information. Once obtained for the event, your information is added to and managed through the contact database following the marketing preferences you submitted to us. Where permitted by law, a member of our sales team may contact you if we determine through your submission that you may be interested in our services. When you attend any offline event (e.g. expo forums) and are interested in communicating, we will process your data as we do for business purposes.
company name and position
up to five years after the event visited
[d] Recruitment purposes
Once a job application is sent to Sumsub, we process the application data to evaluate the information presented by job applicants when considering their candidacy and to contact them subsequently.
contact phone number
five years from the disqualification of the candidacy (enabling Sumsub to contact the applicant if the position is re-opened)
[f] Cookie processing purposes
[g] Demo of Service purposes
We may process personal data submitted via the Sumsub Websites or Mobile App to provide a demo of Sumsub’s facial and/or identity verification services.
identity document data, such as the name of the identity document, issuing country, number, expiry date, MRZ, information embedded in document barcodes (may vary depending on the document), and security features,
facial image data, including facial images of the User (“selfies”) and photos on identity documents,
biometric data (such as facial features),
contact details (such as an address, email address, phone number
unique identifier (Applicant ID) created only for association Data Subject’s and its personal data inside the Sumsub’s system
technical data, which includes, but is not limited to, information regarding the date, time and activity on the Website); IP address and domain name; software and hardware attributes;
Geolocation data, such as general geographic location (e.g., city, country) from Data Subject’s device.
Up to 30 days due to the presence of Sumsub’s legitimate interests specified in Provision 6 of this Notice
We may process special categories of personal data (e.g. biometrics) only if you have consented to it. The special categories of personal data will be retained and stored by Sumsub and will be permanently destroyed when Sumsub's purpose and/or retention period prescribed by applicable law expires or purposes for collecting such personal data have been satisfied or after five (5) years from the individual's last interaction with the Sumsub, whichever occurs first, or three (3) if there is a local specific legislative requirement.
Disposal and Destruction Policy
Any personal data is deleted only after (a) obtaining the applicant's data deletion request in line with corresponding procedures by the Client or the Data Subject or (b) the satisfaction of the purpose for data processing, including expiration of retention period prescribed by applicable law.
To delete data from the Sumsub Identity Verification System (Dashboard and storage space), we call a method that searches for a unique applicant identifier (Applicant ID) inside the database. The database contains references, or object IDs, connected to the applicant’s personal data provided to the system. After seeking all these references, the Dashboard system automatically removes them one by one by calling the AWS S3 API Object Deletion method providing Object IDs are placed in the S3 bucket. After all referenced objects are found and deleted from the S3 bucket, the original applicant's personal data is also deleted from Sumsub’s internal database located on AWS Servers. The deletion of biometrics should render it non-recoverable, even using forensic information recovery techniques.
To delete data from the equipment, we implement measures in accordance with the particular Operational System of the equipment. If the information is intended to be rendered non-recoverable, the deletion must be executed by the person who owns it (typically, who has created it) by the ‘empty trash bucket’ mechanism. If any of the methods above is not secure enough considering the sensitivity of the information and such information may be recovered again, the equipment storage medium must be destroyed completely (e.g. shredded, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.) in the presence of the Asset Owner.
To delete data from the files located in the removable media, we call the setting and tools designated to the relevant sanitisation method - clearing or purging. If the purging method is not secure enough considering the sensitivity of the information and such information may be recovered again, the removable media containing such information must be destroyed completely (e.g. shredded, crushed, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.).
To delete data from mobile devices, we use the means of a particular device. If a certain mobile device is intended to be reused/recycled/donated or is no longer to be used by the Sumsub staff, this staff member must reset the device to the original settings. As a general rule, the procedure for Apple iPhone and iPad OS: Select 'Settings > General > Reset > Erase All Content and Settings menu. For Android OS devices: Select ‘Settings > Backup & Reset > Factory Data Reset > Reset Phone’.
It’s forbidden to handle any sensitive data in any equipment, removable media or mobile devices.
[h] Public-facing website purposes
Sumsub may collect and further process personal data submitted via the Prooface website in order to:
[i] New product and services development, improvement and research
Sometimes, we process data to develop, improve, and conduct research upon our products and services. The reason is to ensure proper use of the System by the Client, including the prevention of user error resulting in serious consequences. Please read more in Provision 5 of this Notice.
The personal data defined here
the period required to calibrate and select the perfect algorithm and model for the detection of fraud and other illicit activity
Any information on the use of our service
the period necessary to analyse and tackle any non-conformities found
5. Data processing activities
Sumsub provides multiple types of automated processing, including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination (if so legally binding) or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Biometric processing and document check when testing the Demo of Service
Sumsub may process biometrics to verify whether provided facial images are likely to match when you test the demo of our verification flow. The processing of biometrics means extracting facial features from uploaded or recorded facial images on government-issued identity documents submitted by the user and comparing them. We store this biometric data for up to 30 days.
The aim of the Liveness check is to verify whether you are alive. So, when you pass the Liveness demo version, we detect if you aren’t holding a mobile phone, showing any signs of constraint, or attempting to defraud the system using emulators, static images, or ‘deep fakes’. As a rule, you are prompted to blink, smile or move your device while passing Liveness.
Sumsub subjects personal data from photos and scanned copies of documents to automated reading and verification of authenticity by conducting different checks, such as completeness of records, screenshots detection, or cross-checking of all data from all submitted documents (e.g. name, date and place of birth, signature). We also check the document's security features, including the embedded security chip, machine-readable zone (MRZ), barcodes, QR codes and other security components used for genuine data validation. The Sumsub system analyses the results of the above to make an inference regarding the document’s trustworthiness.
• Automated decision-making relief and checks
When you test our Demo of Services, we communicate the verification results to you. The results are derived from the work of our system and its algorithms, including those based on a symbiosis of machine learning models and human supervision and intervention.
The checks are either automated, semi-automated, or done by humans. When we carry out checks, we implement a complicated verification system that includes human presence and machine work. A human will be involved if the system cannot reach a verdict on its own or recheck the system verdict. This may occur when data is uncertain or the system faces some other difficulty in analysing information during the verification session. This is to ensure that the verification process is fair and safe for users.
Certain checks during the Demo of Services may be fully automated due to simplicity, using machine learning. Please note that such verification results do not have any legal or other significant effect on you. The verification session during the Demo of Services may also be analysed by a human.
Decision-making during processing for purposes other than demo testing is based on a symbiosis of the machine and human work. If decisions are to be made, for example, on the suitability of a job candidate or customer before concluding an agreement, they are not fully automated and involve human intervention.
• Service development, improvement and research
Our clients use our services to detect whether a real person is passing the identity verification process, as well as any impersonation or spoofing attempts, to prevent money laundering, terrorist financing, fraud, and other activities that are considered a matter of public interest. That is why we, as a service provider, are responsible for providing the highest quality services. For this reason, where it is not prohibited by applicable law, and you have consented to it while testing the demo, we, as a data controller, use personal data to develop and improve our services by building and enhancing algorithms and developing and testing new verification options, products and services to verify a user's identity better and detect fraud.
We do this in two ways. First, we deploy a system of recognising specific patterns in the information and making predictions about new data sets based on those patterns by training our computers or so-called 'machine learning.’ Machine learning helps create models based on the information provided by the users, such as signs of potential fake data, and select the best models to be integrated into our system. The development of services also includes continuous improvement and assessment. We review the approaches for service delivery to ensure that our services comply with clients' requirements and work appropriately by testing and correcting new features and functions. Second, we implement initial and ongoing training for our human analysts to perform those tasks only to prevent machine learning models' automatic judgement. It is also beneficial while machine learning models are in the stage of development and aren't adequately suited to perform such tasks.
We may conduct some research on the user's product and service experience within the Dashboard to make it easy and intuitive to use. For this, we employ state-of-the-art technologies and tools to monitor and analyse User behaviour in the Dashboard System or the Sumsub Websites or Mobile App as a means of detecting flaws in the interface, the reasons for them, and enacting solutions. During such sessions, we make personal data or other confidential information on the Dashboard pages pseudonymised or processed with the use of other security techniques.
6. The lawfulness of personal data processing
Sumsub always relies on the appropriate legal grounds of processing, which depend on the processing purposes:
For Livechat and contact forms purposes, we rely on Article 6(1)(b) of the EU GDPR and the UK GDPR. This allows Sumsub to provide the respective individual with information that has been requested prior to, and during the course of the business relationship. However, when making a data subject right request, we rely on legitimate interest under Article 6(1)(f) of the EU GDPR and the UK GDPR.
For Marketing purposes, we ask individuals to consent to data processing by ticking a special box on the forms on sumsub.com and prooface.ai in line with Article 6(1)(a) of the EU GDPR and the UK GDPR.
For Business purposes, Sumsub relies on Article 6(1)(b) of the GDPR to take steps before entering into a contract, including carrying out due diligence of the Clients and for the performance of the contract, including the provision of the Service, communication with the representative of the Client, ongoing due diligence, as well as legal and financial matters).
For Events purposes, Sumsub relies on Article 6(1)(f) of the GDPR, meaning that the personal data you leave is necessary for us to provide you with the event’s details and information on updates and reminders.
For Recruitment purposes, two legal grounds equally apply: (i) Article 6(1)(c) of the GDPR for compliance with a legal obligation based on labour laws to which Sumsub is subject; and (ii) Article 6(1)(f) of the GDPR since “legitimate interest”, which allows Sumsub to evaluate personal information when considering the job candidacy of a certain applicant and to be able to contact them back on the matter.
For Cookie processing purposes, consent is obtained via the cookie banner (Article 6(1)(a) of the GDPR) on sumsub.com and prooface.ai; necessary cookies are processed in the legitimate interest (Article 6(1)(f) of the EU GDPR and UK GDPR).
For the Demo of Service test, consent is required as specified in Article 6(1)(a) of the GDPR. Further processing of personal data following their collection is justified by the legitimate interest of Sumsub, namely by the necessity of internal analysis and ongoing improvement of Sumsub’s services used by its customers in order to detect whether a real person is passing the verification procedure, as well as any impersonation or spoofing attempts, to prevent money laundering, terrorist financing, fraud, and other illicit activities, which is considered a matter of public interest.
For Service development, improvement and research, Sumsub relies on Article 6(1)(f) of the GDPR – legitimate interest. Our legitimate interest arises from the strict necessity of analysis and ongoing development and improvement of Sumsub's services that the Clients use to detect fraud and illicit activities to prevent money laundering, terrorist financing, fraud, and other activities, which are considered a matter of substantial public interest. When we explore the user’s product and service experience, our legitimate interest relates to the necessity of improving our products and services so that the Client encounters fewer misunderstandings and ambiguities that could lead to undesirable consequences for both the Client and the Client's customers.
Sumsub ensures that no personal data is used for any purposes incompatible with the aforementioned ones.
7. Processing children’s personal data
When personal data is provided via Sumsub’s Demo of Service, Sumsub only processes the personal data of individuals who have reached the age of majority under the national laws of their country/countries of citizenship and/or residence. If a child’s personal data is accidentally submitted to Sumsub, it will be deleted without undue delay.
Please let us know if you, a person under the age of majority, have uploaded any personal data to the Sumsub system or website, we will erase it as soon as possible.
8. Data Subjects’ rights
Sumsub respects and guarantees the following rights of each Data Subject. According to privacy laws, you have the right to
To request that Sumsub executes the rights mentioned above, you should send a free form email to[email protected] or use this form. Information on actions taken regarding any request is provided to you within one month. That period may be extended by two months where necessary, considering the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request and the reasons for the delay.
Sumsub guarantees that making a request for receiving personal data is free unless a reasonable cost is to be charged where requests are unfounded or excessive, or repetitive in character.
Please note that any Data Subject’s request to delete all or any personal data related to a Data Subject is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.
9. Withdrawing consent and objection to legitimate interest mechanism
To withdraw consent or object to the processing justified by legitimate interest, you can send a free-form email to [email protected] or use this form. After that, the Data Subject will go through the authentication procedure to prove that such a request is actually made by him/her and is valid in nature.
[a] Sumsub’s responsibilities
Sumsub is responsible for establishing policies and procedures in order to comply with the EU GDPR and the UK GDPR. Our Data Protection Officer can be contacted via the following e-mail address: [email protected].
[b] Sumsub’s Data Protection Officer’s responsibilities
Sumsub’s Data Protection Officer holds responsibility for
[c] Sumsub personnel responsibilities
Sumsub personnel who are involved in personal data processing comply with the requirements of this Privacy Notice and other internal rules, ensuring that:
[d] Third-Party Processors acting on behalf of Sumsub
Where third-party companies are engaged to process personal data on behalf of Sumsub, responsibility for the security and appropriate use of the data remains with Sumsub.
Before engaging a Third-Party Processor, Sumsub ensures that it provides sufficient guarantees as regards personal data security. In particular, a written contract establishing the types of personal data to be processed and the purposes of such processing, as well as containing provisions on personal data protection, are concluded between Sumsub and the Third-Party Processor.
11. Specific measures to ensure data protection
Sumsub takes specific measures to ensure personal data protection, including, but not limited to, the following:
1 At present, all personal data is stored and processed on specially designated servers in Germany.
If certain types of personal data, such as the Dutch BSN, Korean RRN, Singaporean NRIC number, Japanese My Number Card and related sensitive data, as well as other country-specific identity document data, are under special protection regimes, Sumsub will take necessary measures not to process such data—such as requesting the user to cover such data with a sticker or using blurring technology, unless the respective Client has a legal basis for processing it freely.
12. Personal data breaches
Where a personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or the Director and, where applicable, to the data protection authority and the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and sets out the planned measures intended to eliminate the breach, potential consequences for concerned individuals, as well as contact details of the person for feedback.
The respective Data Breach Notifications will be provided to concerned individuals and data protection authorities.
13. Data disclosure
[a] Third Parties
If the Client agrees, Sumsub may have to apply third parties for data processing activities, which include the following categories:
Sumsub requires the Third Parties to respect the security of personal data and treat it according to applicable law. In addition, Third Parties are mostly limited to only accessing or using personal data to provide services to Sumsub and must provide reasonable assurances that they will appropriately safeguard the data in line with Provision 10[d] of this Notice.
Sumsub may have to provide personal data to Recipients, which includes the following categories:
14. Sumsub group of companies and EU Representative
Sumsub is a group of companies established as a network of the following legal entities operating worldwide. The processing activities stipulated in this Privacy Notice are provided by the operating company: Sum and Substance Ltd. (registered in England and Wales under company number 09688671), which is for and on behalf of itself and the other members of the Sumsub group of companies.
Sumsub’s EU representative is SUMSUB LTD - incorporated and registered in Cyprus with company number HE 405087.
15. International data transfers
Sumsub confirms that all personal data that is submitted to Sumsub is stored in the EU and/or, subject to national localisation requirements, in the respective country where such requirements exist.
Where it is necessary for the purpose of processing, achieving or ensuring convenient and reliable communication with the Data Subjects, Sumsub may transfer personal data outside of the EU/EEA or the UK to the Third Parties and Recipients indicated in Provision 13 of this Notice.
Whenever a transfer of personal data outside the EU or the EEA is carried out, Sumsub implements appropriate safeguards as set out in Chapter V of the EU GDPR by transferring based on the EU Adequacy Decision (or UK Adequacy Regulations) and by concluding Standard Contractual Clauses. The Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules, Standard Contractual Clauses, etc. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.
16. Sale of personal data and CCPA reference
It should be underlined that Sumsub does not sell personal data and strictly complies with restrictions and prohibitions under CCPA and the EU or the UK GDPR.
For more information on the CCPA application to Sumsub processing activities, please refer to CCPA Privacy Notification.
17. Special notice to residents of the states of Illinois, Washington or Texas (USA)
Personal data processed by Sumsub may include certain “biometric identifiers” (such as scans of facial geometry or voiceprints) and “biometric information” (data extracted from and based on biometric identifiers), which are used to verify the identity of the given Data Subject.
Whenever biometric data is used to test or demonstrate Sumsub’s facial recognition products and services, it shall be automatically and irretrievably deleted within 30 days upon collection.
In any event, biometric data shall only be collected and further processed by Sumsub after having obtained written informed consent of the respective Data Subject to such collection and further processing.
In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of Illinois, Washington or Texas (USA) apply to the legal relationship between Sumsub and any Data Subject.
18. Changes to this Notice
This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the relevant data protection laws.
Sumsub reserves the right to make amendments to this Notice at any time and for any reason. Any amendments will be effective immediately upon us posting the updated Privacy Notice on our website. Users of our website waive the right to receive specific notice about such amendments. You are invited to review this Privacy Notice at any time to stay informed about updates.
If you want to observe the previous version of this Privacy Notice, please contact us at [email protected] or visit this link. Our technical and legal support teams work 24/7 and will answer you shortly.