Do we need to disclose Alloy in our privacy policy?

Yes. Alloy processes personal data on your behalf as a service provider, and regulations including GDPR, CCPA, and the Gramm-Leach-Bliley Act (GLBA) require you to disclose third-party processors. You must inform users that their identity data is shared with Alloy for verification and fraud prevention purposes.

What specific data does Alloy collect about me?

Alloy collects identity verification data (name, address, date of birth, government ID information), credit bureau data, device fingerprinting information, transaction monitoring signals, and data from watchlist and sanctions screening databases. This aggregated data is used to verify your identity and assess fraud risk during account opening and ongoing monitoring.

Does Alloy require a cookie consent banner?

No. Alloy does not rely on cookies for its core identity verification and fraud prevention functions. However, if your website uses cookies for other purposes, you should include appropriate disclosures in your cookie banner and privacy policy about all tracking technologies in use.

Who processes my data and where is it stored?

Alloy Inc., a United States-based company, processes your identity data as our service provider. Data is transferred to and processed in the United States. Alloy is subject to GDPR, CCPA, and other privacy regulations. You can review Alloy's privacy practices at https://www.alloy.com/privacy-policy.

Identity Verification

Privacy policy clauses for Alloy

Alloy is an identity verification and fraud prevention platform used by financial services companies to verify customer identities, screen against watchlists and sanctions, and detect fraudulent activity. We use Alloy to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Alloy collects

Your privacy policy must disclose each of the following data types when you use Alloy.

Identity verification data

Credit bureau data

Watchlist and sanctions screening

Device fingerprinting

Transaction monitoring signals

When does Alloy trigger privacy obligations?

Installation & Immediate Data Flows

Adding Alloy to your application triggers data protection obligations the moment identity verification requests are processed. Alloy collects and aggregates: identity documents, personally identifiable information (name, address, DOB, SSN/tax ID), credit bureau data, device fingerprints, and sanctions/watchlist screening results. This data flows from your application → Alloy's US servers → third-party data sources (credit bureaus, watchlists).

Jurisdictional Thresholds

Common compliance pitfalls

Pitfall 1: Omitting Device Fingerprinting from Privacy Disclosures

Alloy includes device fingerprinting as part of fraud detection, but many operators disclose only "identity verification" in their privacy policies and privacy notices. Device fingerprinting—collecting IP, browser, device attributes—is a tracking technology that GDPR Article 13(2)(c) requires you to disclose at point of collection, and the ePrivacy Directive Article 5(3) requires consent *before* activation in some jurisdictions (notably Germany). The mistake happens because device data feels incidental to identity checks, but regulators (especially German DPAs) treat it as separate processing with separate legal basis. Consequence: GDPR enforcement notice requiring notice amendments, or €5k–€10k fines for undisclosed processing.

Pitfall 2: Missing DPA Data Localization & Sub-processor Clauses

Alloy is a US processor; identity data may cross borders to US credit bureaus and third-party watchlist providers. A DPA must explicitly authorize sub-processing (GDPR Article 28(2)) and identify sub-processors. Many indie founders sign Alloy's default DPA without reviewing sub-processor flow or negotiating deletion/return terms. If Alloy uses an unlisted sub-processor or transfers data outside US without adequacy mechanisms, you're non-compliant. Consequence: data location audit finding; potential breach notification if sub-processor lacks security standards.

Pitfall 3: Conflating "Consent" with "Legitimate Interest" for KYC

KYC (Know Your Customer) for financial compliance is often *mandatory*, not consensual. Some operators request opt-in consent for Alloy processing, then falsely claim compliance because users clicked "agree." Regulators (US FinCEN, UK FCA) expect you to make KYC *mandatory* as a condition of service, with transparent disclosure of *why* Alloy processes data (regulatory requirement, not marketing). Opting out should mean account closure, not degraded service. Consequence: BSA/AML audit finding; classification as willful non-compliance; criminal referral in severe cases.

Privacy policy clauses for Alloy

What data Alloy collects

When does Alloy trigger privacy obligations?

Installation & Immediate Data Flows

Jurisdictional Thresholds

First Concrete Step

Where data goes

Common compliance pitfalls

Pitfall 1: Omitting Device Fingerprinting from Privacy Disclosures

Pitfall 2: Missing DPA Data Localization & Sub-processor Clauses

Pitfall 3: Conflating "Consent" with "Legitimate Interest" for KYC

Legal note

Sample privacy policy clause

What regulators look for

Enforcement Priorities

Frequently asked questions

Do we need to disclose Alloy in our privacy policy?

What specific data does Alloy collect about me?

Does Alloy require a cookie consent banner?

Who processes my data and where is it stored?

Don't ship without Bandit.