Do I need to disclose Jumio in my privacy policy?

Yes. Because Jumio collects biometric data (facial recognition for liveness detection) and processes government-issued ID documents, you must disclose it in your privacy policy. Biometric data collection is regulated under GDPR Article 9, BIPA, and CCPA, requiring explicit notice and consent. Failing to disclose Jumio exposes you to regulatory violations and user trust issues.

What specific data does Jumio collect?

Jumio collects government ID document scans (driver's licenses, passports, etc.), facial biometric data for liveness detection, personally identifiable information (name, date of birth, address), and device/IP metadata. This data is processed to verify identity and detect fraud. The company retains this sensitive data according to its retention policies and applicable regulations.

Does Jumio require a cookie consent banner?

No documented cookies are directly set by Jumio itself. However, you should verify with Jumio's current implementation whether any tracking or analytics cookies are deployed. Regardless, biometric consent under GDPR and CCPA must be obtained separately from cookie consent—do not rely on a generic cookie banner for biometric data authorization.

Who processes my data and where does it go?

Jumio Corporation, a United States-based company, is the data processor. Data is transferred to and stored in the U.S. under Jumio's processing infrastructure. If you operate under GDPR, you must ensure an adequate data transfer mechanism (Standard Contractual Clauses or similar) is in place. Review Jumio's Data Processing Agreement and privacy policy at https://www.jumio.com/legal-information/privacy-policy/.

Identity Verification

Privacy policy clauses for Jumio

Jumio is an AI-powered identity verification platform that uses government ID document analysis and facial biometric technology to confirm user identity and comply with Know Your Customer (KYC) requirements. Websites integrate Jumio to prevent fraud, verify account holders, and meet regulatory compliance obligations.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Jumio collects

Your privacy policy must disclose each of the following data types when you use Jumio.

Government ID document scans

Facial biometric data for liveness detection

Personal identity information (name, DOB, address)

Device and IP metadata

When does Jumio trigger privacy obligations?

Jumio integration triggers obligations the moment you embed its SDK or API and begin collecting identity documents and facial biometric data from users. This is not optional compliance—biometric data collection is explicitly regulated across multiple jurisdictions.

GDPR (EU/EEA users): Biometric data is classified as a special category under GDPR Article 9(1), meaning you cannot process it without explicit legal basis. Article 9(2) permits processing only with explicit consent (Article 7) or for specific statutory reasons (e.g., employment, public interest). You must also comply with Article 13/14 (transparent disclosure) and Article 35 (DPIA—data protection impact assessment is mandatory for biometric processing). First step: Conduct a DPIA before deployment.

Privacy policy clauses for Jumio

What data Jumio collects

When does Jumio trigger privacy obligations?

Where data goes

Common compliance pitfalls

Not separating biometric consent from general terms

Missing or incomplete Data Processing Agreement (DPA)

Failing to update privacy disclosure for facial biometric retention

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose Jumio in my privacy policy?

What specific data does Jumio collect?

Does Jumio require a cookie consent banner?

Who processes my data and where does it go?

Don't ship without Bandit.