Do I need to disclose Onfido in my privacy policy?

Yes. Onfido processes biometric data (facial geometry from selfies) and government ID information, which are sensitive under GDPR, CCPA, BIPA, and similar laws. You must clearly disclose Onfido's use, explain the legal basis for collection, and obtain explicit, informed consent before any verification occurs.

What specific data does Onfido collect?

Onfido collects government-issued ID document images, facial biometric data (selfie and liveness checks), name, date of birth, nationality, and address extracted from identity documents. It also analyzes document authenticity signals to detect fraud or tampering.

Does Onfido require a cookie consent banner?

Onfido itself does not set cookies. However, you should still disclose Onfido in your privacy policy and obtain consent for biometric data collection before the verification process begins, separate from cookie consent.

Who processes my data with Onfido and where?

Onfido Ltd., a United Kingdom-based company, is the data processor. You should ensure a Data Processing Agreement (DPA) is in place. Under GDPR, transfers outside the EU/EEA require adequate safeguards; Onfido is SOC 2 Type II certified. Review Onfido's privacy policy at https://onfido.com/privacy/ for their data retention and international transfer practices.

Identity Verification

Privacy policy clauses for Onfido

Onfido is an identity verification service that uses document analysis and facial biometrics to confirm user identity. Websites integrate Onfido to prevent fraud, comply with know-your-customer (KYC) regulations, and securely verify that users are who they claim to be.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Onfido collects

Your privacy policy must disclose each of the following data types when you use Onfido.

Government-issued ID document images

Facial biometric data (selfie/liveness)

Name, date of birth, nationality

Address from identity documents

Document authenticity signals

When does Onfido trigger privacy obligations?

Installation and activation

Onfido's identity verification flow triggers data protection obligations the moment you integrate its SDK or API into your application or website. Unlike analytics or marketing tags, Onfido immediately begins collecting biometric data (facial geometry from selfies/liveness checks) and government ID document images—both classified as special category data under GDPR Article 9 and biometric identifiers under CCPA Section 1798.100.

### Jurisdictional triggers

Privacy policy clauses for Onfido

What data Onfido collects

When does Onfido trigger privacy obligations?

Installation and activation

Where data goes

Common compliance pitfalls

1. Treating biometric consent as generic "privacy" consent

2. No Data Processing Agreement (DPA) with Onfido

3. Retaining biometric data longer than stated, or not disclosing retention at all

Legal note

Sample privacy policy clause

What regulators look for

GDPR Data Protection Authorities (DPAs)

BIPA enforcement (Illinois Attorney General, private rights of action)

CCPA enforcement (California Attorney General)

Frequently asked questions

Do I need to disclose Onfido in my privacy policy?

What specific data does Onfido collect?

Does Onfido require a cookie consent banner?

Who processes my data with Onfido and where?

Don't ship without Bandit.