Do I need to disclose Sumsub in my privacy policy?

Yes. Sumsub processes sensitive personal data including biometric information, government-issued identity documents, and AML screening results. Because it involves biometric data collection subject to GDPR Article 9 and similar regulations like BIPA and CCPA, disclosure is legally required. You must clearly inform users that their identity data will be verified through Sumsub before they complete verification.

What specific data does Sumsub collect and process?

Sumsub collects identity documents (passport, driver's license, etc.), selfies for biometric face-matching verification, proof of address documents, phone and address verification data, and generates AML screening results against regulatory databases. This data is processed to verify your identity and assess compliance with financial regulations.

Does Sumsub require a cookie consent banner?

No documented cookies are used by Sumsub's verification service itself. However, you should review your implementation, as consent requirements depend on how Sumsub is integrated into your website and whether other tracking technologies are deployed alongside it.

Who is the data processor and where is my data stored?

Sumsub Ltd., based in the United Kingdom, is the data processor. Your biometric and identity data is transferred to and processed by Sumsub as a third-party service provider. Sumsub maintains SOC 2 certification and is subject to GDPR requirements for international data transfers. Review their privacy notice at https://sumsub.com/privacy-notice/ for complete data handling details.

Identity Verification

Privacy policy clauses for Sumsub

Sumsub is a full-cycle KYC/AML (Know Your Customer/Anti-Money Laundering) identity verification platform that uses document analysis, biometric matching, and regulatory screening to verify user identities and assess compliance risk.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Sumsub collects

Your privacy policy must disclose each of the following data types when you use Sumsub.

Identity documents and selfies

Biometric face matching

AML screening results

Address and phone verification

Proof of address documents

When does Sumsub trigger privacy obligations?

Sumsub integration triggers obligations the moment you begin collecting identity documents, selfies, and biometric face-matching data—even during testing. This is not a tracking pixel; it is regulated personal data collection.

GDPR (EEA users): Biometric data collection for identification purposes falls under GDPR Article 9 (special categories). You must have a lawful basis under Article 6 *and* a derogation under Article 9(2)—typically Article 9(2)(a) (explicit consent) or Article 9(2)(h) (employment/regulatory necessity). If you collect from anyone in the EEA, GDPR applies regardless of your location.

Privacy policy clauses for Sumsub

What data Sumsub collects

When does Sumsub trigger privacy obligations?

Where data goes

Common compliance pitfalls

Forgetting to separate consent for biometric data

Missing or incomplete Data Processing Agreement (DPA)

Failing to update privacy policies with specific data types

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose Sumsub in my privacy policy?

What specific data does Sumsub collect and process?

Does Sumsub require a cookie consent banner?

Who is the data processor and where is my data stored?

Don't ship without Bandit.