Must I disclose Veriff in my privacy policy?

Yes. Veriff processes sensitive biometric and identity data, which qualifies as special category data under GDPR. You must transparently disclose that Veriff performs identity verification, explain the legal basis for processing, and inform users about their rights. This is a mandatory privacy policy requirement, not optional.

What specific data does Veriff collect from users?

Veriff collects identity document images (passports, driver's licenses, etc.), extracted identity data from those documents, facial biometric data, liveness detection results, device and session metadata, and geolocation information. This data is processed to verify that the person completing verification matches their submitted identity documents.

Do I need a cookie consent banner for Veriff?

No cookies are directly documented for Veriff's core identity verification functionality. However, you should review your specific implementation and Veriff's current cookie disclosures, as session management or analytics features may employ cookies requiring separate consent under GDPR or similar regulations.

Who processes my data with Veriff and where is it stored?

Veriff OÜ, an Estonian company, is your data processor. Estonia is within the European Union, so data benefits from GDPR protections. You should execute a Data Processing Agreement (DPA) with Veriff and review their privacy notice at https://www.veriff.com/privacy-notice for complete details on retention, transfers, and user rights.

Identity Verification

Privacy policy clauses for Veriff

Veriff is an AI-powered identity verification service that uses document analysis and facial recognition to confirm user identities for compliance purposes. Websites integrate Veriff to prevent fraud, meet regulatory requirements, and verify customer identities during onboarding.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Veriff collects

Your privacy policy must disclose each of the following data types when you use Veriff.

Identity document images and data

Facial biometric data and liveness

Device and session metadata

Geolocation data

When does Veriff trigger privacy obligations?

Installation triggers immediate obligations

The moment you embed Veriff's identity verification SDK or API on your site or app, you begin collecting special-category biometric data (facial images, liveness signals) and identity document images. Under GDPR Article 9(1), processing biometric data for identification purposes is prohibited unless you meet one of the narrow exemptions—most commonly Article 9(2)(a) (explicit consent) or Article 9(2)(h) (employment/social security, if applicable to your use case).

Jurisdiction-specific thresholds

EU/EEA users

Common compliance pitfalls

Pitfall 1: Missing or vague lawful basis for biometric processing

The mistake: Adding Veriff without explicitly documenting why you need facial biometrics and which GDPR Article 9 exemption applies. Many founders assume 'KYC compliance' is self-evident.

Why it happens with Veriff: Biometric data feels different from typical form data, so teams often skip the deliberate lawful-basis analysis. Veriff's documentation emphasizes regulatory compliance outcomes, not the *data protection* framework you need to satisfy first.

Consequence: GDPR enforcement action. Regulators (EDPB, national DPAs) have flagged unlawful biometric processing in fintech and onboarding flows. Fines up to €20M or 4% annual global revenue. Users can file GDPR Article 82 damages claims.

Pitfall 2: No Data Processing Agreement (DPA) with Veriff OÜ

The mistake: Treating Veriff as a simple SaaS vendor without a written DPA specifying processor obligations, sub-processors, data location, and deletion timelines.

Why it happens with Veriff: Veriff provides a privacy notice, but that document alone does not satisfy GDPR Article 28 requirements. Many founders assume the privacy notice is enough.

Consequence: You remain liable for Veriff's processing failures. If Veriff experiences a breach or unauthorized sub-processor engagement, you are jointly and severally liable. DPA absence is a *per se* GDPR violation.

Pitfall 3: BIPA non-compliance for Illinois users

The mistake: Collecting Veriff's liveness facial biometrics without obtaining explicit written consent *before* collection, or failing to disclose retention periods and use restrictions.

Why it happens with Veriff: BIPA is state-level and less widely known than GDPR. Teams often assume GDPR compliance covers U.S. obligations, or miss that liveness checks are BIPA-regulated biometric collection.

Consequence: BIPA provides private right of action. Statutory damages are $1–5k per violation per person. Class actions have resulted in settlements of $50M+. Illinois AG enforcement is active.

Privacy policy clauses for Veriff

What data Veriff collects

When does Veriff trigger privacy obligations?

Installation triggers immediate obligations

Jurisdiction-specific thresholds

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Missing or vague lawful basis for biometric processing

Pitfall 2: No Data Processing Agreement (DPA) with Veriff OÜ

Pitfall 3: BIPA non-compliance for Illinois users

Legal note

Sample privacy policy clause

What regulators look for

GDPR/EEA Data Protection Authorities

CPRA and state AGs

Audit red flags

Frequently asked questions

Must I disclose Veriff in my privacy policy?

What specific data does Veriff collect from users?

Do I need a cookie consent banner for Veriff?

Who processes my data with Veriff and where is it stored?

Don't ship without Bandit.