Products and Services Privacy Notice

General information and contact details

This policy was last updated on 01 April, 2025.

This Products and Services Privacy Policy covers GB Group Plc and our wholly owned subsidiaries ("GBG", "we", "us" or "our").

GBG’s wholly owned subsidiaries include, but is not limited to Acuant Inc, IDology Inc, Loqate Inc, GBG (Australia) Pty Ltd, Verifi Identity Services, Mastersoft Group Pty Ltd GBG (Malaysia) Sdn Bhd, GBG Singapore Pte Ltd and PT Fraud Solutions (GBG Jakarta).

Please note, this is a global privacy policy. It is recognised there is not a consistent standard for privacy across the globe but to confirm GBG complies with applicable data protection law and will review any request based on what is required for your jurisdiction. Where additional disclosure is required for a jurisdiction, please select from the side menu for additional information.

This privacy policy sets out the personal data we collect and process about you through our products and services, the purposes of the processing and how you can exercise your privacy rights. If you would like to understand how GBG collect, use, disclose, and otherwise process personal data in connection with our websites and how we interact with you when facilitating our business, please see our General Privacy Policy.

You may be reading this policy because of a link provided by one of our third party data suppliers, one of our customers, or you simply want more information on processing in relation to our products and services.

It is important to note, our customers and data suppliers will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy policy) about how they collect and process your data.

GBG have subsidiaries and offices in a number of countries, which are detailed here. See ‘Contact Us’ to see how best to contact your regional representative with any questions about how GBG use your personal data.

This privacy policy is reviewed annually, or sooner if changes to regulation or how we process personal data require it.

What do we do?

GBG is a global organisation who set out to create trust in a digital world, where everyone can transact with confidence. Typically, customers use our products so they can verify the information that you give to them about yourself. We do this by matching third party reference data (which we receive from data suppliers) against the data you give about yourself to our customers.

This still sounds complex, so here are some examples as we believe it is often the easiest way to explain:

Address Verification Example:

You want to order goods/services online
To receive your goods, you need to provide your address. The organisation (GBG’s customer) wants to ensure they have an accurate address for you, to ensure your order can be delivered.
As you enter your address, you are provided with address options for you to select. Our customers have chosen their integration, e.g. they may ask you for a postcode/zipcode or simply ask you to start typing.
As part of this processing, we may match the address data you provided against the addresses provided by our data suppliers.
Matching your address can work in 2 ways:
1. GBG’s customer may have an on-premise solution, which means GBG does not process any data.
2. GBG’s customer may be using a SAAS service, which means it is securely connecting to a GBG product, hosted by GBG.
You select the correct address presented on screen. This is then captured by the organisation you are engaging with, to be able to fulfil your order.
GBG does not have visibility of other data captured online by the company you are engaging with, nor can we influence how they respond to you.

Identity Verification Example:

You are going to open a bank account
In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. This is for a number of reasons, such as for the bank to comply with anti-money laundering regulations or combatting fraud purposes.
The bank collects personal data from you and passes this to GBG’s technology to process (via our products and services).
As part of this processing, we may match the personal data you provided against third party data (from our data suppliers), such as data belonging to Credit Reference Agencies or public sources, such as the voters register.
We may also collect your selfie photo and identity documents to verify that the person carrying out the journey is the same as those in the identity documents.
Matching your personal data may be done in 2 ways:

GBG host a copy of this personal data that we receive from data suppliers; and, or
GBG access personal data via a web service, which means our data suppliers holds the database and we securely send them your personal data to match against the records they hold. They then return the result to GBG.

We pass a result back to the bank (our customer) on whether we could match your input data against the third party data for the purposes of verifying your identity and preventing or detecting fraud.
Our customer then decides how they will respond to you, e.g. open your bank account, decline your request etc.
GBG does not have visibility on, nor can we influence how our customer responds to you.

More examples are included in the table below describing why we collect your personal data.

What personal data do we collect and why?

The personal information that we may collect about you broadly falls into the following categories:

Category	Examples
Basic identifying information	Name Address Telephone Email Address Date of Birth
Financial	Bank account details
Device	IP, Geocode, DeviceID
Government Records	Home Ownership, County Court Judgements, Insolvency
Social	Social Networks
Image	Photo on a passport or driving license, self-taken photos

Why we collect your personal data depends on the services we provide.

GBG Service	Description of services / why we collect this personal data
Location Intelligence	Address Capture & Verification – we can capture and verify addresses globally. Our service aims to create the best, quickest experience when you order online, whilst ensuring the company you are engaging with has the information they need to fulfil your request. For example, it is much quicker for you to enter a postcode/zipcode and be presented with a list of addresses to select from, as opposed to entering the full address. There is also the option where the company you are engaging with can verify if you have provided a valid email address or phone number so they can get in touch with you if needed. Some of our customers also take Geocodes, which is a unique identifier for your address, so the delivery company can easily find you to deliver the item you have ordered Data Cleansing – we are all busy people and it’s often difficult to remember and very time consuming to contact all the businesses we engage with if any of our details or preferences change. These organisations also have a legal requirement to keep your data up-to-date, which is where we come in. We can help them identify if your details are no longer valid, such as if you have moved address or if someone in your household has died, for the purposes of reducing the risk of fraud or being contacted at what we know will be an upsetting time. GBG is also able to provide our customers with additional information about you to help them try to ensure that the information that collected from you remains accurate and relevant to the purposes for which you provided it to them. For clarity, data that we provide to our customers cannot be used by us or them to contact you for marketing purposes. An example of where this could be used is if you had a pension at an old address, we could provide our customer with a new address so they can contact you. It is a legal requirement for such organisations to try to reunify you with your assets, which is why they are entitled to keep your information accurate and up to date.
Identity	Identity & Age Verification – we can capture and verify your identity globally, making it easier for you to transact online. What this includes depends on the organisation you are engaging with. For example, we can verify the authenticity of your identity documents or check if you are over a particular age if you want to access a service which has age restrictions. Our customers do this because many of them must meet regulatory requirements and prevent fraud, so we help them to meet their requirements, with you in mind, to make things as simple and easy as possible. Identity Intelligence & Tracing* –is used where a company has minimal or old information on you and they may need to contact you. Use cases include law enforcement, fraud, asset reunification and debt collection to identify and locate individuals in the United Kingdom. To give you an example, our product has helped assist police in locating a domestic abuse victim who needed help. A woman made a 999 call as there was an incident at a domestic address. The police used GBG’s product to identify three possible addresses. Patrols attended each address and the operator was able to hear the officers knocking on the door, confirming they were in the right place. A man was arrested and the woman treated for her injuries. *This product only processes personal data that belongs to residents of the United Kingdom.
Fraud Prevention	GBG or one of our wholly owned subsidiaries, may collect your data directly from you, from our third party suppliers, or from our customers, to help protect you and our GBG customers against fraud and help other third parties to detect and prevent fraud. When we collect your data, we may use it to generate risk scores or create fraud and/or identity alerts, insights and reports. If collection is via our customers, we have requested you be informed of this via their privacy notices. We generate these risk scores and alerts via our fraud networks. Depending upon what has been agreed with you or GBG’s customer, this may be a data pool specific to a named GBG legal entity and/or your data may be shared across all GBG entities. The purpose of our fraud networks is to be able to gain insights from the data that is fed into them, for the purposes of fraud prevention. To give you an example, Mary Christmas placed a large food order on the last shipping day before Christmas. Her name triggered fraud indicators: due to her name and timing, the retailer would have normally declined the order. However, the retailer used our service to determine that Mary Christmas was a legitimate customer. Mary Christmas's goods were dispatched and she/her family got to enjoy a lovely Christmas lunch.

GBG Service

Description of services / why we collect this personal data

Location Intelligence

Address Capture & Verification – we can capture and verify addresses globally. Our service aims to create the best, quickest experience when you order online, whilst ensuring the company you are engaging with has the information they need to fulfil your request. For example, it is much quicker for you to enter a postcode/zipcode and be presented with a list of addresses to select from, as opposed to entering the full address. There is also the option where the company you are engaging with can verify if you have provided a valid email address or phone number so they can get in touch with you if needed. Some of our customers also take Geocodes, which is a unique identifier for your address, so the delivery company can easily find you to deliver the item you have ordered
Data Cleansing – we are all busy people and it’s often difficult to remember and very time consuming to contact all the businesses we engage with if any of our details or preferences change. These organisations also have a legal requirement to keep your data up-to-date, which is where we come in. We can help them identify if your details are no longer valid, such as if you have moved address or if someone in your household has died, for the purposes of reducing the risk of fraud or being contacted at what we know will be an upsetting time. GBG is also able to provide our customers with additional information about you to help them try to ensure that the information that collected from you remains accurate and relevant to the purposes for which you provided it to them. For clarity, data that we provide to our customers cannot be used by us or them to contact you for marketing purposes. An example of where this could be used is if you had a pension at an old address, we could provide our customer with a new address so they can contact you. It is a legal requirement for such organisations to try to reunify you with your assets, which is why they are entitled to keep your information accurate and up to date.

Identity

Identity & Age Verification – we can capture and verify your identity globally, making it easier for you to transact online. What this includes depends on the organisation you are engaging with. For example, we can verify the authenticity of your identity documents or check if you are over a particular age if you want to access a service which has age restrictions. Our customers do this because many of them must meet regulatory requirements and prevent fraud, so we help them to meet their requirements, with you in mind, to make things as simple and easy as possible.

Identity Intelligence & Tracing* –is used where a company has minimal or old information on you and they may need to contact you. Use cases include law enforcement, fraud, asset reunification and debt collection to identify and locate individuals in the United Kingdom. To give you an example, our product has helped assist police in locating a domestic abuse victim who needed help. A woman made a 999 call as there was an incident at a domestic address. The police used GBG’s product to identify three possible addresses. Patrols attended each address and the operator was able to hear the officers knocking on the door, confirming they were in the right place. A man was arrested and the woman treated for her injuries.
*This product only processes personal data that belongs to residents of the United Kingdom.

Fraud Prevention

GBG or one of our wholly owned subsidiaries, may collect your data directly from you, from our third party suppliers, or from our customers, to help protect you and our GBG customers against fraud and help other third parties to detect and prevent fraud.

When we collect your data, we may use it to generate risk scores or create fraud and/or identity alerts, insights and reports. If collection is via our customers, we have requested you be informed of this via their privacy notices. We generate these risk scores and alerts via our fraud networks. Depending upon what has been agreed with you or GBG’s customer, this may be a data pool specific to a named GBG legal entity and/or your data may be shared across all GBG entities. The purpose of our fraud networks is to be able to gain insights from the data that is fed into them, for the purposes of fraud prevention.

To give you an example, Mary Christmas placed a large food order on the last shipping day before Christmas. Her name triggered fraud indicators: due to her name and timing, the retailer would have normally declined the order. However, the retailer used our service to determine that Mary Christmas was a legitimate customer. Mary Christmas's goods were dispatched and she/her family got to enjoy a lovely Christmas lunch.

Our legal basis for processing personal data

If you are based in a jurisdiction that requires legal grounds for us to be able to process your personal data, we process your information on the following grounds:

Compliance with a legal obligation.
Legitimate Interests of a third party (subject to balancing test), such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services are able to do so
Consent, which may be express or implied, gathered directly or via our customer. An identity verification journey may include steps that will perform face match, therefore your biometric data will be processed, as further detailed in our Biometric Notice below. If you are not happy to provide your consent, then please consult with the organisation that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something GBG can influence.

GBG’s customers will have their own lawful basis for processing your data and will have communicated this with you.

The table below identifies the legitimate interest that we rely on for each of our activities.

Activity/Purpose	GBG's Lawful basis
Location Intelligence (Address Capture & Verification)	We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to ensure you receive the goods/services you have ordered and prevent fraud by ensuring your data is accurate and up-to-date. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. We have given a description of the types of services our customers provide in the table above
Identity	Our services help to prevent fraud by ensuring you are who you say you are. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough, or verifying your identity. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. We have given a description of the types of services our customers provide in the table above.
Fraud Prevention	These services help to prevent fraud and allow our customer to meet their compliance obligations. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. We have given a description of the types of services our customers provide in the table above.

Activity/Purpose

GBG's Lawful basis

Location Intelligence (Address Capture & Verification)

We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to ensure you receive the goods/services you have ordered and prevent fraud by ensuring your data is accurate and up-to-date. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. We have given a description of the types of services our customers provide in the table above

Identity

Our services help to prevent fraud by ensuring you are who you say you are. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough, or verifying your identity. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. We have given a description of the types of services our customers provide in the table above.

Fraud Prevention

These services help to prevent fraud and allow our customer to meet their compliance obligations. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis.

We have given a description of the types of services our customers provide in the table above.

Where relevant, GBG maintain an up-to-date record of processing activities under our responsibility, which details for each of our processing activities, the lawful basis.

Where relevant, you are entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.

If you have questions about this or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided.

Who will we receive your personal data from, who will we share your personal data with, and why?

As explained above under "What do we do", we receive personal data about you directly, or from our customers and data suppliers. We also send your personal data to our customers and data suppliers, where there is a lawful reason to do so, in order to provide our products and services.

GBG Customers

We offer our products services to public and private organisations worldwide. These include:

Sector	Examples
Financial Services	Banks, insurance providers, debt management companies
eCommerce	Retail (online shopping), online commerce platforms
Gaming	Online gaming
Consumer Services	Travel and leisure, media, car rental companies
Public Sector	Law enforcement, local government, education bodies
Utilities	Gas, electricity, water suppliers and switching/price comparison sites

GBG Data Suppliers

We work with a number of trusted data suppliers. These include:

Data Supplier	Further information
Government / Public Authorities	These bodies include authorities that provide driving licence information, passport information, citizen identification number, social security number, insolvency records (also in publicly available) or sanctions lists (also in publicly available).
Regulated Financial Services Organisations / Firms	These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address.
Other Regulated Organisations / Firms	These entities provide personal data which can help to verify you, reduce fraud or contact you. directory.
Commercial Organisations	These entities provide your contact details, such as name, address, telephone number or email address, which we can then use to meet the request you have made to one of our Customers.
Publicly available, collected by a third party organisation or GBG	These customer entities have informed individuals that data will be provided to GBG to protect them against fraud, by generating risk scores or creating fraud and/or identity alerts, insights and reports.
Non-personal / address data	These entities provide information about deceased records, geocodes, co-ordinates, postcodes or zipcodes.

We may also disclose your personal data to the following categories of recipients:

to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal data for purposes that are described in this privacy notice;
to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.

How long do we retain your data for in our Products and Services?

We retain personal data we collect from you, our customers and data suppliers for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering), or for the duration that is set by our customers, which we do not control. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

As explained above in the section “What do we do”, GBG access personal data in 2 ways. When we access personal data via a web service, our data suppliers hold the database therefore GBG does not see or have any control over this, other than via our GBG Audit Trail which we explain below.

Sector	GBG Data Retention Period	Further Information
GBG Audit Trail	12 month	Where appropriate, GBG may retain a copy of your personal data for a period of twelve (12) months to enable GBG to respond when an individual wishes to exercise a data subject right.
GBG Fraud Networks	Up to 10 years	The exact retention duration depends on the relevant GBG fraud network and how often you engage with our customers.

For the majority of GBG’s products and services, GBG’s customers make a choice as to how long they want to retain the data they have collected on you. Dependent upon where we are in the world, GBG’s role for this is typically as a processor, which means we operate under the instructions of the GBG customer if we host this on their behalf. GBG’s customer has an obligation to advise you in their privacy policy which will have been shared with you, how they collect and manage your personal data.

For data retention related to UK, click here

Cross Border Transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.

Our group companies, data suppliers, customers and third party providers and partners operate around the world. This means that when we collect your personal data we may process it in any of these countries.

However, we have taken appropriate safeguards so that your personal data will remain protected in accordance with this privacy notice.
Where appropriate, these include implementing the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement for international data transfers between our group companies, which require all group companies to protect UK and EEA personal data in accordance with UK and European Union data protection law.

We have implemented similar appropriate safeguards with our data suppliers, customers and third party providers and partners.
In our agreements with our customers, we are clear where data is processed so they can ensure you are adequately informed in their privacy notice.

For transfers specific to Australia and New Zealand, click here

Data Security

GBG is ISO27001 certified, with some areas of our business also covered by PCI-DSS, Cyber Essentials and/or Cyber Essentials Plus.

GBG’s Information Security Team is focused on maintaining an information security program which covers everything you would expect and more.

This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.

GBG’s 24 x 7 Security Operations Centre responds to any event or notification for investigation to uphold the security posture of GBG. Therefore, GBG have eyes and ears on the threats and threat actors that are likely to be attracted to GBG and the data that the organisation processes. GBG understands the critical need for technical and organisational control implementation to ensure GBG operates securely.

Your privacy rights

It depends on where you are based in the world as to the rights you have (in the US, this currently only includes California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, Nebraska and New Jersey). GBG will fulfil all rights requests in line with applicable data protection law. Your rights may include:

The right to access/know your personal information – You have a right to know what personal information we hold on you and for what purpose we are processing your personal data.
The right to data portability – you can request that the personal data you have provided to us be ported to another organisation, or be provided to you (to the extent technically feasible) in a readily useable format that allows you to transmit it yourself.
The right to opt-out of sale of your personal data, including the right to opt-out of targeted advertising and profiling – you have the right to stop us from “selling” your personal data to third parties. However, please note that GBG does not sell personal data.
The right to withdraw consent – you can withdraw consent at any time.
The right to erasure/delete – you can request that we remove your personal data from our systems.
The right to restrict processing – you can request that GBG only process your personal data for the purposes you specify or limit processing of your sensitive personal data
The right to rectification/correction – you have the right to ask us to rectify/correct any information you believe is inaccurate. You may also have the right to ask us to complete information you think is incomplete.
The right to object to processing – you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.
The right to obtain information upon request on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal information
The right to No Discrimination – You have the right not to receive discriminatory or retaliatory treatment for exercising your privacy rights. This includes the right as an employee, applicant, or independent contractor to not be retaliated against for the exercise of your rights.
The right to complain if you think we’ve mishandled your personal information.

Please keep in mind that dependent upon the applicable law, some of these rights are subject to an internal assessment that one of the grounds thereunder is satisfied.

Privacy rights vary among U.S. states. These rights are not absolute and may be subject to specific exceptions (e.g., personal data of individuals while acting in a commercial or employment contexts are excluded from data protection laws).

If you are a resident of the State of Nevada, you may opt out of future sales of certain covered information that a website operator has collected or will collect about a resident of the State of Nevada. We do not currently sell covered information for monetary consideration, but you may still contact us on our webform to submit such a request.

If you are a resident of the State of California:

Shine the Light: California residents that have an established business relationship with us have rights to know how their information is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law (Civ. Code §1798.83).
The right to limit the use of sensitive information – you have the right to request that we limit our usage of your personal information to what is strictly necessary to perform our Services. However, we only use and disclose sensitive personal information that we collected for purposes specified in section 7027, subsection (m) of the CCPA regulations.

How to Make a Privacy Rights Request

Please use our webform, or send via phone or post using the information provided in our “Contact Us” section of this General Privacy Policy.

You are not required to pay any charge for exercising your rights. We usually have one calendar month to respond, but this may vary depending on your location (for example, if you are in the US we have 45 days depending on your state of residence). If we are unable to comply with your request, we will provide you with an explanation.

Verification. Due to the confidential nature of your personal information, we may ask you to provide proof of identity when exercising the above rights to verify your identity, in accordance with applicable data privacy laws. This can be done by providing a copy of a valid identity document issued by the authorised body where you are a resident and is exercised for the purpose of ensuring that the individual making the rights request is in fact who they claim to be.

Authorised Agents. As defined in the applicable privacy law, you may use an authorised agent to exercise your rights on your behalf. If you are making any of the requests above through an authorised agent, we will request written authorisation from you and will seek to verify you as described above or we will accept a legal Power of Attorney. To make a request using an authorised agent, have your agent use our webform and upload documentation demonstrating authorisation from you. In the U.S., authorized agents can exercise some, but not all, privacy rights.

Complaints and Appeals

If you are a resident of a jurisdiction that allows you to appeal a decision we have made in connection with your attempt to assert a right under applicable Data Protection Laws, you may file an appeal of our decision by contacting us at DPO@gbgplc.com. Please ensure you provide us with the postal address in which you reside, accompanied with details for the basis of your appeal.

Your jurisdiction may allow you to file a complaint regarding any concerns with the result of your appeal request.

For the UK Regulator, click here
For other data protection authorities in the EU, click here
US residents whose states have enacted an applicable privacy law may file a complaint with their corresponding state’s Attorney General or dedicated Agency if they have concerns about the result of the appeal.
For Australia, Office of the Australian Information Commissioner, click here
For New Zealand, Office of the Privacy Commissioner, click here

Contact Us

If you have any questions or requests in connection with this Products and Services Privacy Policy, please use this form or send an email to DPO@gbgplc.com. Alternatively, enquiries may be made to:

Jurisdiction	Phone	Address
UK Head Office for GB Group plc Company Registration Number: 02415211	+44 (0) 1244 657277	Privacy & Data Compliance Team GBG The Foundation Herons Way Chester Business Park Chester CH4 9GB United Kingdom
EEA /Swiss (EEA Representative)	+34 (0) 935 451 156	Privacy & Data Compliance Team GBG Edifici El Triangle 4a planta Placa de Catalunya 1 08002 Barcelona Spain
US	1(833) 383-0085	Privacy & Data Compliance Team GBG IDology 2300 Windy Ridge Pkwy SE Suite 1115 Atlanta, GA 30339 United States
Australia, New Zealand and APAC countries	+61 (0) 3 8595 1500	Head of Privacy, APAC GBG Level 4 / 360 Collins St Melbourne Victoria 3000 Australia

Biometrics Notice

This Biometrics Notice was last updated on 01 April, 2025

Our Biometric Notice governs the collection, use, safeguarding, handling, storage, retention, disclosure or transmission, redisclosure, and destruction of biometric data in accordance with applicable laws relevant to the biometric Services we provide to GBG customers.

GBG customers are responsible for developing and complying with their own biometric data practices and privacy policies in accordance with applicable laws, including obtaining your affirmative express consent and/or informed written consent on behalf of GBG and our third-party vendors (“GBG Technology Vendors”) before the collection, use, safeguarding, handling, storage, retention, disclosure or transmission, and redisclosure of your biometric data (or personal data utilized for biometric processing).

BIOMETRIC DATA DEFINED

The term “biometric data” as used in this Biometric Notice has the meaning provided under relevant and applicable comprehensive data protection and biometric laws, and includes “biometric identifiers” and “biometric information.”

OUR SERVICES

Why We Collect Your Personal Data for Biometric Processing.

We collect your personal data to provide our Services to our GBG customers so that they can authenticate or verify an individual by asking “Is this person who they say they are?”.

We do not use your personal data for identification purposes; we do not ask “Is this person in a database?”.

Our Biometric Services Explained:

Methods of Collection

How we collect your face images for the biometric processing depends on the specific biometric Service that is being used and/or how our GBG customer choose to set up the Service. We can collect the data directly from you, such as when you download and use our app, or we can collect it indirectly through our GBG customer’s application or platform with which you directly interact.

Facial Images Sources

Our Services utilize your face images collected from two different sources: (1) an identity document (e.g., driver’s license, passport, etc.), and (2) a selfie.

GBG Technology Vendors

Some of our biometric Services may use external service providers (“GBG Technology Vendors”), all of which are listed at the end of this Biometric Notice.

Our Processing and Information provided to GBG Customers

We take your identity document image and your selfie image (collectively, your “facial images”) and compare the two using facial recognition technology to see if the facial images you submitted belong to you.
We do this by using facial recognition technology, either internally or through a GBG Technology Vendor, to extract biometric data by scanning or digitally mapping an individual’s facial features or facial geometry, such as the distance between the eyes or the forehead and chin.
These measurements are then used to create a mathematical algorithm or formula known as a ‘facial template’ or ‘facial signature’ of the extracted data, which is deemed to be biometric data.
An algorithm then compares the biometric data extracted from your facial images to authenticate or verify that the person on the identity document image is the same person on the selfie image.
This process then generates a numerical ‘face match score,’ which we provide to our GBG customer that you are transacting with so they can assess their confidence level in determining whether the facial images collected belong to the same person.

Passive Liveness

Our GBG customers may also purchase our Passive Liveness Service, which detects whether the selfie image is a photo of an actual live person instead of a photo of a non-living person or spoof (e.g., a recording, another picture, a mask, a mannequin, etc.) by analyzing the features of the selfie image while not utilizing facial recognition technology. When GBG customers use our Passive Liveness Services they are asking the question “is this a representation of a live person?” instead of “is this the person who they say they are?”. The technology used by our Passive Liveness Services does not collect or process any facial template, the selfie images are instantly purged when the processing has been completed.

BIOMETRIC DATA DISCLOSURE

We may disclose or transmit your personal data (i.e., your facial images) to our GBG Technology Vendors, such as, when we utilize their facial recognition technology to facilitate the provision of our Services to GBG customers.

We and our GBG Technology Vendors will not sell, lease, trade, or otherwise profit from a person’s biometric data that we may possess as a result of our GBG customer’s use of our Services.

We prohibit any further disclosure or re-disclosure of your biometric data not covered under this Biometric Notice, unless:

You consented;
We are required to do so under state or federal law, or municipal ordinance; or
We are required to do so under a valid warrant or subpoena issued by a court.

OUR DATA SECURITY

We store, transmit, and protect from disclosure all personal data processed under our biometric Services using a reasonable standard of care with measures that are at least equivalent to the measures that we use to store, transmit, and protect from disclosure other confidential and sensitive data, such as drivers’ license numbers and social security numbers.

OUR SERVICES RETENTION SCHEDULE

Our data retention practices vary depending on the biometric Service utilized by our GBG customers to collect and process biometric data and follow the retention schedule provided below. Unless otherwise required by law, once the retention schedule no longer authorizes us to retain your personal data, we will securely and permanently destroy your data, including any biometric data.

The table below sets out the difference between how long we retain ‘facial images’ (i.e., your identity document photo and selfie) and ‘biometric data’ (i.e., the facial template).

GBG Services	Categories of Personal Information Collected	Purposes	Facial Images Retention	Biometric Data Retention
IDScan Enterprise	Image from an identity document (e.g., driver’s license, passport) Selfie Biometric data	To collect and process your facial images using facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers.	Up to 31 days* (GBG’s customer can reduce to instant deletion when processing has been completed)	Facial templates are immediately deleted when processing has been completed
IDScan Core**	Image from an identity document (e.g., driver’s license, passport) Selfie Biometric data	To collect and process your facial images using facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers.	Facial images are immediately deleted when processing has been completed	Facial templates are immediately deleted when processing has been completed
ExpectID Scan Verify	Image from an identity document (e.g., driver’s license, passport) Selfie Biometric data	To collect, process and disclose your facial images to GBG Technology Vendors, which utilize facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers.	Up to 30 days* (GBG’s customer can reduce to instant deletion when processing has been completed)	24 hours
ExpectID Scan Onboard** (if either Face Review or Programmatic Face Compare are enabled)	Image from an identity document (e.g., driver’s license, passport) Selfie Biometric data	To collect, process, and disclose your facial images to GBG Technology Vendors, which utilize facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers.	Up to 30 days* (GBG’s customer can reduce to instant deletion when processing has been completed)	24 hours
FaceID	Image from an identity document (e.g., driver’s license, passport) Selfie Biometric data	To collect, process, and disclose your facial images to GBG Technology Vendors, which utilize facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers.	40-60 seconds	24 hours
GBG Go** (if Face Match is enabled)	Image from an identity document (e.g., driver’s license, passport) Selfie Biometric data	To collect and process your facial images using facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers.	Facial images are immediately deleted when processing has been completed	Facial templates are immediately deleted when processing has been completed

* Our GBG customers can choose to reduce or extend the default retention period.

** Our GBG customers may use this Service without processing any biometric data. This Service will only process biometric data if our GBG customer chooses to enable biometric processing.

GBG TECHNOLOGY VENDORS

We disclose your personal data (i.e., your facial images) to our GBG Technology Vendors, listed below, for the purposes of cloud hosting services and/or technology service providers of facial recognition technology when providing our Services to GBG customers.

GBG Services	GBG Technology Vendors
IDScan Enterprise	Amazon Web Services (AWS) Cloud hosting services
IDScan Core	Amazon Web Services (AWS) Cloud hosting services
ExpectID Scan Verify	Quality Technology Services (QTS) Data center Acuant, Inc. (see FaceID) Technology service provider
ExpectID Scan Onboard	Quality Technology Services (QTS) Data center Acuant, Inc. (see FaceID) Technology service provider
FaceID	Amazon Web Services (AWS) Cloud hosting services Microsoft, Inc. (Azure) Technology service provider of facial recognition technology

UK - Data Retention

This UK – Data Retention Addendum was last updated on 01 April, 2025
At the point of collection, you will have been advised how long your personal data will be held for, which will be different to the retention period GBG state below.

A ‘data refresh’ is how often GBG get a copy of the personal data. The data supplier may provide GBG with a complete refresh, which is a new copy of the entire file. Some data suppliers only provide updates to a file (e.g. new records, updates to existing records or a request to delete records). GBG then apply these updates to a master file we hold. What this means is whilst GBG gets a new copy of the data, this database may contain much of the same data we have previously received. This explains why the data refresh is different to GBG’s data retention period

Data Refresh	GBG Data Retention Period	Further Information
Full Electoral Roll	Monthly	From 1992 The retention period will increase each year, up to 80 years. This will then be maintained at 80 years. Customer access is restricted for 6 years, with the opportunity to view earlier data providing they have a justification. This data is governed by the Representation of the People Act, therefore can only be used by our public sector/law enforcement customers.
Open Register	Monthly	From 2003 The retention period will increase each year, up to 80 years. This will then be maintained at 80 years. Customer access is restricted for 6 years, with the opportunity to view earlier data providing they have a justification. Also known as the Edited Electoral Roll.
Insolvency Data	Weekly	6 years We receive data from 3 sources: England and Wales, Scotland, and Northern Ireland. They each send GBG any new records, amended records or records they would like us to delete. We then apply this to a copy of the database we hold.
Postcode Address File (PAF)	Daily	Variable GBG receives daily updates of PAF, which we hold for 2 weeks but we apply this to a copy of the database we hold where an address is retained for as long as Royal Mail keeps it on their master database (i.e., for as long as the property exists). PAF is address data provided by Royal Mail.
BT OSIS (UK Telephone Number Database)	6 days a week	Variable GBG receives updates of any new records, amended records or any records we need to delete and we hold these update files for 2 weeks. We apply the updates to a master database, so you will stay on this until BT asks us to remove you, which is typically when you cease having a landline telephone number. You may know this as the BT Phonebook. GBG must refer to it by its name as dictated by our licence.
Commercial Data	Weekly or Monthly	2 Months GBG receives a full refresh of the data each month, but may receive a weekly update asking us to remove a record if an individual has exercised one of their data subject rights to our data supplier.

Australia and New Zealand

This Australia and New Zealand Addendum was last updated on 01 April, 2025

GBG take the protection and security of your personal information very seriously and this addendum sets out our additional responsibilities under the Privacy Act 1988 (Cth) (‘Australian Privacy Act’) and the Privacy Act 2020 (‘New Zealand Privacy Act’) relating to the processing and security of your personal information. We refer to the Australian Privacy Principles as the APPs and the New Zealand Information Privacy Principles as the IPPs. We refer to the Australian Privacy Act and the New Zealand Privacy Act together as ‘the Privacy Acts’.

This addendum sets out additional privacy notifications required for GBG's products sold in Australia and New Zealand.

The organisation you are interacting with should clearly outline to you where your data will be transferred, as this will have been detailed for them when contracting with GBG. GBG is a global organisation, therefore is capable of verifying your identity or an address globally as outlined in our Privacy Policy above.

GBG has taken appropriate safeguards and also conduct robust due diligence on data suppliers and third party providers to ensure data is protected. This means your personal information will be handled in accordance with the APPs and IPPs (at a minimum) in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information.

Regions for transfer may include Europe, Africa & Middle East; Latin America; North America; East Asia; South Asia; and South East Asia.As an individual, we recognise it’s unlikely you’ll know the name of GBG’s product, however transfers and data retention based on the type of processing is outlined for information below.

GBG Product	Service	Data Collection	Data Hosted	Transfers	Data Retention
IDScan	Identity Document Verification	Australia New Zealand	Australia	N/A	Up to 31 days
IDScan	Customer Requested Support		UK Malaysia Turkey
GBG Go	Identity Data Verification	Australia New Zealand	Australia	Europe Africa & Middle East Latin America North America East Asia South Asia South East Asia	This will be defined by GBG’s customer, 0-5 years maximum
	Identity Document Verification	Australia New Zealand	Australia	N/A	This will be defined by GBG’s customer, 0-5 years maximum
	Customer Requested Support		Australia UK Malaysia US Costa Rica
GreenID	Identity Data Verification	Australia New Zealand	Australia	N/A	Unless defined by the Customer, the data is deidentified after 12 months.
GreenID	Identity Document Verification	* See IDScan
Cloudcheck	Identity Data Verification	New Zealand	New Zealand	New Zealand Australia And if international services taken: Europe Africa & Middle East Latin America North America East Asia South Asia South East Asia	7 days
Loqate Harmony	Address Verification	Australia New Zealand	Australia		0 or 30 days
	Email Validation	Australia New Zealand	Australia	Germany Belgium US	0 or 30 days
	Phone Validation	Australia New Zealand	Australia	Germany Belgium	0 or 30 days

Identity Document Verification may use biometric processing. Please refer to GBG’s Biometrics Notice for more detail.