GBG Identify Privacy Policy

This policy was last updated on 18th October 2022.

Please Read These Licence Terms Carefully

Who we are and what this agreement does

GB Group plc ("GBG", "we", "us" or "our) of The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, (company number 02415211), license you to use:

  • The IDscan SDK’s for mobile and web application software (the App) and any updates or supplements to it: and
  • The service you connect to via the App and the content we provide to you through it (the Service).

As permitted by these Terms.

About our Terms

These terms and conditions of use (Terms) explain how you may use the App and the Service. These Terms apply between GBG and you, the person accessing or using the App and the Service (you/ your).

You should read these Terms carefully before using the App and Service. By using the App and Service and by indicating that you have read and understood these Terms through ticking the box on screen, you agree to be bound by these Terms. If you do not agree with any of these Terms, you should stop using the App and Service immediately.


General information and contact details

GBG take the protection and security of your personal data very seriously. This privacy notice sets out the personal information we collect and process about you through your use of the Service, the purposes of the processing and how you can exercise your privacy rights.

You will be reading this notice because of a link provided by one of our customers to enable us to provide you with processing information about the Service or App.

Our customers will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy notice) about how they collect and process your data.

We have offices in 19 locations, and our registered head office is located within the United Kingdom at:

GB Group Plc
The Foundation
Herons Way
Chester Business Park
United Kingdom

Our Company Registration Number is: 02415211

If you have any questions about how your personal data is used by GBG, please contact our Data Protection Officer using this form.

Our EEA representative is located in Spain at the following address:

Edifici El Triangle 4a planta
Placa de Catalunya
1 08002 Barcelona

T: +34 (0) 935 451 156

We review this privacy notice on an annual basis, sooner if changes to regulation require it or we change the way we process personal data.


What do we do?

GBG is a global organisation who create technology. Typically, customers use our technology so they can verify the information that you give to them about yourself. We do this by verifying that the captured Identity Document is authentic and can be linked to the claimant, we will then ensure that the Identity is free of fraud and is a legitimate Identity.


What personal data do we collect and why?

The personal information that we may collect about you broadly falls into the following categories:



Basic information

Name (First and Last)/ Address/ Sex


Date of Birth/ Issue Date/ Expiry Date/ Document Numbers (Passport Number, Driving Licence Number, Personal Number)


IP, Geocode, DeviceID


Photo on a passport or driving licence, self-taken photos

Why we collect your personal data depends on the services we provide.

GBG Service

Description of services / why we collect this personal data


Identity & Age Verification: we can capture and verify your identity globally, making it easier for you to transact online. What this includes depends on the organisation you are engaging with. For example, we can verify the authenticity of your identity documents or check if you are over a particular age if you want to access a service which has age restrictions. Our customers do this because many of them must meet regulatory requirements and prevent fraud, so we help them to meet their requirements, with you in mind, to make things as simple and easy as possible.

GBG will not use your data for marketing purposes and will not create additional aggregated data sets.


Our legal basis for processing personal data

We will collect personal data where the processing is in our or our customer's legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. These include legitimate business interests which provide a societal benefit, such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services are able to do so.

We will also rely on your explicit Consent as our lawful basis for processing special category data in the form of your biometric data. If you are not happy to provide your explicit consent, then please consult with the organisation that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something GBG can influence.

The table below identifies the legitimate interest and consent that we rely on pursuant to the GDPR for this activity.


GBG's Lawful basis


Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough or verifying your identity. 

Consent: The journey includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR, and GBG will rely on explicit consent under Article 9(2)(a) to process such data. 


Pursuant to our obligations under Article 30 GDPR, we maintain an up-to-date record of processing activities under our responsibility, which details for this processing activity the legitimate interest relied on as a lawful basis for processing the personal data. 

You are entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data. If you have questions about this or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided below. 


Who will we receive your personal data from and who will we share your personal data with and why?

As explained above under "What do we do", we receive personal data about you from our customers. We also send your personal data to our customers, data providers and technology suppliers, where there is a lawful reason, to do so in order to provide the Service.

Here we set out further details about our customers, suppliers, and other categories of recipients.


GBG Customers

We offer our product to public and private organisations in the UK. These include:



Financial Services

Banks and insurance providers


Retail (online shopping), online commerce platforms


Online gaming

Consumer Directories

Travel and leisure


GBG Data & Technology Suppliers

We work with a number of trusted data and technology suppliers. These include:

Data / Tech Supplier

Further information

Regulated Financial Services Organisations / Firms

These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address.

Credit reference agencies (CRAs) play a key role in the UK’s financial ecosystem. There are 3 CRAs in the UK: Equifax, Experian, and TransUnion. They each provide us/you with a copy of the “CRAIN”, Credit Reference Agency Information Notice.

Fraud Prevention Agency

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at

Royal Mail

Postcode Address


The biometric chip reading (NFC) is provided by Innovalor


The Passive Liveness solution is provided by IDR&D


We may also disclose your personal data to the following categories of recipients:

- to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice.

- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;

- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.


How long do we retain your data for in our Product?

We retain personal data we collect from you, our customers for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering). We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

Once the respective purpose ceases to apply, we will either delete or anonymise the personal data or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

As explained above in the section “What do we do”, GBG access personal data in two ways. When we access personal data via a web service, our data suppliers hold the database therefore GBG does not see or have any control over this, other than via our GBG Audit Trail which we explain below.  

We also receive personal data which we host a copy of.  At the point of collection, you will have been advised how long your personal data will be held for, which will be different to the retention period GBG state below.

A ‘data refresh’ is how often GBG get a copy of the personal data. The data supplier may provide GBG with a complete refresh, which is a new copy of the entire file. Some data suppliers only provide updates to a file (e.g. new records, updates to existing records or a request to delete records). GBG then apply these updates to a master file we hold. What this means is whilst GBG gets a new copy of the data, this database may contain much of the same data we have previously received. This explains why the data refresh is different to GBG’s data retention period.


Information Type

Data Refresh

GBG Data Retention Period

Further Information

GBG Audit Trail


12 months

GBG retain a copy of your personal data for a period of twelve (12) months to enable GBG to respond when an individual wishes to exercise a data subject right.

Postcode Address File (PAF)



GBG receives daily updates of PAF, which we hold for 2 weeks but we apply this to a copy of the database we hold where an address is retained for as Royal Mail keeps it on their master database (i.e. for as long as the property exists). 

PAF is address data provided by Royal Mail


If you have questions about or need further information concerning how long we keep your personal data for, please contact us using the contact details provided below.


Transfers outside of the UK and European Economic Area (EEA)

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.

Our group companies, data suppliers, customers and third-party service providers operate around the world. This means that when we collect your personal data, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this privacy notice.

These include implementing the European Commission ™s Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the EEA and UK in accordance with UK and European Union data protection law.

Our Standard Contractual Clauses can be provided on request. We have implemented similar appropriate safeguards with our data suppliers, customers and third-party service providers and partners and further details can be provided upon request.


Your rights under the GDPR and DPA 2018

As an individual, you have rights under the GDPR regarding the use of your personal data, these are:

  • The right to withdraw consent you can withdraw consent at any time. 
  • The right to erasure you can request that GBG remove your personal data from our systems. 
  • The right to restrict processing you can request that GBG only process your personal data for the purposes you specify.
  • The right to data portability you can request that the personal data you have provided to GBG be ported to another organisation.
  • The right to access your personal data you have a right to know what personal data GBG hold on you and for what purpose we are processing your personal data. This is known as a Subject Access Request (SAR). 
  • The right to rectification you have the right to ask us to rectify any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete. 
  • The right to object to processing you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.
  • The right to obtain information upon request on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied. 

You can send these requests using this form, or by post to:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
United Kingdom

Or you can make a request in person or call 0161 909 6713.

You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If GBG are unable to comply with your request, we will provide you with an explanation. 


How to contact us if you're not happy

We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by GBG then please use this form, alternatively please write to us at:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
United Kingdom

GBG will investigate and aim to respond within 10 working days. This allows us time to investigate your complaint thoroughly. 

Your right to lodge a complaint with the Supervisory Authority

Where you believe that GBG has not taken our responsibilities with your personal data seriously, you have the right to complain to a Supervisory Authority. In the UK, GBG's regulator is:

The Information Commissioner's office
Wycliffe House
Water Lane 

Telephone number: 0303 123 113 or 01625 545 745