This policy was last updated on 7th May, 2025.
This GBG Detected Privacy Policy covers how GB Group Plc and IDology, Inc. (collectively, "GBG", "we", "us" or "our") process business information to provide its services. This may include processing of business’s representatives’ personal information that we collect and process through Detected (“personal data”) and through our products and services, the purposes of the processing and how individuals can exercise their privacy rights in relation to their personal data.
Please note, this is a global privacy policy. It is recognised there is not a consistent standard for privacy across the globe but to confirm GBG complies with applicable data protection law and will review any request based on what is required for your jurisdiction. Where additional disclosure is required for a jurisdiction, please select from the side menu for additional information.
If you would like to understand how GBG collect, use, disclose, and otherwise process personal data in connection with our websites and how we interact with you when facilitating our business, please see our General Privacy Policy.
It is important to note, our customers and data suppliers will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy policy) about how they collect and process your data.
GBG have subsidiaries and offices in a number of countries, which are detailed here. See ‘Contact Us’ to see how best to contact your regional representative with any questions about how GBG use your personal data.
This privacy policy is reviewed annually, or sooner if changes to regulation or how we process personal data require it.
GBG Detected provides Know Your Business (KYB) services. KYB is the process of verifying a business's existence, ownership structure, business operations. Many institutional customers are required to conduct KYB in accordance with financial crime regulations. It supports Anti-Money Laundering (AML) compliance and helps prevent fraud.
Businesses often require that the representatives of the company that they are performing KYB checks on undergo identity verification (IDV). An option that may be utilized in GBG Detected is verifying identities globally for KYB purposes, to make it easier for our GBG customers to onboard their businesses. What this processing requires depends on the organisation you are engaging with (i.e., GBG’s business customer) and how they decided to set up their IDV requirements. For example, we can verify the authenticity of identity documents to ensure they are valid government issued to meet regulatory requirements or prevent fraud.
The personal data that we may collect about a business or its representative for KYB purposes falls into the following categories:
Category |
Examples |
Company information |
Legal Name |
Basic identifying information of Company Representatives |
Name |
Financial |
Bank account details |
Device |
IP, Geocode, Device ID |
Government Records |
County Court Judgements, Insolvency |
Social |
Social Networks |
Image |
If you are based in a jurisdiction that requires legal grounds for us to be able to process your business’s representatives’ personal data, we may process it on the following grounds:
GBG customers will have their own lawful basis for processing personal data and should have communicated to the businesses with whom they are engaging with for the purposes of conducting a KYB.
The table below identifies the legitimate interest that we rely on for each of our activities.
Activity/Purpose |
GBG's Legitimate Interest Summary |
KYB |
Our services support our GBG customers to meet their legal compliance obligations, such as with Anti-Money Laundering (AML) regulations and preventing fraud by verifying partner, supplier and vendor identities before engaging in transactions. |
Identity |
Our services help to prevent fraud by ensuring you are who you say you are. Many of our customers must also meet a legal obligation when processing your personal data. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. We have given a description of the types of services our customers provide in the table above. |
Fraud Prevention |
These services help to prevent fraud and allow our customer to meet their compliance obligations. When operating as a controller, where relevant, GBG may use this Legitimate Interest of a third party as our lawful basis. |
Where relevant, GBG maintain an up-to-date record of processing activities under our responsibility, which details, for each of our processing activities, the lawful basis.
Where relevant, you may be entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.
If you have questions about this or need further information concerning the legal basis on which we collect and use personal data, please contact us using the contact details provided.
As explained above under "What Does GBG Detected Do", we receive personal data about businesses’ representatives directly from them or their employees (acting on their behalf), or from our GBG customers and data suppliers. We also send businesses’ representatives’ personal data to our GBG customers and data suppliers, where there is a lawful reason to do so, in order to provide our GBG Detected services.
GBG Customers
We offer our GBG Detected services to public and private organisations worldwide, which may include:
Sector |
Examples |
Financial Services |
Banks, insurance providers, debt management companies |
eCommerce |
Retail (online shopping), online commerce platforms |
Gaming |
Online gaming |
Consumer Directories |
Travel and leisure, media, car rental companies |
Public Sector |
Law enforcement, local government, education bodies |
Utilities |
Gas, electricity, water suppliers and switching/price comparison sites |
GBG Data and Technology Providers
We work with a number of trusted data and technology providers. These include:
Provider |
Further information |
Detected Ltd |
We utilize Detected Ltd’s platform. Detected Ltd acts as GBG’s processor for the GBG Detected services. |
Government / Public Authorities |
These bodies include authorities that may provide driving licence information, passport information, government issued ID numbers, insolvency records (publicly available) or sanctions lists (publicly available). |
Regulated Financial Services Organisations / Firms |
These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address. |
Other Regulated Organisations / Firms |
These entities provide personal data which can help to verify you and/or reduce fraud, which may include Credit Reference Agencies***. *** For the UK: Credit reference agencies (CRAs) play a key role in the UK’s financial ecosystem. There are 3 CRAs in the UK: Equifax, Experian and TransUnion. They each provide us/you with a copy of the Credit Reference Agency Information Notice (CRAIN) which provides further information on their processing (click on their name to access). The information may be disclosed to the CRA’s which may keep a record of this information (this is known as a soft footprint which is left on the data subjects credit file). This is usually displayed as having been made by GBG and the name of company who conducted the search. CRA(s) may disclose this information and the fact that a search was made to its/their other customers for the purpose of assessing risk or giving credit and occasionally to prevent fraud, money laundering and to trace debtors. Checks of end user data may be run against any particulars on any database (public or otherwise) to verify the data subject’s identity. *** For Germany: Creditreform Boniversum GmBH are a German Credit Reference Agency. If a data check is carried out utilising data services provided by them, it will be transferred and stored with Creditreform Boniversum GmBH. |
Commercial Organisations |
These entities provide your contact details, such as name, address, telephone number or email address, which we can then use to meet the request you have made to one of our Customers. |
Customer Data |
These customer entities have informed individuals that data will be provided to GBG to protect them against fraud, by generating risk scores or creating fraud and/or identity alerts, insights and reports. |
Publicly available, collected by a third party organisation or GBG |
This data is publicly available, typically on a website for public download. Examples include insolvency records, property information, sanction lists, PEPs information. |
Non personal / address data |
These entities provide information about deceased records, geocodes, co-ordinates, postcodes or zip codes. |
We may also disclose your business’s representatives’ personal data to the following categories of recipients:
We retain your business’s representatives’ personal data we collect through Detected, our customers and data suppliers for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, our customers to comply with applicable legal requirements, such as anti-money laundering), or for the duration that is set by our customers, which we do not control. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.
As explained above in the section “What Does GBG Detected Do”, GBG access your business’s representatives’ personal data in 2 ways. When we access your business’s representatives’ personal data via a web service, our data suppliers hold the database therefore GBG does not see or have any control over this, other than via our GBG Audit Trail which we explain below.
|
Data Retention |
Further Information |
GBG Audit Trail |
12 months |
Where appropriate, GBG may retain a copy of your business’s representatives’ personal data for a period of twelve (12) months to enable GBG to respond when an individual wishes to exercise a data subject right. |
GBG Fraud Networks |
Up to 10 years |
The exact retention duration depends on the relevant GBG fraud network and how often you engage with our customers. |
GBG’s customers make a choice as to how long they want to retain the data they have collected on you. Dependent upon where we are in the world, GBG’s role for this is typically as a processor, which means we operate under the instructions of the GBG customer if we host this on their behalf. GBG’s customer has an obligation to advise you in their privacy policy which will have been shared with you, how they collect and manage your personal data.
The personal information collected and processed through GBG Detected may be transferred to, and processed in, countries other than the country in which a business or its representative are residents. These countries may have data protection laws that are different to the laws of the originating country.
Our group companies, data suppliers, customers and third-party providers and partners operate around the world. This means that when we collect and process personal data for the purposes described in this privacy notice we may process it in any of these countries.
However, we have taken appropriate safeguards so that the personal data collected and processed through GBG Detected will remain protected in accordance with this privacy notice.
Where appropriate, these include implementing the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement for international data transfers between our group companies, which require all group companies to protect UK and EEA personal data in accordance with UK and European Union data protection law.
We have implemented similar appropriate safeguards with our data suppliers, customers and third party providers and partners.
In our agreements with our GBG customers, we are clear where data is processed so they can ensure that businesses and its representatives are adequately informed in their respective privacy notice.
For transfers specific to Australia and New Zealand, click here.
GBG is ISO27001 certified.
We apply technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.
GBG’s 24 x 7 Security Operations Centre responds to any event or notification for investigation to uphold the security posture of GBG.
It depends on where you are based in the world as to the rights you have. GBG will fulfil all rights requests in line with the applicable data protection law that applies to you. Your rights may include:
Please keep in mind that dependent upon the applicable law, some of these rights are subject to an internal assessment that one of the grounds thereunder is satisfied.
Privacy rights vary among U.S. states. These rights are not absolute and may be subject to specific exceptions (e.g., personal data of individuals while acting in a commercial or employment contexts are excluded from data protection laws).
Please use our webform, or send via phone or post using the information provided in our “Contact Us” section of this Privacy Policy.
You are not required to pay any charge for exercising your rights. We usually have one calendar month to respond, but this may vary depending on your location (for example, if you are in the US we have 45 days depending on your state of residence). If we are unable to comply with your request, we will provide you with an explanation.
Verification. Due to the confidential nature of your personal information, we may ask you to provide proof of identity when exercising the above rights to verify your identity, in accordance with applicable data privacy laws. This can be done by providing a copy of a valid identity document issued by the authorised body where you are a resident and is exercised for the purpose of ensuring that the individual making the rights request is in fact who they claim to be.
Authorised Agents. As defined in the applicable privacy law, you may use an authorised agent to exercise your rights on your behalf. If you are making any of the requests above through an authorised agent, we will request written authorisation from you and will seek to verify you as described above or we will accept a legal Power of Attorney. To make a request using an authorised agent, have your agent use our webform and upload documentation demonstrating authorisation from you. In the U.S., authorized agents can exercise some, but not all, privacy rights.
If you are a resident of a jurisdiction that allows you to appeal a decision we have made in connection with your attempt to assert a right under applicable Data Protection Laws, you may file an appeal of our decision by contacting us at DPO@gbgplc.com. Please ensure you provide us with the postal address in which you reside, accompanied with details for the basis of your appeal.
Your jurisdiction may allow you to file a complaint regarding any concerns with the result of your appeal request.
If you have any questions or requests in connection with this Products and Services Privacy Policy, please use this form or send an email to DPO@gbgplc.com. Alternatively, enquiries may be made to:
This Biometrics Notice was last updated on 7 May, 2025
Our Biometric Notice governs the collection, use, safeguarding, handling, storage, retention, disclosure or transmission, redisclosure, and destruction of biometric data in accordance with applicable laws relevant to the biometric Services we provide to GBG customers.
GBG customers are responsible for developing and complying with their own biometric data practices and privacy policies in accordance with applicable laws, including obtaining your affirmative express consent and/or informed written consent on behalf of GBG and our third-party vendors (“GBG Technology Vendors”) before the collection, use, safeguarding, handling, storage, retention, disclosure or transmission, and redisclosure of your biometric data (or personal data utilized for biometric processing).
BIOMETRIC DATA DEFINED
The term “biometric data” as used in this Biometric Notice has the meaning provided under relevant and applicable comprehensive data protection and biometric laws and includes “biometric identifiers” and “biometric information.”
OUR SERVICES
Why We Collect Your Personal Data for Biometric Processing.
We collect your personal data to provide our Services to our GBG customers so that they can authenticate or verify an individual by asking “Is this person who they say they are?”.
We do not use your personal data for identification purposes; we do not ask “Is this person in a database?”.
Our Biometric Services Explained:
Methods of Collection
We collect the data directly from you via GBG customers application or the Detected platform with which you directly interact.
Facial Images Sources
Our Services utilize your face images collected from two different sources: (1) an identity document (e.g., driver’s license, passport, etc.), and (2) a selfie.
GBG Technology Vendors
Some of our biometric Services may use external service providers (“GBG Technology Vendors”), all of which are listed at the end of this Biometric Notice.
Our Processing and Information provided to GBG Customers
Passive Liveness
Our GBG customers use our Passive Liveness Service, which detects whether the selfie image is a photo of an actual live person instead of a photo of a non-living person or spoof (e.g., a recording, another picture, a mask, a mannequin, etc.) by analyzing the features of the selfie image while not utilizing facial recognition technology. When GBG customers use our Passive Liveness Services they are asking the question “is this a representation of a live person?” instead of “is this the person who they say they are?”. The technology used by our Passive Liveness Services does not collect or process any facial template, the selfie images are instantly purged when the processing has been completed.
BIOMETRIC DATA DISCLOSURE
We may disclose or transmit your personal data (i.e., your facial images) to our GBG Technology Vendors, such as, when we utilize their facial recognition technology to facilitate the provision of our Services to GBG customers.
We and our GBG Technology Vendors will not sell, lease, trade, or otherwise profit from a person’s biometric data that we may possess as a result of our GBG customer’s use of our Services.
We prohibit any further disclosure or re-disclosure of your biometric data not covered under this Biometric Notice, unless:
OUR DATA SECURITY
We store, transmit, and protect from disclosure all personal data processed under our biometric Services using a reasonable standard of care with measures that are at least equivalent to the measures that we use to store, transmit, and protect from disclosure other confidential and sensitive data, such as drivers’ license numbers and social security numbers.
OUR SERVICES RETENTION SCHEDULE
Our data retention practices vary depending on the biometric Service utilized by our GBG customers to collect and process biometric data and follow the retention schedule provided below. Unless otherwise required by law, once the retention schedule no longer authorizes us to retain your personal data, we will securely and permanently destroy your data, including any biometric data.
The table below sets out the difference between how long we retain ‘facial images’ (i.e., your identity document photo and selfie) and ‘biometric data’ (i.e., the facial template).
Categories of Personal Information Collected |
Purposes |
Facial Images Retention |
Biometric Data Retention |
|
To collect and process your facial images using facial recognition technology to authenticate or verify a suggested identity and provide a face match score to GBG Customers. |
31 days |
Facial templates are immediately deleted when processing has been completed |
GBG TECHNOLOGY VENDORS
We disclose your personal data (i.e., your facial images) to our GBG Technology Vendors, listed below, for the purposes of cloud hosting services and/or technology service providers of facial recognition technology when providing our Services to GBG customers.
GBG Technology Vendors |
|
Amazon Web Services (AWS) |
This Australia and New Zealand Addendum was last updated on 7 May, 2025
GBG take the protection and security of your personal information very seriously and this addendum sets out our additional responsibilities under the Privacy Act 1988 (Cth) (‘Australian Privacy Act’) and the Privacy Act 2020 (‘New Zealand Privacy Act’) relating to the processing and security of your personal information. We refer to the Australian Privacy Principles as the APPs and the New Zealand Information Privacy Principles as the IPPs. We refer to the Australian Privacy Act and the New Zealand Privacy Act together as ‘the Privacy Acts’.
This addendum sets out additional privacy notifications required for GBG's products sold in Australia and New Zealand.
The organisation you are interacting with should clearly outline to you where your data will be transferred, as this will have been detailed for them when contracting with GBG. GBG is a global organisation, therefore is capable of verifying your identity or an address globally as outlined in our Privacy Policy above.
GBG has taken appropriate safeguards and also conduct robust due diligence on data suppliers and third party providers to ensure data is protected. This means your personal information will be handled in accordance with the APPs and IPPs (at a minimum) in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information.
Regions for transfer may include Europe, Africa & Middle East; Latin America; North America; East Asia; South Asia; and South East Asia. As an individual, we recognise it’s unlikely you’ll know the name of GBG’s product, however transfers and data retention based on the type of processing is outlined for information below.
GBG Product |
Service |
Data Collection |
Data Hosted |
Transfers |
Data Retention |
GBG Detected |
Business Screening Platform |
Australia |
United Kingdom |
UK |
Set for the life of the contract, but our customer can delete records at any time. |
IDScan |
Identity Document Verification |
Australia New Zealand |
United Kingdom |
UK |
31 days |
ID3global |
Identity Data Verification |
Australia |
United Kingdom |
Europe, Africa & Middle East |
Variable determined by customer |
|
Customer Requested Support |
|
|
UK |
|
Identity Document Verification may use biometric processing. Please refer to the Biometrics Notice for more detail.