Sumsub ('we/us/our'), being a software-as-a-service business, takes the requirements and restrictions under the CCPA very seriously.
The CCPA Privacy Notification ('Notification') supplements the privacy provisions contained in Sumsub Privacy Notice.
This Notification is addressed to Sumsub's clients who reside in the State of California and those who are California residents and will provide their personal information to Sumsub for processing, including Sumsub's public-facing websites.
We adopt this Notification to comply with the requirements and restrictions under the California Consumer Privacy Act of 2018 ('CCPA') and other California privacy laws.
According to the definitions outlined in Civil Code section 1798.140, for purposes of this Notification:
Consumer
a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however, identified, including by any unique identifier. The consumer is considered a User ('User' or 'you/your') when receiving any services provided by Sumsub.
Personal information
any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
Business
a legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers' personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the thresholds indicated in Section 1798.140. The Business is considered to be a Client when applying for Sumsub services.
Service Provider
a person that processes personal information on behalf of a business and receives from or on behalf of the business a consumer's personal information for a business purpose according to a written contract. Sumsub may be a Service Provider under the Service Provider Agreement.
Agreement
the Service Provider Agreement concluded by Sumsub with each Business (or 'Client'), its annexes, and appendices.
Service(s)
the personal identity verification service and connected services provided by Sumsub.
Third-Party
the service providers, authorized to exercise certain processing activities under the direct authority of Sumsub. Any other terms defined in the CCPA and Privacy Notice have the same meaning when used in this Policy.
We may act as a Service Provider
We process personal data where it is engaged by a Business (a Client or its agent) for the purposes of the respective Agreement.
As part of the Services provided to a Business, we perform remote identity verification procedures for clarity. Before passing such procedures, Users express their Consent in line with the Business's privacy policy.
We may act as a Business
We may determine the purposes and means of personal data processing in some instances. This applies, in particular, to the following situations:
Category A – Identifiers
Full name, postal address, Internet Protocol address, email address, Social Security number, driver's license number, identity document data (such us document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features), or other similar identifiers.
Category B – Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
Full name, signature, Social Security number, address, email address, telephone number, identity document data (such as document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features), driver's license or state identification card number, bank account number, credit or debit card number (cardholder name, expiry date, first six and last four digits of the card number), or any other financial information (documents provided as proof of source of funds/wealth).
Category C – Protected classification characteristics under California or federal law
Age (if the User is over 40s) and citizenship.
Category D – Commercial information
Records of personal property.
Category E - Biometric information
Facial features.
Category F – Internet or other similar network activity
Access history and information on your interaction with our services.
Category H - Audio, electronic, visual, thermal, olfactory, or similar information
Photos of the face (including selfie images) and photo or scan of the face on the identification document, videos, sound recordings.
Category I – Professional or employment-related information
Occupation, employment information.
Category L - Sensitive personal information
Information concerning health (vaccination certificates data, test certificates (NAAT/RT-PCR test or a rapid antigen test) data, and certificates for persons who have recovered from COVID-19).
We collect the above-listed categories of personal information from the following sources:
We will not collect additional categories of personal information or use the personal information already collected for materially different, unrelated, or incompatible purposes to these indicated below without providing you notice:
As the Business
We may collect and further process personal data submitted via the website to:
When you interact with the website, fill in the forms or livechat, or test WebSDK Demo, we collect "cookie" files. Cookies are necessary to store your preferences and settings, enabling you to sign in, personalize content and advertising, combat fraud, and analyze the incoming traffic. The Cookie Policy is available here.
We may collect personal information submitted via Sumsub's Demo Mobile App to obtain a demonstration of the capabilities of Sumsub's facial and identity verification service when the Sumsub's сlients integrate with Sumsub service.
We may collect and further process personal information submitted via the Prooface website to:
As the Service Provider
We provide Services to our Clients, collecting and further processing Users' personal information to verify their identities. Such procedures may be necessary for the Clients' compliance with the applicable AML/CFT or other laws and regulations and the Clients' internal due diligence policies and procedures.
We subject some personal information to automated reading, verification of authenticity, and other types of automated processing, such as cross-checks against multiple databases of Data Providers (e.g., PEP lists, global and country-specific sanctions lists, criminal lists, financial lists).
Once the personal data is no longer necessary for the relevant purpose, we, upon the written instruction of the Business, erase it from its servers without leaving any backup copies after having transferred it to the Business (if the Business so requests).
We may share personal information with Third-Parties if such is necessary to provide a service under the Agreement with a client or its agent or to operate Sumsub websites as well as to achieve other purposes of Sumsub as well as to comply with the legal obligations vested on Sumsub. The applied Third-Parties are mostly limited to only accessing or using personal information to limited purposes and provide reasonable assurances they appropriately safeguard the personal information.
Sometimes Sumsub may have to share the personal information to Third-Parties that have their own purposes. In this case, Sumsub manages to conclude all the necessary agreements containing applicable law compliance and non-disclosure obligations.
You are granted specific rights regarding your personal information under CCPA. This section describes your CCPA rights and explains the ways how to exercise those rights within Sumsub.
As the Business, we respect and guarantee the following rights of each consumer:
Right to know
Right to delete
You have the right to request us to delete any of your personal information we collected from you and retained, subject to certain exceptions. Once we receive a valid request and verify your identity, we delete (and direct our service providers to delete) your personal information from our systems unless an exception applies.
Your deletion request may be denied if retaining the information is necessary to:
To exercise the rights described above, please submit a valid request to us by email at [email protected].
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make a valid request related to your personal information.
You may only make a valid request for data portability twice within 12 months. To make a valid request, you must describe it with sufficient detail to properly understand and evaluate it and pass the verification procedure. If we cannot verify your identity or authority to make the request and verify the personal information related to you, we cannot respond to your request or provide you with personal information.
As the Service Provider, we assist Businesses in exercising your CCPA rights upon the respective Business's written instruction.
We endeavor to respond to a valid request within 45 days of its receipt. We inform you of the reason and extension period in writing when we require more time (up to 90 days).
We will deliver our written response in the way a valid request has been obtained: we'll email you back if you email us. If the response is supposed to be delivered by any other means of communication, we'll do so.
We do not charge a fee to process or respond to any request unless it has an excessive, repetitive, or manifestly unfounded manner. If we determine that the request warrants a fee, we will inform you of the reasons for that decision and provide you with a cost estimate before completing the request.
Please note that any disclosures we provide only cover the 12 months preceding the valid request's receipt. The response also explains the reasons we cannot comply with a request, if applicable. For data portability requests, we choose a format to provide your personal information that is readily usable and should allow you to transmit the information with no obstacles.
We will not discriminate against you in connection to your exercising the CCPA rights. Unless permitted by the CCPA, we do not:
This Notification is constantly reviewed and amended to provide appropriate compliance with the CCPA and other applicable laws.
The date this Notification was last updated is identified at the bottom of this page.
If you have any request or complaint regarding the CCPA Privacy Notification or wish to exercise any of the rights granted to you by the applicable laws, please contact us at [email protected] or [email protected]. Our support team works 24/7 and will answer you shortly.