We will provide you with the link to GBG’s Products & Services Privacy Policy, but before doing so, we thought it would be beneficial to provide more information specific to Temu.
Temu will have linked to this page for identity document verification.
What is the service and how does it work?
GBG’s identity document verification tool, scans a document then presents a pass/fail response to Temu to confirm if the individual is over the age of 18, to enable access Temu’s age restricted good and services.
If a “fail” response has been provided to Temu, this could be for one or more of the following reasons:
One of the common questions asked is about the retention of the identity document (e.g. passport or driving licence) so we wanted to be really upfront about this.
What data is captured?
The identity document and the personal information contained on that document, for example your name, date of birth and passport ID (if a passport) or name, address, date of birth and driving licence number (if a driving licence). This is held in a repository hosted by GBG in the UK or Australia, and only contains Temu data (e.g. for citizens in UK & Europe, data is hosted in the UK. If you’re Australia, data remains in Australia).
How long is this data retained for?
The data will be purged every 2 days, which means your document is only retained for up to a maximum of 48 hours.
The “up to 48 hours” is important to note as it depends on when you complete your verification as the purge process runs at the same time every 2 days, which means your document/data may be retained for 36 hours or 5 minutes, but never for longer than 48 hours.
Who can access this data?
This data can only be accessed by a small number of GBG employees to answer a specific query. Temu will not have access to this data, which means they will not see your identity document.
Is this data shared with other third parties?
No
Is biometric data processed?
This is a document only journey. If you accidentally share a selfie, this image is not further processed. GBG has a biometric policy which details what we do in relation to biometric processing, but it is not relevant in this instance.
I want to raise a ‘right of erasure’, how do I do this?
Whilst you have the right to do so, with the automatic deletion within 48 hours, this would action your request. How to make a privacy rights request with GBG is detailed in full in our Products & Services Privacy Policy linked below.
What is GBG’s role and lawful basis under privacy law?
This is where it gets really complex as it depends on where in the world you are. In the US and APAC, GBG takes on the role of a processer/service provider.
Under GDPR, GBG is viewed as a controller because we have created the tool (the means of processing). This doesn’t mean GBG can do what we want with your personal data though as it’s guided by our agreement with Temu. GBG’s lawful basis is ‘legitimate interest of a third party’ which for Temu is age verification to meet regulatory requirements.
As a controller, GBG retain a “GBG Audit Trail”. This is not a copy of your document, but a record that at a point in time GBG completed a transaction, the personal data submitted to GBG’s service and the result we provided to Temu. This data is only accessed by GBG’s Data Subject Rights Team when you make a request to GBG and is retained for 12 months, then automatically deleted. GBG does not further process this data or share it with third parties. Data is only retained to meet our regulatory obligations in relation to rights requests. Where GBG is operating as a processor/service provider (e.g. in the US), GBG does not capture a copy of this transaction in our GBG Audit Trail.
Please contact Temu for any further queries in relation to your verification check. They have requested you contact them online via https://www.temu.com/contact-us.html
To view GBG’s Products and Services Privacy Policy, click here
