This policy was last updated on 29th April 2026.

Please Read These Licence Terms Carefully

Who we are and what this agreement does

GB Group plc ("GBG", "we", "us" or "our) of The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, (company number 02415211), license you to use:

The IDscan SDK’s for mobile and web application software (the App) and any updates or supplements to it: and
The service you connect to via the App and the content we provide to you through it (the Service).

As permitted by these Terms.

About our Terms

These terms and conditions of use (Terms) explain how you may use the App and the Service. These Terms apply between GBG and you, the person accessing or using the App and the Service (you/ your).

You should read these Terms carefully before using the App and Service. By using the App and Service and by indicating that you have read and understood these Terms through ticking the box on screen, you agree to be bound by these Terms. If you do not agree with any of these Terms, you should stop using the App and Service immediately.

PRIVACY POLICY

General information and contact details

GBG take the protection and security of your personal data very seriously. This privacy notice sets out the personal information we collect and process about you through your use of the Service, the purposes of the processing and how you can exercise your privacy rights.

You will be reading this notice because of a link provided by one of our customers to enable us to provide you with processing information about the Service or App.

Our customers will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy notice) about how they collect and process your data.

Our registered head office is located within the United Kingdom at:

GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
United Kingdom
CH4 9GB

Our Company Registration Number is: 02415211

If you have any questions about how your personal data is used by GBG, please contact our Data Protection Officer using this form.

Our EEA representative is located in Spain at the following address:

GBG
Edifici El Triangle 4a planta
Placa de Catalunya
1 08002 Barcelona
Spain

T: +34 (0) 935 451 156

We review this privacy notice on an annual basis, sooner if changes to regulation require it or we change the way we process personal data. This policy was last updated on 29th April 2026.

What do we do?

GBG is a global organisation who set out to create trust in a digital world, where everyone can transact with confidence. Typically, customers use our products so they can verify the information that you give to them about yourself. We do this by either verifying that the captured Identity Document is authentic and can be linked to the claimant or matching third party reference data (which we receive from data suppliers) against the data you give about yourself to our customers. We will then ensure that the Identity is free of fraud and is a legitimate Identity.

What personal data do we collect and why?

The personal information that we may collect about you broadly falls into the following categories:

Category	Examples
Basic information	Name (First and Last)/ Address/ Sex
Attribute	Date of Birth/ Issue Date/ Expiry Date/ Document Numbers (Passport Number, Driving Licence Number, Personal Number)
Device	IP, Geocode, DeviceID
Image	Photo on a passport or driving licence, self-taken photos

Why we collect your personal data depends on the services we provide.

GBG Service

Description of services / why we collect this personal data

Identity

Identity & Age Verification: we can capture and verify your identity globally, making it easier for you to transact online. What this includes depends on the organisation you are engaging with. For example, we can verify the authenticity of your identity documents or check if you are over a particular age if you want to access a service which has age restrictions. Our customers do this because many of them must meet regulatory requirements and prevent fraud, so we help them to meet their requirements, with you in mind, to make things as simple and easy as possible.

GBG will not use your data for marketing purposes and will not create additional aggregated data sets.

Our legal basis for processing personal data

We will collect personal data where the processing is in our or our customer's legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. These include legitimate business interests which provide a societal benefit, such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services are able to do so.

We will also rely on your explicit Consent as our lawful basis for processing special category data in the form of your biometric data. If you are not happy to provide your explicit consent, then please consult with the organisation that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something GBG can influence.

The table below identifies the legitimate interest and consent that we rely on pursuant to the GDPR for this activity.

Activity/Purpose

GBG's Lawful basis

Identity

Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough or verifying your identity.

Consent: The journey includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR, and GBG will rely on explicit consent under Article 9(2)(a) to process such data.

Pursuant to our obligations under Article 30 GDPR, we maintain an up-to-date record of processing activities under our responsibility, which details for this processing activity the legitimate interest relied on as a lawful basis for processing the personal data.

You are entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data. If you have questions about this or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided below.

Who will we receive your personal data from and who will we share your personal data with and why?

As explained above under "What do we do", we receive personal data about you from our customers. We also send your personal data to our customers, data providers and technology suppliers, where there is a lawful reason, to do so in order to provide the Service.

Here we set out further details about our customers, suppliers, and other categories of recipients.

GBG Customers

We offer our product to public and private organisations in the UK, which may include:

Sector	Examples
Financial Services	Banks and insurance providers
eCommerce	Retail (online shopping), online commerce platforms
Gaming	Online gaming
Consumer Directories	Travel and leisure

GBG Data & Technology Suppliers

We work with a number of trusted data and technology suppliers. These include:

Data / Tech Supplier	Further information
Regulated Financial Services Organisations / Firms	These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address.
Other Regulated Organisations / Firms	Credit reference agencies (CRAs) play a key role in the UK’s financial ecosystem. There are 3 CRAs in the UK: Equifax, Experian, and TransUnion. They each provide us/you with a copy of the “CRAIN”, Credit Reference Agency Information Notice.
Fraud Prevention Agency	The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn
Royal Mail	Postcode Address
Innovolar	The biometric chip reading (NFC) is provided by Innovalor
IDR&D	The Passive Liveness solution is provided by IDR&D
Paravision	Face Recognition is provided by Paravision

We may also disclose your personal data to the following categories of recipients:

- to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice.

- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;

- to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.

How long do we retain your data for in our Product?

We retain personal data we collect from you, our customers for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering). We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

Once the respective purpose ceases to apply, we will either delete or anonymise the personal data or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

As explained above in the section “What do we do”, GBG access personal data in two ways. When we access personal data via a web service, our data suppliers hold the database therefore GBG does not see or have any control over this, other than via our GBG Audit Trail which we explain below.

We also receive personal data which we host a copy of. At the point of collection, you will have been advised how long your personal data will be held for, which will be different to the retention period GBG state below.

A ‘data refresh’ is how often GBG get a copy of the personal data. The data supplier may provide GBG with a complete refresh, which is a new copy of the entire file. Some data suppliers only provide updates to a file (e.g. new records, updates to existing records or a request to delete records). GBG then apply these updates to a master file we hold. What this means is whilst GBG gets a new copy of the data, this database may contain much of the same data we have previously received. This explains why the data refresh is different to GBG’s data retention period.

Information Type

Data Refresh

GBG Data Retention Period

Further Information

GBG Audit Trail

Daily

12 months

GBG retain a copy of your personal data for a period of twelve (12) months to enable GBG to respond when an individual wishes to exercise a data subject right.

Postcode Address File (PAF)

Daily

Variable

GBG receives daily updates of PAF, which we hold for 2 weeks but we apply this to a copy of the database we hold where an address is retained for as Royal Mail keeps it on their master database (i.e. for as long as the property exists).

PAF is address data provided by Royal Mail

If you have questions about or need further information concerning how long we keep your personal data for, please contact us using the contact details provided below.

Transfers outside of the UK and European Economic Area (EEA)

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.

Our group companies, data suppliers, customers and third-party service providers operate around the world. This means that when we collect your personal data, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this privacy notice.

Where appropriate, these include implementing the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement for international data transfers between our group companies, which require all group companies to protect UK and EEA personal data in accordance with UK and European Union data protection law.

We have implemented similar appropriate safeguards with our data suppliers, customers and third party providers and partners.

Data Security

GBG is ISO27001 certified, with some areas of our business also covered by PCI-DSS, Cyber Essentials and/or Cyber Essentials Plus.

GBG’s Information Security Team is focussed on maintaining an information security program which covers everything you would expect and more.

This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security posture.

GBG’s 24 x 7 Security Operations Centre responds to any event or notification for investigation to uphold the security posture of GBG. Therefore, GBG have eyes and ears on the threats and threat actors that are likely to be attracted to GBG and the data that the organisation processes. GBG understands the critical need for technical and organisational control implementation to ensure GBG operates securely.

Your rights under the GDPR and DPA 2018

As an individual, you have rights under the GDPR regarding the use of your personal data, these are:

The right to withdraw consent you can withdraw consent at any time.
The right to erasure you can request that GBG remove your personal data from our systems.
The right to restrict processing you can request that GBG only process your personal data for the purposes you specify.
The right to data portability you can request that the personal data you have provided to GBG be ported to another organisation.
The right to access your personal data you have a right to know what personal data GBG hold on you and for what purpose we are processing your personal data. This is known as a Subject Access Request (SAR).
The right to rectification you have the right to ask us to rectify any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to object to processing you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.
The right to obtain information upon request on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied.

You can send these requests using this form, or by post to:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom

Or you can make a request in person or call 0161 909 6713.

You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If GBG are unable to comply with your request, we will provide you with an explanation.

How to contact us if you're not happy

We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by GBG then please use this form, alternatively please write to us at:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom

GBG will investigate and aim to respond within 10 working days. This allows us time to investigate your complaint thoroughly.

Your right to lodge a complaint with the Supervisory Authority

Where you believe that GBG has not taken our responsibilities with your personal data seriously, you have the right to complain to a Supervisory Authority. In the UK, GBG's regulator is:

The Information Commissioner's office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone number: 0303 123 113 or 01625 545 745

Email: casework@ico.org.uk