Privacy Policy

GBG PLC (‘GBG’) acquired Verifi Identity Services (‘Verifi’) in 2022. Verifi is the owner of the identity verification software Cloudcheck.

This Privacy Policy explains to you how GB Group plc and its group companies including Verifi (jointly referred to as 'GBG') collect, hold, use and disclose (‘process’) your personal information:

  • whilst you are using the Verifi website www.gbg-cloudcheck.com
  • in connection with our products and services.

GBG take the protection and security of your personal information very seriously and this policy sets out our responsibilities under the Privacy Act 2020 (‘New Zealand Privacy Act’) and the Australian Privacy Act (1988) (‘Australian Privacy Act”), and other applicable laws relating to the processing and security of personal information. We refer to the New Zealand Information Privacy Principles as the IPPs and the Australian Privacy Principles as the APPs. Together we refer to the New Zealand Privacy Act and Australian Privacy Act as ‘the applicable data protection laws’. Where your personal information is transferred overseas, it will be treated in accordance with New Zealand and Australian laws at a minimum.

GBG has offices in 22 locations, and our registered head office is located within the United Kingdom.

GB Group Plc, The Foundation, Herons Way, Chester Business Park, Chester, United Kingdom CH4 9GB

Company Registration Number: 02415211

If you have any questions about how your personal information is used by GBG, please  email us at support@verifidentity.com or call  +64 9 953 8333 . For more detailed information about GBG, please visit our website at www.gbgplc.com .

GBG review our Privacy Policy on an annual basis, sooner if changes to regulation require it or GBG change the way we process personal information.

If you are a US resident, please see the section at the bottom of this policy "Your US Privacy Rights".

This policy was last updated on 23 July 2024

Verifi Identity Services Limited is a registered New Zealand business NZBN 9429030806313.

Cookies and Statistical Information

We collect statistical information about visitors to our websites such as the number of visitors, pages viewed, types of transactions conducted, time online and documents downloaded. This information is used to evaluate and improve the performance of our websites. Other than statistical information, we do not collect any information about you through our website unless you provide the information to us.

You should also be aware that we use cookies on our websites. A cookie is a small amount of data, which often includes a unique identification number or value that is sent to your browser from a website's computer and stored on your computer's hard drive. Each website can send its own cookies to your browser if your browser allows it. However, to protect your privacy, your browser only allows a website to access the cookies it has sent to your computer.

When cookies are used on our websites, they are used to collect the statistical information referred to above in addition to allowing you to access your account online. When you access your account on-line a cookie will be created which uniquely identifies your computer and your username and password. This means that you do not have to re-enter those details each time you want to access your account online.

Most internet browsers are set up to accept cookies. If you do not wish to receive cookies, you may be able to change the settings of your browser to refuse all cookies or to have your computer notify you each time a cookie is sent to it, and thereby give yourself the choice whether to accept it or not. If you reject all cookies, you will be unable to access your account online. You can also delete cookies from your computer after they have been created.

Cloudcheck

Cloudcheck is an electronic identity verification tool that performs identity using biometric checks, bank account details, document fraud checks, Australian, New Zealand and international data sources and global watchlists.

What personal information does Cloudcheck collect and why?

GBG may collect information from you in the following circumstances:

  • As the representative of one of our business users
  • As the individual undertaking identity verification

Business users of Cloudcheck

In order to provide you with access to the product and to provide support to you under our contract with your organisation, GBG is required to collect the following information from you:

  • Email address
  • Telephone Number
  • Company registration details
  • Company ownership details
  • Reason for requiring the service
  • Compliance with the AU/NZ Privacy Acts
  • Location of staff & servers

How we use your personal information

We use these details in order to provide you with access to Cloudcheck and to retain appropriate audit logs of activity within the system. The above information will be held by GBG until the conclusion of the arrangements between the organisation and GBG, or until we are advised you no longer require access to the product.

Accuracy of your personal information

You can request an amendment to your personal information at any time by requesting your account manager to do so by emailing support@verifidentity.com

Individuals undertaking identity verification

GBG provides online identity verification and fraud detection solutions to businesses to assist them to onboard their customers. If you apply for a product or service with any of our customers, we will collect information about you (from you and/or from our customer) in order to verify your identity. In order to do this we will need to provide your information to our data partners to confirm your details.

To verify your identity, we are required to collect a variety of information from you including some or all of the following, your:

  • Name
  • Address
  • Birthdate
  • Identity document information
  • Email address
  • Mobile phone number
  • IP address
  • Device information
  • Images of your face and ID document

This information is processed by our products and you should refer to the relevant section of this privacy notice to understand any potential international transfers of your data.

You need not give us any of the personal information requested by GBG. However, without that information GBG will not be able to verify your identity to provide you with any other services, information or assistance you have sought.

How we use your personal information

The information requested in any identity verification transaction is required to enable us to provide a service to you and the reporting entity whom you are establishing a relationship with. That information, together with the information collected and maintained by GBG during the identity verification process, is used to provide the services to you and to audit the success of any such services.

Your information will be held for a period of time in order to support our customers onboarding processes. That timeframe is negotiated between GBG and it’s business users depending on their requirements.

Who will we share your data with and why?

We will always disclose your personal information and identify verification to our business users, with whom you apply for a product or service.

We will need to provide some of your personal information to the third-party service providers we use to help us provide our services e.g. credit reporting bodies, government agencies, external data storage providers etc. We may also disclose your personal information to our affiliates and related companies in order to undertake our normal business practices.

If we provide your personal information to any of these entities, we will always require them to manage it in accordance with the relevant data protection laws. We may also provide your information to third parties if we are required to do so by law or under some unusual circumstances which are permitted under the Privacy Act 2020 in New Zealand and Privacy Act 1988 in Australia.

Accuracy of your personal information

The information that GBG holds on you is a record of an identity verification at a point in time. Whilst it is unlikely we would amend that information, should you have any queries in relation to that data you can email us support@verifidentity.com

We may pass any correction request to our customer or such other third party which collected the information from you.

International Transfers of personal data

In some circumstances there may be an international transfer of your personal data. This may occur where our data partners are located overseas, and also where our internal business processes require an overseas transfer.

In accordance with the relevant data protection laws, your information will only be transferred to an overseas entity where that entity is either:

- Subject to comparable data protection laws; or

- We have an arrangement in place that requires the recipient to provide an adequate level of protection to your information.

Data Retention

GBG maintains records of all transactions made through the identity verification process, including the sources used to verify your identity and whether the verification was successful. GBG will retain information it receives from customers and business users for a period of 7 days for auditing and error checking purposes. Following this 7-day period, GBG will automatically and securely remove the data from its systems.

IDscan

GBG’s customers access IDscan products and services to prevent and detect fraud. Using a combination of automated document recognition, digital tampering detection, advanced face-matching technologies and real-time online support from trained document examiners, our clients are able to on-board individuals while improving customer experience, fighting fraud and meeting compliance obligations.

What personal information GBG holds and why

IDscan obtains a copy of your identification document. Where GBG provides a hosted cloud storage solution to our clients, we hold your identity documents (IDs). We hold this data in order to provide our services, including storage, support and maintenance.

We also require sample documents to train and test our document recognition engine, so that we can improve our ability to recognise, extract from, validate and authenticate our customers’ documents. Where our customer has agreed to it, a copy of your ID or proof of address document might be provided to GBG to train the IDscan document recognition engine to recognise underperforming or unrecognised documents. The nature of the documents means that they include personal information such as photograph, name, address and date of birth. This information cannot be anonymised or pseudonymised without compromising the ability to train and test GBG’s document recognition engine. Our aim is to be fully transparent, which is why we suggest our Australian and New Zealand customers include a link to this Privacy Policy in their own notices so that individuals are informed of GBG’s involvement as part of the service we provide and so that individuals may exercise their rights under the Privacy Acts.

Purpose and legal basis for processing

Our purposes for processing your data in connection with IDscan are: (i) to provide support services to our clients who use IDscan to verify your identity and to conduct maintenance and testing of our IDscan systems (in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose); and (ii) to train the IDscan document recognition engine to recognise underperforming or unrecognised documents (with your consent).  

International Transfers

For our New Zealand customers, IDscan is hosted from Australia. For any New Zealand customers there will be a data transfer from New Zealand to Australia of personal information. PII from our New Zealand customers will generally be stored in Australia, unless product support is required.

If product support is required, this will be provided by our team based in the United Kingdom and Malaysia and our technical and support teams in Turkey. Should they be required to access or view any identification documents, this is considered to be a transfer of data to the United Kingdom, Malaysia or Turkey in order to facilitate that support.

Where there is an international data transfer to our Australian, United Kingdom, Malaysian or Turkey offices, your personal information will be handled in accordance with the relevant data protection laws (at a minimum) in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information.

Data retention

IDs captured by GBG IDscan will be retained until the earlier of the following events occurs (the ‘Retention Period’):

the ID is no longer in circulation and is no longer accepted as a valid identification document; orwe no longer need it for any purpose for which it may be used or disclosed by us in accordance with the APPs or IPPs (as applicable), or for such longer period as may be required under any applicable law.

At the end of the Retention Period, we will take reasonable steps to destroy or de-identify the ID.

Your rights under Australian and New Zealand Privacy Laws

As an individual, you have rights regarding the processing of your personal information, these are:

  • The right to transparency – you have the right to know why your personal information is being collected, how it will be used and who it will be disclosed to. 
  • The right of anonymity/pseudonymity – you have the right not to identify yourself, or the right to use a pseudonym in certain circumstances if the Australian Privacy Act applies.
  • The right to access your personal information – you have a right to know what personal information GBG hold on you.
  • The right to opt out – you have the right to stop receiving unwanted direct marketing.
  • The right to correction – you have the right to ask us to correct any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to complain about a breach by us of the applicable Privacy Act if you think we’ve mishandled your personal information (see ‘How to contact us if you’re not happy’ and ‘Your right to lodge a complaint with the Supervisory Authority’ below).

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds set out in the applicable Privacy Act is satisfied.

You can send these requests to support@verifidentity.com or by calling us on:

New Zealand: 0800 2VERIFI (0800 283743)

Australia: 1300 849 290

International / NZ: +64 9 953 8333

We will always aim to provide you with access within 30 days (if the Australian Privacy Act applies) or within 20 working days (if the New Zealand Privacy Act applies) but in some cases, it may take longer. If GBG are unable to comply with your request, we will provide you with an explanation.

There is no fee for requesting access to your information, although GBG may charge you the reasonable cost of processing your request.

How to contact us if you're not happy

We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal information is used by GBG then please write to us at support@verifidentity.com

GBG will investigate and respond within 10 working days of receipt of your complaint. This allows us time to investigate your complaint thoroughly. 

Your right to lodge a complaint with the Supervisory Authority

Where you believe that GBG have not taken our responsibilities with your personal information seriously, you have the right to complain to the applicable Supervisory Authority. We ask that you first raise your concerns with us and give us 30 days to satisfactorily resolve your complaint as required by the New Zealand Privacy Act/IPPs. Should we be unable to resolve in the first instance, you can then escalate to the Supervisory Authority as follows:

Office of the Privacy Commissioner, PO Box 10094, Wellington 6143, New Zealand 

Telephone number: 0800 803 909

Email: enquiries@privacy.org.nz

Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW 2001, Australia

Telephone number: 1300 363 992

Email: enquiries@oaic.gov.au

Your US Privacy Rights 

 This section describes how we collect, use, disclose, and otherwise process personal information of individual residents of the States of California, Virginia, Colorado, Connecticut, or Utah, in accordance with their corresponding privacy laws and regulations (collectively, the "US Privacy Laws"). For the purpose of this Privacy Policy “Personal Data” includes “personal information” as defined under the California Privacy Rights Act.  

 

The only Verifi product that currently processes US resident data is CloudCheck. For more general information on how it works, please see the section on CloudCheck at the beginning of this Privacy Policy. 

 

California, Virginia, Colorado, Connecticut and Utah residents may exercise the following rights via:  

  • our webform, or  
  • by calling our toll-free number: 1(833) 383 0085     
  • Right to Know. You have the right to request information on, the personal information we collected about you in the last 12 months,  including the categories of personal information, the categories of sources from which your personal information was collected from, the business or commercial purpose for collecting, selling, or sharing your personal information, the categories of third parties to whom we disclosed your personal information to, and the specific pieces of personal information we have collected about you;  
  • Right to Delete. You have the right to request that we delete Personal Data that we have collected from you, subject to certain exceptions.  
  • Right to Correct. You have a right to request that we correct inaccurate Personal Data that we maintain on you.  
  • Right to Opt Out. You have the right to opt out of the sale of your Personal Data. However, please note that we do not sell your Personal Data.   
  • Right to No Discrimination. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights. This includes employee, applicant, or independent contractor rights to not to be retaliated against for the exercise of your privacy rights. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.  

 

Sensitive Personal Data: We will not use or discloses your sensitive personal information for purposes other than those specified in section 7027 of the California Consumer Privacy Act regulations, subsection (m).  

 

Verification: In order to exercise your rights, we will need to obtain information to locate you in our records and verify your identity depending on the nature of the request. If you are submitting a request on behalf of a household, we will need to verify each member of the household in the manner set forth in this section.  

 

For Right to Know, Right to Correct, and Right to Delete, we may request an ID Document, as well as information on your First Name, Last Name, Email Address, Phone, Postal Address, and Date of Birth to verify your identity and ask that you declare, under penalty of perjury, that you are who you say you are.  This is done to try to ensure that we never provide personal information to individuals who it does not belong to. 

 

Authorized Agents: You may use an authorized agent to exercise your rights on your behalf. If you are making any of the requests above through an authorized agent, we will request written authorization from you and will seek to verify you as described above or we will accept a legal Power of Attorney under the California Probate Code to the authorized agent. To make a request using an authorized agent, use our webform and upload documentation demonstrating you have authorized the agent to exercise rights on your behalf.  

 

Appeal: If you are a resident of a US State that allows you to appeal a decision we have made in connection with your attempt to assert a right under applicable US Privacy Law, you may file an appeal of our decision by contacting us at compliance@gbgplc.com. Please ensure you provide us with the postal address in which you reside, accompanied with details for the basis of your appeal.  

 

Your jurisdiction may also allow you to file a complaint with the state’s Attorney General’s Office regarding any concerns with the result of your appeal request.  Residents of the following states may file a complaint via the following links:  

Viriginia: www.oag.state.va.us/consumer-protection/index.php/file-a-complaint  

Colorado: coag.gov/file-complaint  

Connecticut: portal.ct.gov/AG/Common/Complaint-Form-Landing-page  

Utah: https://services.dcp.utah.gov/s/  

  

Timing: We will respond to rights requests, in compliance with the applicable US Privacy Law, usually within 45 days, unless we need more time in which case we will notify you and may take up to 90 days total to respond to your request if allowed to do so under the applicable US Privacy Law.  

 

Minors under 16: Please note that we do not knowingly collect or disclose personal information in relation to minors under the age of 16.  

 

Your Nevada Notice  

If you are a resident of the State of Nevada, you may opt out of future sales of certain covered information that a website operator has collected or will collect about the resident. However, we do not currently sell covered information. But should you have any questions as a Nevada resident, please email us at compliace@gbgplc.com.  

 

CCPA Summary of Processing  

Below is a summary of the Personal Data we collect and process, as required under the CCPA. Verifi does not sell personal data and only operates as a service provider to our business to business (B2B) customers. Please note that as a service provider to our customers, it is our customers who dictate what personal data our products will collect from you. 

Identifiers and information protected by Cal. Civ. Code 1798.80(e), such as real name, address, business email address, date of birth, IP address 

Sources of Personal Data: You or our Verifi customers to whom you provide it to. 

Business or Commercial Purpose for Collection: To enable use of our sites, services, products, to communicate with you, to understand how our users interact with our sites, to improve our offerings, to market our products or services, to secure our services, to fulfil our legal compliance obligations, in connection with a business merger or transaction, and otherwise for internal business purposes and to comply with applicable legal requirements.

Have we sold the Personal Data: No.

With whom we share / transfer the Personal Data: We share this information with our service providers, and with business customers and partners and affiliates, in order to enable our services and products to function. 

Financial information, such as credit or debit card information (solely in relation to our B2B transactions with our customers) 

Sources of Personal Data: You. 

Business or Commercial Purpose for Collection: To transact with you if you use our products or services, to enable transactions you’ve requested, and otherwise for our own internal business purposes.

Have we sold the Personal Data: No.

With whom we share / transfer the Personal Data: We share this information with our service providers and business partners and affiliates, in order to enable our services and products to function. 

Commercial information and preferences, such as product purchase history, and contact information (name, job, title, work email, phone, and address) (solely in relation to our B2B transactions) 

Sources of Personal Data: You. 

Business or Commercial Purpose for Collection: To transact with you, in your capacity as a B2B employee, if you use our sites, products, or services, to enable transactions you’ve requested as a B2B employee, and for our own internal business purposes such as record-keeping.

Have we sold the Personal Data: No.

With whom we share / transfer the Personal Data: We share this information with our service providers, third party analytics partners, and business partners and affiliates, in order to enable our services and products to function. 

Internet or other electronic network activity information, such as system version, browser type, internet service provider, cookie IDs, device type, details about how you use our site, pages visited, and other similar activity information  

Sources of Personal Data: Your device. 

Business or Commercial Purpose for Collection: To enable use of our Site, to communicate with you, to understand how you interact with our sites, to secure our services, and to improve our offerings.

Have we sold the Personal Data: No.

With whom we share / transfer the Personal Data: We share this information with our service providers, and with business customers and partners and affiliates, in order to enable our services and products to function.