Data Protection Policy

Data Protection Policy

By engaging with Shufti Pro’s services, the User agrees to and is bound by the following provisions. The policies mentioned herein are the sole understanding between Shufti Pro, and the End Users. The provisions are subject to change without any prior notice given. All policies are subject to the laws as laid down by General Data Protection Law (EU 2016/679).


“Data Processor”, means Shufti Pro, an online Identity Verification and Background Checks service based out of United Kingdom.

“Data Controller”, means any Enterprise, Company or from which the User has been referred to the Data Processor for Identity Verification.

“EEA Zone” means European Economic Area.

“Hosted Services” means online identity and document verification services, which are made available to the Data Controller by the Data Processor after a contractual agreement that has been put in place.

“Information”, means any personal details during processing of information provided by the User either in form of digital text, digital image, or video.

“PII Data” means any information which can identify a User as the holder of their identity. This may include but is not limited to; Name, Date of Birth, Residential Address, Phone Number, Passport Number, Tax Number, and Government ID Card Number.

Data Retention

1.1 The time period of User’s data storage corresponds to the prior contractual agreement in place between the Data Processor, and the Data Controller. The time period can be anywhere from six (6) months to two (2) years.

1.2 The nature of data stored is of PII relevance.

1.3 The information containing the PII data can be either in the form of Image, Text or Video.

1.4 The User’s data is stored within the EEA zone located in Germany.

1.5 The User’s data is stored in databases housed on Dedicated Hosted Servers.

1.6 As per GDPR EU, data is stored for record-keeping purposes as per the guidelines declared by the regulatory bodies to ensure transparency.

Data Erasure

2.1 The erasure of data is subject to three conditions:

  1. On End User’s demand
  2. On Data Controller demand
  3. Scheduled Data Erasure processes in place; the Data Processor must inform the Data Controller ten (10) business days in advance about this.

2.2 The erasure of data is carried out by employing Industry Sanitization Methods.

2.3 The impact of Data Erasure on existing case may include but is not limited to re-addressing contractual address between Data Processor and Data Controller, increase in autonomy of User as data’s owner, and administrative policies in place prior to Data Erasure.

Data Security

3.1 The Data Processor hereby certifies that its shall take necessary security measures required to ensure protection, and prevention of decrypting information flowing across servers.

3.2 The Data Processor shall ensure that the information is being collected, and processed within the EEA zone, and should this information travel outside the EEA Zone, in this regard the Data Processor shall immediately take necessary actions to prevent it, and inform the Data Controller through a proper channel.

3.3 The Data Processor shall ensure that the transmission of User’s data shall not be shared with any Third Party Services unless the sharing of data becomes necessary by law, or necessary to carry out the Hosted Services.

Data Assessment

4.1 The Data Processor shall nominate one Data Compliance Office who shall be responsible to address that all necessary policies regarding protection of data

4.2 The Data Processor shall make sure to implement process for Security Audit of Hosted Services to ensure all systems are running, and are as per the SLA kept in place under the contractual agreement between Data Processor and the Data Controller.

4.3 The Data Processor hereby acknowledges that it shall implement a suitable mechanism in place to address any leak or data breach by immediately notifying the International Commissioner Office UK within next one or two business days.

User’s Responsibility

6.1 The User acknowledges and provides confirmation that they are above the age of sixteen (16) years

6.2 The User hereby consents that the information provided by them is valid, accurate, and up-to-date to the best of their knowledge.

6.3 The User acknowledges that if any discrepancy arises in the information provided by them then they must inform the Data Controller in an appropriate manner.