Services Privacy Notice

Shufti as Processor (Service Delivery for Clients)

For most identity verification, AML screening and related checks, Clients are controllers and Shufti is a processor that performs only those data processing activities that Clients request. Shufti's Terms state that Shufti processes User Information on the Client's documented instructions.

Shufti as Independent Controller (Improvement / Security)

Shufti may also act as an independent controller where processing is necessary for model training, fraud prevention, service security and product improvement, as Shufti's Terms explicitly state.

Independent controller processing for model training and fraud prevention is subject to the following limitations:

• Only personal data strictly necessary for the defined improvement or security purpose is used. Shufti does not use broader datasets than required for the specified purpose.
• Data used for model training or internal improvement purposes is pseudonymised or anonymised wherever technically and operationally feasible prior to use, and is not re-identified except where strictly necessary for quality control.
• Biometric data used for algorithm training is maintained in segregated datasets, subject to enhanced access controls, with access limited to authorised personnel only and governed by documented access policies.
• Retention of biometric training data is subject to documented limits (see Section 13). These limits are reviewed at each training cycle and enforced through technical controls.
• Independent controller processing is subject to documented Legitimate Interest Assessments and, where biometric data is involved, to a dedicated Data Protection Impact Assessment (see Section 9).

Shufti as Independent Controller (Client Representatives and Authorised Users)

When Shufti processes personal data about Client representatives and authorised users, Shufti generally acts as an independent data controller because it decides how to use this data to set up, run, secure and support Client accounts and access to Shufti tools (including the Back Office).

4A.Separation of Processor and Controller Data Sets

Data processed by Shufti on behalf of Clients for service delivery purposes (processor data) is logically and operationally segregated from any datasets used by Shufti for its own controller purposes, including model training, fraud intelligence, and service improvement.

Shufti implements the following technical and organisational controls to maintain this separation:

• Processor data and controller data are stored in separate logical data environments with distinct access controls. Personnel authorised to access processor data for service delivery purposes do not have unrestricted access to controller datasets used for internal purposes.
• Data flows between processor and controller environments are governed by documented procedures and are subject to approval by the Data Protection team.
• Where data is moved from a processor environment to a controller environment (e.g. for pseudonymised model training), this transfer is documented, subject to a written agreement with the relevant Client where required, and disclosed in this notice.
• Automated controls are implemented to prevent processor data from being inadvertently included in controller datasets or used for purposes beyond those permitted by the Client's instructions.
• The separation of datasets is reviewed as part of Shufti's annual DPIA and data governance review cycle.

A. Service Delivery and Service Operations

• A1. Identity and Contact Data: Name, date of birth, email and/or phone number (as required by the Client's configured checks).
• A2. Document Data: Images and/or videos of identity documents (passport/ID card/driving licence) and related proofs, plus extracted text via OCR when required.
• A3. Biometric Data (Face / Liveness / Deepfake): Face images and/or videos and derived liveness/deepfake detection results.
• A4. AML / Screening Data: Screening results and match signals (e.g. sanctions screening against regimes including UN/OFAC/EU/HMT and others). Processed only upon explicit client instructions; Shufti acts only as processor for this data.
• A5. Device, Behavioural and Risk Data: Device fingerprint attributes such as screen resolution, browser settings and IP address to create a unique identifier (device fingerprinting) and multi-source risk inputs (email/phone/IP/location/transaction history) for risk assessment.
• A6. SMS / OTP Authentication Data: Shufti may collect an end-user's mobile number to send SMS/OTP for authentication. That mobile information is not shared/sold/rented for marketing. Shufti acts as a processor for this data.

B. Data About Client Representatives / Authorised Users

• B1. Identity and Contact Details: Full name, business email, business phone number.
• B2. Organisation/Account Details: Company name, company website, country, verification volume, industry and other information required to set up and administer your account.
• B3. Communications Data: Emails, messages, meeting notes, support queries and responses relating to account set-up, integration, service delivery, incident handling and commercial administration.
• B4. Account and Security Data: User IDs, role/permission assignments, authentication logs (e.g. login history), IP addresses and device/security signals associated with account access.

Part 1 — Processing Where Shufti Is a Processor (Client-Controlled Purposes)

When Shufti acts as a processor, the Client (controller) determines and documents the lawful basis and provides privacy information to end-users. Typical controller lawful bases used by Clients include:

• Legal obligation (e.g. regulated AML/KYC checks);
• Contract (necessary to provide a service to the end-user);
• Legitimate interests (fraud prevention / security), subject to balancing;
• Consent, where the Client chooses consent as the lawful basis.

Shufti processes personal data on documented instructions of the Client unless required to do otherwise by law.

Part 2 — Processing Where Shufti Is an Independent Controller

A. Service Delivery (Model Training, Fraud Prevention, Audit)

Lawful basis hierarchy applied:

• Consent (Article 6(1)(a) UK GDPR): used only where consent is freely given, specific, informed and unambiguous, and is not bundled with or made a condition of access to the service. Where consent is relied upon, clear withdrawal mechanisms are provided.
• Legitimate interests (Article 6(1)(f) UK GDPR): used for service security, verification efficiency, fraud prevention and model improvement, where consent is not the appropriate basis. Each legitimate interest processing activity is supported by a documented Legitimate Interest Assessment (LIA) that identifies the interest pursued, assesses necessity and proportionality, and records mitigation measures applied to protect individuals' rights. LIAs are reviewed periodically.
• Legal obligation (Article 6(1)(c) UK GDPR): where Shufti must retain or disclose information to comply with law or lawful requests.
• Legal claims (Article 6(1)(f) / recital 111 UK GDPR): where needed to establish, exercise or defend legal claims (litigation hold).

B. Client Representatives and Authorised Users (Account Administration)

Lawful bases relied upon:

• Legitimate interests: account administration, service delivery support, security, misuse prevention and maintaining audit logs — supported by documented LIAs.
• Contract / steps to enter into a contract: account administration, service delivery support.
• Legal obligation: where Shufti must process or retain information to comply with applicable laws.
• Legal claims: where processing is necessary to establish, exercise, or defend legal claims.

If the Client is the controller:

The Client is responsible for identifying a valid Article 9 condition where required. Shufti's Terms require Clients to ensure necessary consents/notifications for lawful transfer and collection on behalf of the Client.

If Shufti is the controller (model training and fraud prevention):

Shufti will rely on an identified Article 9 condition for each specific controller processing activity involving biometric or other special category data. The Article 9 conditions relied upon include:

• Article 9(2)(a): explicit consent of the data subject, where Shufti obtains and documents explicit consent with withdrawal controls as described in this notice. Consent is not bundled with service access;
• Article 9(2)(f): establishment, exercise or defence of legal claims, where applicable;
• Article 9(2)(g): substantial public interest (where supported by applicable law and appropriate safeguards);
• Other permitted conditions only where applicable law supports them and appropriate safeguards exist.

Enhanced safeguards for biometric data used in model training include: logical segregation of biometric training datasets; restricted access limited to authorised personnel; pseudonymisation or anonymisation prior to use where feasible; documented retention limits; and prohibition on sharing of biometric training data with third parties except under a written agreement incorporating Article 28 requirements.

Shufti's Role as Processor

Shufti's Terms describe service modes: Standard Mode (AI engine + human review layer) and Customised Mode (AI-only or HI-only). Shufti's User Risk Assessment describes risk-based decisioning (approve/flag/deny) using inputs like IP/location/transaction history and rules/risk bands.

Shufti performs checks and produces verification outcomes and risk outputs for Clients. Accepted/declined results and verification details are delivered to Clients via API and back office. Shufti may use automated systems and (depending on mode/configuration) human review to perform checks.

Where a Client uses Shufti outputs for decisions that are solely automated and have legal or similarly significant effects, the Client must provide required information to end-users and ensure appropriate safeguards, including the right to obtain human intervention, express a point of view and contest the decision.

Shufti's Role as Controller

Where Shufti processes personal data as an independent controller and uses automated processing that produces risk outputs or categorisations that have legal or similarly significant effects on individuals, the following safeguards are applied:

• Human review is integrated into the decision-making process where required by Article 22 UK GDPR or where the automated output would otherwise constitute a sole basis for a significant decision;
• Individuals are informed of the existence of automated processing and its logic through this notice;
• Individuals retain the right to obtain human intervention, express their point of view, and contest outcomes;
• Automated processing activities conducted as controller are documented in Shufti's ROPA and reviewed as part of the DPIA cycle.

A. Group Companies

In some circumstances, Shufti Pro Limited and its group entities may act as joint controllers of your personal data. Group companies include:

• Shufti AB (Sweden)
• Shufti Pro Limited (Cyprus)
• Shufti LLC (Delaware)
• Shufti Digital ID Verification Services Limited (Dubai)
• Shufti PTE Limited (Singapore)

B. Categories of Third-Party Service Providers (Sub-processors)

a. Service Delivery Sub-processors

• Cloud infrastructure & hosting providers
• Data storage / database providers
• CDN, DDoS protection & load balancing providers
• AML / sanctions screening providers
• IP geolocation providers
• Business / company verification data providers
• National ID / registry verification providers
• Live interview/chat platforms for Video KYC
• SMS / OTP / 2FA delivery providers

b. Client Interaction Sub-processors

• Email communication providers
• Live interview/chat platforms
• Customer support / ticketing systems

c. Payment Processors and Other Recipients

• Payment gateway providers (e.g. Stripe)
• Insurers/professional advisers where reasonably necessary
• Authorities/law enforcement where required by law

If You Are an End-User Being Verified for a Client

In most cases, the Client is the controller of your service verification data. You should contact the Client in the first instance for rights requests (access, deletion, objection, restriction, etc). If Shufti receives a rights request from an end-user while acting as a processor, Shufti will acknowledge the request within 5 working days and direct you to contact the relevant Client controller, which manages the request outcome. Shufti will cooperate with Clients in fulfilling data subject rights requests in accordance with its contractual obligations and Article 28(3)(e) UK GDPR.

If Shufti Is Acting as Controller (Model Improvement, Security Logs, Client Reps)

Contact Shufti at [email protected] for rights requests. Use this form for your requests. Shufti will respond within one calendar month of receipt of a valid request (or within three months for complex requests, with notification within one month of the extension). We may ask for information to verify your identity before responding.

Where a request involves processing activities conducted in both processor and controller roles, Shufti will triage the request, identify the relevant controller(s), and coordinate the response to ensure a complete and consistent outcome for the data subject.

Full List of Rights

Depending on applicable law and the context, rights may include:

• Access: ask for a copy of your personal data.
• Rectification: correct inaccurate data.
• Erasure: ask us to delete data (subject to legal obligations/retention).
• Restriction: ask us to limit processing in certain cases.
• Portability: receive certain data in a portable format.
• Object: object to processing based on legitimate interests and to direct marketing.
• Withdraw consent: where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
• Right not to be subject to solely automated decisions with legal or similarly significant effects (see Section 10).
• Complain: lodge a complaint with a supervisory authority (ICO in the UK; EEA DPAs via EDPB list).