Privacy Policy for Shufti Employees
Applies to employees, interns, former employees, contractors, consultants and temporary agency workers ("Employees"). UK GDPR & Data Protection Act 2018.
Please note that a separate privacy policy may apply to job applicants. Other privacy policies may apply if we process the same persons' data in another role (for example, our general customer privacy policy will apply in addition to this Policy where you are using our services).
Last updated: April 2026
1. About Us
We are Shufti Pro Limited, a company registered in the UK under company registration number 11039567, with our registered office at Office 408 Coppergate House, 10 Whites Row, London E1 7NF, GB.
2. Overview
For the purpose of the General Data Protection Regulation (GDPR) and applicable UK laws, notably the UK GDPR and the Data Protection Act 2018, this Privacy Policy applies to the situations where Shufti is the "Data Controller" of Employees' data. Shufti's corporate group (Shufti Group) comprises the following companies: Shufti Pro Limited (UK), Shufti Digital ID Verification Services Limited (DIFC), SHUFTI PRO PTE. LTD (Singapore). Shufti Group's entities may act as joint controllers of your personal data. For further information about our joint controller arrangement, please contact us at: [email protected].
2A. Controller, Joint Controller and Intra-Group Data Allocation
Shufti Pro Limited acts as the primary data controller for employee personal data processed within the Shufti Group. Other group entities (including Shufti Digital ID Verification Services Limited (DIFC) and SHUFTI PRO PTE. LTD (Singapore)) act only as processors.
3. The Basis for the Processing of Your Data
Shufti processes employee personal data on the following lawful bases, which vary depending on the purpose of processing:
| Lawful Basis | Description |
|---|---|
| Article 6(1)(c) Legal Obligation | Processing necessary to comply with our legal and regulatory requirements, including payroll administration, tax reporting, National Insurance contributions, compliance with employment law obligations, and responding to lawful requests from government authorities. |
| Article 6(1)(b) Contract | Processing necessary for the performance of the employment contract, or to take steps at your request prior to entering into it. This includes workforce administration, compensation and benefits management, and managing the employment relationship. |
| Article 6(1)(f) Legitimate Interests | Processing necessary for our legitimate interests, or those of a third party, where those interests are not overridden by your fundamental rights and freedoms. This includes internal operations management, security monitoring, fraud prevention, protecting company assets, and making or defending against legal claims. Shufti maintains documented Legitimate Interest Assessments (LIAs) for each such purpose, available upon request. |
| Article 9 UK GDPR Special Category Data | Where we process special category data (such as health information or data concerning disability), we rely on Article 9(2)(b) (employment law obligations), Article 9(2)(h) (medical purposes and occupational health), or Article 9(2)(f) (legal claims) as applicable. Where processing of special category data requires a DPIA, one will be conducted and documented prior to processing. |
We may ask for your consent in other cases where we process your data. Such consent can be revoked at any time by contacting us at [email protected].
4. Information Gathered
Employees' data may be collected directly from the data subjects, via other persons such as managers, referees or former employers, or in another way, e.g. via open internet resources. Shufti collects only the personal data that is necessary for defined employment-related purposes, in accordance with the principle of data minimisation.
The data gathered would typically comprise full name, contact and emergency contact details, records of holiday, sickness and other absence, teleworking information, information needed for payroll, benefits and expenses purposes, application form and references, dietary requirements, performance reviews, correspondence with or about the Employee, a copy of passport and visa, a photo and the employment contract and any amendments to it.
Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations, to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also need this data to administer and manage statutory and company sick pay.
Special Category Data
Special category data (including health data, data concerning disability, racial or ethnic origin, religious beliefs, or trade union membership) is processed by Shufti strictly where necessary and in reliance on the applicable condition under Article 9(2) UK GDPR, namely: Article 9(2)(b) for processing necessary to fulfil obligations and exercise rights in employment law; Article 9(2)(h) for medical, health and safety, and occupational health purposes; and Article 9(2)(f) for the establishment, exercise or defence of legal claims.
Access to special category data is restricted on a strict need-to-know basis. Appropriate confidentiality controls are applied, and retention of such data is limited to the period strictly necessary for the relevant purpose.
5. The Use of Your Personal Information
We process Employees' personal information for the following purposes:
- Workforce planning, recruitment and staffing;
- Workforce administration, payroll, compensation and benefit programs;
- Performance management, learning and development;
- Advancement and succession planning;
- Legal compliance, including compliance with government authority requests for information, liens, garnishments and tax compliance;
- Workplace management, such as travel and expense programs and internal health and safety programs;
- Internal reporting;
- Audit;
- To protect Shufti, its workforce, and the public against injury, theft, legal liability, fraud or abuse or other injury; and
- Other legal and customary business-related purposes.
6. Monitoring
Employees shall be entitled to reasonably necessary private communication using Shufti's communications infrastructure. Shufti may block certain communications channels as long as suitable alternatives are provided.
Shufti may monitor employees' use of company-owned telecommunications and computer systems only where such monitoring is necessary and proportionate to a legitimate aim, and only after completion of a prior documented assessment. Such assessment will include a Legitimate Interest Assessment and, where required under applicable law, a Data Protection Impact Assessment. Monitoring will be conducted in accordance with applicable employment and privacy laws, including but not limited to the Investigatory Powers Act 2016 and any relevant codes of practice.
Employees will be informed in advance of the nature, scope and purpose of any monitoring activity unless exceptional circumstances (such as a reasonable suspicion of serious misconduct or criminal activity) make prior notification impractical, in which case monitoring may be conducted without prior notice to the extent permitted by law. Any such exceptional circumstances will be documented.
7. Recipients of Your Information
Where necessary to fulfil defined employment-related purposes, employees' data may be shared with third parties. All sharing of personal data with third parties is subject to written agreements that incorporate appropriate data protection obligations, confidentiality provisions, and safeguards consistent with the requirements of UK GDPR.
Categories of third-party recipients include:
- Third party service providers: subcontractors, vendors or suppliers who perform services on our behalf, including:
  - Storage providers
  - CRM providers
  - Communications providers and web communications tools
  - IT service providers
  - Background check providers (where applicable)
- Referees: when we take references (you will be informed before we contact your referees).
- Professional advisors: such as lawyers or auditors, where necessary.
- Other entities within our group, acting as processors or joint controllers as described in Section 2A.
- A successor or acquiring organisation where Shufti is involved in a merger, sale or transfer of some or all of its business, subject to appropriate confidentiality and data protection safeguards.
- Insurance companies, to the extent necessary for the provision of employee-related insurance coverage.
- Governmental or regulatory authorities: where we are required to do so by law or believe that such action is necessary to: (a) fulfil a government or regulatory authority request; (b) conform with the requirements of the law or legal process; (c) protect or defend our legal rights or property, our websites or employees.
- Any other third parties with your express consent.
8. International Transfers of Data
We may transfer information about you for purposes connected with your employment or the management of the company's business. Employees' data may be transferred to, and stored at, destinations outside the European Economic Area (EEA) and the UK where the laws on processing personal data may be less stringent than in your country. It may also be processed by staff operating outside the EEA or the UK who work for us or for one of our agents or suppliers.
When your personal data is transferred to parties located outside of the EEA or the UK, we will undertake an assessment and take appropriate measures to ensure such third party will provide adequate security of such personal data and respect your rights to privacy. All international transfers of employee personal data are recorded in Shufti's transfer register.
Appropriate safeguards for international transfers may include:
- Transferring personal data only to countries which have been deemed to provide an adequate level of protection for personal data by the UK Government (adequacy regulations); or
- Entering into UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs) as incorporated into UK law, or other UK-approved transfer mechanisms; or
- Other appropriate safeguards as recognised under Article 46 UK GDPR.
Where a transfer impact assessment (TIA) is required to assess whether the law and practice in the destination country allows the safeguards to be effective, such assessment will be conducted and documented prior to the transfer taking place.
Employees may request further information regarding the specific transfer mechanisms applicable to their personal data, and copies of any relevant safeguards, by contacting [email protected].
9. Data Retention
Where multiple legal or operational retention obligations apply to the same data, the longest applicable period will prevail.
| Data Category | Maximum Retention Period | Basis / Notes |
|---|---|---|
| General employment records (contracts, correspondence, HR records) | Up to 6 years from termination | Legitimate interests in defending against or pursuing legal claims. |
| Payroll and tax records | Minimum 3 years after end of relevant tax year | Required by HMRC and applicable tax legislation. Longer period applies where mandated by statute. |
| Health and special category data | Period strictly necessary for purpose | Subject to applicable statutory obligations; securely deleted upon expiry. |
| Email communications (employee-to-employee and employee-to-third party) | Up to 6 years | Where necessary to evidence or defend contractual or legal claims. Deleted earlier where no longer required. |
| CVs, application materials, and references | Duration of employment + up to 6 years | Legitimate interests in substantiating basis for employment relationship. Consent not relied upon post-termination. |
Following the expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymised in accordance with Shufti's data retention and disposal procedures. Employees may request further information about applicable retention periods by contacting [email protected].
10. Your Rights
- Right of Access (DSAR): Request a copy of the personal data we hold about you and information on how it is used, shared and retained.
- Right to Rectification: Request correction of inaccurate or incomplete personal data. We will need to verify the accuracy of the new data you provide.
- Right to Restriction: Ask us to suspend the processing of your personal data in certain circumstances, for example where you contest the accuracy of data or where processing is unlawful but you do not want erasure.
- Right to Erasure ('right to be forgotten'): Ask us to delete or remove personal data where there is no good reason for us continuing to process it, subject to any legal or legitimate basis for continued retention.
- Right to Object: Object to processing of your personal data where we are relying on our legitimate interests (or those of a third party). You also have the right to object where we are processing your personal data for direct marketing purposes.
- Right to Data Portability: Request your data in a common, machine-readable format by contacting us at [email protected].
Requests will be escalated internally to the Data Protection Officer where the request involves complex data protection questions or where it concerns processing by multiple group entities. Where group entities act as joint controllers, Shufti will coordinate responses across group entities to ensure a consistent and compliant outcome for the data subject.
11. Contact and Complaints
Should you have any concerns or complaints about how we handle your personal information, we encourage you to raise the matter with us in the first instance so that we can seek to resolve it promptly and fairly. Please contact our Data Protection Officer at [email protected]. Shufti is committed to handling all concerns transparently, and we will acknowledge your complaint and provide a substantive response within a reasonable timeframe.
Should we be unable to resolve your complaint through our internal processes and you wish to escalate your complaint further, you may do so by contacting the relevant supervisory authority:
| Authority | Link |
|---|---|
| ICO (UK) | ico.org.uk/make-a-complaint/ |
| EU Authorities | digital-strategy.ec.europa.eu/en/library/list-personal-data-protection-competent-authorities |
12. Data Protection Officer Contact Details
Shufti has appointed a Data Protection Officer (DPO) for you to contact if you have any questions or concerns about Shufti's personal data policies or practices. The DPO operates independently of Shufti's management and reports to the highest level of management within the organisation in accordance with Article 38 UK GDPR.
Eagle House, 163 City Road, London EC1V 1NR
Telephone: +44 20 3917 4158
Email: [email protected]
13. Data Security and Access Controls
Shufti implements appropriate technical and organisational measures to protect employee personal data against unauthorised access, loss, alteration, disclosure or destruction. Security measures include:
- Role-based access controls (RBAC), ensuring that access to employee personal data is restricted to those with a legitimate need to access it in the performance of their duties;
- Logging and audit trails for access to and processing of personal data, enabling detection and investigation of unauthorised or inappropriate access;
- Security monitoring of systems and networks to detect and respond to potential security incidents;
- Encryption of personal data in transit and at rest where appropriate;
- Regular testing and review of security measures.
Shufti's security measures are reviewed on a regular basis and updated as necessary to reflect changes in technology and the threat environment.
14. Data Breach Handling
In the event of a personal data breach, Shufti will act in accordance with its internal data breach response procedures, which set out the steps to be taken upon detection of a suspected or confirmed breach, including internal escalation to the Data Protection Officer.
Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, those individuals will be notified without undue delay in accordance with Article 34 UK GDPR.
Further details of Shufti's data breach handling procedures are available upon request from the Data Protection Officer.
15. Automated Decision-Making in Employment Context
Shufti does not currently make decisions about employees that produce legal or similarly significant effects solely by automated means, without meaningful human involvement.
Where any automated processing of employee data occurs that involves profiling or contributes to employment-related decisions, Shufti will:
- (a) ensure that appropriate human review is integrated into the decision-making process;
- (b) inform affected employees of the nature of any such processing;
- (c) provide employees with the right to contest the outcome and to request human review; and
- (d) conduct a Data Protection Impact Assessment prior to implementing any such processing, as required by Article 35 UK GDPR.
16. Data Minimisation
Shufti is committed to the principle of data minimisation. Only personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed will be collected and retained. Shufti does not collect employee personal data speculatively or for purposes that have not been identified and documented prior to collection.
Data minimisation is reviewed as part of Shufti's data governance processes, including when new processing activities are introduced and as part of periodic reviews of existing processing activities.
17. Changes to This Privacy Policy
We reserve the right to change and update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our internal practices. We will notify you if we update or change this Privacy Policy and the latest version will be sent to you.
