Products and Services
Privacy Policy

This policy was last updated on 11 September 2023.

General information and contact details

GB Group Plc and our wholly owned subsidiaries ("GBG", "we", "us" or "our") take the protection and security of your personal data very seriously. This privacy notice sets out the personal information we collect and process about you through our products and services, the purposes of the processing and how you can exercise your privacy rights.

You may be reading this notice because of a link provided by one of our third party data suppliers, one of our customers, or you simply want more information on processing in relation to our products and services.

Where we collect personal information from you directly, for example, through our website or because you have applied for a job with us, please see our Website Privacy Notice.

Our customers and data suppliers will have a lawful reason for processing your data and may have a separate relationship with you. They are separately required to provide you with information (for example through their own privacy notice) about how they collect and process your data.

We have offices in a number of countries, which are detailed here, and our registered head office is located within the United Kingdom:

GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
United Kingdom
CH4 9GB

Our Company Registration Number is: 02415211

If you have any questions about how we use your personal data, please contact our Data Protection Officer by email at DPO@gbgplc.com or call + 44 (0) 161 909 6713.

Our EEA representative is located in Spain at the following address

GBG
WeWork Passeig de Gracia
Pg. de Gràcia, 17,
08007 Barcelona
Spain

We review this privacy notice on an annual basis, sooner if changes to regulation require it or we change the way we process personal data.

What do we do?

GBG is a global organisation who create technology. Typically, customers use our technology so they can verify the information that you give to them about yourself. We do this by matching third party reference data (which we receive from data suppliers) against the data you give about yourself to our customers. This still sounds complex, so an example is often the easiest way to explain…

You are going to open a bank account
In order to open the bank account, the bank (our customer) needs to verify you are who you say you are. This is for a number of reasons, such as for the bank to comply with anti-money laundering regulations or combatting fraud purposes.
The bank collects personal data from you and passes this to GBG’s technology to process (via our products and services).
As part of this processing, we may match the personal data you provided against third party data (from our data suppliers), such as data belonging to Credit Reference Agencies or public sources, such as the voters register.
We may also collect your selfie photo and identity documents to verify that the person carrying out the journey is the same as those in the identity documents.
Matching your personal data may be done in 2 ways:
1. GBG host a copy of this personal data that we receive from data suppliers; and, or
2. GBG access personal data via a web service, which means our data suppliers holds the database and we securely send them your personal data to match against the records they hold. They then return the result to GBG.
We pass a result back to the bank (our customer) on whether we could match your input data against the third party data.
Our customer then decides how they will respond to you, e.g. open your bank account, decline your request etc.
GBG does not have visibility on, nor can we influence how our customer responds to you.

More examples are included in the table below describing why we collect your personal data.

What personal data do we collect and why?

The personal information that we may collect about you broadly falls into the following categories:

Category	Examples
Basic information	Name/Address
Attribute	Telephone/Email/Date of Birth
Device	IP, GEocode, DeviceID
Financial	Home Ownership, County Court Judgments, Insolvency
Social	Social Networks
Image	Photo on a passport or driving licence, self-taken photos

Why we collect your personal data depends on the services we provide.

GBG Service	Description on services / why we collect this personal data
Location Intelligence	Address Capture & Verification – we can capture and verify addresses globally. Our service aims to create the best, quickest experience when you order online, whilst ensuring the company you are engaging with has the information they need to fulfil your request. For example, it is much quicker for you to enter a postcode and be presented with a list of addresses to select from, as opposed to entering the full address. There is also the option where the company you are engaging with can verify if you have provided a valid email address or phone number so they can get in touch with you if needed. Some of our customers also take Geocodes, which is a unique identifier for your address, so the delivery company can easily find you to deliver the item you have ordered. Data Cleansing – we are all busy people and it’s often difficult to remember and very time consuming to contact all the businesses we engage with if any of our details or preferences change. These organisations also have a legal requirement to keep your data up-to-date, which is where we come in. We can help them identify if your details are no longer valid, such as if you have moved address or if someone in your household has died, for the purposes of reducing the risk of fraud or being contacted at what we know will be an upsetting time. GBG is also able to provide our customers with additional information about you to help them try to ensure that the information that collected from you remains accurate and relevant to the purposes for which you provided it to them. For clarity, data that we provide to our customers cannot be used by us or them to contact you for marketing purposes. An example of where this could be used is if you had a pension at an old address, we could provide our customer with a new address so they can contact you. It is a legal requirement for such organisations to try to reunify you with your assets, which is why they are entitled to keep your information accurate and up to date.
Identity	Identity & Age Verification – we can capture and verify your identity globally, making it easier for you to transact online. What this includes depends on the organisation you are engaging with. For example, we can verify the authenticity of your identity documents or check if you are over a particular age if you want to access a service which has age restrictions. Our customers do this because many of them must meet regulatory requirements and prevent fraud, so we help them to meet their requirements, with you in mind, to make things as simple and easy as possible. Identity Intelligence & Tracing – use is for law enforcement, asset reunification and debt collection to identify and locate individuals. Where a company has minimal or old information on you, there may be a need to contact you. To give you an example, our product has helped assist police in locating a domestic abuse victim who needed help. A woman made a 999 call as there was an incident at a domestic address. The police used GBG’s product to identify three possible addresses. Patrols attended each address and the operator was able to hear the officers knocking on the door, confirming they were in the right place. A man was arrested and the woman treated for her injuries.
Fraud & Compliance Management	We help our customers reduce fraud and/or comply with their regulatory obligations, which could benefit you by ensuring you get the best price, your identity is protected, and you receive goods and services you order. With each online order companies must make a decision whether to ship or decline it. To give you an example, Mary Christmas placed a large food order on the last shipping day before Christmas. Her name triggered fraud indicators: due to her name and timing, the retailer would have normally declined the order. However, the retailer used our service to determine that Mary Christmas was a legitimate customer. Mary Christmas's goods were dispatched and she/her family got to enjoy a lovely Christmas lunch. To help protect you against fraud and help other third parties to detect and prevent fraud, GBG or one of our wholly owned subsidiaries (e.g. Acuant Inc, IDology Inc, Loqate Inc), may collect your data directly from you, from our third party suppliers, or from our customers. When we collect your data, we may use it to generate risk scores or create fraud and/or identity alerts, insights and reports. If collection is via our customers, we have requested you be informed of this via their privacy notices. We generate these risk scores and alerts via our Consortium Fraud Network. Depending upon what has been agreed with you or GBG’s customer, this may be a data pool specific to a named GBG legal entity and/ or your data may be shared across all GBG entities. The purpose of our consortium fraud networks is to be able to gain insights from the data that is fed into them, for the purposes of fraud prevention and/or compliance. Please note, that we have technical and organisation security measures in place to protect your data, and where applicable, data in our network consortiums is pseudonymized, one-way hashed, and encrypted. Additionally, we do not grant our customers or any third-parties direct access to the data held in our network consortiums; the data is only accessed by us to help our products to generate a risk or pass/fail score, without actual disclosure of the data, for customers whose data is fed into the relevant network consortium.

Our legal basis for processing personal data

We will collect personal information where the processing is in our or our customer’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. These include legitimate business interests which provide a societal benefit, such as preventing fraud, crime prevention and detection and ensuring only individuals who should have access to services are able to do so.

In some of our Identity Products & Services we may also rely on your explicit consent as our lawful basis, where the processing includes special category data in the form of your biometric data. If you are not happy to provide your explicit consent, then please consult with the organisation that you are engaging with. They may provide an alternative means to verify your identity. Unfortunately, this is not something GBG can influence.

The table below identifies the legitimate interest that we rely on pursuant to the GDPR for each of our activities.

Activity/Purpose	GBG's Lawful basis
Location Intelligence: Address Capture & Verification	Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to ensure you receive the goods/services you have ordered and prevent fraud by ensuring your data is accurate and up-to-date.
Identity	Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, they help to prevent fraud by ensuring you are who you say you are, so you can access goods and services compliantly. Many of our customers must also meet a legal obligation when processing your personal data, such as ensuring you are old enough, or verifying your identity. Consent: The journey includes steps that will perform face match and liveness tests so your biometric data will be processed. This is special category data under the GDPR, and GBG will rely on explicit consent under Article 9(2)(a) to process such data.
Fraud & Compliance Management	Legitimate Interests of a third party: Our customers will have their own lawful basis for processing your data and will have communicated this with you. We have given a description of the types of services our customers provide in the table above, but in a nutshell, these services help to prevent fraud and allow our customer to meet their compliance obligations.

Pursuant to our obligations under Article 30 GDPR, we maintain an up-to-date record of processing activities under our responsibility, which details for each of our processing activities the legitimate interest relied on as a lawful basis for processing the personal data.

You are entitled to more information on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data. If you have questions about this or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.

Biometrics Notice

GBG has 2 offerings:

delivered via GBG’s API
delivered via Acuant Inc’s API

The API will collect the following images from you directly or via our customer: (1) an identity document that you take a photo of and (2) a selfie image that you take of yourself, captured through our business customer’s identity verification interface, which the individual is interacting with.

Dependent upon the product taken (which GBG’s customer will be aware of, and you should have been informed about) facial comparison will be performed using modern technology, and specified algorithms to determine whether the faces contained in the two images belong to the same person and to generate a “Face Match Score” (on a scale of 0 to 100) representing the confidence level that the two images of the individual match each other.

Where Acuant Inc’s API has been used, we send the images to our third party partner (Microsoft Azure). They are contractually limited to using the images and/or their corresponding data for purposes of performing the image comparison on our behalf. They are also contractually required to destroy the images and any biometric data within 24 hours. At no point will we have access to any biometric identifiers that our third-party partner may have processed when generating your Face Match Score. Where GBG’s API is used, we will host all processing on AWS.

Once the comparison match is complete, the Face Match Score (which does not include any biometric identifiers or use any biometric identifiers to identify you) is passed through our API to our customer to help them determine their level of confidence that your selfie is the same person as the individual on the identity document.

GBG only uses the Face Match Score to try to help our customers authenticate that you are the same individual whose photo is on the ID document you provided, for the purpose of verification services and fraud prevention. The biometric processing that GBG performs is not used to identify an individual, but instead it is used to authenticate the ID document you submitted by confirming that the individual in the selfie is the same individual in the ID document.

Where required by law, our customers must obtain consent to collect and/or have us process your biometric data, and we have contractually obligated them to do so.

Please note that our customer may retain the data processed in accordance with their own internal policies, which we have no control or influence over. Retention depends on the API taken and the customer’s instructions. This can vary from an instant purge (GBG's IDScan Core), 60 seconds (Acuant Inc) to 30 days (IDScan Enterprise)

However, upon our customer’s request, we may retain the data on our customer’s behalf (with access controls that limit our accessibility to the data—we can only access it on our customers’s behalf, at their instruction) for the amount of time requested by the customer, strictly in accordance with our contractual agreement with the customer. We will not store the data after we cease to have a relationship with the customer unless we otherwise obtain permission or is required by law.

For the avoidance of doubt, the Face Match Score generated by GBG cannot be used to identify you (it is simply a number from 1 to 100). GBG uses appropriate information security safeguards designed to protect the data GBG is collecting and processing, when it is being collected, stored, and transmitted.

Who will we receive your personal data from and who will we share your personal data with and why?

As explained above under "What do we do", we receive personal data about you directly, or from our customers and data suppliers. We also send your personal data to our customers and data suppliers, where there is a lawful reason, to do so in order to provide our products and services.

GBG Customers

We offer our products services to public and private organisations worldwide. These include:

Sector	Examples
Financial Services	Banks, insurance providers, debt management companies
eCommerce	Retail (online shopping), online commerce platforms
Gaming	Online gaming
Consumer Directories	Travel and leisure, media
Public Sector	Law enforcement, local government, education bodies
Utilities	Gas, electricity, water suppliers and switching/price comparison sites

GBG Data Suppliers

We work with a number of trusted data suppliers. These include:

Data Supplier	Further information
Government / Public Authorities	These bodies include authorities that provide driving licence information, passport information, citizen identification number, social security number, insolvency records (also in publicly available) or sanctions lists (also in publicly available). Examples of this include: The Electoral Roll collected by local electoral offices and distributed by Credit Reference Agencies Insolvency data is provided by 3 Government Sources: The Insolvency Service – England & Wales, Department for the Economy – Northern Ireland, AIB – Scotland Land Registry who provide Price Paid Data and Home Ownership searches. DVLA – driving licence checks
Regulated Financial Services Organisations / Firms	These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address. Credit reference agencies (CRAs) play a key role in the UK’s financial ecosystem. There are 3 CRAs in the UK: Equifax, Experian and TransUnion. They each provide us/you with a copy of the “CRAIN”, Credit Reference Agency Information Notice.
Other Regulated Organisations / Firms	These entities provide personal data which can help to verify, reduce fraud or contact you, for example you have made a choice whether or not your landline is included in the public telephone directory. In the UK, BT Wholesale Directory Services deliver this. It is known as “OSIS”, which is the abbreviation for Operator Services Information System. Data is collected from multiple providers to create this central database of publicly available phone numbers. A Mobile Network Operator would also be another example of a regulated organisation.
Commercial Organisations	These entities provide your contact details, such as name, address, telephone number or email address, which we can then use to meet the request you have made to one of our Customers.
Customer Data	These customer entities have informed individuals that data will be provided to GBG to protect them against fraud, by generating risk scores or creating fraud and/or identity alerts, insights and reports.
Publicly available, collected by a third party organisation or GBG	These entities provide information about insolvency records, property information, sanction lists, PEPs information. Examples of this include County Court Judgements (CCJs) from the Registry Trust.
Non personal / address data	These entities provide information about deceased records, geocodes, co-ordinates, postcodes or zipcodes.

We may also disclose your personal data to the following categories of recipients:

to our group companies, third party services providers and partners who provide data processing services to us, or who otherwise process personal information for purposes that are described in this privacy notice;
to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger, acquisition, restructuring or insolvency of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this privacy notice.

How long do we retain your data for in our Products and Services?

We retain personal information we collect from you, our customers and data suppliers for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering), or for the duration that is set by our customers, which we do not control. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

Once the respective purpose ceases to apply, we will either delete or anonymise the personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

As explained above in the section “What do we do”, GBG access personal data in 2 ways. When we access personal data via a web service, our data suppliers hold the database therefore GBG does not see or have any control over this, other than via our GBG Audit Trail which we explain below.

We also receive personal data which we host a copy of. At the point of collection, you will have been advised how long your personal data will be held for, which will be different to the retention period GBG state below.

A ‘data refresh’ is how often GBG get a copy of the personal data. The data supplier may provide GBG with a complete refresh, which is a new copy of the entire file. Some data suppliers only provide updates to a file (e.g. new records, updates to existing records or a request to delete records). GBG then apply these updates to a master file we hold. What this means is whilst GBG gets a new copy of the data, this database may contain much of the same data we have previously received. This explains why the data refresh is different to GBG’s data retention period.

	Data Refresh	GBG Data Retention Period	Further Information
GBG Audit Trail	Daily	12 months	GBG retain a copy of your personal data for a period of twelve (12) months to enable GBG to respond when an individual wishes to exercise a data subject right.
Full Electoral Roll	Monthly	From 1992 The retention period will increase each year, up to 80 years. This will then be maintained at 80 years. Customer access is restricted for 6 years, with the opportunity to view earlier data providing they have a justification.	This data is governed by the Representation of the People Act, therefore can only be used by our public sector/law enforcement customers.
Open Register	Monthly	From 2003 The retention period will increase each year, up to 80 years. This will then be maintained at 80 years. Customer access is restricted for 6 years, with the opportunity to view earlier data providing they have a justification.	Also known as the Edited Electoral Roll.
Insolvency Data	Weekly	6 years	We receive data from 3 sources: England and Wales, Scotland and Northern Ireland. They each send GBG any new records, amended records or records they would like us to delete. We then apply this to a copy of the database we hold.
Postcode Address File (PAF)	Daily	Variable GBG receives daily updates of PAF, which we hold for 2 weeks but we apply this to a copy of the database we hold where an address is retained for as Royal Mail keeps it on their master database (i.e. for as long as the property exists).	PAF is address data provided by Royal Mail
BT OSIS (UK Telephone Number Database)	6 days a week	Variable GBG receive updates of any new records, amended records or any records we need to delete and we hold these update files for 2 weeks. We apply the updates to a master database, so you will stay on this until BT ask us to remove you, which is typically when you cease having a landline telephone number.	You may know this as the BT Phonebook. GBG must refer to it by its name as dictated by our licence.
Commercial Data	Weekly or Monthly	2 Months	GBG receive a full refresh of the data each month, but may receive a weekly update asking us to remove a record if an individual has exercised one of their data subject rights to our data supplier.
GBG Data	Daily	12 Months	GBG retain a copy of your personal data for a period of twelve (12) months.
GBG Consortium Fraud Networks	Daily	Up to 10 years	It depends on the consortium fraud network as to the retention and how often you engage with GBG or one of our customers to update this.

If you have questions about or need further information concerning how long we keep your personal data for, please contact us using the contact details provided below.

Transfers outside of the UK and European Economic Area (EEA)

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.

Our group companies, data suppliers, customers and third party providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this privacy notice.

Where appropriate, these include implementing the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement for international data transfers between our group companies, which require all group companies to protect UK and EEA personal data in accordance with UK and European Union data protection law.

We have implemented similar appropriate safeguards with our data suppliers, customers and third party providers and partners.

Your rights under the GDPR

As an individual, you have rights under the GDPR regarding the use of your personal data, these are:

The right to withdraw consent – you can withdraw consent at any time.
The right to erasure – you can request that GBG remove your personal data from our systems.
The right to restrict processing – you can request that GBG only process your personal data for the purposes you specify.
The right to data portability – you can request that the personal data you have provided to GBG be ported to another organisation.
The right to access your personal data – You have a right to know what personal data GBG hold on you and for what purpose we are processing your personal data. This is known as a Subject Access Request (SAR).
The right to rectification – you have the right to ask us to rectify any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to object to processing – you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.
The right to obtain information upon request on the balancing test we have carried out when determining we are able to rely on legitimate interest as our lawful basis for processing your personal data.

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds under the GDPR is satisfied.

You can make a request to us directly by completing this form.

Alternatively, you can send these requests by post to:

Privacy & Data Compliance Team
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom

Or you can make a request in person or call +44 (0) 161 909 6713.

You are not required to pay any charge for exercising your rights. We have one calendar month to respond to you. If GBG are unable to comply with your request, we will provide you with an explanation.

How to contact us if you're not happy

We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by GBG then please use this form, alternatively please write to us at:

Privacy & Data Compliance Team
GB Group Plc
The foundation
Herons Way
Chester Business Park
Chester
CH4 9GB
United Kingdom

GBG will investigate and aim to respond within 10 working days, this allows us time to investigate your complaint thoroughly.

Your right to lodge a complaint with the Supervisory Authority

Where you believe that GBG has not taken our responsibilities with your personal data seriously, you have the right to complain to a Supervisory Authority. In the UK, GBG's regulator is:

The Information Commissioner's office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone number: 0303 123 113 or 01625 545 745

Email: casework@ico.org.uk

Products and Services Privacy Policy