Who We Are
VerifyFlow Ltd is a company registered in England and Wales (Company Number: 15847293), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
We are registered with the Information Commissioner's Office (ICO) under registration number ZB648371. VerifyFlow operates as a data controller in respect of our platform users (regulated firms and their employees) and as a data processor on behalf of our clients in respect of individuals undergoing identity verification.
VerifyFlow provides Know Your Customer (KYC), Anti-Money Laundering (AML), and identity verification services to UK regulated firms, including accountants, trust or company service providers (TCSPs), and other entities subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended).
Important Notice
Where our clients use VerifyFlow to verify the identity of their customers (data subjects), the client acts as the data controller and VerifyFlow acts as the data processor. The terms of processing are governed by our Data Processing Agreement.
Data We Collect
We collect and process the following categories of personal data depending on your relationship with VerifyFlow:
Identity Documents
Passport images, driving licence images, national identity card images, and other government-issued identity documents submitted for verification. These documents contain data including full name, date of birth, nationality, document number, expiry date, issuing authority, and Machine Readable Zone (MRZ) data.
Biometric Data
Facial photographs submitted for biometric face matching and liveness detection. We extract facial feature descriptors (numerical vectors) solely for the purpose of comparing the live selfie against the document photograph. These descriptors are classified as special category data under UK GDPR Article 9.
Biometric Data Notice
Facial feature descriptors are generated in-memory during the verification process and are deleted immediately upon completion of the face match. We do not retain biometric templates, faceprints, or any derived biometric data beyond the instant of comparison.
Personal Details
Full name, email address, phone number, residential address, date of birth, and nationality as provided during account registration or the verification process. For individuals undergoing verification, this may also include Companies House officer data (publicly available).
Screening Data
Results of PEP (Politically Exposed Persons) checks against HMT, UN, EU, and OFAC sanctions lists. AML screening results and risk assessment scores. Adverse media search results where applicable.
Usage & Technical Data
IP address, browser type and version, device information, pages visited, timestamps of access, referral URLs, and API request metadata. We collect this data to maintain the security and performance of our platform and to detect fraudulent activity.
Account Data
For platform users (our direct customers): organisation name, billing address, payment method details (processed by Stripe; we do not store full card numbers), account preferences, team member details, and API key usage logs.
How We Use Your Data
Identity Verification
We process identity documents and biometric data to verify the identity of individuals on behalf of our clients. This includes optical character recognition (OCR) of document text, MRZ parsing and validation, document authenticity and fraud detection, facial comparison between a live selfie and the document photograph, and liveness detection to prevent spoofing attacks.
Compliance Screening
We screen individuals against international sanctions lists (HMT, UN, EU, OFAC) and PEP databases to help our clients fulfil their obligations under the Money Laundering Regulations 2017. Screening results are combined with verification outcomes to generate risk assessments and Customer Due Diligence (CDD) level recommendations.
Regulatory Compliance
We generate evidence packs containing a cryptographically signed audit trail of each verification. These packs include the verification outcome, timestamps, consent records, document metadata (not the raw images after the retention period), and a SHA-256 integrity hash. Evidence packs enable our clients to demonstrate compliance to regulators and auditors.
Ongoing Monitoring
Where enabled by our clients, we perform daily re-screening of verified individuals against updated sanctions and PEP lists. We monitor document expiry dates and alert our clients when re-verification may be required.
Platform Operation & Improvement
We use aggregated, anonymised usage data to improve the accuracy of our verification engine, monitor platform performance, detect and prevent abuse, and develop new features. We do not use personal data for automated profiling or marketing purposes.
Legal Basis for Processing
We process personal data under the following legal bases as defined in UK GDPR Article 6(1):
Performance of a Contract (Article 6(1)(b))
Processing of account data and usage data is necessary for the performance of our contract with our clients (regulated firms). This includes providing the verification service, managing subscriptions, generating reports, and delivering API access.
Legal Obligation (Article 6(1)(c))
Our clients are legally required to perform customer due diligence under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. We process personal data as necessary to assist our clients in meeting these statutory obligations. We are also required to maintain certain records and respond to lawful requests from law enforcement and regulatory authorities.
Legitimate Interest (Article 6(1)(f))
We rely on legitimate interest for processing usage and technical data to maintain platform security, detect fraud, prevent abuse of our services, and improve our verification accuracy. We have conducted a Legitimate Interest Assessment (LIA), which concluded that these processing activities are proportionate and do not override the data subjects' rights and freedoms.
Explicit Consent (Article 9(2)(a))
Biometric data (facial feature descriptors) constitutes special category data under UK GDPR Article 9. We process biometric data only where the data subject has provided explicit, informed, and freely given consent prior to the commencement of the verification process. Consent may be withdrawn at any time, although this may prevent the completion of the verification.
Consent Gate
Our platform enforces a technical consent gate: biometric processing cannot proceed unless explicit consent has been recorded. If consent is not provided or is withdrawn, the verification request is rejected with a 403 status and no biometric data is processed.
Data Sharing
We share personal data only where necessary and in accordance with the following principles. We never sell personal data to third parties.
Sub-Processors
We use a limited number of sub-processors to deliver our service. Each sub-processor is bound by a Data Processing Agreement that requires them to implement appropriate technical and organisational measures to protect personal data:
- Stripe, Inc. — Payment processing. Processes billing information under their own controllership for payment facilitation.
- Resend, Inc. — Transactional email delivery. Processes email addresses and message content for the purpose of sending verification invitations, reminders, and account notifications.
- Hetzner Online GmbH — Cloud infrastructure. Hosts our application servers and database within European data centres.
Our Clients (Regulated Firms)
Verification results, risk assessments, and evidence packs are shared with the client who initiated the verification request. Clients access this data through our dashboard or API in their capacity as data controllers.
Law Enforcement & Regulators
We may disclose personal data to law enforcement agencies, regulatory authorities, or courts where we are legally compelled to do so, or where disclosure is necessary to comply with a legal obligation. We will notify the affected data subject of such disclosure unless prohibited by law (for example, under a non-disclosure order).
No Data Sales
VerifyFlow does not sell, rent, lease, or trade personal data to any third party for marketing, advertising, or any other commercial purpose unrelated to the delivery of our verification services.
International Transfers
VerifyFlow is a UK-based company and our primary infrastructure is hosted within the European Economic Area. However, some of our sub-processors operate in jurisdictions outside the UK.
UK Adequacy Decisions
Where personal data is transferred to countries that have received an adequacy decision from the UK Secretary of State under Section 17A of the Data Protection Act 2018, no additional safeguards are required. The EU has been deemed adequate by the UK, and transfers within the EEA are therefore permitted.
Standard Contractual Clauses (SCCs)
Where data is transferred to jurisdictions without an adequacy decision (including the United States, for our payment processor Stripe and email provider Resend), we rely on the International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as approved by the ICO. We conduct Transfer Impact Assessments (TIAs) for each transfer to evaluate the level of protection in the recipient country.
Data Localisation
Identity document images, biometric data, and verification evidence packs are processed and stored exclusively on infrastructure located within the EEA. These categories of data are never transferred outside the EEA.
Data Retention
We apply the principle of data minimisation and retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention schedule is as follows:
| Data Category | Retention Period |
|---|---|
| Face descriptors (biometric) | Immediately deleted |
| Document images | 30 days |
| Selfie images | 30 days |
| Evidence packs | 6 years |
| Screening results | 6 years |
| Audit logs | 6 years |
| Account data | Duration of account + 2 years |
| Webhook delivery logs | 90 days |
Automated Retention Enforcement
Data retention is enforced automatically by a scheduled cron process that runs daily. Document and selfie images are cryptographically wiped after 30 days. Deletion is logged in the audit trail and cannot be reversed.
Your Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at privacy@verifyflow.uk. We will respond to your request within one calendar month.
Right of Access (Article 15)
You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to request a copy of that data. We will provide the data in a commonly used electronic format (JSON or CSV) free of charge.
Right to Rectification (Article 16)
You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. Note that verification results are immutable records of the check performed at a point in time; rectification applies to your contact and account information.
Right to Erasure (Article 17)
You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent. However, we may be required to retain certain data (such as evidence packs and audit logs) to comply with our legal obligations under the Money Laundering Regulations 2017.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit that data to another controller.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interest. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data where you contest its accuracy, where processing is unlawful, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of our legitimate grounds.
Rights Related to Automated Decision-Making (Article 22)
Our verification engine produces automated risk assessments and CDD level recommendations. However, no decision that produces legal or similarly significant effects is made solely by automated means. All high-risk or referred cases are subject to human review by a qualified compliance officer within the client organisation. You have the right to request human intervention, express your point of view, and contest any automated decision.
Right to Withdraw Consent
Where processing is based on consent (specifically, biometric data processing), you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent, contact us at privacy@verifyflow.uk.
Contact & Complaints
Data Protection Officer
If you have any questions about this Privacy Policy, our data processing practices, or wish to exercise your data protection rights, please contact our Data Protection Officer:
Name: Data Protection Officer
Email: dpo@verifyflow.uk
Post: VerifyFlow Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
We aim to respond to all data protection enquiries within 72 hours and to complete subject access requests within one calendar month.
Complaints to the ICO
If you are not satisfied with our response to your data protection enquiry, or if you believe that we are processing your personal data in a manner that is not compliant with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Organisation: Information Commissioner's Office
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated via email to all registered account holders at least 30 days before they take effect. The “Last updated” date at the top of this policy indicates when it was most recently revised.
