Applicant Privacy Disclosures and Consent Requirements
To use Sumsub services, clients must ensure that applicants are properly informed about how their personal data will be processed (including, where Sumsub acts as an independent controller, by Sumsub) and, where the law so requires, explicitly consent to such processing before any verification checks are initiated. This is achieved by displaying certain texts containing privacy disclosures and consents (together “Consents”) to the applicants before their personal data is transferred to Sumsub.
For SDK integrations, Sumsub handles the collection of Consents automatically. For API integrations, clients are responsible for collecting Consents and recording the fact of their acceptance by every applicant, since Sumsub has no technical control over the relevant UI.
ImportantFailure to implement consents as described in this article will be considered a material breach of your contract with Sumsub, since it may cause both Sumsub and your company to be in non-compliance with applicable privacy regulations.
Sumsub reserves the right to terminate or suspend access to its services in case of such failure, and all damages incurred by Sumsub in connection with the failure will be claimed as per the respective contract.
When Consents must be accepted
Consents must be accepted by the applicant before Sumsub receives any of their personal data, including but not limited to:
- Personal information (for instance, name, date of birth, address, email, IP address)
- Identity documents
- Biometric data (for instance, selfies, facial images, video recordings)
For integrations using the Sumsub SDK, Consent collection is handled automatically as part of the verification flow.
For API integrations, clients must ensure that Consents are collected before any applicant data is submitted to Sumsub.
What must be shown to applicant
Before starting the verification process, clients must present the applicant with the required Consents. Specifically, the applicant must see the following text:
By submitting my personal data,
- I acknowledge that it will be processed as described in the Sumsub Notice of Personal Data Processing;
- Applicable to US residents only: I additionally consent to the processing of my biometric information and biometric identifiers as described in the Sumsub Biometrics Processing Consent.
Notice of Personal Data Processing and Biometrics Processing Consent must be implemented as links.
The applicant must take a clear affirmative action (for example, clicking a button) to confirm acceptance.
Clients are responsible for ensuring that:
- The text is clearly visible and understandable.
- The applicant has the opportunity to review it before accepting.
- The acceptance is recorded.
For API integrations, this must be implemented on the client side.
ImportantThe consents defined above address Sumsub's own processing and are not intended to satisfy the client's transparency or consent obligations under applicable data protection laws. In particular, they do not cover any consent the client may require for its own processing activities, including consent to process special category data such as biometric data under Article 9 GDPR.
Where such consent is required, the client must obtain it independently through its own integration or by using Sumsub’s SDK custom consent features.
Recording acceptance of Consents
Clients must be able to demonstrate that all the required Consents were accepted by every applicant. This includes:
- Confirmation of acceptance of Consents
- Timestamp of acceptance
- IP address (or another identifier allowing Sumsub to associate the applicant with the relevant verification record in its dashboard) of the accepting applicant
Depending on your integration, Consents logs can be:
- Collected and recorded automatically via Sumsub SDKs (handled by Sumsub).
- Collected on your side and recorded via API (client must collect and send).
Technical implementation
For details on how to record acceptance of Consents using the API, refer to:
- Add accepted applicant consents — submit externally collected Consents.
- Get applicant-facing consents — retrieve the Consents history for audit purposes.
This section explains how to:
- Submit externally collected Consents.
- Retrieve Consents history for audit purposes.
Updated about 8 hours ago