Privacy Policy

GBG PLC (‘GBG’) acquired Verifi Identity Services (‘Verifi’) in 2022. Verifi is the owner of the identity verification software Cloudcheck.

This Privacy Policy explains to you how GB Group plc and its group companies including Verifi (jointly referred to as 'GBG') collect, hold, use and disclose (‘process’) your personal information:

  • whilst you are using the Verifi website www.gbg-cloudcheck.com
  • in connection with our products and services.

GBG take the protection and security of your personal information very seriously and this policy sets out our responsibilities under the Privacy Act 2020 (‘New Zealand Privacy Act’) and the Australian Privacy Act (1988) (‘Australian Privacy Act”), and other applicable laws relating to the processing and security of personal information. We refer to the New Zealand Information Privacy Principles as the IPPs and the Australian Privacy Principles as the APPs. Together we refer to the New Zealand Privacy Act and Australian Privacy Act as ‘the applicable data protection laws’. Where your personal information is transferred overseas, it will be treated in accordance with New Zealand and Australian laws at a minimum.

GBG has offices in 22 locations, and our registered head office is located within the United Kingdom.

GB Group Plc, The Foundation, Herons Way, Chester Business Park, Chester, United Kingdom CH4 9GB

Company Registration Number: 02415211

If you have any questions about how your personal information is used by GBG, please  email us at support@verifidentity.com or call  +64 9 953 8333 . For more detailed information about GBG, please visit our website at www.gbgplc.com .

GBG review our Privacy Policy on an annual basis, sooner if changes to regulation require it or GBG change the way we process personal information.

This policy was last updated on 15 February 2023

Verifi Identity Services Limited is a registered New Zealand business NZBN 9429030806313.

Cookies and Statistical Information

We collect statistical information about visitors to our websites such as the number of visitors, pages viewed, types of transactions conducted, time online and documents downloaded. This information is used to evaluate and improve the performance of our websites. Other than statistical information, we do not collect any information about you through our website unless you provide the information to us.

You should also be aware that we use cookies on our websites. A cookie is a small amount of data, which often includes a unique identification number or value that is sent to your browser from a website's computer and stored on your computer's hard drive. Each website can send its own cookies to your browser if your browser allows it. However, to protect your privacy, your browser only allows a website to access the cookies it has sent to your computer.

When cookies are used on our websites, they are used to collect the statistical information referred to above in addition to allowing you to access your account online. When you access your account on-line a cookie will be created which uniquely identifies your computer and your username and password. This means that you do not have to re-enter those details each time you want to access your account online.

Most internet browsers are set up to accept cookies. If you do not wish to receive cookies, you may be able to change the settings of your browser to refuse all cookies or to have your computer notify you each time a cookie is sent to it, and thereby give yourself the choice whether to accept it or not. If you reject all cookies, you will be unable to access your account online. You can also delete cookies from your computer after they have been created.

Cloudcheck

Cloudcheck is an electronic identity verification tool that performs identity using biometric checks, bank account details, document fraud checks, Australian, New Zealand and international data sources and global watchlists.

What personal information does Cloudcheck collect and why?

GBG may collect information from you in the following circumstances:

  • As the representative of one of our business users
  • As the individual undertaking identity verification

Business users of Cloudcheck

In order to provide you with access to the product and to provide support to you under our contract with your organisation, GBG is required to collect the following information from you:

  • Email address
  • Telephone Number
  • Company registration details
  • Company ownership details
  • Reason for requiring the service
  • Compliance with the AU/NZ Privacy Acts
  • Location of staff & servers

How we use your personal information

We use these details in order to provide you with access to Cloudcheck and to retain appropriate audit logs of activity within the system. The above information will be held by GBG until the conclusion of the arrangements between the organisation and GBG, or until we are advised you no longer require access to the product.

Accuracy of your personal information

You can request an amendment to your personal information at any time by requesting your account manager to do so by emailing support@verifidentity.com

Individuals undertaking identity verification

GBG provides online identity verification and fraud detection solutions to businesses to assist them to onboard their customers. If you apply for a product or service with any of our customers, we will collect information about you (from you and/or from our customer) in order to verify your identity. In order to do this we will need to provide your information to our data partners to confirm your details.

To verify your identity, we are required to collect a variety of information from you including some or all of the following, your:

  • Name
  • Address
  • Birthdate
  • Identity document information
  • Email address
  • Mobile phone number
  • IP address
  • Device information
  • Images of your face and ID document

This information is processed by our products and you should refer to the relevant section of this privacy notice to understand any potential international transfers of your data.

You need not give us any of the personal information requested by GBG. However, without that information GBG will not be able to verify your identity to provide you with any other services, information or assistance you have sought.

How we use your personal information

The information requested in any identity verification transaction is required to enable us to provide a service to you and the reporting entity whom you are establishing a relationship with. That information, together with the information collected and maintained by GBG during the identity verification process, is used to provide the services to you and to audit the success of any such services.

Your information will be held for a period of time in order to support our customers onboarding processes. That timeframe is negotiated between GBG and it’s business users depending on their requirements.

Who will we share your data with and why?

We will always disclose your personal information and identify verification to our business users, with whom you apply for a product or service.

We will need to provide some of your personal information to the third-party service providers we use to help us provide our services e.g. credit reporting bodies, government agencies, external data storage providers etc. We may also disclose your personal information to our affiliates and related companies in order to undertake our normal business practices.

If we provide your personal information to any of these entities, we will always require them to manage it in accordance with the relevant data protection laws. We may also provide your information to third parties if we are required to do so by law or under some unusual circumstances which are permitted under the Privacy Act 2020 in New Zealand and Privacy Act 1988 in Australia.

Accuracy of your personal information

The information that GBG holds on you is a record of an identity verification at a point in time. Whilst it is unlikely we would amend that information, should you have any queries in relation to that data you can email us support@verifidentity.com

We may pass any correction request to our customer or such other third party which collected the information from you.

International Transfers of personal data

In some circumstances there may be an international transfer of your personal data. This may occur where our data partners are located overseas, and also where our internal business processes require an overseas transfer.

In accordance with the relevant data protection laws, your information will only be transferred to an overseas entity where that entity is either:

- Subject to comparable data protection laws; or

- We have an arrangement in place that requires the recipient to provide an adequate level of protection to your information.

Data Retention

GBG maintains records of all transactions made through the identity verification process, including the sources used to verify your identity and whether the verification was successful. GBG will retain information it receives from customers and business users for a period of 7 days for auditing and error checking purposes. Following this 7-day period, GBG will automatically and securely remove the data from its systems.

IDscan

GBG’s customers access IDscan products and services to prevent and detect fraud. Using a combination of automated document recognition, digital tampering detection, advanced face-matching technologies and real-time online support from trained document examiners, our clients are able to on-board individuals while improving customer experience, fighting fraud and meeting compliance obligations.

What personal information GBG holds and why

IDscan obtains a copy of your identification document. Where GBG provides a hosted cloud storage solution to our clients, we hold your identity documents (IDs). We hold this data in order to provide our services, including storage, support and maintenance.

We also require sample documents to train and test our document recognition engine, so that we can improve our ability to recognise, extract from, validate and authenticate our customers’ documents. Where our customer has agreed to it, a copy of your ID or proof of address document might be provided to GBG to train the IDscan document recognition engine to recognise underperforming or unrecognised documents. The nature of the documents means that they include personal information such as photograph, name, address and date of birth. This information cannot be anonymised or pseudonymised without compromising the ability to train and test GBG’s document recognition engine. Our aim is to be fully transparent, which is why we suggest our Australian and New Zealand customers include a link to this Privacy Policy in their own notices so that individuals are informed of GBG’s involvement as part of the service we provide and so that individuals may exercise their rights under the Privacy Acts.

Purpose and legal basis for processing

Our purposes for processing your data in connection with IDscan are: (i) to provide support services to our clients who use IDscan to verify your identity and to conduct maintenance and testing of our IDscan systems (in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose); and (ii) to train the IDscan document recognition engine to recognise underperforming or unrecognised documents (with your consent).  

International Transfers

For our New Zealand customers, IDscan is hosted from Australia. For any New Zealand customers there will be a data transfer from New Zealand to Australia of personal information. PII from our New Zealand customers will generally be stored in Australia, unless product support is required.

If product support is required, this will be provided by our team based in the United Kingdom and Malaysia and our technical and support teams in Turkey. Should they be required to access or view any identification documents, this is considered to be a transfer of data to the United Kingdom, Malaysia or Turkey in order to facilitate that support.

Where there is an international data transfer to our Australian, United Kingdom, Malaysian or Turkey offices, your personal information will be handled in accordance with the relevant data protection laws (at a minimum) in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information.

Data retention

IDs captured by GBG IDscan will be retained until the earlier of the following events occurs (the ‘Retention Period’):

the ID is no longer in circulation and is no longer accepted as a valid identification document; orwe no longer need it for any purpose for which it may be used or disclosed by us in accordance with the APPs or IPPs (as applicable), or for such longer period as may be required under any applicable law.

At the end of the Retention Period, we will take reasonable steps to destroy or de-identify the ID.

Your rights under Australian and New Zealand Privacy Laws

As an individual, you have rights regarding the processing of your personal information, these are:

  • The right to transparency – you have the right to know why your personal information is being collected, how it will be used and who it will be disclosed to. 
  • The right of anonymity/pseudonymity – you have the right not to identify yourself, or the right to use a pseudonym in certain circumstances if the Australian Privacy Act applies.
  • The right to access your personal information – you have a right to know what personal information GBG hold on you.
  • The right to opt out – you have the right to stop receiving unwanted direct marketing.
  • The right to correction – you have the right to ask us to correct any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to complain about a breach by us of the applicable Privacy Act if you think we’ve mishandled your personal information (see ‘How to contact us if you’re not happy’ and ‘Your right to lodge a complaint with the Supervisory Authority’ below).

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds set out in the applicable Privacy Act is satisfied.

You can send these requests to support@verifidentity.com or by calling us on:

New Zealand: 0800 2VERIFI (0800 283743)

Australia: 1300 849 290

International / NZ: +64 9 953 8333

We will always aim to provide you with access within 30 days (if the Australian Privacy Act applies) or within 20 working days (if the New Zealand Privacy Act applies) but in some cases, it may take longer. If GBG are unable to comply with your request, we will provide you with an explanation.

There is no fee for requesting access to your information, although GBG may charge you the reasonable cost of processing your request.

How to contact us if you're not happy

We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal information is used by GBG then please write to us at support@verifidentity.com

GBG will investigate and respond within 10 working days of receipt of your complaint. This allows us time to investigate your complaint thoroughly. 

Your right to lodge a complaint with the Supervisory Authority

Where you believe that GBG have not taken our responsibilities with your personal information seriously, you have the right to complain to the applicable Supervisory Authority. We ask that you first raise your concerns with us and give us 30 days to satisfactorily resolve your complaint as required by the New Zealand Privacy Act/IPPs. Should we be unable to resolve in the first instance, you can then escalate to the Supervisory Authority as follows:

Office of the Privacy Commissioner, PO Box 10094, Wellington 6143, New Zealand 

Telephone number: 0800 803 909

Email: enquiries@privacy.org.nz

Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW 2001, Australia

Telephone number: 1300 363 992

Email: enquiries@oaic.gov.au