Privacy Policy



Shufti Pro Limited (“Shufti Pro”, “us”, “our” and/or “we”) aims to bring global businesses on board in a way that complies with all the legal and regulatory obligations, making the virtual marketplace a secure and safe environment. This Privacy Policy (the “Policy”) describes our privacy practices concerning information collected in connection with global identity and verification business of Shufti Pro that uses your information to support its customers with their business needs (the “Services”).

All the information we acquire from our clients, end-users and/or website visitors is only used to help us with the provision of the said Services.

This Privacy Policy is intended to help you comprehend what information we collect from our clients, end-users and/or website visitors (“you” and/or “your”), how do we use that information, and when do we use it, in order to provide our trusted Services. Our role does not just go as far as information collection, we are also committed to ensuring the security and privacy of the collected data.

Our Cookie Policy is mentioned as a separate section towards the end of this Privacy Policy.




When you browse our website (, we collect the Internet Protocol (IP) address of the device you are using, cookies (small files that we embed on your computer, only if you consent to it) to enable our systems to recognize your browser and capture and retain certain information. We collect this data so that we can identify why our visitors are dropping out of the website and to identify areas of improvement to make the experience more engaging for you.

If you choose to communicate with us via chat or our instant messaging pop-up, we will collect your name and your email, as well as the logs of your chat. We only use this information to respond to your message or to inform you about our products and Services.

If you choose to contact via the contact forms on our website, we may collect your name, email address, contact number, company name, industry information, and any free text field information you choose to include. At the completion of this contact form, your IP address is no longer anonymous, and we will be able to identify you by a combination of your IP address and contact information.

If you choose to subscribe to our newsletter, we will collect your email. Newsletters may be sent upto twice every week with highlights and news about our services and related industry. You may unsubscribe from the newsletter at any time by updating your email preferences using the ‘UNSUBSCRIBE’ link in our email footers, or by sending an email to [email protected] with the subject line ‘UNSUBSCRIBE’ from the email address you wish to unsubscribe.

If you contact us through a third-party website or platform (such as LinkedIn), we collect your name, job title, company name and business email address.




The end-users are our client’s customers whose documents we authenticate and run against AML lists and databases to verify their identity. Depending on the type of verification process selected (onsite or offsite), we either collect end-user’s verification data from the clients or the end-users themselves.




Our clients are enterprises, companies, institutions, and businesses that have opted for our Services. The information we collect from clients include, any or all of, their full name, company email, phone number, company name, company website, country, verification volume, industry, and any other information required to set up their accounts with reference to the Services they select and the end-users they intend to verify.

Depending on the type of verification process selected (onsite or offsite), the data is collected directly from the end-users or the clients; clients in turn take the end-user’s information in the form of image and/or video proofs from the end-users and pass this data to us via our API. In case the clients do not provide certain information required for the selected Services, the missing information is collected from the end-users’ identity documents via OCR technology.




Shufti Pro’s identity verification process describes what information we collect, how we collect it, and when we collect it. We require particular information from the end-users or clients (depending on whether it is an on-site or off-site verification) in order to perform Services.

The data includes, but is not limited to, the images and/or videos of the end-user’s identity documents (e.g. passport, ID card, or driving license), their biometric facial identifiers (e.g. face images and/or videos), and the textual information that is either extracted directly from the end-user’s identity particulars or is provided by the end-user at each step of the verification process.




PII Data is collected by us which includes name, contact information (email ID and/or phone number), date of birth and/or any other information required to perform the verification checks chosen by our client.

For instance, if the client selects the face verification service, we will also collect the image (selfie) or video (short clip showing end-user’s face) proof from the end-user. In the event the client opts for document verification, we would require an image or video of the desired document. Similarly, if a client selects AML screening service, we require the end-user’s name and date of birth for running them against the AML databases, sanctions, and watch lists.

During or after the verification process, whether successful or unsuccessful, we may collect/use your personal data including, without limitation, your name and/or email address for rating or review of your experience with us of our website and/or Services through use of a third-party platform (to name a few; Trustpilot, LinkedIn, Google Maps, Twitter, Facebook, Instagram, etc.)




  1. A verification request is Accepted

If the end-user passes all of the checks pre-set by the client, the verification request status becomes Accepted. Shufti Pro then sends these results to the client through the API. The results are also available to the client in the back-office management system, along with complete verification details (e.g. end-user’s personal information, image and/or video proofs, any .pdf reports, and AML results). The end-user is also shown the verification status after the process is completed.

  1. A verification request is Declined

In cases where the end-user is not verified and the verification status is Declined, we send these results to the client through the API, as well as the back-office management system. The results show which checks the end-user passed and at which check they failed. The verification ends at the failed check. The complete verification details (e.g. end-user’s personal information, image and/or video proofs, any .pdf reports, and AML results) are available to the client in the back-office management system. The end-user is also shown the verification status after the process is completed.




In general, we share the personal and anonymized information we collect in connection with the Services as detailed below:

  1. We share the personal and anonymized information that we collect with you and to such other parties as instructed and agreed with you.
  2. We also use third-party service providers to help us deliver, manage, and constantly improve our Services. These service providers may collect and/or use your personal information or anonymized information to assist us in achieving the purposes stated.
  3. We may also share your personal information with other third parties when necessary to fulfil your requests for services; to complete a transaction that you initiate, to meet the terms of any agreement that you have with us or our partners, etc.
  4. We partner with certain other third parties to collect anonymized information and engage in analysis, auditing, research, and reporting.
  5. We may also use or share your personal information with third parties when we have reason to believe that doing so is necessary; to comply with applicable law or a court order, subpoena, or other legal process; to investigate, prevent, or take action regarding illegal activities; suspected fraud, violations of our terms and conditions, or situations involving threats to our property or the property or physical safety of any person or third party; to establish, protect, or exercise our legal rights or defend against legal claims; or to facilitate the financing, securitization, insuring, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.




From time to time, we may also share anonymized and aggregated information about client and end-users of the Services (such as by publishing a report on trends in the usage of the Services).




Shufti Pro makes use of the information collected, processed, and stored during any and each step of the identity verification process in order to verify end-users for a legitimate purpose. We ensure that the client’s business is completely legal and the information collection and usage is aligned with the end-user’s absolute consent. Our process is completely transparent and the end-user is informed which of their information will be used and for what purpose. Only once the end-user consents to the process, we start verifying their identity.




  1. Training our machines to learn algorithms to: verify the authenticity of new documents, recognize the text present on them and extract it, match that text using template matching techniques and recognize if the document is original, or counterfeit, forged, photo-shopped, photocopied, or tampered with.
  2. The purposes of computer vision and machine learning techniques, we continually train our artificial intelligence systems to recognize and verify a wider range of identity documents from around the globe.
  3. Preventing fraudulent use of Services. Whenever a fraudulent user uses the Services, we make sure that we store the documents and images they presented in our databases.
  4. Training our human intelligence officers to effectively be a part of the identity verification process.




We may disclose the information provided by you (end-user or client) to any member of our group of companies (which means our subsidiaries, our ultimate holding company, and all its subsidiaries) or third party service providers insofar as reasonably necessary for the purposes set out in this policy.

With respect to end-user personal information (including any images, videos, sensitive data, etc.), the client may require Shufti Pro to collect, use, disclose, or otherwise process data in ways that differ from those described in this Privacy Policy. Some features of the Services may be immobilized or changed by our client. In order to completely comprehend the handling of end-user private information while using our Services, the end-user must also review the privacy policy of the respective client.

We have facilities and staff in different countries around the world and as a result, personal information may be transferred to them or accessed from those locations. We take all the necessary actions to ensure the security of your personal information when transferred across borders.

The end-user’s personal information may travel outside the European Economic Area (EEA) for the purposes of human intelligence checks that serve as an essential part of the identity verification process. This data may be seen and processed, but not stored anywhere outside the EEA. We provide our clients with an option to forego the human intelligence checks, relying solely on the results detected and compiled by the artificial intelligence system. We have our office in the United Kingdom and provide services in 150+ countries. The hosting facility for our website is situated within EEA.

We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice, and/or managing legal disputes.

Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We will share transaction data with our payment services provider(s) only to the extent necessary for the purposes of processing your payments. You can find further information about the privacy policies and practices of Stripe at




Shufti Pro acquires and stores the information provided by its clients and end-users for rendering Services. Being a data processor of thousands of users comes with certain responsibility on our part. For this reason, our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Please see the below outlined terms:

  1. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  2. We will retain and delete your personal data as follows:
    • End-user data category shall be retained or deleted according to the instructions provided by our client (data controller); kindly refer to the Request Form–Data Deletion (link given at the end of this Policy).
    • Personal data of our clients or their customers (end-users) shared with us shall be retained for a period of two (2) years following which it may be deleted from our system.
  3. If no instructions are provided by the data controller, we will determine the period of retention based on the following criteria:
    • The period of retention of your personal information including any data, images, videos and/or private information will be determined based on the applicable data protection laws and the need for their presence in our system owing to any legal reasons or for the betterment of our website or services.
  4. Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.




Shufti Pro ensures data security through adequate measures to minimize the likelihood of data breaches, whether pre-emptive or not. Data breaches and protection of data itself comes under the wider umbrella of the data lifecycle.

Additionally, observing the GDPR regulations, secure auditory practices are carried out to ensure standardized operations and encryption practices. New techniques are continually implemented in order to keep our data security ahead of the curve.

Compliance of some of our Services with the Payment Card Industry Data Security Standard (PCI DSS) is in itself an evidence that we are doing our very best to keep our customers’ valuable information safe & secure and out of the hands of people who may fraudulently use that data. PCI DSS ensures technical and operational strengths to raise the bar on our security.




If you would like to access any personal information we hold about you, you may request us for the same by filling out our Request Form – Data Subject Access (link given at the end of this Policy) and return it to our Data Protection Officer as instructed therein. The provision of such information will be subject to the supply of appropriate evidence of your identity.

We may withhold personal information that you request to the extent permitted by law. In addition, you may request us, at any time, to not process your personal information. In practice, our clients will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide clients with an opportunity to opt out of the use of their personal information for marketing purposes.

Pursuant to your written request we shall also remove your personal data from our systems in line with the principle of ‘the right to be forgotten’.

For more information on how we safeguard your rights, please read the ‘Data Protection and Security Policy’ (link given at the end of this Policy).

In case of any query or concern, voice your thoughts at [email protected].




Our Services are not directed to children under the age of sixteen (16), and we will never knowingly collect personal or other information from anyone we know is under such age. We record an express declaration from anyone using our verification service that they are above such age at the time we acquire their personal information.




We may be required to make changes to the Services in the future in view of changing technology or services. Whenever we revise the Policy, the new version will be available on the homepage of our website ( In case of any significant material change to our privacy practices, an appropriate notice will be provided to our clients.




Albeit regrettable, we appreciate that there could be lapses. We take all complaints seriously and can assure you that we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by us then please write to us at [email protected].

We will investigate and respond within ten (10) working days. This allows us time to investigate your complaint thoroughly.




We use first party cookies (cookies set directly by us) as well as third party cookies (as described below). We may also use pixel tags (usually in combination with cookies) from the third parties described below to get information about your usage of our website and services, and your interaction with us through email or other communications. We do not use cookies to identify you personally but to gain useful knowledge about how our website and services are used so we can keep improving it for our clients and end-users. Please note that if you limit the ability of websites to use cookies, you may be unable to access certain parts of our website and may not be able to benefit from its full functionality.

Shufti Pro may utilise the following cookies and other technologies:

Strictly Necessary

    1. MouseFlow         


Google Analytics  


Shufti Pro may utilise the following cookies and other technologies:

Strictly Necessary

    1. MouseFlow
    2. SmartLook 


Google Analytics