Effective Date: May 3rd, 2026
This Privacy Policy (the "Policy") sets out the manner in which Surt LLC, together with its affiliated entities (collectively, "Surt", "we", "us" or "our"), collects, uses, discloses and otherwise processes personal data in connection with the provision of its identity verification, fraud prevention and compliance services (the "Services").
Surt operates as a specialised provider of digital identity and risk intelligence solutions, including biometric identity verification, geolocation-based jurisdictional controls, device intelligence, and behavioural risk analysis. These services are typically deployed by Surt's business customers (the "Clients") within regulated environments, including financial services, iGaming, and ecommerce.
This Policy applies both to individuals who access or interact with Surt's website and to individuals whose personal data is processed through the Services in the context of identity verification or fraud prevention workflows carried out on behalf of Clients.
Surt operates under a dual capacity for the purposes of applicable data protection law.
In the majority of cases, Surt acts as a data processor, processing personal data on behalf of its Clients, who determine the purposes and means of the processing in connection with onboarding, identity verification, and regulatory compliance obligations.
However, Surt also acts as an independent data controller in relation to certain limited and strictly defined processing activities. These include, in particular, processing necessary to ensure the security, integrity and resilience of its platform, to detect and prevent fraud and abuse (including across multiple Clients), and to maintain and improve the effectiveness of its verification systems.
Where Surt acts as a controller, it determines the purposes and means of processing independently, in accordance with applicable law and subject to the safeguards described in this Policy.
Surt processes personal data strictly to the extent necessary to provide its Services and to fulfil the purposes described herein. The categories of data processed reflect the technical architecture of Surt's identity verification and risk intelligence systems.
Personal data processed may include identifying information such as name, date of birth, identification numbers, and copies of government-issued identification documents. In the context of identity verification, Surt processes audiovisual data, including photographs or video recordings, from which biometric templates may be derived, such as facial geometry used for identity matching and liveness detection.
Surt also processes contact and account-related data where required by Clients, as well as technical and device-related data, including device identifiers, operating system characteristics, browser configurations, and indicators of device integrity, such as evidence of rooting, jailbreaking, or emulator usage.
Given the nature of the Services, Surt processes geolocation and network data, which may include precise GPS coordinates, IP address-derived location data, Wi-Fi and cellular triangulation signals, and associated metadata used to verify jurisdictional compliance and detect location spoofing.
In addition, Surt processes behavioural and transactional signals, including usage patterns, session data, velocity indicators (such as detection of "impossible travel"), and indicators of coordinated or fraudulent activity across accounts or devices.
Where required, Surt also processes data obtained from authoritative databases and third-party verification providers for the purpose of validating identity attributes and detecting inconsistencies or fraudulent patterns.
Personal data processed by Surt is obtained through several channels. In most cases, the data is provided directly by individuals as part of an identity verification process initiated by a Client. Surt also receives data from its Clients, who integrate Surt's Services into their onboarding or compliance workflows.
Technical and behavioural data is collected automatically from the devices and systems used to access the Services, while additional validation data may be obtained from third-party verification providers, public or private databases, and risk intelligence partners.
Surt processes personal data for clearly defined and limited purposes, each supported by an appropriate legal basis under Regulation (EU) 2016/679 ("GDPR").
Where Surt acts as a processor, personal data is processed exclusively for the purpose of providing identity verification, authentication, and compliance services to Clients. In such cases, Surt acts on documented instructions from the Client, and the legal basis for processing is determined by the Client in its capacity as data controller.
Where Surt acts as an independent controller, personal data is processed for the purposes of ensuring the security and integrity of the Services, detecting and preventing fraud, abuse, and circumvention techniques, and maintaining the effectiveness and reliability of its verification systems. This includes, where necessary and proportionate, the analysis of signals across multiple Clients in order to identify patterns indicative of fraudulent behaviour, identity misuse, or coordinated abuse.
Such processing is based on Surt's legitimate interests pursuant to Article 6(1)(f) GDPR. These interests include the protection of its platform, the prevention of financial crime, and the safeguarding of Clients and end users. Surt has conducted a balancing assessment to ensure that such interests are not overridden by the rights and freedoms of individuals, and implements safeguards to ensure proportionality, data minimisation, and limited retention.
Processing of biometric data, including facial geometry and liveness detection data, is carried out solely for the purposes of identity verification and fraud prevention and is based on the explicit consent of the individual in accordance with Article 9(2)(a) GDPR. Such data is not used for unrelated purposes, profiling beyond identity assurance, or marketing activities.
In addition, Surt may process personal data where necessary to comply with applicable legal obligations, including obligations relating to anti-money laundering, fraud prevention, and regulatory compliance, in accordance with Article 6(1)(c) GDPR.
The Services involve the use of automated processing techniques, including algorithmic analysis, risk scoring, and pattern detection. These processes are designed to support Clients in making informed decisions regarding identity verification and fraud risk.
Surt does not, in its capacity as an independent controller, take decisions producing legal or similarly significant effects solely on the basis of automated processing. Final determinations in relation to user onboarding or account status are made by Clients or are subject to their oversight.
Personal data processed by Surt may be disclosed in a limited and controlled manner.
In its role as processor, Surt discloses personal data to Clients to enable them to fulfil their regulatory and compliance obligations. Surt also engages carefully selected service providers and subprocessors to support the delivery of its Services, including providers of hosting infrastructure, biometric verification technology, device intelligence, geolocation services, and data validation services.
Surt may also share data within its corporate group for internal administrative purposes, provided that such sharing is subject to appropriate safeguards and limited to what is necessary.
Disclosure may also occur where required by law, regulation, or legal process, or where necessary to establish, exercise, or defend legal claims, or to prevent fraud or other unlawful activity.
Given the global nature of Surt's operations and technology infrastructure, personal data may be transferred to jurisdictions outside the European Economic Area.
Where such transfers occur, Surt ensures that appropriate safeguards are in place in accordance with GDPR requirements. These safeguards include the use of Standard Contractual Clauses approved by the European Commission, supplemented where necessary by additional technical and organisational measures to ensure an equivalent level of data protection.
Surt retains personal data only for as long as necessary to fulfil the purposes for which it was collected.
Where Surt acts as a processor, retention periods are determined by the relevant Client and implemented in accordance with contractual arrangements. Where Surt acts as an independent controller, personal data may be retained for a period necessary to ensure platform integrity, prevent fraud, and comply with applicable legal obligations.
In particular, and where justified by regulatory or fraud prevention requirements, personal data may be retained for a period of up to five (5) years, unless a longer retention period is required by law.
Biometric data is subject to enhanced safeguards and is retained only for as long as strictly necessary for identity verification and fraud prevention purposes, after which it is securely deleted or anonymised.
Individuals whose personal data is processed by Surt have the rights provided under GDPR, including the right to access, rectify, or erase their personal data, the right to restrict or object to processing, and the right to data portability.
Where Surt processes personal data as a processor, individuals should direct their requests to the relevant Client acting as controller. Surt will assist Clients in responding to such requests where required.
Where Surt acts as an independent controller, individuals may exercise their rights directly against Surt by contacting us using the details provided below.
Surt implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risks associated with the processing of personal data. These measures include, among others, encryption, strict access controls, monitoring systems, and audit logging.
The Services are designed and operated in accordance with the principles of privacy by design and by default, ensuring that only data strictly necessary for the intended purposes is processed.
The Services are not intended for individuals under the age of eighteen (18), and Surt does not knowingly process personal data relating to minors.
Surt may update this Policy from time to time to reflect changes in legal, regulatory, or operational requirements. Any updates will be published on this page with an updated effective date.
Surt LLC
251 Little Falls Dr Wilmington, DE 19808,
United States of America
Data Protection Officer: Jorge Pascual
EU Representative: Philipp Tepel
Contact email: privacy@surt.com
Individuals have the right to lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement.