Biometric Checks Policy

Reviewed: 29 January 2026

At a glance

• We use biometric and liveness checks to verify identity as part of KYC/AML and fraud prevention.
• Biometric data is special category data under UK GDPR Article 9. We process it lawfully, minimise what we collect, keep it no longer than necessary, and secure it with encryption and access controls.
• Biometric capture is performed by vetted processors on our behalf; decisions are not solely automated—human review is available.
• Alternatives and reasonable adjustments are maybe offered In exceptional circumstances if you cannot complete biometric checks.
• Questions or rights requests: dpo@ukpostbox.com.

Purpose

This Policy explains how UK Postbox uses biometric technologies (e.g., liveness/selfie checks and document‑to‑face matching) to verify identities, deter fraud and meet legal obligations, while protecting individuals’ rights and freedoms.

Scope

• In scope processing: selfie/liveness capture, face‑template creation and matching to a government ID, presentation‑attack detection, and associated metadata (timestamps, device/network signals used for fraud control).
• Who is covered: applicants, individuals, authorised users, directors, beneficial owners, trustees, responsible persons, undergoing KYC.
• Systems/vendors: our approved KYC/biometric providers acting as processors under contract and DPA.

Legal bases & conditions (UK GDPR / DPA 2018)

Controller/processor roles:

For biometric identity verification, UK Postbox acts as the data controller. Our KYC and biometric verification providers act as processors, processing data on our behalf and in accordance with our instructions.

Article 6 (lawful bases): We process personal data under:

• Legal obligation — to comply with applicable laws, including the Money Laundering Regulations 2017
• Legitimate interests — to prevent fraud, maintain platform security, and protect the integrity of our services

Article 9 (special category data):

Where biometric data is processed, we rely on:

• Substantial public interest under the Data Protection Act 2018 (Schedule 1, Paragraph 14 — preventing or detecting unlawful acts and protecting the public against dishonesty), and/or
• Explicit consent, where required for specific processing activities

We maintain an Appropriate Policy Document (APD) setting out how this data is handled and safeguarded.

Use of consent: Where identity verification is required to comply with legal obligations (such as under the Money Laundering Regulations), we do not rely on consent. Instead, we process this data as a legal requirement. We remain transparent about how personal data is used and, where possible, offer alternative verification methods.

Verification approach: We verify all relevant individuals and organisations using our services, whether required by law or as part of our legitimate interests in preventing fraud, ensuring security, and protecting the integrity of our platform.

What we collect and generate

• Inputs: video/selfie images, ID document images, liveness/anti‑spoof signals (e.g., motion prompts), device/network metadata used to prevent abuse.
• Derived data: biometric templates (mathematical representations) for the purpose of matching the selfie to the document photo; verification scores and decision labels (pass/review/fail), plus audit logs.
• We do not use biometric data for any purpose other than identity verification and fraud prevention. We do not sell, rent, or share biometric data with third parties for marketing or any other purpose.

How checks work (overview)

1. You capture a selfie/short video and ID document using our provider’s secure interface.
2. The provider performs liveness detection and compares the selfie to the document photo to generate a match score.
3. We combine this with other KYC signals (document validity, address checks, sanctions/PEP screening).
4. Outcomes that are close to a threshold, mismatched, or flagged by rules are sent to trained analysts for human review.
5. We communicate the result and, if needed, request additional evidence or offer assisted verification.

Fairness, bias & accessibility

• We assess vendors for accuracy across demographics and require disclosures about known limitations. We monitor pass/fail rates across demographic groups and investigate significant disparities.
• We configure conservative thresholds and require human review paths to reduce false negatives/positives.
• We may provide reasonable adjustments for disabilities (e.g., alternative prompts, additional time, assisted capture). Contact accessibility@ukpostbox.com.

Automated decision‑making

• We do not make solely automated decisions that produce legal or similarly significant effects for individuals. A human reviewer can reassess borderline or negative outcomes on request.
• Appeals: email compliance@ukpostbox.com with context and any new documents; we re‑review and respond with a reasoned outcome.

Data minimisation, retention & deletion

• We collect only what is necessary for verification.
• Biometric templates and raw captures are retained by our providers no longer than necessary to complete verification and support audit/anti‑fraud. Raw captures are deleted within 7 days of verification completion; templates are deleted within 30 days unless an active dispute or investigation requires retention.
• Verification results (pass/review/fail), reasons and audit logs are retained with KYC records for 5 years after relationship end (or longer if legally required).
• Where deletion from backups is not immediate, data is isolated and purged on rotation.
• Individuals may request deletion where we rely on consent; where we rely on legal obligation/legitimate interests, we will assess and explain what can be deleted.

Security measures (Article 32)

• Encryption in transit (TLS 1.2+/1.3 preferred) and at rest (provider‑equivalent to AES‑256).
• Access control & MFA; least‑privilege roles for staff who can view KYC outcomes; time‑bound access with logging.
• Audit & monitoring of admin and data access; anomaly detection for repeated or scripted attempts.
• Supplier due diligence (security questionnaires, certifications) and DPAs with sub‑processors; incident notice without undue delay.
• Secure destruction of paper artefacts in line with BS EN 15713.

International transfers

If biometric data is processed or stored outside the UK, we use appropriate safeguards (e.g., UK IDTA or UK Addendum to SCCs) and complete a Transfer Risk Assessment (TRA/TIA). We publish a live sub‑processor list and notify material changes where practicable.

Individual rights & contact

• Rights: You have rights over your personal data, including the right to access, rectify, erase, restrict, or transfer your data, and to object to certain processing. You also have the right not to be subject to decisions based solely on automated processing, and to withdraw consent where it is used.These rights apply except where we are required or permitted to retain or process data to comply with legal or regulatory obligations (for example, under HMRC Money Laundering Regulations).
• Submit requests via email dpo@ukpostbox.com. We respond within one month (extendable where complex).
• Complaints: use our Complaints & Escalation Process or contact the ICO (ico.org.uk).

Staff responsibilities & training

• Only trained staff may handle biometric verification outcomes and request re‑captures.
• Staff must not download, store or share biometric data outside approved systems.
• Suspected incidents are reported to security@ukpostbox.com and handled under our Incident Response & Breach Notification Policy.

UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom

Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com

Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907