Privacy Policy

Last updated 24 September 2021

Banuba Limited incorporated and registered in Hong Kong with company number 2360577 whose registered office is at Office A, 16/F Heng Shan Centre 145 Queen’s Road East, Wan Chai, Hong Kong together with companies in the same corporate group, take your privacy seriously. Please read carefully this Privacy Policy as it sets out our data processing practices with respect to your data collected, organized, structured, stored, used or disclosed\transferred through using Product(s) with embedded SDK system.

This Privacy Policy refers to the Banuba SDK, operated by Banuba Limited and embedded in Product(s) , hereinafter – the “SDK”. SDK is delivered to operators of mobile and/or desktop applications, which You installed on Your devices and/or desktop. This privacy policy doesn’t cover any of the products of Operators and refers to the operation of SDK on your devices and/or desktop only. Products which are developed or operated by Operators are covered by a separate privacy policy and do not fall into the scope of this Privacy Policy. 

Please note that we do not process Personal Data via SDK integrated in the Web services Operator’s Product(s).

Banuba Limited is committed to meeting (EU) General Data Protection Regulation (GDPR) requirements.


Apple Identifier for Advertisers (“IDFA”) on Apple is a unique identifier for a mobile device that advertisers use for personalized advertising. It is consistent across all mobile applications and thus allows cross-app tracking. Advertising IDs are non-permanent, non-personal identifiers, which are uniquely associated with your device and/or desktop.

Apple Identifier for Vendor (“IDFV”) means an identifier, which is linked to the vendor of the application and a device where the application is installed. The value of this identifier is the same for apps that come from the same vendor running on the same device. A different value is returned for apps on the same device that come from different vendors, and for apps on different devices regardless of vendor. 

Google Advertising ID (“GAID”) means a device identifier on Android devices, which enables app owners and ad networks to analyze their traffic and attribute users to specific traffic sources. This identifier allows advertisers to anonymously track user ad activity on Android devices.

Personal data  in this Privacy Policy shall mean any data regarding You as am indirect user of the SDK, which identifies or allows to identify You.

Operator means legal owner or duly authorized publisher of the Product who operates, publishes or makes available the Product for the general public.

Product means certain mobile/desktop applications, which you installed, use, exploit for any purpose and which contain SDK as an integral part.

SDK means software that implements interfaces for face recognition, face tracking in real time and rendering effects, built into Products.

Unless the context otherwise requires: (a) words in the singular shall include the plural and in the plural shall include the singular; (b) any words following the terms “including”, “include”, “in particular”, “for example” or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.


1.1 By using certain Products You express Your acceptance of this Privacy Policy, as such Policy may be amended from time to time. Each time You use Products, You agree to our collection, use, storage, transfer and disclosure of the information that you provide as described in this Policy. 
1.2 If You do not agree to be bound by this Privacy Policy then, please, do not use Products. 


2.1 When You use the Product  we automatically collect from You and/or Your device certain information, which is limited to your unique advertising ID: IDFV, IDFA for IOS and GAID for Android, which are combined. In the result we will operate a unique advertising ID, which we may not hack and restore your initial IDFV and IDFA. We shall not associate collected IDFA or IDFV with other information about you, such as your e-mail, address or other identifying data. As well as we won’t have pure IDFV and IDFA in our systems, only a combined ID is available to us. We cannot restore the initial IDFA and IDFV as soon as we possess a combined ID only.  
2.2 As SDK functionality is fully based on face detection, in order to use the Product, the Operator shall request permission to process Your images taken by your mobile device or desktop camera. You should ask Operators if they process Your images, which in any event may be done upon Your explicit permission. 
2.2.1 We do not process the data being able to directly or indirectly identify the separate features of Your face or appearance in the whole via SDK, i.e. all images taken by Your camera shall not be sent to our servers. As we do not have access to such images, we shall not collect, share or store them. 
2.3 We do not collect, store or access any Your Personal Data like names, email address, gender, age or other sensitive data.
2.4 We do not collect information, which identifies or allows us to identify You, unless the Operator voluntarily provides us with such data (in particular, when communicating You right to erase Your data).
2.5 In case we start collecting other categories of Your personal data, we shall first explain why we collect it and (if applicable) ask for Your express consent for such collection and further processing.


We collect Your data:
 - When it is provided by the Operator (e.g. when we need to process Your request on data erasure).
 - When You install, start or use the Product, where SDK is integrated.


4.1.  The legal bases that we rely upon when processing Your personal data are as follows: 
4.1.1. Processing of Your personal data as described in Clauses 2.1.1. (collecting of a unique advertising ID, which is a combined IDFA, IDFV and GAID) is our legitimate interest to improve the performance of our business and provide Operators (and consequently, You) with services Operators/You request. We pay special attention to Your data protection rights making sure that Your data protection rights are not overridden by our legitimate interests. These legitimate interests are: (a) to ensure effective administration and management of SDK use, including; (i) to understand how You use our Services and how we can improve the customers usage experience; (ii) to prevent, detect, or investigate unauthorised use of our services; (iii) manage any disputes and accidents and take legal or other professional advice; and (iv) anti-fraud reasons.
4.1.2 Contractual necessity (Your personal data as described in Clause 2.3) covers information that is processed by us to provide Operator and, consequently, You with service that Operator has requested – and that we have agreed – to provide to Operator. If the Operator decides not to provide access to this data, we will not be able to provide support for the SDK in cases of malfunction and invoice the Operator in a timely manner.
4.1.3 Legal obligation covers information that is processed by us to comply with a legal obligation that we are subject to: we may share Your data when it is required by law and/or any regulatory authority. In such circumstances, we will expressly inform the recipient of the confidential nature of the data shared. 
4.1.4 Processing of personal data is based on Consent to the processing of Your personal data for one or more specific purposes (e.g. processing of Your Personal Data as for the purposes of clause 2.5).


5.1 We will process data collected under this Privacy Policy for the purposes of: 
5.1.1 Delivering the Services to Operator (and consequently, to You), including but not limited to maintenance and monitoring of the proper operation of SDK, fixing any problems in its operation, administering of SDK, including troubleshooting, dealing with Your enquiries, complaints and requests addressed to Operator in connection with SDK performance and operation.
5.1.2 Ensuring and protecting the safety and security of SDK, anti fraud purposes, protecting our Intellectual Property Rights.
5.1.3 Conducting statistical and analytical surveys and researches, in particular, crashes analysis, bug fixing, automation of billing, improving the services and consequently your user experience.
5.2 In case You voluntarily provide us with any additional personal data, we shall process these data solely for the purposes for which they were provided to us and for no longer they are needed to fulfil such purposes.
5.3 We limit access to data we hold about You to employees who we believe reasonably need to come into contact with that information to provide Services to Operators (and consequently, You) in order to fulfil their official duties. These employees are bound by confidentiality obligations and may be subject to liability, if they fail to meet these obligations. We will take all steps reasonably necessary to ensure that Your data are treated securely and in accordance with this Privacy Policy.


6.1 We cannot provide all services by ourselves. We must, therefore, share collected information with third parties for the purposes as described in section 4 of this Policy. We also reserve the right to disclose Your information (including personally identifiable information) when we are legally required to do so, to disclose Your information in an anonymous and aggregated manner, meaning You could not be personally identified from it. 
Your information may become available for the following categories of recipients:

  • the companies being in the same corporate group with us;
  • data storage, networking and security providers;
  • providers assisting us with client support;
  • any other providers assisting us with delivering and improving the Services.

6.2 We may also share Your data when it is required by law and/or any regulatory authority. In such circumstances, we will expressly inform the recipient of the confidential nature of the data shared. 
6.3 Our third-party providers with whom we share Your data may be located in non-EEA countries, where data protection and privacy regulations may be different from Your home country and offer even lower levels of protection. You acknowledge such transfer and processing of Your data out of EEA to the countries where data protection and privacy regulations may be different from Your home country and offer an even lower level of protection. To safeguard Your interests when transferring Your personal data out of EEA, we will conclude with all out-of-EEA recipients standard data protection clauses adopted by the European Commission or our supervisory authority.
6.4 All third parties with which We share Your data only get the minimum amount of data that are reasonably required in order for them to provide their service to us and therefore to You. The use of the shared information by such third parties is strictly limited to the purposes of processing outlined in Section 4 and is not permitted for any other purpose. All third parties with which we share Your data are required to protect such data in accordance with all relevant laws and regulations and in a manner similar to the way we protect the same. 
6.5 We will not share Your data with third parties which are considered as not being able to provide its clients and potential clients with the required level of protection.


7.1 We respect the privacy rights of our users, and to the extent required by applicable law, will make reasonable commercial efforts to allow You to access, correct, object to the processing of, delete or port any of Your personal data, provided that we are able to properly verify Your identity and link it to any personal data in our possession. With respect to Your personal data we process (if any) You have the right: 

  • to obtain from us the information regarding our processing of Your personal data;
  • to obtain from us without undue delay the rectification of inaccurate personal data concerning You;
  • to obtain from us the erasure of Your personal data (Your ‘right to be forgotten’);
  • to restrict our processing of Your personal data, when it is permitted under applicable law; 
  • to object to processing Your personal data where we are processing Your personal data: based on our legitimate interests (as set out above). If you ask us to stop processing Your personal data on this basis, we will stop processing Your personal data unless we can demonstrate compelling grounds as to why the processing should continue in accordance with data protection laws; and for direct marketing purposes. If you ask us to stop processing Your personal data on this basis, we will stop.
  • to obtain from us Your personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller without any obstacle on our side;
  • to withdraw Your consent, where we are relying on consent to process Your personal data;
  • to lodge a complaint against us with a supervisory authority for GDPR purposes.

7.2 You can always limit collection of Your data and/or reset Your IDFA by managing your mobile devices:
On Your iPhone, iPad, or iPod touch:
Go to Settings > Privacy > Advertising.
Turn on Limit Ad Tracking and/or press Reset Advertising Identifier.
On Your Android Device:
 - Go to Settings > Privacy > Advertising.
- Turn off Ad Tracking and/or press Reset Advertising Identifier. Note: If You clear Your cache, You will lose Your opt-out setting.

Once You've turned off personalization, Google/Apple will no longer use Your info to personalize Your ads. Ads can still be targeted with info like your general location or the content of the website You’re visiting.
Please contact us via to execute any of the rights as stated above.


8.1 With our respect for children’s privacy, we comply with specific protection requirements relating to the collection of personal data from children, i.e. we do not knowingly collect or process personal data from or with respect to children under the age of 16, and you must be 16 years of age or older in order to use Products with embedded SDK.
8.2. If You are a parent or legal guardian and believe that Your child under the age of 16 has submitted his or her personal data or other data without Your consent, permission, or authorization – please let us know immediately, and we will promptly act to remove Your child’s data from our database, cease the use of such data and inform any other party we suspect to have access to such data to do the same.


9.1.  Combined IDFA, IDFV and GAID are retained for as long as we need to deliver services to You unless we have a basis to further process Your data as described in Section 3 of this Policy. 
9.2.  If You request erasure of Your data we erase Your data from our servers and request our providers to do the same within 30 days upon Your request.  
9.3.  With respect to non-personal data We are not limited by any particular retention period.


10.1 We shall update this Privacy Policy from time to time. It is Your responsibility to periodically review this Privacy Policy to be aware of the current changes (as we will notify You only about the material changes).
10.2 Any changes to this Privacy Policy with respect to processing of Your personal data shall be subject to Your prior consent, unless they are required under applicable law.
10.3 Unless otherwise required by law, any changes to this Privacy Policy with respect to processing of Your non-personal data and changes with respect to processing of Your personal data shall become effective immediately upon their posting on the
10.4 If You do not accept the Privacy Policy following an amendment, do not start or continue to use the Product.


11.1 If You have any requests concerning Your personal information or any queries with regard to this Privacy Policy please feel free to contact us via
11.2 If You consider that our collection, usage, disclosure and/or storage of Your personal information violate  any applicable data protection laws we are bound by, please refer your complaints to We will consider them within reasonable time and provide you with an answer.