Gumroad · Gumroad Terms of Service · View original document ↗

Identity Verification Data Collection

High severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Gumroad recorded 3 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Gumroad Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The agreement reserves Gumroad's right to request identity verification information from both Buyers and Suppliers, including Social Security Numbers, bank account details, government-issued identification, and taxpayer identification numbers, for anti-fraud, anti-money laundering, and trade sanctions compliance purposes.

This analysis describes what Gumroad's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision authorizes collection of highly sensitive personal and financial data categories, including Social Security Numbers and bank account information, from both Suppliers and Buyers. The data collection is positioned as discretionary rather than universal, but the categories listed represent the most sensitive class of personal identifiers under US and international privacy frameworks.

Consumer impact (what this means for users)

Under this clause, Gumroad may request that Buyers or Suppliers provide Social Security Numbers, bank account information, government-issued identification, and other sensitive personal data as a condition of continued platform access or transaction processing, for anti-fraud and regulatory compliance purposes.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Strava Medium

If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.

eBay Medium

We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.

See all platforms with this clause type →

Monitoring

Gumroad has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Gumroad reserves the right, but has no obligation, to request additional information from Buyers or Suppliers to verify identity in order to safeguard the integrity of the Platform and reduce the risk of fraud, money laundering, terrorist financing, and the violation of trade sanctions. Information that Gumroad may request, or seek to confirm, may include full legal name, mailing address, phone number, date of birth, taxpayer identification number (e.g. Social Security Number), bank account information, and a form of government-issued identification.

— Excerpt from Gumroad's Gumroad Terms of Service

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Collection of taxpayer identification numbers, Social Security Numbers, and bank account information engages the Bank Secrecy Act and FinCEN's Customer Due Diligence (CDD) and Know Your Customer (KYC) requirements applicable to financial intermediaries. The Gramm-Leach-Bliley Act may apply to financial data collected in connection with payment processing. CCPA requires disclosure of sensitive personal information categories collected, and provides California residents with rights regarding the use of sensitive personal information including Social Security Numbers. GDPR requires a lawful basis for processing special categories of data and financial identifiers. (2) GOVERNANCE EXPOSURE: High. The collection of Social Security Numbers, government-issued identification, and bank account information represents the highest-sensitivity data categories under US and EU privacy frameworks. A data breach involving these categories would trigger state breach notification obligations in all US states, federal notification requirements under applicable financial regulations, and GDPR breach notification requirements for EU-resident data subjects. (3) JURISDICTION FLAGS: California residents have specific rights under CCPA regarding sensitive personal information, including the right to limit its use. EU and EEA users' financial identifiers and government identification are subject to GDPR processing requirements. Illinois, New York, and other states with enhanced data protection statutes create additional compliance obligations for entities collecting this data category. (4) CONTRACT AND VENDOR IMPLICATIONS: Organizations onboarding employees or contractors as Gumroad Suppliers should account for the platform's right to collect sensitive personal identifiers as part of vendor risk assessment. Data processing agreements should address Gumroad's handling and storage of Social Security Numbers and bank account information. (5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams should evaluate Gumroad's data security practices and breach notification procedures with respect to the sensitive data categories this provision authorizes collecting. Users subject to CCPA should review available sensitive personal information controls. GDPR-regulated organizations should assess the lawful basis Gumroad relies upon for processing financial identifiers and government identification.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over data collection and security practices involving sensitive personal information, including Social Security Numbers, in consumer-facing platforms
    File a complaint →
  • CFPB
    The CFPB has jurisdiction over financial data collection and handling practices by payment intermediaries, including bank account information and taxpayer identification numbers collected in connection with payment processing
    File a complaint →

Provision details

Document information
Document
Gumroad Terms of Service
Entity
Gumroad
Document last updated
May 20, 2026
Tracking information
First tracked
May 20, 2026
Last verified
May 20, 2026
Record ID
CA-P-012268
Document ID
CA-D-00899
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
c356520388516842e2919afec5fa2cd0d2a51c5d6bafbdf2e9e720a587e88fe7
Analysis generated
May 20, 2026 14:18 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Gumroad
Document: Gumroad Terms of Service
Record ID: CA-P-012268
Captured: 2026-05-20 14:18:58 UTC
SHA-256: c356520388516842…
URL: https://conductatlas.com/platform/gumroad/gumroad-terms-of-service/identity-verification-data-collection/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Gumroad's Identity Verification Data Collection clause do?

This provision authorizes collection of highly sensitive personal and financial data categories, including Social Security Numbers and bank account information, from both Suppliers and Buyers. The data collection is positioned as discretionary rather than universal, but the categories listed represent the most sensitive class of personal identifiers under US and international privacy frameworks.

How does this clause affect you?

Under this clause, Gumroad may request that Buyers or Suppliers provide Social Security Numbers, bank account information, government-issued identification, and other sensitive personal data as a condition of continued platform access or transaction processing, for anti-fraud and regulatory compliance purposes.

Is ConductAtlas affiliated with Gumroad?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Gumroad.