Revolut · Revolut Privacy Policy (Superseded URL) · View original document ↗

Special Category and Biometric Data Processing

Medium severity Medium confidence Explicitdocumentlanguage Common · 287 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Revolut Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

Revolut collects copies of your identity documents and processes biometric-style data as part of identity verification, which is a more sensitive category of personal data under UK data protection law.

This analysis describes what Revolut's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Identity document data and biometric verification data are treated as special categories under UK GDPR, meaning stricter rules apply to how they are collected, stored, and used, and Revolut must have a stronger legal basis for this processing.

Interpretive note: The document does not specify retention periods for identity documents or the precise legal basis for biometric-style processing, creating interpretive uncertainty about whether all UK GDPR special category requirements are fully addressed in disclosed terms.

Consumer impact (what this means for users)

Revolut retains copies of your passport or driving licence and processes them through identity verification systems, which constitutes high-sensitivity data processing; if there were a data breach involving this data, the consequences for affected individuals could be severe.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Email dpo@revolut.com to ask what identity document data Revolut holds about you, how long it is retained, and to request deletion where legally permissible. Note that AML regulations may require retention for a statutory minimum period.

How other platforms handle this

Skillshare Medium

The right to know whether, and for what purposes, we process your Personal Data

Discord Medium

If you want to see what information we have collected about you, you can request a copy of your data in the Data & Privacy section of your User Settings. You should receive your data packet within 30 days.

See all platforms with this clause type →

Monitoring

Revolut has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
copies of your identification documents (for example, your passport or driving licence) and any other information you provide to prove you are eligible to use our services

— Excerpt from Revolut's Revolut Privacy Policy (Superseded URL)

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Processing of biometric data used for unique identification and identity document data may engage UK GDPR special category provisions, requiring an explicit legal basis such as explicit consent or a legal obligation basis alongside the standard lawful basis. The ICO's guidance on biometric data and identity verification applies. AML and KYC regulations under the Money Laundering Regulations 2017 impose independent obligations to collect and retain identity documents, creating a regulatory basis that partially overlaps with the privacy obligations. (2) GOVERNANCE EXPOSURE: High. Identity document data is among the most sensitive personal data categories because it is difficult to change if compromised. Data breaches involving passport or driving licence copies trigger mandatory ICO notification obligations and can result in significant harm to affected individuals. Data Protection Impact Assessments are likely required for this processing under UK GDPR given the high risk to individuals. (3) JURISDICTION FLAGS: UK GDPR and the DPA 2018 govern this processing for UK customers. Illinois BIPA would apply to biometric data if any US operations process Illinois residents' biometric identifiers. The ICO's Children's Code creates heightened obligations for identity data relating to minors in the Revolut Kids and Teens context. (4) CONTRACT AND VENDOR IMPLICATIONS: Third-party identity verification vendors used by Revolut must be assessed as data processors under data processing agreements that meet UK GDPR standards, with clear provisions on data retention, security standards, and sub-processor use. Vendor certifications such as ISO 27001 should be reviewed as part of due diligence. (5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that DPIAs have been completed for identity document and biometric data processing, that retention periods for these documents are limited to what is necessary under AML regulations, and that appropriate technical and organizational security measures are documented. The lawful basis for processing beyond AML obligations, such as for ongoing eligibility verification, should be clearly documented.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over data security practices for sensitive consumer data including identity documents, and may investigate inadequate security practices as unfair trade practices.
    File a complaint →

Applicable regulations

Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FCRA
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
GLBA
United States Federal
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US

Provision details

Document information
Document
Revolut Privacy Policy (Superseded URL)
Entity
Revolut
Document last updated
May 5, 2026
Tracking information
First tracked
May 7, 2026
Last verified
May 9, 2026
Record ID
CA-P-007674
Document ID
CA-D-00538
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
3f454e91dd6036e21544d2d7f616cb24e6b62cdc91bd14ac3626b944cdb7ec1f
Analysis generated
May 7, 2026 09:22 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Revolut
Document: Revolut Privacy Policy (Superseded URL)
Record ID: CA-P-007674
Captured: 2026-05-07 09:22:24 UTC
SHA-256: 3f454e91dd6036e2…
URL: https://conductatlas.com/platform/revolut/revolut-privacy-policy-superseded-url/provision/CA-P-007674/special-category-and-biometric-data-processing/
Accessed: July 12, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Revolut's Special Category and Biometric Data Processing clause do?

Identity document data and biometric verification data are treated as special categories under UK GDPR, meaning stricter rules apply to how they are collected, stored, and used, and Revolut must have a stronger legal basis for this processing.

How does this clause affect you?

Revolut retains copies of your passport or driving licence and processes them through identity verification systems, which constitutes high-sensitivity data processing; if there were a data breach involving this data, the consequences for affected individuals could be severe.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 287 platforms. See the full comparison.

Is ConductAtlas affiliated with Revolut?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Revolut.