Biometrics Policy

Last Updated: 15 July 2026

This Policy describes how Kraken collects, processes, uses, stores, and deletes Biometric Data. It applies to all users of Kraken services where we process Biometric Data, and supplements the Global Privacy Notice and US Privacy Notice, which describe Kraken's broader personal data processing practices.

Biometric Data means data generated from electronic measurements or scans of an individual's biological characteristics, such as facial geometry, or other unique biological patterns or characteristics that can be used to identify a specific individual. Source documents from which Biometric Data is generated, for example, selfie photos, passports, or driver's licences, are not themselves Biometric Data.

Kraken’s treatment of any piece of data or information as “Biometric Data,” pursuant to this policy does not necessarily indicate that such items qualify as or fit the definitions of “Biometric Data,” as that term is used in any particular statute, law, or regulation.

You release in favor of Kraken any claims related to the collection, processing, usage, and storage of your Biometric Data. This includes any past or prior claims as well as any claims that may arise in the future related to your use of Kraken’s services.

Biometric Data Collection Purposes

Kraken collects, uses, stores, and processes Biometric Data to verify your identity, both when you open your Kraken account and at any point thereafter as deemed necessary by Kraken or required by law or regulation. For example, Kraken may request to process your Biometric Data for security purposes, in connection with certain actions where an extra layer of assurance is required to confirm your identity.

Lawful Basis

Before collecting your Biometric Data, Kraken will inform you that Biometric Data is being collected or stored and the purposes for which it will be used.

In the United States, Canada, Australia, and in jurisdictions where another lawful basis is not available, we rely on your consent.

In the EU and UK, we rely on our legal obligation to comply with anti-money laundering (AML), counter-terrorist financing (CTF), and Know Your Customer (KYC) laws and regulations, which are necessary for reasons of substantial public interest.

In the UAE, we rely on performance of a contract and compliance with our AML, CTF and KYC legal obligations to process biometric data.

Retention

Biometric Data is processed on Kraken's behalf by trusted third-party identity verification providers acting as our data processors. These providers are bound by contract, including Data Processing Agreements that define their obligations and restrictions on processing.

Biometric Data is permanently and securely deleted by these providers within 6 months of collection.

The identity documents and records of identity verification, such as copies of your passport or driver's licence, selfies, and verification outcomes, are not themselves Biometric Data. Kraken retains these records for a period (for example, 5 years) after our business relationship with you has ended, to comply with AML, CTF and KYC laws and regulations. Further detail on the retention of these records is set out in our Global Privacy Notice and US Privacy Notice.

If you request deletion of your Biometric Data within this 6-month period, and Kraken has no lawful basis to retain it, we will delete it. Where Biometric Data is subject to a legal hold, investigation, or other lawful retention requirement, it will be retained until the hold or requirement is lifted.

Biometric Data Security

Kraken maintains an Information Security Management System certified to ISO 27001 and SOC 2 standards. For additional information on our information security practices, please see here, and for general security information, click here.

Biometric Data is held by our identity verification providers and protected with equivalent security controls, including ISO 27001 certified information security management, independent SOC 2 audits, and encryption in transit and at rest. Kraken independently assesses each provider's security posture as part of its vendor due diligence.

Biometric Data Disclosures

Kraken uses select, trusted third-party service providers to process Biometric Data on our behalf for the purpose of identity verification. These providers act under Kraken's strict instructions and process the data only as necessary for that purpose. Each is bound by a Data Processing Agreement requiring strict confidentiality, security, and compliance with applicable privacy and data protection laws.

Kraken does not further disclose Biometric Data unless:

  • The individual or the individual's legally authorized representative consents to the disclosure;

  • The disclosure is required by applicable law or regulation; or

  • The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Kraken does not sell, lease, trade, or otherwise profit from Biometric Data.

Your Rights

You have rights in relation to your personal data, including your Biometric Data. These rights vary by jurisdiction and may include:

  • The right to know whether we process your Biometric Data;

  • The right to delete your Biometric Data;

  • The right to restrict or object to certain processing;

  • The right to withdraw consent where consent is the lawful basis;

  • The right to lodge a complaint with the data controller;

  • The right to lodge a complaint with your data protection regulator.

To exercise these rights or for any questions about our Biometric Data practices, please reach out by using our contact form.

For more information on the rights you have in relation to the processing of your personal data, please see our Global Privacy Notice and US Privacy Notice.