GoCertify is an identity verification service in the SheerID family, operated by SheerID Inc. from Portland, Oregon. E-commerce sites embed a GoCertify form to grant student, military, teacher, first responder or healthcare worker discounts. The verification flow collects full names, dates of birth, email addresses, school or unit names and, when document upload is required, copies of identity or eligibility cards, all processed in the United States.
GoCertify is an identity verification service that belongs to the SheerID product family, operated by SheerID Inc. from Portland, Oregon. Retailers and brands embed a GoCertify form (or an iframe pointing to a SheerID verification page) on the cart or product page in order to grant gated discounts to students, teachers, military personnel, first responders or healthcare workers. The visitor submits a few identifiers, sometimes uploads a copy of an ID document, and GoCertify returns a yes or no eligibility decision plus a single use discount code.
Even when the visual integration is on the merchant origin, the data flow lands on SheerID servers in the United States, which makes GoCertify a third party processor for the purposes of GDPR and ePrivacy.
The verification form collects the first name, last name, date of birth (used to enforce age limits for student programs), the email address, the institution name (school, unit, hospital, school district) and a country. When automated verification fails, the visitor is asked to upload a document such as a student ID card, military ID, NHS or hospital badge, teaching certificate, or first responder credential. The document is stored on SheerID servers and may be reviewed by a US based human verifier.
GoCertify also drops first-party and third-party cookies (sheerid.com, gocertify.com) to track conversion, store the verification status and prevent multiple submissions from the same browser. The cookies and the document upload together constitute storage and processing in scope of Article 5(3) of the ePrivacy Directive and Articles 4(1) and 9 GDPR.
The cookies set by GoCertify are not strictly necessary for the merchant site itself, so Article 5(3) of the ePrivacy Directive, the CNIL cookie guidelines and the German TDDDG require prior consent. The verification itself relies on Article 6(1)(b) (steps prior to entering into a contract for the discount) but, when an ID document is uploaded, processing must be analysed under Article 9 GDPR. A student card revealing age under 16 brings Article 8 GDPR (children) into play, and a military or healthcare ID can reveal special categories such as health or trade union membership.
Block the GoCertify embed by default behind a Functional or Verification consent category. Display the form only when the visitor actively asks to claim the discount, so consent is purpose specific. When document upload is required, present a dedicated explicit consent (a clearly worded checkbox stating that an ID document will be processed and may reveal special category data) before the upload widget appears. Log the consent, mention the SheerID transfer to the United States and offer an alternative manual verification channel for users who refuse.
All GoCertify processing happens on SheerID infrastructure in the United States. The transfer is governed by the EU US Data Privacy Framework where SheerID is certified, otherwise by the Standard Contractual Clauses 2021. A transfer impact assessment is mandatory because the dataset includes identity documents and, potentially, special category data; supplementary measures should include encryption in transit and at rest, short retention of uploaded documents, role based access, redaction of unnecessary fields on the ID copy and contractual commitments by SheerID to challenge disproportionate government access requests.
List SheerID and GoCertify in your record of processing activities, your sub processor list and your cookie register. Update the privacy notice and the cart copy to name SheerID, the United States transfer, the categories of data, the retention period and the rights of the data subject. Configure GoCertify to delete uploaded documents as soon as the verification decision is logged, restrict admin access to the verification dashboard, run a DPIA before launch, and review the SheerID security report and DPF certification annually.
Websites using GoCertify must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required whenever GoCertify is used to verify eligibility for a discount targeting students, teachers, military, first responders or healthcare workers. The processing involves identity documents, may concern minors (students under 16), can reveal special category data (membership in a protected profession or, indirectly, ethnic or religious affiliation through institution names) and routes personal data to a US processor. Document the lawful basis for the cookies (consent), for the verification itself (consent or explicit consent), the categories of documents accepted, the retention period for uploaded files, the use of automated decision making and the transfer impact assessment for the SheerID processing in the United States.
Sample consent text
We use GoCertify, an identity verification service operated by SheerID Inc. (United States), to confirm your eligibility for this discount. With your consent, your name, date of birth, email address, institution and, where required, a copy of your ID document will be transferred to SheerID servers in the United States for review. You can withdraw your consent at any time; refusing will simply mean the discount cannot be applied.
Third-party domains contacted
gocertify.com, services.sheerid.com, sheerid.com, offers.sheerid.com, cdn.sheerid.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sheerid_sid | Persistent | 1 year | Identifies the verification session and links the form submission to the verification result, so the merchant can issue or revoke the gated discount code. |
| sheerid_fp | Persistent | 6 months | Device fingerprint used by GoCertify and SheerID to detect fraudulent multiple submissions from the same browser, used as a fraud signal for the eligibility check. |
| sheerid_verification_status | Persistent | 1 year | Stores the latest verification outcome and the program identifier so a returning visitor can be served the discount code without resubmitting documents. |
| gocertify_session | Session | Browser session | Temporary CSRF and session cookie set on gocertify.com while the verification form is open in the embedded iframe. |
The verification form collects the first name, the last name, the date of birth (used to enforce age limits on student programs), the email address, the institution or unit name and the country. When automated verification fails, the visitor is asked to upload a copy of an ID document such as a student card, a military ID, a hospital or NHS badge, a teaching certificate or a first responder credential. GoCertify also drops cookies on sheerid.com and gocertify.com to track conversions, prevent multiple submissions and remember the verification status, and it logs IP and user agent for fraud detection.
Yes, at two levels. The cookies and remote scripts loaded by GoCertify are not strictly necessary for the merchant site, so Article 5(3) ePrivacy, the CNIL cookie guidelines and the German TDDDG require prior consent. When the workflow asks for a document upload, GDPR Article 9 requires explicit consent for the processing of data that can reveal special categories. Block the iframe by default, show the form only when the visitor actively claims the discount, and gate the upload widget behind a dedicated explicit consent checkbox.
The cookies rely on Article 6(1)(a) consent and Article 5(3) ePrivacy. The verification itself can rest on Article 6(1)(b) GDPR, since it is a step prior to entering into the discounted contract. When an ID document is uploaded, the processing also engages Article 9 and, in most cases, only Article 9(2)(a) explicit consent is available because employment context (9(2)(b)) and substantial public interest (9(2)(g)) do not apply to a private discount programme. If the document reveals that the candidate is a minor under 16, Article 8 GDPR adds parental consent requirements.
Yes. SheerID Inc., which operates GoCertify, is based in Portland, Oregon and hosts the verification platform on AWS US regions. The identifiers and any uploaded documents are stored in the United States and can be reviewed by US based human verifiers. The transfer relies on the EU US Data Privacy Framework where SheerID is certified, otherwise on Standard Contractual Clauses 2021. A transfer impact assessment is mandatory because the dataset includes identity documents and potential special category data.
Yes, a DPIA is strongly recommended and usually required. The processing combines several DPIA triggers from the EDPB criteria and the CNIL and AEPD high risk lists: identity documents, potential special category data, possible processing of minors, automated decision making (eligibility scoring) and a transfer to a third country with surveillance laws. The DPIA must describe the data flow to SheerID, the categories of documents, the role of automated checks, the human review process, the retention period, the supplementary measures under Schrems II and the rights provided to the user.
Block the GoCertify iframe behind a Functional or Verification consent category in your CMP. Surface the form only when the visitor explicitly chooses to claim a gated discount. Provide a dedicated layer of information on the form that names SheerID, the United States transfer, the categories of data, the retention period and the user rights. Require a separate explicit consent checkbox before the upload widget is rendered. Configure GoCertify to delete uploaded documents as soon as the decision is recorded, and to log only the verification outcome and the timestamp.
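The two-stage gate described above (embed blocked until consent and an active claim, upload widget behind a separate explicit consent, every decision logged) can be sketched as follows. This is an added example, not GoCertify, SheerID or CMP code: `createConsentGate`, its method names and `merchant.example` are hypothetical, and the domain list is the one given on this page.

```javascript
// Added example: hypothetical consent gate, not a GoCertify, SheerID or CMP API.
// Domains are the third-party hosts listed on this page.
const GATED_DOMAINS = ["gocertify.com", "services.sheerid.com", "sheerid.com",
  "offers.sheerid.com", "cdn.sheerid.net"];
const PURPOSES = ["verification", "documentUpload"];

// True when the host is a listed domain or one of its subdomains.
function isGatedHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return GATED_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

function createConsentGate(now = () => new Date().toISOString()) {
  const state = { verification: false, documentUpload: false };
  let claimRequested = false;
  const log = [];
  const record = (purpose, granted) => {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    state[purpose] = granted;
    log.push({ purpose, granted, at: now() }); // consent record for audit
  };
  return {
    grant: (purpose) => record(purpose, true),
    withdraw(purpose) {
      record(purpose, false);
      // Withdrawing the base consent also revokes the upload consent.
      if (purpose === "verification" && state.documentUpload) {
        record("documentUpload", false);
      }
    },
    // Called when the visitor actively clicks to claim the discount.
    requestClaim() { claimRequested = true; },
    // Decide whether an iframe or script URL may be inserted into the page.
    mayLoad(url) {
      let host;
      try { host = new URL(url, "https://merchant.example").hostname; }
      catch { return false; } // unparsable URL: fail closed
      if (!isGatedHost(host)) return true;
      return state.verification && claimRequested;
    },
    // The upload widget needs the separate explicit consent as well.
    mayShowUpload: () =>
      state.verification && claimRequested && state.documentUpload,
    consentLog: () => log.slice(),
  };
}
```

The gate only returns decisions; the page must still refrain from inserting the iframe or script element until `mayLoad` returns true, since an element already in the DOM has already contacted the third-party host.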
EU based identity verification options include ID Now (Germany, EU hosted), Onfido EU instance (Ireland), Veriff (Estonia, with EU data residency), Yoti (UK, with EU data residency) and ID Wall (Spain). For lighter use cases, you can issue a closed batch of student or military codes through a partner association inside the EEA, or rely on email domain checks against a list of recognised institutions. The privacy gain depends mainly on the data residency, the sub processor list and whether the provider can process identity documents with a documented Article 9 exemption or only via explicit consent.
Add a section that names SheerID Inc. and the GoCertify product, lists the cookies set on sheerid.com and gocertify.com with their purpose and lifetime, and explains that the embed is blocked until consent is granted. The privacy notice must also describe the verification flow, the categories of data and documents, the international transfer mechanism (DPF or SCCs plus supplementary measures), the retention period for uploaded documents (ideally just long enough to record the outcome), the legal basis (Art. 6(1)(b) plus Art. 9(2)(a)) and the rights of access, rectification, erasure and withdrawal.