SheerID is a US-based identity verification provider that lets retailers offer gated discounts to specific consumer segments (students, teachers, military, healthcare workers, first responders, age-verified shoppers). The SheerID verification form is embedded in the checkout flow and confirms eligibility by checking authoritative databases. SheerID processes substantial personal data (full name, date of birth, school or employer name, professional ID) and is a critical GDPR processor with a high risk level.
SheerID is an identity verification platform that lets brands offer gated promotions to specific consumer segments. Common segments include students, teachers, military, healthcare workers, first responders, seniors, age verified adults and recent movers. The verification form is embedded in the checkout or signup flow; the consumer provides their details, SheerID checks authoritative databases (university registrars, employer directories, government records) and returns an eligibility verdict. The brand applies the discount only to verified consumers.
Depending on the verification type, SheerID collects full name, date of birth, address, email, phone number, employer or school name, professional or student identification number, and sometimes documentary evidence (uploaded photo ID, pay stub, enrolment certificate, transcript). Some verifications imply special categories of data under Art. 9 GDPR (healthcare profession status indicates health context, religious organisation membership reveals religion). The platform sets cookies on the verification form domain to support session state.
SheerID is a processor of consumer personal data under GDPR. The retailer is the controller and must sign the SheerID DPA, document the processing in its record of processing activities, run a DPIA (mandatory given the scope of data) and inform consumers. For special categories of data (Art. 9), explicit consent or another Art. 9 lawful condition is needed. For verifications that affect access to a service (e.g. military discount), Art. 22 GDPR considerations on automated decision making apply.
Before opening the verification form, disclose to the consumer that SheerID will process their data on US servers, what data will be collected, the legal basis (consent or contract), the purpose (verifying eligibility for a discount), the retention, and that the consumer can refuse and pay full price instead. The form itself collects the personal data only after the consumer has clicked through, and SheerID provides standard consent language that can be customised.
SheerID is US-headquartered and processes data primarily in the United States, with EU sub-processors for some specific data sources (university registrars in the EU, EU-based military identity systems). Transfers to the US rely on SCCs and the EU-US Data Privacy Framework. A Transfer Impact Assessment is required and should be substantive given the categories involved.
Sign the SheerID DPA, run a DPIA before launch (mandatory), inform consumers clearly in your checkout flow about the data transfer and verification process, present an alternative way to access the price (no discount but no data sharing), avoid using SheerID for special categories without explicit consent, set short retention for verification outcomes (the verdict needs to be retained only as long as the discount is valid), and audit Art. 22 GDPR safeguards (human review for refused verifications).
Websites using SheerID must obtain user consent under GDPR regulations.
DPIA considerations
SheerID processes substantial personal data: full name, date of birth, residential address, email address, phone number, employer or school name, professional or student ID number, sometimes supporting documents (uploaded ID, pay stub, enrolment certificate). For some verifications, sensitive data (health profession, military status) is processed under Art. 9 GDPR. Key DPIA considerations: (1) the data category is substantial and includes some sensitive categories; (2) authoritative database lookups happen across multiple jurisdictions, creating additional flows; (3) US hosting and processing requires SCCs and TIA; (4) document upload for manual verification raises stronger security obligations; (5) verification outcomes can affect access to discounts, raising fairness considerations under Art. 22 GDPR. A DPIA is mandatory.
Sample consent text
We use SheerID to verify your eligibility for special pricing. SheerID processes your full name, date of birth, professional or student status, and may transfer this data to SheerID Inc. in the United States. Your data is used only for the verification and is not shared for marketing. You can refuse verification, but in that case the discount will not apply.