Privacy Policy For Persona Identity Verification
Last Updated: June 5, 2024
This Persona Identities, Inc. (“Persona,” “we”, “us”, or “our”) Privacy Policy applies to the following individuals using the Persona identity verification service (the “Service”) who have a direct relationship with Persona:
- individuals who are verifying their identities through LinkedIn’s partnership with Persona, and
- individuals using the Persona Reusable Personas feature
Persona may handle personal data in different ways depending on our underlying relationship with you or with our customers who use our services. This Privacy Policy explains our collection, use, and disclosure of personal data as an independent data controller (or such similar term under applicable law) in connection with the Service.
This Privacy Policy does not apply to personal data we process as a service provider or data processor on behalf of our other partners or business customers. Individuals using our identity verification services through a business customer or using our other verification services can learn about how our data handling practices differ in relation to those services here.
California residents can find specific disclosures, including “Notice at Collection” details, by clicking here.
1. Service Specific Information
This section provides specific information about our processing activities via the Service in the context of: (A) our partnership with LinkedIn, and (B) Persona's Reusable Persona feature. Unless signposted otherwise, the other sections in this Privacy Policy will apply to both LinkedIn members and users of Reusable Persona.
(A) If you are verifying your identity as a LinkedIn member
If you were directed to Persona via LinkedIn's website or app then this section applies to you. In connection with the Service, Persona will ask you to submit a photo of your government issued identity document, together with a selfie to: (i) verify the authenticity of the identity document and, (ii) confirm that you are the individual pictured in the identity document. Persona may also request additional information to corroborate identity details via our global network of third-party data partners.
The Service will generate a verification result for LinkedIn, but it is LinkedIn that ultimately decides how it uses the verification result provided to them. If you have any questions about the outcome of a verification check relating to you or your identity document, please contact LinkedIn. It’s important to note that this Privacy Policy does not apply to LinkedIn’s use of your personal data or its privacy practices and we encourage you to read LinkedIn’s privacy policy for further information on their use of your personal data.
(B) If you are using our Reusable Personas feature
If you have created a Reusable Persona then the following applies to you. Our Reusable Persona feature allows you to securely save certain identity information in an encrypted Persona account and speed up future verification flows with other businesses that use Persona to verify your identity. For further information about our Reusable Persona feature, see here.
Use of the Reusable Persona is managed by you. The personal data stored in the Reusable Persona is not readable by Persona in its encrypted form, and can only be unencrypted when you successfully authenticate to access the encryption key stored on your device for the purpose of identity verification on behalf of Persona’s business customers.
2. Personal Data We Collect and Process
This section describes the personal data we collect and process in order to provide the Service to you. The personal data we collect depends on how you interact with the Service and the choices you make.
We collect information about you from different sources and in various ways when you use the Service, including information you provide directly, information collected automatically, information from third-party data sources, and data we infer or generate from other data.
Information that you provide directly
You may directly provide personal data to the Service, including the following:
- Name;
- Contact Information, including email address, postal address, and phone number;
- Demographic Data, including sex, nationality, birthdate and age;
- Uploaded Content, including a photo or video of you (i.e. selfie) and a photo or video of your government issued identity document (such as driver’s license or passport), together with any personal data contained on the face of the document and within the NFC chip that corresponds to the information on the face of the document (if your identity document is NFC compatible). Your fingerprints are not collected;
- Government Identifiers, such as National ID numbers; and
- Biometric Information, which we use for the purpose of uniquely identifying an individual.
Some of this information, such as Biometric Information when used to uniquely identify you, may be sensitive or afforded protected status under local laws (for example, “sensitive information” in California or “special category data” in the EU and the UK). For further details on our collection and processing of biometric information, see the section entitled “Facial Scan and Biometric Information” below.
If you have created a Reusable Persona, we will store certain personal data in your Reusable Persona account which will include: Name and Contact Information, Demographic Data, Uploaded Content and Government Identifiers. We do not store your Biometric Information in the Reusable Persona.
Information we collect indirectly
We may indirectly collect personal data from the device via which you access the Service as well as information about your use of the Service, including the following:
- Identifiers and Device Information: When you access our Service via a browser or an app, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration.
- Geolocation Data: Depending on your device and app settings, we collect geolocation data when you use the Service. We do not collect precise geolocation data. We infer your general geographic location (such as city, state, and country) based on your IP address.
- Usage Data: We automatically log your activity on the Service, including how long it takes to complete the verification, access times, and other details about your use of and actions on the Service such as hesitation detection and copy and paste detection. If you use our Reusable Persona feature, we will also collect information about when the Reusable Persona was accessed, to which business customer the information was provided, from which IP address, and how often it was accessed, for fraud prevention purposes.
Some data that we collect indirectly is collected through automated means from your device when you use the Service, such as through cookies and similar technologies. See our Cookies Policy to learn more.
Information we obtain from third party sources
We may receive unique reference numbers from our customers, and provide unique reference numbers to our customers, to enable each of us to identify you in our systems ("Account Identifiers").
We may obtain personal data about you from our global network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit agencies, utility companies, mobile network providers and postal address databases. The types of this “Additional Identity Data” we obtain from these sources will vary depending on the verification checks available in the particular country.
We also use service providers to determine your device’s location based on its IP address and to generate device identifiers.
3. How We Use Personal Data and Our Legal Basis for Processing
We use the personal data we collect for purposes described in this section or as otherwise disclosed to you at the time of collection.
The following table provides details on our purposes for processing your personal information and the related legal bases on which we rely. Where we rely on legitimate interests, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms. We will only use your personal data where we are permitted to do so by applicable law. Under EU and UK data protection law, the use of personal data must be justified under one of a number of legal grounds. For EU and UK users of the Service, the principal legal grounds that justify our use of your personal data are set out in the table below. In all other circumstances, where consent is required, we will rely on your consent.
4. How We Disclose Personal Data
(A) Disclosure to LinkedIn
If you are a LinkedIn member and are using the Service in connection with verifying your identity for LinkedIn, then the following applies to you. Where we have your consent to do so, we will disclose the following personal data to LinkedIn:
- Account Identifiers (i.e., reference numbers that enable each of us to identify you in our systems);
- Your full name (first, middle and last);
- Identity document type and issuing authority; and
- Verification result, including NFC check result (i.e., the result of the verification of the personal data extracted from the NFC chip in the identity document compared to the information on the face of the document), if the document contains an NFC chip.
If you are using the Service to recover access to your LinkedIn account, the following additional information will be sent:
- Address (city, state, country);
- Birth year;
- Image of your identity document with personal information blurred except name and portrait; and
- Results of the verifications performed by Persona.
We provide LinkedIn with this information to allow LinkedIn to determine whether to confirm verification of your identity.
(B) Use of Reusable Persona
If you consent to share your personal data with a business customer, please note that the business customer is an independent controller of any copy of your Reusable Persona personal data provided to that business customer, and the business customer’s use of such data is subject to the business customer’s privacy policy. Once such personal data has been provided to the business customer, any additional processing on behalf of the business customer will be done by us as a processor to that business customer under that business customer’s instructions.
(C) Other Disclosures
In addition, we may disclose some or all of the categories of personal data described in “Personal Data We Collect and Process” above, to the types of third parties described below, for the following business purposes:
5. Facial Scan and Biometrics Information
This section describes how Persona treats scans of facial geometry extracted from the uploaded images of your identity documents and your selfie.
Biometric information is generally understood to be unique physical characteristics such as your face geometry through which you can be identified or recognized. We will only process biometric information for the purpose of uniquely identifying you where we have your consent to do so.
Persona, in providing the Service:
- compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photo of your face that you upload (“Scan Data”), in order to help verify your identity (“Verification”); and
- may also use your information, including Scan Data, to detect and prevent fraud (“Fraud Prevention”).
The uploaded images and Scan Data are collected, used and stored directly by Persona.
Persona stores all uploaded images and Scan Data in an encrypted format. Persona’s third party vendors may have access to the Scan Data to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored. Persona will permanently destroy Scan Data upon completion of Verification or within six months of your last interaction with Persona, unless Persona is otherwise required by law or legal process to retain the data.
If you are a Reusable Persona user, Persona does not store the Scan Data in the Persona.
Notice for Illinois Residents:
Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure Scan Data in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease, trade, or, other than to provide the Verification and Fraud Prevention services to LinkedIn described in this policy, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you upload unless doing so:
- Completes a transaction requested and authorized by you or your legally authorized representative;
- Is required by state or federal law, or municipal ordinance;
- Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or
- Is expressly consented to by you.
6. Data Retention
We retain personal data for as long as necessary to provide the Service and fulfill the verification you have requested.
We may retain certain personal data for a longer period in order to comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes, such as fraud detection and prevention and enhancing safety and security across our services. Because these needs can vary for different data types in the context of different services, actual retention periods will vary based on criteria such as the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and our legal or contractual obligations.
When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it or, if this is not possible, then we will securely store your personal data and isolate it from any further processing until deletion is possible.
7. Your Rights and Choices
We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law. We respond to all requests we receive from individuals in accordance with applicable laws.
Depending on where you are located and subject to applicable privacy laws, you may have the following privacy rights:
- You may access, correct, update or request deletion of your personal data.
- You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data (i.e., your data to be transferred in a readable and standardised format).
- If we have collected and processed your personal data with your consent, then you can withdraw consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
You also have the right to lodge a complaint with your local supervisory authority, but we encourage you to first contact us with any questions or concerns. For more information, please contact your local supervisory authority.
If you wish to exercise any of your privacy rights, you may email [email protected] to make your request.
Residents of California may have certain additional privacy rights. Please refer to the section entitled “California Privacy Rights” below for more information.
Choices for Cookies and Similar Technologies. For information about how you can control cookies and other similar tracking technologies we use on the Service, please see our Cookie Policy.
California Privacy Rights
If you are a California resident and the processing of personal data about you is subject to the California Consumer Privacy Act (CCPA), you have certain rights with respect to that information.
Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal data, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this policy by clicking on the above links.
Right to Know. You have a right to request that we disclose to you the personal data we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such personal data. Note that we have provided much of this information in this Privacy Policy. You may make such a “request to know” by emailing us at [email protected].
Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate Personal Data and that we delete personal data under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, email us at [email protected].
Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of personal data as those terms are defined by the CCPA. Note that we do not “sell” or “share” personal information subject to this Privacy Policy as defined by the CCPA and have not done so in the past 12 months.
Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive personal data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use sensitive personal data for any such additional purposes.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
Further, to provide, correct, or delete specific pieces of personal data, we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of personal data we may have, there may be no reasonable method by which we can verify your identity as the person to whom that data relates.
Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.
Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal data to any third parties for the third parties’ direct marketing purposes.
Please be aware that we do not disclose personal data to any third parties for their direct marketing purposes as defined by this law.
California Customers may request further information about our compliance with this law by e-mailing [email protected]. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.
8. Processing Locations and Data Transfers
Persona is headquartered in the United States, with offices in San Francisco and New York City as well as employees globally.
The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, service providers or third-party data partners process data. This means that we may process your personal data in and transfer your personal data to countries outside of the country in which you are based. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We take steps designed to ensure that personal data is processed and protected as described in this policy and in accordance with applicable law wherever the data is located.
Currently, we primarily use data centers in the United States and Germany to host your personal data. The storage location(s) are chosen to operate efficiently and improve performance.
We transfer personal data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland) or other available transfer mechanisms, to help ensure your rights and protections.
Compliance with Data Privacy Framework Principles
Persona complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Persona has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Persona has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If third-party agents process Personal Data on our behalf in a manner inconsistent with the Data Privacy Framework Principles, we remain liable unless we prove we are not responsible for the event giving rise to any damages. If you have a question or complaint related to our compliance with the Data Privacy Framework Principles, please contact us as described in the Contact Us section below.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Persona commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints under the EU-U.S. Data Privacy Framework Principles, Swiss-U.S. DPF Principles, and the UK-Extension Framework not resolved by other means.
Notice for Australian Residents
Persona will comply with the Privacy Act 1988 (Cth), including the Australian Privacy Principles. You may contact Persona with questions or to complain about any privacy issues by contacting Persona at [email protected]. If you believe that we have failed to resolve the privacy complaint satisfactorily, you have the option of contacting the OAIC. Contact details of the OAIC may be found here.
9. Security
We take reasonable and appropriate technical and organizational measures to protect personal data that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing your personal data.
10. Does Persona undertake automated decision making?
Automated decision making means that a significant decision concerning you is made automatically based on a computer determination (using software algorithms), without human review.
Persona itself does not undertake automated decision making. In the case of LinkedIn, the Service will generate a verification result for LinkedIn, but it is LinkedIn that ultimately decides how it uses the verification results provided to them (for example, whether to confirm your identity verification on your LinkedIn profile). If you have any questions about the outcome of a verification check relating to you or your identity document, please contact LinkedIn.
11. Changes to the Privacy Policy
We will update this Privacy Policy when necessary to reflect changes in our services, how we use personal data, or the applicable law. When we post changes to the Privacy Policy, we will revise the “Last Updated” date at the top of the Privacy Policy. If we make material changes to the Privacy Policy, we will provide additional notice regarding such changes if required by law.
12. Contact us
If you have a privacy concern, complaint, or a question for Persona, please feel free to use this form or contact us at [email protected].
Our postal address is Persona Identities, Inc., 981 Mission Street #95, San Francisco, CA 94103, United States.
Our data protection representative for the European Economic Area and Switzerland is George Barry, 4 St Christopher's Rd, Montenotte, Cork, T23 E9TR, Ireland. To make an inquiry to George Barry, please contact [email protected].
Our data protection representative for the UK is: S. Alec Lawton, Graigwen, Plasycoed road, Pontypool Torfaen, NP4 6QH, UK. To make an inquiry to S. Alec Lawton, please contact [email protected].
To contact our data protection officer (DPO), please feel free to contact them at [email protected].