Privacy Policy

Welcome

Welcome to the website (the “Site”) of Persona Identities, Inc. (“Persona,” “we”, “us”, or “our”). Persona allows its business customers (“Customers”) to securely verify the identity of individuals (collectively, including the Site, the “Service”).

This Privacy Policy explains what Personal Data (defined below) we collect, how we use and share that data, and your choices concerning our data practices.

Please read this Privacy Policy before using our Service or submitting any Personal Data to Persona and contact us if you have any questions.

Personal data we collect

Personal Data Collected From Customers

We also collect Personal Data from individuals in the course of verifying their identities and/or preventing fraud for our Customers. This Personal Data includes names, birthdates, addresses, phone numbers, email addresses, government identification numbers and copies of government identification documents, face photos, IP addresses, browser fingerprints, cookie and device identifiers, and location data. We may also collect scans of facial geometry (“Biometric Data”). We retain Biometric Data until the identity verification and/or fraud prevention purposes have been satisfied or for any shorter period required by applicable law, at which point the Biometric Data is permanently destroyed. We have no direct relationship with the individuals whose Personal Data we process on behalf of Customers – we process their Personal Data pursuant to our Terms of Service and other agreements with our Customers. If you are such an individual and would no longer like your Personal Data to be used by one of our Customers or you would like to access, correct or request deletion of your Personal Data, please contact the Customer that you interact with directly.

Social Media Pages

We have pages on social media sites like LinkedIn, Facebook, and Twitter (“Social Media Pages”). When you interact with our Social Media Pages, we will collect Personal Data that you elect to provide to us through your settings on the Social Media Site, such as your contact details. In addition, the companies that host our Social Media Pages may provide us with aggregate information and analytics regarding the use of our Social Media Pages.

Use of the Site

When you visit, use and interact with the Site, we may receive certain information about your visit, use or interactions. For example, we may monitor the number of people that visit our Site, peak hours of visits, which page(s) are visited on our Site, the domains our visitors come from (e.g., google.com, yahoo.com, etc.), which browsers people use to access and visit our Site (e.g., Firefox, Microsoft Internet Explorer, etc.), broad geographical information, and Site-navigation patterns. In particular, the following information is created and automatically logged in our systems:

  • Log data
    Information (“log data”) that your browser automatically sends whenever you visit the Site. Log data includes your Internet Protocol (“IP”) address (so we understand which country you are connecting from when you visit the Site), browser type and settings, the date and time of your request, and how you interacted with the Site.
  • Cookies
    Please see the “Cookies” section below to learn more about how we use cookies.
  • Device information
    Includes name of the device, operating system, and browser you are using. Information collected may depend on the type of device you use and its settings.
  • Usage Information
    We collect information about how you use our Site, such as the types of content that you view or engage with, the features you use, the actions you take, and the time, frequency and duration of your activities.

Personal Data Collected on Behalf of Customers

We also collect Personal Data from individuals in the course of verifying their identities for our Customers. This Personal Data includes names, birthdates, addresses, phone numbers, email addresses, government identification numbers and copies of government identification documents, face photos, IP addresses, browser fingerprints, cookie and device identifiers, and location data. We have no direct relationship with the individuals whose Personal Data we process on behalf of Customers – we process their Personal Data pursuant to our Terms of Service and other agreements with our Customers. If you are such an individual and would no longer like your Personal Data to be used by one of our Customers or you would like to access, correct or request deletion of your Personal Data, please contact the Customer that you interact with directly.

How we use personal data

We use Personal Data to provide our Customers with the Service so they can verify the identity of individuals. This processing is necessary to perform our contract with our Customers.

We also use Personal Data as necessary for the following legitimate business interests:

  • To respond to inquiries, comments, feedback or questions;
  • To manage our relationship with our Customers, which includes sending administrative information relating to our Service and changes to our terms, conditions, and policies, and asking Customers to leave a review or take a survey;
  • To analyze how you interact with our Service and provide, maintain and improve the content and functionality of the Service and our customer relationships and experiences, develop our business and inform our marketing strategy;
  • To administer and protect our business and the Site, prevent fraud, criminal activity, or misuses of our Site, and to ensure the security of our IT systems, architecture and networks (including troubleshooting, testing, system maintenance, support and hosting of data); and
  • To comply with legal obligations and legal process and to protect our rights, privacy, safety or property, and/or that of our affiliates, you or other third parties, and recover debts due to us.

For information about what we mean by legitimate interests and the rights of individuals in the European Union (“EU”), please see the “EU Users” section below.

Facial Scan Policy and Release

The terms of this Facial Scan Policy and Release describe how Persona Identities, Inc. (“Persona”) treats scans of facial geometry extracted from photos. Notwithstanding anything that could be construed to the contrary in Persona’s Privacy Policy, Terms of Service or any other document, where there is any inconsistency or ambiguity between the terms of this Facial Scan Policy and Release and any other document, these terms shall prevail.


Persona, acting as a service provider to the company that owns or operates the website or app that you are using or is providing the services you wish to access (“Customer”):

  • compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photos of your face that you upload, in order to help verify your identity (“Verification”)
  • may also use your information, including data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, to detect and prevent fraud (“Fraud Prevention”)

The images of you obtained from the government identification document and photos of your face that you upload, and data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, are collected, used and stored directly by Persona on behalf of Customer as Customer’s service provider through Customer’s website or app that you currently are using.


Persona securely stores all photos of identity documents that you upload, photos of your face that you upload, and data from scans of facial geometry extracted from the photos of your face that you upload in an encrypted format. Persona’s third-party vendors may have access to the data from scans of facial geometry extracted from the photos of your face that you upload to store the data, to maintain backup copies, and to service the systems on which such data is stored. Consistent with Persona’s directions from the Customer, Persona will permanently destroy data from scans of facial geometry extracted from the photos of your face that you upload upon completion of Verification, or within one year of your last interaction with Persona, whichever occurs first, unless otherwise required by law or legal process to retain the data.


Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure data from scans of facial geometry extracted from the photos of your face that you upload in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease, trade, or, other than to provide the Verification and Fraud Prevention services to Customer described in this policy, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you upload unless doing so: A. Completes a Customer transaction requested and authorized by you or your legally authorized representative; B. Is required by state or federal law, or municipal ordinance; C. Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or D. Is expressly consented to by you.


By clicking on the “Accept” button or otherwise proceeding to use the services Persona provides on behalf of Customer, you agree that you have read, understand, and voluntarily consent to Persona’s Facial Scan Policy and Release, Privacy Policy, and Terms of Service and that you release any claims related to data from scans of facial geometry extracted from the photos of your face that you upload.

Marketing

We may contact you to provide information we believe will be of interest to you. For instance, if you elect to provide your email address, we may use that information to send you promotional information about our products and services. If we do, where required by law, for example if you are in the EU, we will only send you such emails if you consent to us doing so at the time you provide us with your Personal Data. You may opt out of receiving emails by following the instructions contained in each promotional email we send you or by contacting us. If you unsubscribe from our marketing lists, you will no longer receive marketing communications, but we will continue to contact you regarding our Site and Services and to respond to your requests.

How we share and disclose personal data

In certain circumstances we may share your Personal Data with third parties without further notice to you, unless required by the law, as set forth below:

  • Vendors and Service Providers
    To assist us in meeting business operations needs and to perform certain services and functions, we may share Personal Data with service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers and email newsletter providers; database and sales/customer relationship management services; payment processors; identity verification services, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers; and web and advertising analytics services. Pursuant to our instructions, these parties will access, process or store Personal Data while performing their duties to us.
  • Business Transfers
    If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data and other information may be shared in the diligence process with counterparties and others assisting with the transaction and transferred to a successor or affiliate as part of that transaction along with other assets.
  • Wireless Operator Authorization
    To assist us in meeting business operations needs and to perform certain services and functions, you authorize wireless operators to disclose your mobile number, name, address, email, network status, customer type, customer role, billing type, mobile device identifiers (IMSI and IMEI) and other subscriber status and device details, if available, to our third party service providers, solely to verify your identity and prevent fraud for the duration of the business relationship.

Data Retention

We keep Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a legitimate business need to do so, or as required by law (e.g. for tax, legal, accounting or other purposes), whichever is the longer.

If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies.

To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Update your information

If you need to change or correct your Personal Data, or wish to have it deleted from our systems, you may contact us. We will address your request as required by applicable law.

California Privacy Rights Disclosures

If you are a consumer located in California, we process your personal data in accordance with the California Consumer Privacy Act (CCPA). This section provides additional details about the personal information we collect and use for purposes of CCPA.

a. How We Collect, Use, and Disclose your Personal Information

The Personal Data We Collect section describes the personal information we may have collected about you, including the categories of sources of that information. We collect this information for the purposes described in the How We Use Personal Data section. We share this information as described in the How We Share and Disclose Personal Data section. Persona, Inc. uses cookies, including advertising cookies, as described in our Cookie Policy.

b. Your CCPA Rights and Choices

As a California consumer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your personal information:

Exercising the right to know

You may request the following information about the personal information we have collected about you:

  • the categories and specific pieces of personal information we have collected about you;
  • the categories of sources from which we collected the personal information;
  • the business or commercial purpose for which we collected the personal information;
  • the categories of third parties with whom we shared the personal information; and
  • the categories of personal information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose.

Exercising the right to delete

You may request that we delete the personal information we have collected from you, subject to certain limitations under applicable law.

Exercising the right to opt-out from a sale

You may request to opt out of any “sale” of your personal information that may take place. As described in Advertising, we do not use, share, rent or sell the Personal Data of our Users’ Customers for interest-based advertising. We do not sell or rent the Personal Data of our Users, their Customers or our Site visitors.

Non-discrimination

The CCPA provides that you may not be discriminated against for exercising these rights.

To submit a request to exercise any of the rights described above, contact our privacy department at privacy@withpersona.com.

Online Tracking and Do Not Track Signals

We may, and we may allow third party service providers to, use cookies or other tracking technologies to collect information about your browsing activities over time and across different websites following your use of the Site. Our Site currently does not respond to “Do Not Track” (“DNT”) signals and operates as described in this Privacy Policy whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will describe how we do so in this Privacy Policy.

Children

Our Service is not directed to children who are under the age of 13. Persona does not knowingly collect Personal Data from children under the age of 13. If you have reason to believe that a child under the age of 13 has provided Personal Data to Persona through the Service please contact us and we will endeavor to delete that information from our databases.

EU Users

Scope

This section applies to individuals in the EU (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway, the United Kingdom, and, to the extent applicable, Switzerland).

Data Controller

Data protection laws in the EU differentiate between the “data controller” and “data processor” of Personal Data. Persona is the data controller for the processing of Personal Data relating to representatives of Customers and potential Customers. You can find our contact information, and the contact information of our EU-based representative, in the “contact us” section below.

Data Processor

Persona is the data processor for the processing of your Personal Data relating to verifying the identity of individuals on behalf of its Customers. If you are an individual whose identity has been verified through Persona, please contact the appropriate Customer to exercise the rights described below.

Legal Bases for Processing

This Privacy Policy (the paragraph “How We Use Personal Data”) describes the legal bases we rely on for the processing of your Personal Data. Please contact us if you have any questions about the specific legal basis we are relying on to process your Personal Data.

As used in this Privacy Policy, “legitimate interests” means our interests in conducting our business and developing a business relationship with you. This Privacy Policy describes when we process your Personal Data for our legitimate interests, what these interests are and your rights. We will not use your Personal Data for activities where the impact on you overrides our interests, unless we have your consent or those activities are otherwise required or permitted by law.

Your Rights

Pursuant to the European Union General Data Protection Regulation (or GDPR), you have the following rights in relation to your Personal Data, under certain circumstances:

  • Right of access
    If you ask us, we will confirm whether we are processing your Personal Data and, if so, provide you with a copy of that Personal Data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
  • Right to rectification
    If your Personal Data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
  • Right to erasure
    You may ask us to delete or remove your Personal Data, such as where you withdraw your consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
  • Right to restrict processing
    You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
  • Right to data portability
    You have the right to obtain your Personal Data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and that is processed by automated means. We will give you your Personal Data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
  • Right to object
    You may ask us at any time to stop processing your Personal Data, and we will do so: if we are relying on a legitimate interest to process your Personal Data — unless we demonstrate compelling legitimate grounds for the processing or we need to process your data in order to establish, exercise, or defend legal claims; if we are processing your Personal Data for direct marketing. We may keep minimum information about you in a suppression list in order to ensure your choices are respected in the future and to comply with data protection laws (such processing is necessary for our and your legitimate interest in pursuing the purposes described above).
  • Right to withdraw consent
    If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
  • Right to lodge a complaint with the data protection authority
    If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns (in the UK, the Information Commissioner’s Office (ICO), who can be contacted at https://ico.org.uk/concerns, and in other EU countries the data protection authority of the country in which you are located).

Please see the “Contact Us” section below for information on how to exercise your rights.

International Transfers of Personal Data

Persona is based in the U.S. The U.S. may have data protection laws less stringent than or otherwise different from the laws in effect in the EU. Transfers of your Personal Data to Persona in the U.S. are necessary to perform the agreement we have entered into, or are about to enter into, with you.

Before July 16, 2020, we relied on our EU-U.S. Privacy Shield certification to transfer Personal Data that we received from the EU to Persona in the U.S. On July 16, 2020, the European Court of Justice ruled that the EU-U.S. Privacy Shield is no longer available for these data transfers. Before September 8, 2020, we relied on our Swiss-U.S. Privacy Shield certification to transfer Personal Data that we received from Switzerland to Persona in the U.S., but on September 8, 2020, the Swiss Federal Data Protection and Information Commissioner determined that the Swiss-U.S. Privacy Shield is no longer available for these data transfers. We continue to comply with the Privacy Shield Principles described in the “Privacy Shield” section below as required by the U.S. Department of Commerce.

Privacy Shield

Persona complies with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (“Frameworks”) as set forth by the U.S. Department of Commerce regarding the processing of personal data transferred from the EU, United Kingdom, and Switzerland to the U.S. (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway). Persona has certified that it adheres to the Privacy Shield Principles (described below). If there is any conflict between the policies in this Privacy Policy and the EU or Swiss Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Frameworks and to view our certification page, please visit https://www.privacyshield.gov/.

With respect to personal data received or transferred pursuant to the Frameworks, Persona is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Persona may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

General

Prior to July 16 and September 8, 2020, we relied on our Privacy Shield certification to transfer Personal Data that we received from the EU and Switzerland to Persona in the U.S. We process such Personal Data in accordance with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability (“Privacy Shield Principles”), as described below.

Notice and Choice

This Privacy Policy provides notice of the Personal Data collected and transferred under the Privacy Shield and the choice that you have with respect to such Personal Data. It also provides information about other Privacy Shield Principles that are set forth below.

Accountability for Onward Transfers

We may be accountable for the Personal Data we receive under the Privacy Shield that we may transfer to third-party service providers. If we are, and our third-party service providers process Personal Data in a manner inconsistent with the Privacy Shield Principles, we are responsible and liable for the harm caused, unless we prove that we are not responsible for the event giving rise to the damage.

Security

We maintain security measures to protect Personal Data as described in the “Security” section of this Privacy Policy.

Data Integrity and Purpose Limitation

We take reasonable steps to ensure that Personal Data is reliable for its intended use, and that it is accurate, complete and current for as long as we retain it. We will retain the data as long as necessary for the following purposes: delivering the Services, engaging in customer service, complying with legal obligations, auditing, performing security and fraud prevention, responding to legal and regulatory inquiries, and preserving or defending our legal rights or those of other users or third parties.

Access

European Union users have certain rights to access, correct, amend, or delete Personal Data where it is inaccurate, or has been processed in violation of the Privacy Shield Principles. Please see the “Your Rights” section above for more information on the rights of users in the EU (and, to the extent applicable, users in Switzerland).

Recourse, Enforcement, Liability

In compliance with the Privacy Shield Principles, Persona commits to resolve complaints about our processing of your Personal Data. European Union, United Kingdom, and Swiss users with inquiries or complaints regarding this Privacy Shield Policy should first contact Persona as follows:

Email: privacy@withpersona.com

Mail to: Persona Identities, Inc.
Attention: Privacy Shield
981 Mission Street #95
San Francisco, California, 94103
United States of America

We must respond to such inquiries or complaints within 45 days.

We have further committed to refer unresolved Privacy Shield complaints to an alternative dispute resolution provider. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider JAMS (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield. Persona will cooperate with JAMS pursuant to the JAMS International Mediation Rules, available on the JAMS website at https://www.jamsadr.com/international-mediation-rules/.

If your complaint is not resolved through these channels, under certain conditions a binding arbitration option may be available before a Privacy Shield Panel. For additional information, please visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

We are subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to Personal Data received or transferred pursuant to the Frameworks.

Links to other websites

The Service may contain links to other websites not operated or controlled by Persona, including social media services (“Third Party Sites”). The information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third Party Sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. Please contact the Third Party Sites directly for information on their privacy practices and policies.

Cookies

We and our partners use cookies to operate and administer our Site, make it easier for you to use the Site during future visits, and gather usage data on our Site.

For more information about the cookies used on our Site, please refer to our Cookie Policy, which forms part of this Privacy Policy.

Security

You use the Service at your own risk. We comply with industry standards to protect Personal Data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration or destruction. However, no Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Service or e-mail. Please keep this in mind when disclosing any Personal Data to Persona via the Internet. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.

Your Choices

Whether or not you provide Personal Data to us is completely up to you, but if you choose not to provide information that is needed to use some features of our Site, you may be unable to use those features. You can also contact us to request access to your data or to ask us to update, correct, or delete your Personal Data.

Changes to the privacy policy

The Service and our business may change from time to time. As a result, we may change this Privacy Policy at any time. When we do, we will post an updated version on this page, unless another type of notice is required by the applicable law. By continuing to use our Service or providing us with Personal Data after we have posted an updated Privacy Policy, or notified you if applicable, you consent to the revised Privacy Policy and practices described in it.

Contact Us

If you have any questions about our Privacy Policy or the information practices of the Site, please feel free to contact us at privacy@withpersona.com.

If you are an individual in the EU, you can also contact Jack Baylor, who is based in the Republic of Ireland and has been appointed as Persona’s representative in the EU pursuant to Article 27 of the GDPR on matters related to the processing of personal data activities that take place in the EU. To make such an inquiry, please contact Jack Baylor at privacy@withpersona.com.