Privacy Policy

This Persona Identities, Inc. (“Persona,” “we”, “us”, or “our”) Privacy Policy is divided into two parts. The first applies to individuals using the Persona Service to verify their identities. The second applies to our business customers (“Customers”) and visitors to our website (the “Site”).

Privacy Policy applicable to individuals verifying their identity through the Persona Service

Persona’s Customers offer the Persona service (the “Service”) to securely verify the identity of individuals (“you”). Persona processes Personal Data of individuals at the direction of its Customers. This section of the Privacy Policy explains how Persona, under the direction of its Customers, processes Personal Data in order to provide the Service for its Customers. Personal Data provided to Persona by Customers, and Personal Data provided to Customers from Persona, is subject to the Customers’ Privacy Policy. This section explains what Personal Data (defined below) we collect through the Service, how we use and share that data, and how individuals can exercise choices regarding their Personal Data.

How We Collect and Use Personal Data to Provide the Service

This section describes the Personal Data we collect and how we use it in order to provide the Service to our Customers. Personal Data means information that relates to an identified or identifiable individual.

You provide Personal Data to us at the direction of our Customers so that our Customer may verify your identity and/or prevent fraud. In the course of performing the Service, we may also obtain Personal Data from other sources such as third party databases, government records, and other publicly available sources. The Personal Data we collect varies based on what you provide, what the Customer has directed us to analyze, and what Personal Data is available from third parties.   

You may directly provide:

  • Name and contact information, including name, email address, address, and phone number; 
  • Demographic data, including birthdate and age; 
  • Files you upload, such as tax forms and utility bills;
  • Government documents and identifiers, such as driver's license and Social Security Number; and
  • Photos of you, namely the selfie you provide and from your government identification document.

Our Services may also collect the following from you, our Customer, or third parties: 

  • Current and previous name and contact information, including name, email address, address, and phone number; 
  • Demographic data, including birthdate and age, gender, marital status, and similar demographic details; 
  • Government documents and identifiers, such as drivers license and Social Security Numbers;
  • Device information, including IP address, device type, your device’s operating system, browser, cookie and device identifiers, and other software including type, version, language, settings, and configuration;
  • Account information, such as details about your account with our Customer or other third parties; 
  • Geolocation data; and 
  • Biometric Data, including a scan of your facial geometry based on the photos you provide. For more information about Biometric Data, see the Facial Scan and Biometrics Information section below.

Based on the Personal Data we collect from you and other sources, we infer information about you for identity verification and fraud prevention purposes.  For example, we may use certain information about you including your IP address and home address to inform our verification process. 

Some data that we collect automatically is collected through cookies and similar technologies.  See our  Cookies section below to learn more. 

We use Personal Data to provide our Customers with the Service so they can verify the identity of individuals and prevent fraud. This processing is necessary to perform our contract with our Customers. As part of performing the Service, we use Personal Data to improve and troubleshoot our Services.  

How We Disclose Personal Data

We may engage third parties to assist us in providing the Services, in which case we may disclose Personal Data to them. We may also disclose Personal Data to service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers; and identity verification services, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers. For example, we may disclose your  name and address to a third party database provider in order to request information they may have about you.  Pursuant to our instructions, these parties will access, process or store Personal Data while performing their duties to us.  We may also disclose Personal Data when required to do so by law. 

Facial Scan and Biometrics Information

This section describes how Persona treats scans of facial geometry extracted from photos. 

Persona, acting as a service provider to the Customer:

  • compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photos of your face that you upload, in order to help verify your identity (“Verification”); and
  • may also use your information, including data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, to detect and prevent fraud (“Fraud Prevention”).

The images obtained from government identification document and photos of your face that you upload, and data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, are collected, used and stored directly by Persona on behalf of Customer as Customer’s service provider through Customer’s website or app that you accessed.  Depending on our relationship with the Customer, the Customer may upload your government identification document and photos of your face directly to us.

Persona securely stores all photos of identity documents that you upload, photos of your face that you upload, and data from scans of facial geometry extracted from the photos of your face that you upload in an encrypted format. Persona’s third-party vendors may have access to the data from scans of facial geometry extracted from the photos of your face that you upload to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored. Persona will permanently destroy data from scans of facial geometry extracted from the photos of your face that you upload upon completion of Verification or within three years of your last interaction with Persona, consistent with the Customer’s instructions unless Persona is otherwise required by law or legal process to retain the data.      

Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure data from scans of facial geometry extracted from the photos of your face that you upload in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease, trade, or, other than to provide the Verification and Fraud Prevention services to Customer described in this policy, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you upload unless doing so: 

  • Completes a Customer transaction requested and authorized by you or your legally authorized representative; 
  • Is required by state or federal law, or municipal ordinance; 
  • Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or 
  • Is expressly consented to by you.

Choices Regarding Personal Data

Persona is the data processor for the processing of Personal Data on behalf of its Customers. If you are an individual whose identity has been verified through Persona, please contact the appropriate Customer to exercise any rights that you may have under applicable law. If you have further concerns or questions regarding the processing of your Personal Data, please email privacy@withpersona.com.

Privacy Policy applicable to Customers and Site visitors

Personal Data Collected From Customers and Site Visitors

The Personal Data we collect depends on how you interact with us, the services you use, and the choices you make.

We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Information you provide directly. We collect Personal Data you provide to us. For example:  

  • Name and contact information. We collect name, username or alias, and contact details such as email address, postal address, and phone number.
  • Demographic data. In some cases, such as when you register or participate in surveys, we request that you provide age, gender, marital status, and similar demographic details.
  • Payment information. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.
  • Content and files. We collect the photos, documents, or other files you upload to our services; and if you send us email messages or other communications, we collect and retain those communications.  

Information we collect automatically. When you use our services, we collect some information automatically. For example:

  • Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookies, Mobile IDs, and Similar Technologies section below, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.
  • Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our apps or online services.  
  • Usage data. We automatically log your activity on our websites, apps and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website.

Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.

Information we obtain from third-party sources.  We also obtain information from third parties. These third-party sources include, for example:

  • Data brokers. Data brokers and aggregators from which we obtain data to supplement the data we collect.
  • Third party partners.  Third party applications and services, including social networks you choose to connect with or interact with through our services.
  • Co-branding/marketing partners.  Partners with which we offer co-branded services or engage in joint marketing activities
  • Service providers.  Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.
  • Publicly available sources.  Public sources of information such as open government databases.

When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.

Cookies, Mobile IDs, and Similar Technologies

We use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.  

For more information about what cookies and similar technologies we use and how we use them, see our Cookie Policy.

How we use Personal Data

We use the Personal Data we collect for purposes described in this privacy policy or otherwise disclosed to you. For example, we collect and use the categories of Personal Data described above for the following purposes: 

  • Product and service delivery, including to provide and deliver our services, including troubleshooting, improving our services, and personalizing our services; 
  • Business operations, including to operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations;
  • Product improvement, development, and research, including to develop new services or features, and conduct research;
  • Personalization, including to understand you and your preferences to enhance your experience and enjoyment using our services;
  • Customer support, including to provide customer support and respond to your questions;
  • Communications, including to send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
  • Marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners (see the Choice and Control section of this privacy statement for how to change your preferences for promotional communications); and
  • Advertising, including to display advertising to you (see the Cookies section of this privacy statement for information about personalized advertising and your advertising choices).

How we disclose Personal Data

We disclose Personal Data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, with the types of third parties described below, for the following business purposes:

  • Public information. You may select options available through our services to publicly display and share your name and/or username and certain other information, such as your profile, demographic data, content and files, or geolocation data.
  • Service providers. We share Personal Data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we've hired to provide customer service support or assist in protecting and securing our systems and services may need access to Personal Data to provide those functions.
  • Financial services & payment processing. When you provide payment data, for example to make a purchase, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
  • Affiliates. We enable access to Personal Data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.
  • Corporate transactions. We may disclose Personal Data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
  • Legal and law enforcement. We will access, disclose, and preserve Personal Data when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
  • Security, safety, and protecting rights. We will disclose Personal Data if we believe it is necessary to:
    • protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
    • operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
    • protect the rights or property or ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and advertising companies also collect Personal Data through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in the Cookies section of this statement. These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy statements. Finally, we may share de-identified information in accordance with applicable law.

Data Retention

We keep Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a legitimate business need to do so, or as required by law (e.g. for tax, legal, accounting or other purposes), whichever is the longer.

To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Choice and Control of Personal Data

Communications preferences. You can choose whether to receive promotional communications from us by email, mail, and telephone. If you receive promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.  

Choices for Cookies and Similar Technologies. See the Cookies section for choices about cookies and other analytics and advertising controls.

European Data Protection Rights

If the processing of Personal Data about you is subject to European Union data protection law, you have certain rights with respect to that data:  

  • You can request access to, and rectification or erasure of, Personal Data;  
  • If any automated processing of Personal Data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the Personal Data in a usable and portable format;
  • If the processing of Personal Data is based on your consent, you can withdraw consent at any time for future processing;  
  • You can object to, or obtain a restriction of, the processing of Personal Data under certain circumstances; and
  • For residents of France, you can send us specific instructions regarding the use of your data after your death.

To make such requests please use the contact information at the bottom of this statement. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.

We rely on different lawful bases for collecting and processing Personal Data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests.

California Privacy Rights 

The CCPA requires us to describe the categories of Personal Data we sell to third parties and how to opt-out of future sales. The CCPA defines Personal Data to include online identifiers, including IP addresses, cookies IDs, and mobile IDs. The law also defines a “sale” broadly to include simply making data available to third parties in some cases.  We let advertising and analytics providers collect IP addresses and cookie IDs along with associated device and usage data, when you access our Website, but we do not “sell” any other Personal Data. 

If you do not wish for us or our partners to “sell” Personal Data relating to your visits to our Website for advertising purposes, you can make your Do Not Sell Request by clicking on the choices in Cookies and Similar Technologies section of this Privacy Policy. If you opt-out using these choices, we will not share or make available such Personal Data in ways that are considered a “sale” under the CCPA.  However, we will continue to make available to our partners (acting as our service providers) some Personal Data to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” Personal Data or stop all interest-based advertising. 

We do not knowingly sell the Personal Data of minors under 16 years of age.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties’ direct marketing purposes.  

Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law.

California Customers may request further information about our compliance with this law by e-mailing privacy@withpersona.com. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.  

Children

If you have reason to believe that a child under the age of 13 has provided Personal Data to Persona through the Service, please contact us and we will endeavor to delete that information from our databases.

Location of Personal Data

The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers maintain facilities. Currently, we primarily use data centers in the United States. The storage location(s) are chosen to operate efficiently and improve performance. We take steps designed to ensure that the data we collect under this statement is processed and protected according to the provisions of this statement and applicable law wherever the data is located.

Location of Processing European Personal Data. We transfer Personal Data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections. To learn more about the European Commission’s decisions on the adequacy of Personal Data protections, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.  

EU-U.S. / Swiss-U.S. Privacy Shield. We also participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Although the Privacy Shield Frameworks have been ruled invalid as a legal basis for data transfers to the U.S., we continue to comply with the Privacy Shield Principles with respect to Personal Data transferred from the EEA, UK, and Switzerland to the United States. Our controlled U.S. subsidiaries, as identified in our self-certification, also adhere to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.  

We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If third-party agents process Personal Data on our behalf in a manner inconsistent with the Privacy Shield Principles, we remain liable unless we prove we are not responsible for the event giving rise to any damages. If you have a question or complaint related to our compliance with the Privacy Shield Principles, please contact us as indicated at the bottom of this privacy statement. For any complaints related to the Privacy Shield that cannot be resolved with us directly, you may refer the matter to JAMS, an independent dispute resolution body, at https://www.jamsadr.com/eu-us-privacy-shield. Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints under the Privacy Shield not resolved by other means.

Security

You use the Service at your own risk. We comply with industry standards to protect Personal Data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration or destruction. However, no Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Service or e-mail. Please keep this in mind when disclosing any Personal Data to Persona via the Internet. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.

To help us protect Personal Data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.

Changes to the Privacy Policy

The Site, and our business may change from time to time. As a result, we may change this Privacy Policy at any time. When we do we will post an updated version on this page, unless another type of notice is required by the applicable law. By continuing to use our Service or providing us with Personal Data after we have posted an updated Privacy Policy, or notified you if applicable, you consent to the revised Privacy Policy and practices described in it.

Contact Us

If you have any questions about our Privacy Policy or the information practices of the Site, please feel free to contact us at privacy@withpersona.com.

If you are an individual in the EU, you can also contact Jack Baylor, who is based in the Republic of Ireland and has been appointed as Persona’s representative in the EU pursuant to Article 27 of the GDPR on matters related to the processing of Personal Data activities that take place in the EU. To make such an inquiry, please contact Jack Baylor at privacy@withpersona.com.

Persona Identities, Inc.
981 Mission Street #95 
San Francisco, CA 94103
United States of America