Last updated: 12/19/2023
California Customers and visitors to our Site can find specific disclosures, including “Notice at Collection” details, by clicking here.
How We Collect and Use Personal Data to Provide the Service
This section describes the Personal Data we collect and how we use it in order to provide the Service to our Customers. Personal Data means information that relates to an identified or identifiable individual.
You provide Personal Data to us at the direction of our Customers so that our Customer may verify your identity and/or prevent fraud. In the course of performing the Service, we may also obtain Personal Data from other sources such as third party databases, government records, and other publicly available sources. The Personal Data we collect varies based on what you provide, what the Customer has directed us to analyze, and what Personal Data is available from third parties.
You may directly provide:
- Name and contact information, including name, email address, address, and phone number;
- Demographic data, including birthdate and age;
- Files you upload, such as tax forms and utility bills;
- Government documents and identifiers, such as driver's license and Social Security Number; and
- Audio, Video, and Photos of you, namely from the selfie you provide and from your government identification document.
Our Services may also collect the following from you, our Customer, or third parties:
- Current and previous name and contact information, including name, email address, address, and phone number;
- Demographic data, including birthdate and age, gender, marital status, and similar demographic details;
- Government documents and identifiers, such as driver's license and Social Security Numbers;
- Device information, including IP address, device type, your device’s operating system, browser, cookie and device identifiers, and other software including type, version, language, settings, and configuration;
- Account information, such as details about your account with our Customer or other third parties;
- Geolocation data; and
- Biometric Data, including a scan of your facial geometry based on the photos you provide. For more information about Biometric Data, see the Facial Scan and Biometrics Information section below.
Based on the Personal Data we collect from you and other sources, we infer information about you for identity verification and fraud prevention purposes. For example, we may use certain information about you including your IP address and home address to inform our verification process.
Some data that we collect automatically is collected through cookies and similar technologies. See our Cookies section below to learn more.
We use Personal Data to provide our Customers with the Service so they can verify the identity of individuals and prevent fraud. This processing is necessary to perform our contract with our Customers. As part of performing the Service, we use Personal Data to improve and troubleshoot our Services.
Wireless Operator Authorization
How We Disclose Personal Data
We may engage third parties to assist us in providing the Services, in which case we may disclose Personal Data to them. We may also disclose Personal Data to service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers; and identity verification services, mobile device operators, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers. For example, we may disclose your name and address to a third party database provider in order to request information they may have about you. Pursuant to our instructions, these parties will access, process or store Personal Data while performing their duties to us. We may also disclose Personal Data when required to do so by law.
Facial Scan and Biometrics Information
This section describes how Persona treats scans of facial geometry extracted from photos.
Persona, acting as a service provider to the Customer:
- compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photos of your face that you upload, in order to help verify your identity (“Verification”); and
- may also use your information, including data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, to detect and prevent fraud (“Fraud Prevention”).
The images obtained from the government identification document and photos of your face that you upload, and data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, are collected, used and stored directly by Persona on behalf of Customer as Customer’s service provider through Customer’s website or app that you accessed. Depending on our relationship with the Customer, the Customer may upload your government identification document and photos of your face directly to us.
Persona securely stores all photos of identity documents that you upload, photos of your face that you upload, and data from scans of facial geometry extracted from the photos of your face that you upload in an encrypted format. Persona’s third-party vendors may have access to the data from scans of facial geometry extracted from the photos of your face that you upload to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored. Persona will permanently destroy data from scans of facial geometry extracted from the photos of your face that you upload upon completion of Verification or within three years of your last interaction with Persona, consistent with the Customer’s instructions unless Persona is otherwise required by law or legal process to retain the data.
Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure data from scans of facial geometry extracted from the photos of your face that you upload in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease, trade, or, other than to provide the Verification and Fraud Prevention services to Customer described in this policy, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you upload unless doing so:
- Completes a Customer transaction requested and authorized by you or your legally authorized representative;
- Is required by state or federal law, or municipal ordinance;
- Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or
- Is expressly consented to by you.
Choices Regarding Personal Data
Persona is the data processor for the processing of Personal Data on behalf of its Customers. If you are an individual whose identity has been verified through Persona, please contact the appropriate Customer to exercise any rights that you may have under applicable law. If you have further concerns or questions regarding the processing of your Personal Data, please email [email protected].
Class Action Waiver
YOU AND PERSONA IDENTITIES, INC., INCLUDING ITS PARENTS, SUBSIDIARIES, AFFILIATES, SUCCESSORS, AND ASSIGNS (“COMPANY”) AGREE THAT ANY PROCEEDINGS TO RESOLVE OR LITIGATE ANY DISPUTE WILL BE CONDUCTED SOLELY ON AN INDIVIDUAL BASIS, AND THAT NEITHER YOU NOR COMPANY WILL SEEK TO HAVE ANY DISPUTE HEARD AS A CLASS ACTION, A REPRESENTATIVE ACTION, A COLLECTIVE ACTION, A PRIVATE ATTORNEY-GENERAL ACTION, OR IN ANY PROCEEDING IN WHICH YOU OR COMPANY ACTS OR PROPOSES TO ACT IN A REPRESENTATIVE CAPACITY. YOU AND COMPANY FURTHER AGREE THAT NO PROCEEDING WILL BE JOINED, CONSOLIDATED, OR COMBINED WITH ANOTHER PROCEEDING WITHOUT THE PRIOR WRITTEN CONSENT OF YOU, COMPANY, AND ALL PARTIES TO ANY SUCH PROCEEDING. THIS CLASS ACTION WAIVER COVERS ALL DISPUTES BETWEEN YOU AND COMPANY AND ALSO INCLUDES ANY DISPUTE BETWEEN YOU AND ANY OFFICER, DIRECTOR, BOARD MEMBER, AGENT, EMPLOYEE, VENDOR, AFFILIATE, OR CLIENT OF COMPANY, IF COMPANY COULD BE LIABLE, DIRECTLY OR INDIRECTLY, FOR SUCH DISPUTE.
The Personal Data we collect depends on how you interact with us, the services you use, and the choices you make.
We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.
Information you provide directly. We collect Personal Data you provide to us. For example:
- Name and contact information. We collect name, username or alias, and contact details such as email address, postal address, and phone number.
- Demographic data. In some cases, such as when you register or participate in surveys, we request that you provide age, gender, marital status, and similar demographic details.
- Payment information. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.
- Content and files. We collect the photos, documents, or other files you upload to our services; and if you send us email messages or other communications, we collect and retain those communications.
Information we collect automatically. When you use our services, we collect some information automatically. For example:
- Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookies, Mobile IDs, and Similar Technologies section below, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.
- Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our apps or online services.
- Usage data. We automatically log your activity on our websites, apps and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website.
Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.
Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:
- Data brokers. Data brokers and aggregators from which we obtain data to supplement the data we collect.
- Third party partners. Third party applications and services, including social networks you choose to connect with or interact with through our services.
- Co-branding/marketing partners. Partners with which we offer co-branded services or engage in joint marketing activities.
- Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.
- Publicly available sources. Public sources of information such as open government databases.
When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.
- Product and service delivery, including to provide and deliver our services, including troubleshooting, improving our services, and personalizing our services;
- Business operations, including to operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations;
- Product improvement, development, and research, including to develop new services or features, and conduct research;
- Personalization, including to understand you and your preferences to enhance your experience and enjoyment using our services;
- Customer support, including to provide customer support and respond to your questions;
- Communications, including to send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
We disclose Personal Data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, with the types of third parties described below, for the following business purposes:
Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy statements. Finally, we may share de-identified information in accordance with applicable law.
Some of the data disclosures to these third parties may be considered a “sale” or “sharing” of Personal Data as defined under the laws of California and other U.S. states. Please see the Choice and Control and California Privacy Rights sections for more details.
We retain Personal Data for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and our legal or contractual obligations.
We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.
Access, portability, correction, and deletion. If you wish to access, correct, or delete Personal Data about you that we hold, you may use this form or email [email protected] to make your request.
Communications preferences. You can choose whether to receive promotional communications from us by email and telephone. If you receive promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.
Data sales and targeted advertising. Some privacy laws define “sale” broadly to include some of the disclosures described in the How We Disclose Personal Data section above. To opt-out from such data “sales” or targeted advertising, click on “Do Not Sell or Share My Personal Information” on the footer of our website.
Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the Personal Data. Further, we may decline a request where we are unable to authenticate you as the person to whom the Personal Data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal as described in the Contact Us section below.
European, UK, Swiss Data Protection Rights
If the processing of Personal Data about you is subject to European Union, United Kingdom, and/or Swiss data protection laws, you have certain rights with respect to that data:
- You can request access to, and rectification or erasure of, Personal Data;
- If any automated processing of Personal Data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the Personal Data in a usable and portable format;
- If the processing of Personal Data is based on your consent, you can withdraw consent at any time for future processing;
- You can object to, or obtain a restriction of, the processing of Personal Data under certain circumstances; and
- For residents of France, you can send us specific instructions regarding the use of Personal Data after your death.
To make such requests please contact us as described in the Contact Us section below. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.
We rely on different lawful bases for collecting and processing Personal Data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests.
If you are a California resident and the processing of Personal Data about you is subject to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have certain rights with respect to that information.
Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of Personal Data, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this policy by clicking on the above links.
Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate Personal Data and that we delete Personal Data under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, email us at [email protected].
Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of Personal Data as those terms are defined by the CCPA.
If you do not wish for us or our partners to “sell” or “share” Personal Data relating to your visits to our websites for advertising purposes, you can make your request by clicking on the Do Not Sell or Share My Personal Information page, using a Global Privacy Control, or emailing us at [email protected]. If you opt-out using these choices, we will not share or make available such Personal Data in ways that are considered a “sale” or “sharing” under the CCPA. However, we will continue to make available to our partners (acting as our service providers) some Personal Data to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” or “shared” Personal Data or stop all interest-based advertising.
We do not knowingly sell or share the Personal Data of minors under 16 years of age.
Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive Personal Data for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use Sensitive Personal Data for any such additional purposes.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA/CPRA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
Further, to provide, correct, or delete specific pieces of Personal Data, we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. For some types of Personal Data we may have, there may be no reasonable method by which we can verify your identity as the person to whom that data relates.
Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA/CPRA.
Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties’ direct marketing purposes.
Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law.
California Customers may request further information about our compliance with this law by e-mailing [email protected]. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.
Location of Personal Data
The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. Currently, we primarily use data centers in the United States and Germany. The storage location(s) are chosen to operate efficiently and improve performance. We take steps designed to ensure that Personal Data is processed and protected as described in this policy wherever the data is located.
Location of Processing European Personal Data. We transfer Personal Data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If third-party agents process Personal Data on our behalf in a manner inconsistent with the Data Privacy Framework Principles, we remain liable unless we prove we are not responsible for the event giving rise to any damages. If you have a question or complaint related to our compliance with the Data Privacy Framework Principles, please contact us as described in the Contact Us section below.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Persona commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints under the EU-U.S. Data Privacy Framework Principles, Swiss-U.S. DPF Principles, and the UK-Extension Framework not resolved by other means.
We take reasonable and appropriate steps to help protect Personal Data from unauthorized access, use, disclosure, alteration, and destruction.
To help us protect Personal Data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.
Our postal address is Persona Identities, Inc., 981 Mission Street #95, San Francisco, CA 94103, United States.
Our data protection representative for the European Economic Area and Switzerland is George Barry, 4 St Christopher's Rd, Montenotte, Cork, T23 E9TR, Ireland. To make an inquiry to George Barry, please contact [email protected].
Our data protection representative for the UK is: S. Alec Lawton, Graigwen, Plasycoed road, Pontypool Torfaen, NP4 6QH, UK. To make an inquiry to S. Alec Lawton, please contact [email protected].
To reach our data protection office (DPO), please contact them at [email protected].