How We Collect and Use Personal Data to Provide the Service
This section describes the Personal Data we collect and how we use it in order to provide the Service to our Customers. Personal Data means information that relates to an identified or identifiable individual.
You provide Personal Data to us at the direction of our Customers so that our Customer may verify your identity and/or prevent fraud. In the course of performing the Service, we may also obtain Personal Data from other sources such as third party databases, government records, and other publicly available sources. The Personal Data we collect varies based on what you provide, what the Customer has directed us to analyze, and what Personal Data is available from third parties.
You may directly provide:
- Name and contact information, including name, email address, address, and phone number;
- Demographic data, including birthdate and age;
- Files you upload, such as tax forms and utility bills;
- Government documents and identifiers, such as driver's license and Social Security Number; and
- Photos of you, namely the selfie you provide and from your government identification document.
Our Services may also collect the following from you, our Customer, or third parties:
- Current and previous name and contact information, including name, email address, address, and phone number;
- Demographic data, including birthdate and age, gender, marital status, and similar demographic details;
- Government documents and identifiers, such as drivers license and Social Security Numbers;
- Device information, including IP address, device type, your device’s operating system, browser, cookie and device identifiers, and other software including type, version, language, settings, and configuration;
- Account information, such as details about your account with our Customer or other third parties;
- Geolocation data; and
- Biometric Data, including a scan of your facial geometry based on the photos you provide. For more information about Biometric Data, see the Facial Scan and Biometrics Information section below.
Based on the Personal Data we collect from you and other sources, we infer information about you for identity verification and fraud prevention purposes. For example, we may use certain information about you including your IP address and home address to inform our verification process.
Some data that we collect automatically is collected through cookies and similar technologies. See our Cookies section below to learn more.
We use Personal Data to provide our Customers with the Service so they can verify the identity of individuals and prevent fraud. This processing is necessary to perform our contract with our Customers. As part of performing the Service, we use Personal Data to improve and troubleshoot our Services.
How We Disclose Personal Data
We may engage third parties to assist us in providing the Services, in which case we may disclose Personal Data to them. We may also disclose Personal Data to service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers; and identity verification services, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers. For example, we may disclose your name and address to a third party database provider in order to request information they may have about you. Pursuant to our instructions, these parties will access, process or store Personal Data while performing their duties to us. We may also disclose Personal Data when required to do so by law.
Facial Scan and Biometrics Information
This section describes how Persona treats scans of facial geometry extracted from photos.
Persona, acting as a service provider to the Customer:
- compares the data from a scan of facial geometry extracted from the government identification document that you upload to the data from a scan of facial geometry extracted from the photos of your face that you upload, in order to help verify your identity (“Verification”); and
- may also use your information, including data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, to detect and prevent fraud (“Fraud Prevention”).
The images obtained from government identification document and photos of your face that you upload, and data from scans of facial geometry extracted from the government identification document and photos of your face that you upload, are collected, used and stored directly by Persona on behalf of Customer as Customer’s service provider through Customer’s website or app that you accessed. Depending on our relationship with the Customer, the Customer may upload your government identification document and photos of your face directly to us.
Persona securely stores all photos of identity documents that you upload, photos of your face that you upload, and data from scans of facial geometry extracted from the photos of your face that you upload in an encrypted format. Persona’s third-party vendors may have access to the data from scans of facial geometry extracted from the photos of your face that you upload to provide some or all of the analysis, to store the data, to maintain backup copies, and to service the systems on which such data is stored. Persona will permanently destroy data from scans of facial geometry extracted from the photos of your face that you upload upon completion of Verification or within three years of your last interaction with Persona, consistent with the Customer’s instructions unless Persona is otherwise required by law or legal process to retain the data.
Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure data from scans of facial geometry extracted from the photos of your face that you upload in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease, trade, or, other than to provide the Verification and Fraud Prevention services to Customer described in this policy, otherwise benefit from data from scans of facial geometry extracted from the photos of your face that you upload. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate data from scans of facial geometry extracted from the photos of your face that you upload unless doing so:
- Completes a Customer transaction requested and authorized by you or your legally authorized representative;
- Is required by state or federal law, or municipal ordinance;
- Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or
- Is expressly consented to by you.
Choices Regarding Personal Data
Persona is the data processor for the processing of Personal Data on behalf of its Customers. If you are an individual whose identity has been verified through Persona, please contact the appropriate Customer to exercise any rights that you may have under applicable law. If you have further concerns or questions regarding the processing of your Personal Data, please email email@example.com.
Personal Data Collected From Customers and Site Visitors
The Personal Data we collect depends on how you interact with us, the services you use, and the choices you make.
We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.
Information you provide directly. We collect Personal Data you provide to us. For example:
- Name and contact information. We collect name, username or alias, and contact details such as email address, postal address, and phone number.
- Demographic data. In some cases, such as when you register or participate in surveys, we request that you provide age, gender, marital status, and similar demographic details.
- Payment information. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.
- Content and files. We collect the photos, documents, or other files you upload to our services; and if you send us email messages or other communications, we collect and retain those communications.
Information we collect automatically. When you use our services, we collect some information automatically. For example:
- Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookies, Mobile IDs, and Similar Technologies section below, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.
- Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our apps or online services.
- Usage data. We automatically log your activity on our websites, apps and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website.
Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.
Information we obtain from third-party sources. We also obtain information from third parties. These third-party sources include, for example:
- Data brokers. Data brokers and aggregators from which we obtain data to supplement the data we collect.
- Third party partners. Third party applications and services, including social networks you choose to connect with or interact with through our services.
- Co-branding/marketing partners. Partners with which we offer co-branded services or engage in joint marketing activities
- Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.
- Publicly available sources. Public sources of information such as open government databases.
When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.
Cookies, Mobile IDs, and Similar Technologies
How we use Personal Data
- Product and service delivery, including to provide and deliver our services, including troubleshooting, improving our services, and personalizing our services;
- Business operations, including to operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations;
- Product improvement, development, and research, including to develop new services or features, and conduct research;
- Personalization, including to understand you and your preferences to enhance your experience and enjoyment using our services;
- Customer support, including to provide customer support and respond to your questions;
- Communications, including to send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
- Marketing, including to communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners (see the Choice and Control section of this privacy statement for how to change your preferences for promotional communications); and
- Advertising, including to display advertising to you (see the Cookies section of this privacy statement for information about personalized advertising and your advertising choices).
How we disclose Personal Data
We disclose Personal Data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, with the types of third parties described below, for the following business purposes:
Third party analytics and advertising companies also collect Personal Data through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in the Cookies section of this statement. These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.
Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy statements. Finally, we may share de-identified information in accordance with applicable law.
To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we use your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Choice and Control of Personal Data
Communications preferences. You can choose whether to receive promotional communications from us by email, mail, and telephone. If you receive promotional email from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.
Choices for Cookies and Similar Technologies. See the Cookies section for choices about cookies and other analytics and advertising controls.
European Data Protection Rights
If the processing of Personal Data about you is subject to European Union data protection law, you have certain rights with respect to that data:
- You can request access to, and rectification or erasure of, Personal Data;
- If any automated processing of Personal Data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the Personal Data in a usable and portable format;
- If the processing of Personal Data is based on your consent, you can withdraw consent at any time for future processing;
- You can object to, or obtain a restriction of, the processing of Personal Data under certain circumstances; and
- For residents of France, you can send us specific instructions regarding the use of your data after your death.
To make such requests please use the contact information at the bottom of this statement. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.
We rely on different lawful bases for collecting and processing Personal Data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests.
California Privacy Rights
The CCPA requires us to describe the categories of Personal Data we sell to third parties and how to opt-out of future sales. The CCPA defines Personal Data to include online identifiers, including IP addresses, cookies IDs, and mobile IDs. The law also defines a “sale” broadly to include simply making data available to third parties in some cases. We let advertising and analytics providers collect IP addresses and cookie IDs along with associated device and usage data, when you access our Website, but we do not “sell” any other Personal Data.
We do not knowingly sell the Personal Data of minors under 16 years of age.
Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided Personal Data to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed Personal Data to any third parties for the third parties’ direct marketing purposes.
Please be aware that we do not disclose Personal Data to any third parties for their direct marketing purposes as defined by this law.
California Customers may request further information about our compliance with this law by e-mailing firstname.lastname@example.org. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.
If you have reason to believe that a child under the age of 13 has provided Personal Data to Persona through the Service, please contact us and we will endeavor to delete that information from our databases.
Location of Personal Data
The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers maintain facilities. Currently, we primarily use data centers in the United States. The storage location(s) are chosen to operate efficiently and improve performance. We take steps designed to ensure that the data we collect under this statement is processed and protected according to the provisions of this statement and applicable law wherever the data is located.
Location of Processing European Personal Data. We transfer Personal Data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections. To learn more about the European Commission’s decisions on the adequacy of Personal Data protections, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
EU-U.S. / Swiss-U.S. Privacy Shield. We also participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Although the Privacy Shield Frameworks have been ruled invalid as a legal basis for data transfers to the U.S., we continue to comply with the Privacy Shield Principles with respect to Personal Data transferred from the EEA, UK, and Switzerland to the United States. Our controlled U.S. subsidiaries, as identified in our self-certification, also adhere to the Privacy Shield Principles. If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If third-party agents process Personal Data on our behalf in a manner inconsistent with the Privacy Shield Principles, we remain liable unless we prove we are not responsible for the event giving rise to any damages. If you have a question or complaint related to our compliance with the Privacy Shield Principles, please contact us as indicated at the bottom of this privacy statement. For any complaints related to the Privacy Shield that cannot be resolved with us directly, you may refer the matter to JAMS, an independent dispute resolution body, at https://www.jamsadr.com/eu-us-privacy-shield. Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints under the Privacy Shield not resolved by other means.
You use the Service at your own risk. We comply with industry standards to protect Personal Data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration or destruction. However, no Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Service or e-mail. Please keep this in mind when disclosing any Personal Data to Persona via the Internet. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.
To help us protect Personal Data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.
If you are an individual in the EU, you can also contact Jack Baylor, who is based in the Republic of Ireland and has been appointed as Persona’s representative in the EU pursuant to Article 27 of the GDPR on matters related to the processing of Personal Data activities that take place in the EU. To make such an inquiry, please contact Jack Baylor at email@example.com.