Controller Privacy Policy
Last Updated: April 10, 2026
This Controller Privacy Policy explains how Persona Identities, Inc. (“Persona,” “we,” “us,” or “our”) collects, uses, and discloses personal data when we act as a data controller (or similar role under applicable law) for our services. These services include Relay, Persona Wallet, age assurance services, and identity verification services (together, the “Services”). It applies to the following individuals who have a direct relationship with us:
A. Direct users of Relay;
B. Direct users of Persona Wallet (also known as Reusable Persona); and
C. Individuals who are using Services through partnering customers (“partnering customers”).
How we handle your personal data depends on your relationship with us. We explain those differences in Section 1 (“Relationship-Specific Information”). Sections 2 through 11 apply to everyone listed above.
This Controller Privacy Policy does not apply to personal data we process as a service provider or data processor. Individuals using our Services through business customers where we are the processor or service provider should look at the privacy disclosures provided by the customers with whom they have a direct relationship. You may also learn about our data handling practices as a processor in our Processor Privacy Policy.
Where Persona processes "nonpublic personal information" subject to the GLBA, such data will be governed by our GLBA Privacy Notice.
See FAQ about Relay here.
See FAQ about Persona Wallet (also known as Reusable Persona) here.
1. Relationship-Specific Information
A. Direct users of Relay
Relay allows you to confirm certain information about yourself (a “claim”), such as your age or whether you are a real person, as part of your interaction with a business.
Once you verify a particular claim (e.g., a certain age) and the request to evaluate the claim is completed, all supporting information collected during the verification process is deleted.
The claim result is transmitted using security measures intended to prevent unauthorized access and restrict access to the business requesting the verification.
Personal Data We Collect and Process
The information we collect depends on the claim requested. We do not require all of the information listed below for every claim request. Depending on the request, you may be asked to provide only a subset of the following information:
Name.
Contact Information, including email address, postal address, and phone number.
Demographic Data, including birthdate and age.
Uploaded Content, including a photo or video of you (i.e. selfie) and a photo or video of your government issued identity document (such as driver’s license or passport), together with any personal data contained on the face of the document and within the NFC chip that corresponds to the information on the face of the document (if your identity document is NFC compatible).
Biometric Information, which we use for the purpose of age estimation.
We may also collect the following information from you, our customer, or third parties to determine and perform the appropriate check for your jurisdiction and to support compliance with applicable laws and regulations:
Identifiers and Device Information: Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration.
Geolocation Data: Depending on your device and app settings, we collect geolocation data when you use the Service. We do not collect precise geolocation data. We infer your general geographic location (such as city, state, and country) based on your IP address.
Usage Data: We log your activity during the verification process, including how long it takes to complete the verification, access times, from which IP address, and other details about your use of and actions such as copy and paste detection.
Persona does not store your facial geometry, as such biometric information is deleted upon completion of your requested verification. Please also see Section 2 “Facial Scans and Biometric Information”.
We also use non-advertising cookies and similar technologies to operate our online Services and to help collect data, such as usage data, identifiers, and device information. For more information about what cookies and similar technologies we use and how we use them, see our Cookie Policy.
How We Use Personal Data and Our Legal Basis for Processing
We use the personal data we collect for purposes described in this Controller Privacy Policy or as otherwise disclosed to you at the time of collection. The following table provides details on our purposes for processing your personal data and the related legal bases on which we rely. Where we rely on legitimate interests, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms. We will only use your personal data where we are permitted to do so by applicable law. Under European Economic Area (EEA), United Kingdom (UK), and Switzerland data protection law, the use of personal data must be justified under one of a number of legal grounds. For EEA, UK and Swiss users of Relay, the principal legal grounds that justify our use of your personal data are set out in the table below. In other jurisdictions, if consent is required under applicable data protection law, we will seek and rely on your consent.
We do not use your personal data, including biometric data, for any AI or model training.
PURPOSE | TYPE OF DATA (SEE PERSONAL DATA WE COLLECT AND PROCESS FOR DEFINITIONS) | OUR LEGAL JUSTIFICATIONS (EACH CALLED A ‘LEGAL BASIS’) UNDER DATA PROTECTION LAW, FOR EACH PURPOSE |
|---|---|---|
Providing and delivering Relay to you, including operating and troubleshooting Relay | Name Contact Information Uploaded Content Government Identifiers Biometric Information Demographic Data Geolocation Data Identifiers and Device Information Usage Data | To perform our contract with you for use of Relay and to fulfill our obligations under applicable terms of service. Necessary for our legitimate interests to operate and provide Relay. Consent (to process your Biometric Information in order to identify you). |
Promoting security of Relay and detecting fraudulent acts by bad actors including verifying that the individual using Relay is the individual they purport to be. | Name Contact Information Uploaded Content Government Identifiers Biometric Information Demographic Data Geolocation Data Identifiers and Device Information Usage Data | Necessary for our legitimate interests to detect or prevent illegal activities (e.g., fraud prevention); and/or to manage the security of our IT infrastructure, and the safety and security of our customers and users. Consent (to process your Biometric Information in order to identify you). |
To provide customer support and respond to your questions. | This depends on the nature of support requested and/or your question but may include the following: Name Contact Information | Necessary for our legitimate interests to operate and provide Relay. |
How We Disclose Personal Data
We send the claim result (e.g., “pass/fail”) to the business you are verifying to access.
Please also see Section 3 “How We Disclose Personal Data” below.
Data Retention
We delete all personal data once your claim has been verified and the request to evaluate the claim is complete.
B. Direct users of Persona Wallet
Persona Wallet (also known as Reusable Persona) allows you to save certain identity information in an encrypted Persona account and speed up future verification flows with other businesses that use Persona to verify your identity. For further information about the Persona Wallet, see here.
Use of Persona Wallet is managed by you. The personal data stored in the Persona Wallet is not readable by Persona in its encrypted form, and can only be unencrypted when you successfully authenticate to access the encryption key for the purpose of verification.
Personal Data We Collect and Process
The information we collect depends on the identity verification method used. We do not require all of the information listed below for every identity verification method. Depending on the method selected, you may be asked to provide only a subset of the following information:
Name.
Contact Information, including email address, postal address, and phone number.
Demographic Data, including sex, nationality, birthdate and age.
Uploaded Content, including a photo or video of you (i.e. selfie), a photo or video of your government issued identity document (such as driver’s license or passport), any personal data contained on the face of the document and within the NFC chip that corresponds to the information on the face of the document (if your identity document is NFC compatible), and any other relevant documents depending on your verification request. Your fingerprints are not collected.
Government Identifiers, such as National ID numbers.
Biometric Information, which we use for the purpose of uniquely identifying an individual.
We may also collect the following information from you, our customer, or third parties to determine and provide the appropriate identity verification method for your jurisdiction and to support compliance with applicable laws and regulations:
Identifiers and Device Information: Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration.
Geolocation Data: Depending on your device and app settings, we collect geolocation data when you use the Service. We do not collect precise geolocation data. We infer your general geographic location (such as city, state, and country) based on your IP address.
Usage Data: We log your activity during the verification process, including how long it takes to complete the verification, access times, from which IP address, and other details about your use of and actions such as copy and paste detection.
Account Identifiers: We may receive unique reference numbers from our customers, and provide unique reference numbers to our customers, to enable each of us to identify you in our systems ("Account Identifiers").
Additional Identity Data: We may verify personal data about you with our network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit bureaus, utility companies, mobile network providers and postal address databases. The types of this “Additional Identity Data” we obtain from these sources will vary depending on the verification checks available in the particular country. We also use service providers to determine your device’s location based on its IP address and to generate device identifiers.
Persona does not store your facial geometry, as such biometric information is deleted upon completion of your requested verification. Please also see Section 2 “Facial Scans and Biometric Information”.
We also use non-advertising cookies and similar technologies to operate our online Services and to help collect data, such as usage data, identifiers, and device information. For more information about what cookies and similar technologies we use and how we use them, see our Cookie Policy.
How We Use Personal Data and Our Legal Basis for Processing
We use the personal data we collect for purposes described in this Controller Privacy Policy or as otherwise disclosed to you at the time of collection. The following table provides details on our purposes for processing your personal data and the related legal bases on which we rely. Where we rely on legitimate interests, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms. We will only use your personal data where we are permitted to do so by applicable law. Under European Economic Area (EEA), United Kingdom (UK), and Switzerland data protection law, the use of personal data must be justified under one of a number of legal grounds. For EEA, UK and Swiss users of Persona Wallet, the principal legal grounds that justify our use of your personal data are set out in the table below. In other jurisdictions, if consent is required under applicable data protection law, we will seek and rely on your consent.
We do not use your personal data, including biometric data, for any AI or model training. We may use non-personal data to improve our Service to better detect fraud.
PURPOSE | TYPE OF DATA (SEE PERSONAL DATA WE COLLECT AND PROCESS FOR DEFINITIONS) | OUR LEGAL JUSTIFICATIONS (EACH CALLED A ‘LEGAL BASIS’) UNDER DATA PROTECTION LAW, FOR EACH PURPOSE |
|---|---|---|
Providing and delivering Persona Wallet to you, including performing the requested identity verification and operating and troubleshooting Persona Wallet | Name Contact Information Uploaded Content Government Identifiers Biometric Information Demographic Data Additional Identity Data Geolocation Data Identifiers and Device Information Usage Data Account Identifiers | To perform our contract with you for use of Persona Wallet and to fulfill our obligations under applicable terms of service. Necessary for our legitimate interests to operate and provide Persona Wallet. Consent (to process your Biometric Information in order to identify you). |
Promoting Security of Persona Wallet and detecting fraudulent acts by bad actors including verifying that the individual using Persona Wallet is the individual they purport to be. | Name Contact Information Uploaded Content Government Identifiers Biometric Information Demographic Data Geolocation Data Identifiers and Device Information Usage Data Account Identifiers | Necessary for our legitimate interests to detect or prevent illegal activities (e.g., fraud prevention); and/or to manage the security of our IT infrastructure, and the safety and security of our customers and users. Consent (to process your Biometric Information in order to identify you). |
To provide customer support and respond to your questions. | This depends on the nature of support requested and/or your question but may include the following: Name Contact Information Uploaded Content Government Identifiers Demographic Data Geolocation Data Identifiers and Device Information Usage Data Account Identifiers | Necessary for our legitimate interests to operate and provide Persona Wallet. |
How We Disclose Personal Data
We do not send personal data to any businesses without your consent. In the context of performing an identity verification requested by you, we may send select data in the Persona Wallet to the business you are verifying your identity to access, as disclosed to you when obtaining your consent.
Please note that the business is an independent controller of any copy of your personal data provided to that business, and the business’s use of such data is subject to the business’s privacy policy.
Please also see Section 3 “How We Disclose Personal Data” below.
Data Retention
Persona does not store your facial geometry, as such biometric data is deleted upon completion of your requested verification. We retain all other personal data for as long as necessary to provide the Persona Wallet and fulfill the verification you have requested.
We may also retain certain personal data to comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes, such as fraud detection and prevention and enhancing safety and security across our services. Because these needs can vary for different data types in the context of different services, actual retention periods will vary based on criteria such as the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and our legal obligations.
C. Individuals using Services through partnering customers
This section applies to you if you were directed to Persona through certain partnering customers notified to you when providing consent.
If you are a LinkedIn user, please see our LinkedIn-specific notice here.
If you are an Indeed user, please see our Indeed-specific notice here.
In connection with the Services, Persona will ask you to submit a photo of your government issued identity document, together with a selfie, to verify the authenticity of the identity document, confirm that you are the individual pictured in the identity document and prevent fraud. Persona may also request additional information to corroborate identity details via our network of third-party data partners. The Services will generate a verification result for the partnering customer, but it is the partnering customer that ultimately decides how it uses the verification result provided to it. If you have any questions about the outcome of a verification check relating to you or your identity document, please contact the appropriate partnering customer. This Controller Privacy Policy does not apply to our partnering customers’ use of your personal data or its privacy practices, and we encourage you to read the applicable partnering customer’s privacy disclosures.
Personal Data We Collect and Process
The information we collect depends on the verification requested. We do not require all of the information listed below for every verification method. Depending on the method selected, you may be asked to provide only a subset of the following information or other information disclosed to you when you consent:
Name.
Contact Information, including email address, postal address, and phone number.
Demographic Data, including sex, nationality, birthdate and age.
Uploaded Content, including a photo or video of you (i.e. selfie) and a photo or video of your government issued identity document (such as driver’s license or passport), together with any personal data contained on the face of the document and within the NFC chip that corresponds to the information on the face of the document (if your identity document is NFC compatible). Your fingerprints are not collected.
Government Identifiers, such as National ID numbers.
Biometric Information, which we use for the purpose of uniquely identifying an individual. Please also see Section 2 “Facial Scans and Biometric Information”.
Wireless Device Data, which consists of information about your account and wireless device, if available. To assist our customers in meeting business operations needs and to perform certain services and functions, you authorize your wireless carrier to use or disclose Wireless Device Data, if available, to us or our service provider for the duration of your business relationship with customers, solely to help them identify you or your wireless device and to prevent fraud.
We may also collect the following information from you, our customer, or third parties to determine and provide the appropriate verification method for your jurisdiction and to support compliance with applicable laws and regulations:
Identifiers and Device Information: Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration.
Geolocation Data: Depending on your device and app settings, we collect geolocation data when you use the Service. We infer your general geographic location (such as city, state, and country) based on your IP address. Unless otherwise disclosed to you at the time of the inquiry, we do not collect precise geolocation.
Usage Data: We log your activity during the verification process, including how long it takes to complete the verification, access times, from which IP address, and other details about your use of and actions such as copy and paste detection.
Account Identifiers: We may receive unique reference numbers from our customers, and provide unique reference numbers to our customers, to enable each of us to identify you in our systems ("Account Identifiers").
Additional Identity Data: We may verify personal data about you with our network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit bureaus, utility companies, mobile network providers and postal address databases. The types of this “Additional Identity Data” we obtain from these sources will vary depending on the verification checks available in the particular country. The purpose of the verification is never identified and your information is not sold to these third-party data sources. We also use service providers to determine your device’s location based on its IP address and to generate device identifiers.
We also use non-advertising cookies and similar technologies to operate our online Services and to help collect data, including usage data, identifiers, and device information. For more information about what cookies and similar technologies we use and how we use them, see our Cookie Policy.
How We Use Personal Data and Our Legal Basis for Processing
PURPOSE | TYPE OF DATA (SEE PERSONAL DATA WE COLLECT AND PROCESS FOR DEFINITIONS) | OUR LEGAL JUSTIFICATIONS (EACH CALLED A ‘LEGAL BASIS’) UNDER DATA PROTECTION LAW, FOR EACH PURPOSE |
|---|---|---|
Providing and delivering Services to you, including performing the requested verification and operating and troubleshooting the Services | Name Contact Information Uploaded Content Government Identifiers Biometric Information Demographic Data Additional Identity Data Geolocation Data Identifiers and Device Information Usage Data Account Identifiers | To perform our contract with you for use of the Services and to fulfill our obligations under applicable terms of service. Necessary for our legitimate interests to operate and provide the Services. Consent (to process your Biometric Information in order to identify you). |
Promoting Security of the Services and detecting fraudulent acts by bad actors including verifying that the individual using the Services is the individual they purport to be. | Name Contact Information Uploaded Content Government Identifiers Biometric Information Demographic Data Geolocation Data Identifiers and Device Information Usage Data Account Identifiers | Necessary for our legitimate interests to detect or prevent illegal activities (e.g., fraud prevention); and/or to manage the security of our IT infrastructure, and the safety and security of our customers and users. Consent (to process your Biometric Information in order to identify you). |
To provide customer support and respond to your questions. | This depends on the nature of support requested and/or your question but may include the following: Name Contact Information Uploaded Content Government Identifiers Demographic Data Geolocation Data Identifiers and Device Information Usage Data Account Identifiers | Necessary for our legitimate interests to operate and provide the Services. |
How We Disclose Personal Data
Where we have your consent to do so, we will disclose to the applicable partnering customers the personal data described in the notice provided to you when you consent.
Please also see Section 3 “How We Disclose Personal Data” below.
Data Retention
Subject to our partnering customers’ retention periods, we retain personal data for as long as necessary to provide the Services and fulfill the verification you have requested.
We may also retain certain personal data to comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes, such as fraud detection and prevention and enhancing safety and security across our services. Because these needs can vary for different data types in the context of different services, actual retention periods will vary based on criteria such as the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and our legal or contractual obligations.
2. Facial Scans and Biometric Information
This section describes how Persona treats scans of facial geometry extracted from the uploaded images of your identity documents and your selfie. Biometric information is generally understood to be unique physical characteristics such as your face geometry through which you can be identified or recognized. Persona collects, uses and stores biometric information as detailed below for the verification purposes disclosed to you when obtaining your consent.
Depending on the method selected and only as necessary to provide the Service, Persona may do the following:
If only selfie age estimation is used, we analyze data from a non-uniquely identifying facial geometry extracted from your selfie (“Age Estimation Scan Data”) to estimate your age. Age Estimation Scan Data is deleted immediately as soon as an outcome has been determined;
Compare a scan of facial geometry extracted from a government identification document that you upload to a scan of facial geometry extracted from a photo of your face that you upload (collectively “Identity Scan Data”), in order to perform the requested verification (“Verification”); and
Use your information, including Identity Scan Data, to detect and prevent fraud (“Fraud Prevention”).
Regarding Persona Wallet and Relay, Persona does not store any Age Estimation Scan Data or Identity Scan Data (collectively “Scan Data”).
Regarding partnering customers, Persona will delete your Identity Scan Data upon completion of Verification or within three years (or two years if you let us know you are a Colorado resident) of your last interaction with Persona for Fraud Prevention purposes, subject to the partnering customer-specific retention period disclosed to you when you consent. If Identity Scan Data is stored, Persona stores such data in an encrypted format. Age Estimation Scan Data is not stored as is deleted immediately as soon as an outcome has been determined.
Persona may use one or more secure cloud service providers to process biometric data for purposes of providing the Services, including: (i) Amazon Web Services (AWS); (ii) Google Cloud; and (iii) MongoDB.
Notice for Illinois Residents: Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure Scan Data in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease or trade Scan Data. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate Scan Data unless doing so:
Completes a transaction requested and authorized by you or your legally authorized representative;
Is required by state or federal law, or municipal ordinance;
Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or
Is expressly consented to by you.
3. How We Disclose Personal Data
We may also disclose your personal data to the below parties:
Service providers working on our behalf for the purposes described in this Controller Privacy Policy. For example, our data storage and hosting provider, and companies we've hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data to provide those functions.
Subsidiaries, only where access is needed to provide our services and operate our business.
Corporate transactions, only where required as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
Legal enforcement, only where necessary to comply with applicable law.
Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:
protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
protect the rights or property of ourselves or others, including enforcing our agreements, terms and policies.
We make these disclosures for purposes of providing and delivering the Services to you; promoting security of the Services and detecting fraudulent acts; and providing customer support.
4. Your Rights and Choices
We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law. We respond to all requests we receive from individuals in accordance with applicable laws.
Depending on where you are located and subject to applicable privacy laws, you may have the following privacy rights:
To access, correct, update or request deletion of your personal data.
To object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data (i.e., your data to be transferred in a readable and standardised format).
If we have collected and processed your personal data with your consent, then you can withdraw consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
We do not “sell”, “share” or otherwise process for consideration including monetary value or targeted advertising the personal data of individuals subject to this Controller Privacy Policy.
We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
For residents of Oregon, you may also have the right to request from us a list of specific third parties to whom we have disclosed your personal data.
For residents of France, you can send us specific instructions regarding the use of personal data after your death.
You also have the right to lodge a complaint with your local supervisory authority, but we encourage you to first contact us with any questions or concerns. For more information, please contact your local supervisory authority. If you are a UK resident, you may lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/.
If we decline to take action on a request, you may have the right to appeal our decision. In these cases, we will notify you providing our reasons for denying the request and instructions for how you can appeal the decision in accordance with applicable law.
To exercise any of your privacy rights, please feel free to use this form or contact us at idv-privacy@withpersona.com. When contacting us, please do not send us any personal data beyond what is required for us to communicate with you, such as copies of your government ID.
Residents of California may have certain additional privacy rights. Please refer to the Supplemental California Consumer Privacy Act Privacy Policy for more information.
For information about how you can control cookies and other similar tracking technologies please see our Cookie Policy.
5. Processing Locations and Data Transfers
Persona is headquartered in the United States, with offices in San Francisco and New York City as well as employees globally.
The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, service providers or third-party data partners process data. This means that we may process your personal data in and transfer your personal data to countries outside of the country in which you are based. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We take steps designed to ensure that personal data is processed and protected as described in this policy and in accordance with applicable law wherever the data is located.
Currently, we primarily use data centers in the United States and Germany to host your personal data. The storage location(s) are chosen to operate efficiently and improve performance.
We transfer personal data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland) or other available transfer mechanisms, to help ensure your rights and protections.
Compliance with Data Privacy Framework Principles
Persona complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Persona has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Persona has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Controller Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If third-party agents process personal data on our behalf in a manner inconsistent with the Data Privacy Framework Principles, we remain liable unless we prove we are not responsible for the event giving rise to any damages. If you have a question or complaint related to our compliance with the Data Privacy Framework Principles, please contact us as described in the Contact Us section below.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Persona commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints under the EU-U.S. Data Privacy Framework Principles, Swiss-U.S. DPF Principles, and the UK-Extension Framework not resolved by other means.
6. Automated Decision Making
Automated decision making means that a significant decision concerning you is made automatically based on a computer determination (using software algorithms), without human review.
Persona itself does not undertake automated decision making. In the case of partnering customers, the Service will generate a verification result for partnering customers, but it is the partnering customers that ultimately decides how they use the verification results provided to them (for example, whether to confirm your identity verification on your applicable profile). If you have any questions about the outcome of a verification check relating to you or your identity document, please contact the appropriate partnering customer.
7. Changes to this Controller Privacy Policy
We will update this Controller Privacy Policy when necessary to reflect changes in our services, how we use personal data, or the applicable law. When we post changes to the Controller Privacy Policy, we will revise the “Last Updated” date at the top of the Controller Privacy Policy. If we make material changes to the Controller Privacy Policy, we will provide additional notice regarding such changes if required by law.
8. Contact Us
If you have a privacy concern, complaint, or a question for Persona, please feel free to use this form or contact us at idv-privacy@withpersona.com.
Our postal address is Persona Identities, Inc., 981 Mission Street #95, San Francisco, CA 94103, United States.
Our data protection representative for the European Economic Area and Switzerland is Darina Byrne, 88 Harcourt Street, Dublin 2, DUBLIN, Ireland, D02 DK18. To make an inquiry to Darina Byrne, please contact idv-privacy@withpersona.com.
Our data protection representative for the UK is: S. Alec Lawton, Graigwen, Plasycoed road, Pontypool Torfaen, NP4 6QH, UK. To make an inquiry to S. Alec Lawton, please contact idv-privacy@withpersona.com.
To contact our data protection office (DPO) please feel free to contact them at dpo@withpersona.com
9. Supplemental Notice for Australian Residents
Persona will comply with the Privacy Act 1988(Cth) including the Australian Privacy Principles. If you wish to complain to the OAIC about how Persona has handled your personal information, you should first complain to us in writing. You may contact Persona with questions at idv-privacy@withpersona.com, or submit a complaint about any privacy issues through this webform. If we receive a complaint from you about how Persona has handled your personal information, we will acknowledge receipt of your complaint, investigate it in a timely manner, and determine what (if any) action should be taken to resolve the complaint. If we decide that a complaint should be investigated further, the complaint will usually be handled by our privacy and compliance team. We will take reasonable steps to address any substantiated issues and notify you of the outcome of our investigation. We will assess and handle complaints in accordance with our internal complaint handling policy.
If you believe that we have failed to resolve the privacy complaint satisfactorily, you have the option of contacting the Office of the Australian Information Commissioner (OIAC). Contact details of the OIAC may be found here.
10. Supplemental Notice for UK Residents
Fraud Prevention and Identity Verification. The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn.
11. Supplemental Notice for California Residents
If you are a California resident, please also see our California Consumer Privacy Act Privacy Policy.