California Consumer Privacy Act Privacy Policy
Last Updated: April 10, 2026
This notice is intended to supplement our Controller Privacy Policy and Website Privacy Policy, and applies solely to residents of California (“consumers” or “you”) with respect to personal information we process as a business. Any terms defined in the California Consumer Privacy Act of 2018, as amended from time to time, including by the California Privacy Rights Act of 2020 and its implementing regulations (“CCPA”) have the same meaning when used in these disclosures. These disclosures do not reflect our collection, use or disclosures of California residents’ personal information, or data subject rights, where an exception or exemption under the CCPA applies.
Our Personal Information Handling Practices
We have set out below categories of personal information about California residents we have collected, and as applicable disclosed, for a business purpose in the preceding 12 months. The table is followed by a description of the purposes for which we collected personal information. If we process deidentified information, we will maintain the information in a deidentified form and not attempt to reidentify the information, except that we may attempt to reidentify the information solely for the purpose of determining whether deidentification processes used satisfy legal requirements.
“Website visitor” means a visitor to our website at withpersona.com and other sites that may link to this privacy policy. “Business customer” means an entity that uses our products and services for its business purposes. “Direct user of our Services” means a user of Persona Wallet and/or Relay. “Member of partnering customer” means users of certain business customers notified to them when providing their consent.
Category of personal information | Did we collect? If so, from what source? | Did we sell or share? If so, to whom and for what purpose? | Did we disclose? If so, to whom and for what purpose? |
|---|---|---|---|
Personal information | |||
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | Yes, from the consumer. | Yes, that of website visitors only; we may have “sold” or “shared” unique personal identifiers and IP addresses collected from website visitors to business partners for the purposes of supporting our advertising efforts. | Yes, to service providers where necessary to obtain services. |
Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | Yes, from the consumer. | No. | Yes, to service providers where necessary to obtain services. |
Characteristics of protected classifications under California or federal law. | Yes, from the consumer. | No. | Yes, to service providers where necessary to obtain services. |
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes, from website visitors including business customers. | No. | Yes, to service providers where necessary to obtain services. |
Biometric information. | Yes, from direct users of our Services and members of partnering customers. | No. | Yes, to service providers where necessary to obtain services. |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement. | Yes, from website visitors. | Yes, that of website visitors only; we may have “sold” or “shared” this category of personal information to business partners for the purposes of supporting our advertising efforts. | Yes, to service providers where necessary to obtain services. |
Geolocation data. | Yes, from the consumer. | Yes, that of website visitors only; we may have “sold” or “shared” IP addresses collected from website visitors to business partners for the purposes of supporting our advertising efforts. | Yes, to service providers where necessary to obtain services. |
Audio, electronic, visual, thermal, olfactory, or similar information. | Yes, from the consumer. | No. | Yes, to service providers where necessary to obtain services. |
Professional or employment-related information. | Yes, from business customers. | No. | Yes, to service providers where necessary to obtain services. |
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). | No. | No. | No. |
Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Yes, from business customers. | No. | Yes, to service providers where necessary to obtain services. |
Sensitive personal information | |||
A consumer’s social security, driver’s license, state identification card, or passport number. | Yes, from direct users of our Services and members of partnering customers. | No. | Yes, to service providers where necessary to obtain services. |
A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. | No. | No. | No. |
A consumer’s precise geolocation. | No. | No. | No. |
A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership. | Yes, from direct users of our Services and members of partnering customers. | No. | Yes, to service providers where necessary to obtain services. |
The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. | No. | No. | No. |
A consumer’s genetic data. | No. | No. | No. |
A consumer’s neural data. | No. | No. | No. |
The processing of biometric information for the purpose of uniquely identifying a consumer. | Yes, from direct users of our Services and members of partnering customers. | No. | Yes, to service providers where necessary to obtain services. |
Personal information collected and analyzed concerning a consumer’s health. | No. | No. | No. |
Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. | No. | No. | No. |
Business or Commercial Purpose for Collecting Personal Information
To perform the services or provide the goods reasonably expected by consumers in their role;
To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
To resist malicious, deceptive, fraudulent or illegal actions directed at us and to prosecute those responsible for those actions;
For short-term, transient use;
To perform services on behalf of us;
To verify or maintain the quality or safety of our services and products;
To update or enhance our services and products;
To perform functions that are required under laws that apply to us;
To market to consumers such as website visitors including business customers;
To collect or process it where such collection or processing is not for the purpose of inferring characteristics about a consumer such as to perform functions that are required under laws that apply to us and to support any claim or defense that we could face before any jurisdictional and/or administrative authority, arbitration, or mediation panel, and cooperating with – or informing – law enforcement or regulatory authorities to the extent required by law.
We do not have actual knowledge that we sell or share for cross context behavioral advertising, the personal information of California residents under 16 years of age.
CCPA Rights
As a California resident, you have the following rights under the CCPA:
The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you. You may only exercise your right to know twice within a 12-month period.
The right to delete personal information that we have collected from you, subject to certain exceptions.
The right to correct inaccurate personal information that we maintain about you.
The right to opt out of the sale or sharing of your personal information by us. We disclose the personal information of California website visitors including business customers visiting our website to advertising business partners for the purposes of supporting our advertising efforts and, as such, we "sell" and "share" personal information as these terms are defined under the CCPA. Please note that we do not monetize personal information in the sense of disclosing your personal information in exchange for money. If you exercise your right to opt-out of the “sale” and "sharing" of your personal information, we may still disclose your personal information to third parties for purposes other than cross-contextual behavioral advertising, as described in our privacy disclosures.
The right to limit our use and disclosure of sensitive personal information to purposes specified in Cal. Civil Code 1798.121(a). We do not use or disclose sensitive personal information that is subject to Cal. Civil Code 1798.121 for purposes other than those specified in Cal. Civil Code 1798.121(a).
The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, in violation of California Civil Code § 1798.125, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.
How to Exercise CCPA Rights
Methods of Submission and Instructions: To submit a request to exercise your rights to know, delete or correct, please contact us using the information provided in the “Contact Us” section above.
Verification: Only you, or someone legally authorized to act on your behalf, may make a request related to your personal information. You may designate an authorized agent by taking the steps outlined under "Authorized Agent" further below. In your request or in response to us seeking additional information, you, or your authorized agent, must provide sufficient information to allow us to reasonably verify that you are, in fact, the person whose personal information was collected which will depend on your prior interactions with us and the sensitivity of the personal information being requested. We may ask you for information to verify your identity and, if you do not provide enough information for us to reasonably verify your identity, we will not be able to fulfill your request. We will only use the personal information you provide to us in a request for the purposes of verifying your identity and to fulfill your request.
Opt-Out Preference Signals: We respond to opt-out preference signals communicated via the Global Privacy Control and will process such signals with respect to the browser or device communicating the signals. To use Global Privacy Control opt-out preference signals, please follow the instructions here: https://globalprivacycontrol.org/.
Authorized Agents: You can designate an authorized agent to make a request under the CCPA on your behalf if:
The authorized agent is a natural person or a business entity and the agent provides proof that you gave the agent signed permission to submit the request; and
For verifiable consumer requests, you directly confirm with Persona that you provided the authorized agent with permission to submit the request.
If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.