persona-logo

Processor Privacy Policy

Last updated: April 9, 2026

‍We, Persona Identities, Inc. (“Persona”), provide this Processor Privacy Policy (“Privacy Policy”) to you using Persona’s age assurance or identity verification services through Persona’s customers with whom individuals have a direct relationship. Persona acts as a processor (or similar role under applicable law) on behalf of the customer controller who has contracted with us to provide the age assurance or identity verification services. This Privacy Policy is intended to provide general information about how Persona processes your personal data as a processor, and you should look at the privacy disclosures provided by the customers with whom you have a direct relationship for specific information regarding your personal data, as the customer is the data controller over your personal data.

If you are a website visitor who visits our website, signs up to receive marketing materials or otherwise communicates with us, please review our Website Privacy Policy.

Skip to Age Assurance

Skip to Identity Verification

If you are a US Resident, please carefully read this Class Action Waiver.

Where Persona processes "nonpublic personal information" subject to the GLBA, such data will be governed by our GLBA Privacy Notice.

Age Assurance 

Personal Data We Collect and How We Collect 

You provide personal data to us at the direction of our customers so that our customers may verify your age and prevent fraud (“age assurance services”). 

The information we collect depends on the age assurance method used. We do not require all of the information listed below for every age assurance check. Depending on the method selected, you may be asked to provide only a subset of the following information:

  • Name and contact information, including name, email address, address, and phone number; 

  • Demographic data, including birthdate and age; 

  • Government documents, barcodes, and identifiers, such as a passport or driver's license;

  • Audio, Video, and Photos of you, namely from the selfie or video you provide and from your government identification document; and 

  • Biometric Data, only with your express consent, including a scan of your facial geometry based on the photos or video you provide. For more information about Biometric Data, see the Facial Scan and Biometrics Information section below.

We may also collect the following information from you, our customer, or third parties to determine and provide the appropriate age assurance method for your jurisdiction and to support compliance with applicable laws and regulations: 

  • Device information, including IP address, device type, your device’s operating system, browser, cookie and device identifiers, and other software including type, version, language, settings, and configuration;

  • Account information, such as details about your account with our customer or other third parties;

  • Geolocation data, as we may infer your general geographic location (such as city, state, and country) based on your IP address. We do not collect precise geolocation data; 

  • Usage data, including how long it takes to complete the verification, access times, and other details about your use of and actions such as copy and paste detection; 

  • Wireless Device Data, which includes information about your wireless device and, if available, your account information. To help our customers meet age assurance requirements and enable certain related services and functions, you authorize your wireless carrier to use or disclose information about your account and wireless device, if available, to us or our service providers for the duration of your relationship with the customer, solely to help assess your age or evaluate your wireless device and to detect and prevent fraud; and

  • Additional Age Assurance  Data: We may verify personal data about you for age assurance purposes with our network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit bureaus, utility companies, mobile network providers and postal address databases. The types of this “Additional Age Assurance Data” we obtain from these sources will vary depending on the verification checks available in the particular country. 

Facial Scan and Biometrics Information

This section describes how Persona treats scans of facial geometry extracted from your selfie and government ID. Biometric information is generally understood to be unique physical characteristics such as your face geometry through which you can be identified or recognized. 

Persona, acting as a processor or service provider on behalf of the customer, may, depending on the age assurance method selected and only as necessary to provide the service, do the following:

  • If only selfie age estimation is used, we analyze data from a non-uniquely identifying facial geometry extracted from your selfie (“Age Estimation Scan Data”) to estimate your age. Age Estimation Scan Data is deleted immediately as soon as an outcome has been determined;

  • If your government ID is compared against your selfie, we analyze the facial geometry extracted from your ID document to compare it against the facial geometry extracted from your selfie (collectively “Identity Scan Data”), and confirm that the document belongs to you;

  • Use your information, including Identity Scan Data, to detect, prevent, and investigate fraud and abuse.

The Age Estimation Scan Data and Identity Scan Data are collected, used and stored directly by Persona on behalf of the customer through the customer's website or app that you accessed. Persona’s default setting is to automatically delete all personal data, including Age Estimation Scan Data and Identity Scan Data, immediately as soon as processing is complete and an outcome has been determined. Persona’s customers may direct us to retain certain data, which may include Identity Scan Data, for longer periods, as disclosed to you at the time you provide consent, when necessary to detect, investigate or prevent suspicious or fraudulent activity. If Identity Scan Data is stored, Persona stores such data in an encrypted format. 

Persona may use one or more secure cloud service providers to process biometric data for purposes of providing the age assurance services, including: (i) Amazon Web Services (AWS); (ii) Google Cloud; and (iii) MongoDB. 

Notice for Illinois Residents: Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure Age Estimation Scan Data and Identity Scan Data in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease or trade Age Estimation Scan Data and Identity Scan Data. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate Age Estimation Scan Data and Identity Scan Data unless doing so: 

  • Completes a customer transaction requested and authorized by you or your legally authorized representative; 

  • Is required by state or federal law, or municipal ordinance; 

  • Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or 

  • Is expressly consented to by you.

How We Use Personal Data

Persona does not use any personal data, including biometric data, for any AI or model training. Persona does not sell or share personal data with third parties. Persona does not use such data for marketing or for any purpose other than providing the age assurance services as requested by customers.

Depending on the age assurance method performed, we may collect, hold, use and disclose personal data to provide our customers with the age assurance services in accordance with their written instructions, which includes verifying the age of individuals, preventing fraud, and complying with applicable laws. 

How We Disclose Personal Data

We may engage third parties to assist us in providing the age assurance service, in which case we may disclose personal data to them. We may disclose personal data to service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers; and mobile device operators, public and private records database providers, consumer reporting services, and fraud and identity management providers. 

Data Retention

Persona’s default setting is to automatically delete all personal data immediately as soon as processing is complete and an outcome has been determined. However, Persona’s customers may retain certain data for longer periods, as disclosed to you at the time you provide consent, when necessary to detect, investigate or prevent suspicious or fraudulent activity.

Identity Verification 

Personal Data We Collect and How We Collect  

You provide personal data to us at the direction of our customers so that our customers may verify your identity and prevent fraud (“identity verification services”). 

The information we collect depends on the identity verification method used. We do not require all of the information listed below for every identity verification method. Depending on the method selected, you may be asked to provide only a subset of the following information:

  • Name and contact information, including name, email address, address, and phone number; 

  • Demographic data, including birthdate and age; 

  • Files you upload, such as tax forms and utility bills;

  • Government documents, barcodes, and identifiers, such as a passport, driver's license or Social Security Number; 

  • Audio, Video, and Photos of you, namely from the selfie or video you provide and from your government identification document; and 

  • Biometric Data, only with your express consent, including a scan of your facial geometry based on the photos or video you provide. For more information about Biometric Data, see the Facial Scan and Biometrics Information section below.

We may also collect the following information from you, our customer, or third parties to determine and provide the appropriate identity verification method for your jurisdiction and to support compliance with applicable laws and regulations:

  • Current and previous name and contact information, including name, email address, address, and phone number; 

  • Demographic data, including birthdate and age, gender, marital status, and similar demographic details; 

  • Government documents, barcodes, and identifiers, such as drivers license and Social Security Numbers;

  • Device information, including IP address, device type, your device’s operating system, browser, cookie and device identifiers, and other software including type, version, language, settings, and configuration;

  • Account information, such as details about your account with our customer or other third parties;

  • Publicly available data, including data from governmental public records, the public internet and social media; 

  • Geolocation data as we may infer your general geographic location (such as city, state, and country) based on your IP address. We do not collect precise geolocation data; 

  • Wireless Device Data, which consists of information about your account and wireless device, if available. To assist our customers in meeting business operations needs and to perform certain services and functions, you authorize your wireless carrier to use or disclose information about your account and your wireless device, if available, to us or our service provider for the duration of your business relationship, solely to help them identify you or your wireless device and to prevent fraud; and 

  • Additional Identity Data: We may verify personal data about you with our network of trusted third-party data sources, including the following: publicly available sources (such as open government databases), government and national ID registries, consumer credit bureaus, utility companies, mobile network providers and postal address databases. The types of this “Additional Identity Data” we obtain from these sources will vary depending on the verification checks available in the particular country. The purpose of the verification is never identified and your information is not sold to these third-party data sources. We also use service providers to determine your device’s location based on its IP address and to generate device identifiers.

Facial Scan and Biometrics Information

This section describes how Persona treats scans of facial geometry extracted from the uploaded images of your identity documents and your selfie. Biometric information is generally understood to be unique physical characteristics such as your face geometry through which you can be identified or recognized. 

Persona, acting as a processor or service provider on behalf of the customer, may, depending on the identity verification method selected and only as necessary to provide the service, do the following:

  • Compare the facial geometry extracted from your ID document (“ID Scan Data”) against a facial geometry extracted from your selfie (“Selfie Scan Data”), in order to help verify your identity;

  • Use your information, including ID and Selfie Scan Data, to detect, prevent, and investigate fraud and abuse.

The ID and Selfie Scan Data are collected, used and stored directly by Persona on behalf of the customer through the customer's website or app that you accessed. Depending on our relationship with the customer, the customer may upload your government ID document and photos of your face directly to us. 

Subject to the customer’s retention period, Persona will permanently destroy ID and Selfie Scan Data upon completion of identity verification services or within three years of your last interaction with Persona, consistent with the customer’s instructions unless Persona is otherwise required by law or legal process to retain the data. If ID or Selfie Scan Data is stored, Persona stores such data in an encrypted format.  

Persona may use one or more secure cloud service providers to process biometric data for purposes of providing the identity verification services, including: (i) Amazon Web Services (AWS); (ii) Google Cloud; and (iii) MongoDB.

Notice for Illinois Residents: Persona uses the reasonable standards of care within its industry to store, transmit, and protect from disclosure ID and Selfie Scan Data in a manner that is the same as or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information. Persona will not sell, lease or trade ID and Selfie Scan Data. Other than as set forth herein, Persona will not disclose, redisclose, or otherwise disseminate ID and Selfie Scan Data unless doing so:  

  • Completes a customer transaction requested and authorized by you or your legally authorized representative; 

  • Is required by state or federal law, or municipal ordinance; 

  • Is required pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or 

  • Is expressly consented to by you.

How We Use Personal Data

Persona does not use any personal data, including biometric data, for any AI or model training. Persona does not sell or share personal data with third parties. Persona does not use such data for marketing or for any purpose other than providing the age assurance services as requested by customers.

Depending on the identity verification method used, we may collect, hold, use and disclose personal data to provide our customers with the identity verification services in accordance with their written instructions, which includes verifying the identity of individuals, preventing fraud, and complying with applicable laws, for example performing AML/KYC checks for regulated customers.  

How We Disclose Personal Data

We may engage third parties to assist us in providing the identity verification service, in which case we may disclose personal data to them. We may disclose personal data to service providers, including hosting, cloud services and other information technology services providers; email communication and SMS software providers; and identity verification services, mobile device operators, background check providers, public and private records database providers, consumer reporting services, and fraud and identity management providers. 

Data Retention

We retain personal data in accordance with written instructions from our customers, including as long as necessary to provide the identity verification service, fulfill the transactions customers have requested and comply with legal obligations. 

Additional Notices

The below apply to both our identity verification and age assurance services “Services”. 

Location of Personal Data

The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. Currently, we primarily use data centers in the United States and Germany. The storage location(s) are chosen to operate efficiently and improve performance. We take steps designed to ensure that personal data is processed and protected as described in this policy wherever the data is located.

Location of Processing European Personal Data. We transfer personal data from the European Economic Area (EEA), United Kingdom (UK), and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use legal mechanisms, including contracts, to help ensure your rights and protections.

Compliance With Data Privacy Framework Principles. Persona complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Persona has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Persona has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. If third-party agents process personal data on our behalf in a manner inconsistent with the Data Privacy Framework Principles, we remain liable unless we prove we are not responsible for the event giving rise to any damages. If you have a question or complaint related to our compliance with the Data Privacy Framework Principles, please contact us as described in the Contact Us section below.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Persona commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint.  The services of JAMS are provided at no cost to you.

Finally, under limited circumstances and after other available dispute resolution mechanisms have been exhausted, binding arbitration is available to address certain residual complaints under the EU-U.S. Data Privacy Framework Principles, Swiss-U.S. DPF Principles, and the UK-Extension Framework not resolved by other means.

Choices Regarding Personal Data

Persona processes personal data on behalf of its customers, with whom you have a direct relationship. To exercise any privacy rights you may have, please contact the appropriate customer who will be better able to help you. Depending on where you are located and subject to applicable privacy laws, you may have certain privacy rights, such as the right to access or correct your personal data. 

If you have further concerns or questions regarding the processing of your personal data, please fill out this form or email idv-privacy@withpersona.com. When contacting us, please do not send us any personal data beyond what is required for us to communicate with you, such as copies of your government ID. 

‍Class Action Waiver - US Residents Only 

YOU (IF YOUR ARE A RESIDENT OF THE UNITED STATES) AND PERSONA IDENTITIES, INC., INCLUDING ITS PARENTS, SUBSIDIARIES, AFFILIATES, SUCCESSORS, AND ASSIGNS (“COMPANY”) AGREE THAT ANY PROCEEDINGS TO RESOLVE OR LITIGATE ANY DISPUTE WILL BE CONDUCTED SOLELY ON AN INDIVIDUAL BASIS, AND THAT NEITHER YOU NOR COMPANY WILL SEEK TO HAVE ANY DISPUTE HEARD AS A CLASS ACTION, A REPRESENTATIVE ACTION, A COLLECTIVE ACTION, A PRIVATE ATTORNEY-GENERAL ACTION, OR IN ANY PROCEEDING IN WHICH YOU OR COMPANY ACTS OR PROPOSES TO ACT IN A REPRESENTATIVE CAPACITY. YOU AND COMPANY FURTHER AGREE THAT NO PROCEEDING WILL BE JOINED, CONSOLIDATED, OR COMBINED WITH ANOTHER PROCEEDING WITHOUT THE PRIOR WRITTEN CONSENT OF YOU, COMPANY, AND ALL PARTIES TO ANY SUCH PROCEEDING. THIS CLASS ACTION WAIVER COVERS ALL DISPUTES BETWEEN YOU AND COMPANY AND ALSO INCLUDES ANY DISPUTE BETWEEN YOU AND ANY OFFICER, DIRECTOR, BOARD MEMBER, AGENT, EMPLOYEE, VENDOR, AFFILIATE, OR CLIENT OF COMPANY, IF COMPANY COULD BE LIABLE, DIRECTLY OR INDIRECTLY, FOR SUCH DISPUTE.

THE TERM “DISPUTE” SHALL BE INTERPRETED AS BROADLY AS PERMITTED UNDER THE LAW AND SHALL APPLY TO ALL PAST, PRESENT, AND FUTURE LEGAL DISPUTES AND LEGAL CLAIMS BETWEEN YOU AND COMPANY THAT ARE NOW IN EXISTENCE OR THAT MAY ARISE IN THE FUTURE, INCLUDING, BUT NOT LIMITED TO LEGAL DISPUTES OR LEGAL CLAIMS ARISING OUT OF OR RELATING IN ANY WAY TO THESE TERMS, THE COLLECTION OF FACIAL SCANS OR BIOMETRIC INFORMATION, THE PRIVACY POLICY OR COMPANY’S SERVICES; YOUR RELATIONSHIP WITH COMPANY; YOUR USE OF ANY COMPANY PRODUCT OR SERVICE; COMPANY’S CONDUCT; AND ANY FEDERAL, STATE, OR LOCAL STATUTE, LAW, RULE, REGULATION OR ORDINANCE APPLICABLE TO THE RELATIONSHIP BETWEEN YOU AND COMPANY AS TO WHICH A COURT WOULD BE AUTHORIZED BY LAW TO GRANT RELIEF IF THE CLAIM WERE SUCCESSFUL (“DISPUTE” OR “DISPUTES”).

Supplemental Notice for Australian Residents 

Persona will comply with the Privacy Act 1988(Cth) including the Australian Privacy Principles. If you wish to complain to the OAIC about how Persona has handled your personal information, you should first complain to us in writing. You may contact Persona with questions at idv-privacy@withpersona.com, or submit a complaint about any privacy issues through this webform. If we receive a complaint from you about how Persona has handled your personal information, we will acknowledge receipt of your complaint, investigate it in a timely manner, and determine what (if any) action should be taken to resolve the complaint. If we decide that a complaint should be investigated further, the complaint will usually be handled by our privacy and compliance team. We will take reasonable steps to address any substantiated issues and notify you of the outcome of our investigation. We will assess and handle complaints in accordance with our internal complaint handling policy. 

If you believe that we have failed to resolve the privacy complaint satisfactorily, you have the option of contacting the Office of the Australian Information Commissioner (OIAC). Contact details of the OIAC may be found here.

Changes to the Privacy Policy

We will update this Privacy Policy when necessary to reflect changes in our Services, how we use personal data, or the applicable law. When we post changes to the Privacy Policy, we will revise the “Last Updated” date at the top of the Privacy Policy. If we make material changes to the Privacy Policy, we will provide notice or obtain consent regarding such changes as may be required by law.

Contact Us

If you have a privacy concern, complaint, or a question for Persona, please feel free to use this form or contact us via email at idv-privacy@withpersona.com.

Our postal address is Persona Identities, Inc., 981 Mission Street #95, San Francisco, CA 94103, United States.

Our data protection representative for the European Economic Area and Switzerland is Darina Byrne, 88 Harcourt Street, Dublin 2, DUBLIN, Ireland, D02 DK18. To make an inquiry to Darina Byrne, please contact idv-privacy@withpersona.com.

Our data protection representative for the UK is: S. Alec Lawton, Graigwen, Plasycoed road, Pontypool Torfaen, NP4 6QH, UK. To make an inquiry to S. Alec Lawton, please contact idv-privacy@withpersona.com.

To contact our data protection office (DPO) please feel free to contact them at dpo@withpersona.com