I’m a new user to Privacy.com for virtual credit cards, as recommended by Privacy Guides. I’ve previously been a victim of credit card fraud and multiple data breaches, so it felt refreshing to make use of this service to protect my information. It’s often recommended throughout the online privacy community. The service obviously requires KYC, which was done via Plaid and Persona Identities, Inc via selfie / ID identification. I should have listened to my instincts, but I proceeded with the verification.
A couple weeks later, I learn that there Persona has been doing some very shady stuff behind-the-scenes.
I feel so defeated and sick to my stomach, as if I can’t escape from any of this no matter how hard I try. I feel as if, in the act of becoming more privacy-conscious, I have committed an online privacy cardinal sin by providing my face / ID.
Whether it’s corporations that purposefully sell my information, or it gets hacked in the seemingly endless data breaches… or it all ends up in the hands of the government and its programs.
What can I do about any of this? Does it make sense to shut down my Privacy.com account? I still find it very useful. I’m not sure what my options are regarding reaching out to Plaid / Persona and requesting my information be deleted. Not that I think that would matter anymore; the damage is done. Or this all just clickbait that I’m falling for? I’m trying to make sense of all this recent news.
Regulated financial stuff like this is always a very tricky situation. Just like banks or certain jobs that sort of require that kind of verification, you’re forced to comply which feels worse given the company is tied to he who shall not be named.
To clarify the news (I’m just pointing it out here because a lot of people elsewhere are saying it) they weren’t actually hacked in a data breach researchers just identified what kind of data gets collected, though that is still troubling to see. But I mean many of us hold jobs where we have to do this, especially if you do any sort of online work. There is really not much you can do to get around the system.
And when you start feeling defeated by this kind of thing, you have to remember the reality is it definitely is not ideal, and it definitely sucks, but we’re going for privacy here and not really total anonymity. Yes, that ID had to go to the witch king, but at the same time you’re keeping it out of the hands of others by using privacy.com Keep up with as much harm mitigation as you can, and keep your privacy in check in other areas where you actually have control. The stuff I’m saying is for someone with a normal threat model btw.
In my opinion, services like Privacy.com should verify your ID through your bank. Meaning that they get your bank to confirm you are an adult, but they don’t actually get a copy of your ID or your DOB, or anything like that.
I just signed up for Privacy, and I can’t agree more. It’s harder to set up than a bank account (at least the last time I set one up), and that makes no sense. They needed my ID, face scans, bank info, address. Bank info and ID should be more than enough. I signed up for it anyway, but I didn’t love doing so.
@Crawfish what you’ve gone through sucks and unfortunately is becoming the norm for so many people. the upside is like @Menkork said they weren’t breached. if you’re still weary I’d say the only thing you can do is exercise your rights to try to have your data deleted. the process will depend on where you are located (you don’t have to post this info in this forum if you don’t want. just know that California, U.S., EU, and UK residents have stronger protections).
i did a quick scan of the privacy policies for Plaid, Persona (Persona Identity, withpersona.com), and Privacy.
Plaid works on behalf of their customer which means whatever service that used Plaid for your identity verification (idv) is responsible for your data and data deletion. That brings us to Privacy. They retain identity verification data for 5 years after account closure. You can send an email to support@privacy.com (double check that on their site since this can update at anytime Privacy Policy | Privacy Virtual Cards and Services scroll to the bottom for contact info). In the email you can request a data summary of info they’ve collected on you. You can request data deletion but that will probably lead to a dead end. You can request your info be anonymized after the retention period though. Plus, you can contact Plaid and inform them you submitted a data deletion request with the “customer” or Privacy. Plaid most likely won’t do anything but you can let them know and see what they say: privacy@plaid.com (Privacy and security policies | Plaid scroll to 9 Contacting Plaid).
Persona, ouch! You can request data deletion for scan data after six months per section 5. Facial Scan and Biometrics Information (https://withpersona.com/legal/idv-privacy-policy): privacy@withpersona.com andidv-privacy@withpersona.com. From what I’ve read it seems for other data they can try to weasel their way out of deletion with their “legitimate business” clause. I’d still push back and try to get as much deleted as possible and request a summary of everything they logged on you and potentially who they sold it to. Again, your protections vary depending where you are (see GDPR for EU and CCPA for California, US).
if you need more guidance i can do a deeper dive. just remember you have rights and hope is not all lost. continue taking precautions like you are doing. if your spidey senses are tingling take a step back and read their privacy policy. think on it and decide what you are willing to give up. i think privacy is still a good service (i did get in before the insane know your customer [kyc] practices you guys are citing though).