
No. 1. Stripe cares tremendously about and knows the importance of security—we’ve learned a lot from securely processing hundreds of billions of dollars in payments annually, and Identity is built from those learnings. (https://stripe.com/docs/security/stripe).

2. Any biometric identifiers that are created to perform the verification are never stored or retained—they are fully removed from all of our systems within 48 hours (usually within minutes).

More on this at https://support.stripe.com/questions/managing-your-id-verifi....



> We will typically store the rest of your submitted identity information for 3 years. This includes all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.

That doesn't make me feel a lot better. :( The images are enough to generate biometric data such as facial recognition profiles.


Any Money Services Business / payments processor needs to adhere to strict government regulations. In the US this would be (among other things) the Bank Secrecy Act: https://www.occ.treas.gov/topics/supervision-and-examination....

It's simply not legal to "not keep records" if you are running payments.

If you ran a payment to "O Bin Laden" but you have a driver's license picture showing that it is Oscar Bin Laden, from CA, DoB 2001, you'd better keep all that information for your records in case you get audited for potential OFAC violations.


We are very specific about collecting consent before doing anything with your data. We ask for permissions before beginning the verification process, and if you consent, we will only use your biometric identifiers for the verification itself. (And again, those identifiers—which contain the most sensitive info—aren't stored.) Specifically, we ask for an additional level of permissions before conducting any additional biometric analysis. https://support.stripe.com/questions/common-questions-about-...


I think you might be missing the point. I'm sure gp does not doubt that you collect consent before collecting and using data. However, when presented with the choice of not giving up personal data and not using $awesome_service (or maybe even $essential_service), I’d imagine all but a very tiny percentage of people would reluctantly give up personal data. The data is then stored for three years, and if there's ever a leak, it would be hugely damaging given the scope:

> all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.


> We are very specific about collecting consent before doing anything with your data.

How do you foresee that consent working if your product is used in account recovery flows?

For example, imagine if Steam adopted Stripe Identity as their only way to allow people with $$$$ worth of games to recover hacked accounts. If the user's only choice is to "consent" or lose their valuable account, that makes the "consent" something of a joke.

I'd be interested to hear how you plan to square that circle!


I have an account with a lot of content in it on an online service. When I signed up, they didn't require any personal information. Now they want some significant info or I can't get back into my account.


Well, I don't believe what Stripe (or anyone) says; I believe what you do.

Does Stripe have a legal contract with users that says something to the effect of "if it does 1 and 2 above (by mistake or by choice doesn't matter), they will be liable for it"? If not, all the support documents and technical security documentation are moot. I want to see "skin in the game" by Stripe. If you're so sure about "security", sign a legal contract.


Exactly right.

Trust and goodwill are enough to get me to consider a service, not enough to sign up.

Also, data outlives management regimes. Eventually, any data set that can be used will be used.


This is only about the specific image processing Stripe does to match your selfie with your ID document. The rest of the information on the document—which is what the GP comment was asking about—is retained for 3 years. Referencing the 48 hour retention period instead of the 3 year one is very misleading in this case.


Since we are storing these IDs on behalf of businesses using Identity, we need to retain non-biometric information for a period of time to support their use cases.

For example: KYC is a core use case for Identity, which requires us to retain ID information for audit purposes.

For businesses who don’t need to keep the ID for as long, we provide a deletion API that lets them automatically delete the IDs from our system.


Yes, I agree that Stripe's policy makes sense here. But your original comment was misleading, in that it implied the information contained on your ID card was deleted after 48 hours. (It looks like you may have since edited it to clarify that you were talking about biometric signals? Maybe you haven't edited it, but it was definitely unclear enough that I, like the other responders, was confused.)


The problem is that companies evolve, ethics change, but the data and vendor lock-in remains.

No need to go any further for an example than Google and its "Don't be evil" somehow evolving into "Normalize the creepy".

