I'll note that Persona's CEO responded on LinkedIn [1] pointing out that:
- No personal data processed is used for AI/model training. Data is exclusively used to confirm your identity.
- All biometric personal data is deleted immediately after processing.
- All other personal data processed is automatically deleted within 30 days. Data is retained during this period to help users troubleshoot.
- The only subprocessors (8) used to verify your identity are: AWS, Confluent, DBT, ElasticSearch, Google Cloud Platform, MongoDB, Sigma Computing, Snowflake
The full list of sub-processors seems to be a catch-all for all the services they provide, which includes background checks, document processing, etc., identity verification being just one of them.
I've worked on projects that require legal to get involved and you do end up with documents that sound excessively broad. I can see how one can paint a much grimmer picture from documents than what's happening in reality. It's good to point it out and force clarity out of these types of services.
[1]: https://www.linkedin.com/feed/update/urn:li:activity:7430615...
But why believe that when their policy says any of it may not be true, or could change at any time?
Even if the CEO believes it right now, what if the team responsible for the automatic-deletion merely did a soft-delete instead of a hard delete "just in case we want to use it for something else one day"?
Facebook at some period was pushing users to enable 2fa for security reasons, and guess what they did with the phone numbers they collected.
> that require legal to get involved and you do end up with documents that sound excessively broad
If you let your legal team use such broad CYA language, it is usually because you are not sure what's going on and want CYA, or you actually want to keep the door open for broader use with those broader permissive legal terms. On the other hand, if you are sure that you will preserve users' privacy as you are stating in marketing materials, then you should put it in legal writing explicitly.
I am wondering what the 'sub-processor' means here. Am I right in assuming that the Persona architecture uses Kafka, S3 data lake in AWS and GCP, Elastic Search, MongoDB for configuration or user metadata, and Snowflake for analytics, thus all these end up on sub-processor list as the data physically touches these companies' products or infra hosted outside Persona? I hope all these aren't providing their own identity services and all of them aren't seeing my passport for further validation.
As an industry we really need a better way to tell what’s going where than:
- someone finally reading the T&Cs
- legal drafting the T&Cs as broadly as possible
- the actual systems running at the time matching what’s in the T&Cs when legal last checked in
Maybe this is a point to make to the Persona CEO. If he wants to avoid a public issue like this then maybe some engineering effort and investment in this direction would be in his best interest.
> - All biometric personal data is deleted immediately after processing.
The implication is that biometric data leaves the device. Is that even a requirement? Shouldn't that be processed on device, in memory, and only some hash + salt leave? Isn't this how passwords work?
I'm not a security expert so please correct me. Or if I'm on the right track please add more nuance because I'd like to know more and I'm sure others are interested.
I'm not convinced there's any significant overlap between "people who are worried about which subprocessors have their data" and "people who don't think that eight subprocessors is a lot"
A KYC provider is a company that doesn't start with neutral trust. It starts with a huge negative trust.
Thus it is impossible to believe his words.
This reads like their entire software stack. I don’t understand the role ElasticSearch plays; are people still using it for search?
Infrastructure: AWS and Google Cloud Platform
Database: MongoDB
ETL/ELT: Confluent and DBT
Data Warehouse and Reporting: Sigma Computing and Snowflake
Why would anyone believe this?
What possible legitimate use is Snowflake in verifying your identity? ES?
All of those statements require trust and/or the credible threat of a big stick.
Trust needs to be earned. It hasn't been.
The big stick doesn't really exist.
Ah yes, because companies never lie about how they process your data...
Why would we believe they are deleted after processing and not shared with the government?
this is just "trust me bro" with more words. even if true, the point is not what they do right now, the point is what they CAN do, which clearly as pointed in terms is a lot more than that.
Whelp, so long as the CEO says it's fine, we've no reason to worry about what's in the legal verbiage.
All of which is meaningless if it's not reflected properly in their legal documents/terms. I've had interactions with the Flock CEO here on Hacker News and he also tried to reassure us that nothing fishy is/was going on. Take it with a grain of salt.