Hacker News
by ben1040 2402 days ago
I submitted a data request to a third party processor recently (to Sift, after they were mentioned in an NYT article) and they sent me a link to your service to submit ID and two selfie photos.

The consumer-facing experience on this is not the best. Here I am filing a request to a third party processor for data that I never personally sent them. And in order to handle that, I have to send even more sensitive information to yet another third party processor. See the irony here?

Sift’s email said the ID data would be retained for no more than 14 days, while Berbix’ privacy policy says the retention period is the shorter of “until no longer needed” or for 3 years from my last interaction with your customer.

Who’s right here, and if your customer quotes end users a retention period that’s shorter than 3 years, how do you hold them to that?

1 comment

Absolutely understand where you’re coming from. It can be jarring to be asked to go through those steps by a set of companies with whom you have no direct relationship. That said, data access requests can contain some extremely sensitive information and it’s important companies responding to such requests don't share information with the wrong person.

Regarding your question on data deletion, we abide by the retention policies chosen by our customers, which are typically much shorter than 3 years. For Sift specifically, the retention policy is indeed 14 days, after which point we automatically delete all the personally identifiable information we've collected on Sift's behalf. We'll be taking in your feedback, however, as this could be made clearer in both our privacy policy and our product.