Collecting an ID or using a consumer’s biometric information is subject to heightened scrutiny under privacy laws in many countries. Please review our best practices before going live to ensure that you are setting the right expectations with users and building a secure integration. You can also use this FAQ template to help you explain how ID verification works through Stripe Identity to your users.
Stripe Identity helps you comply with some of these requirements by notifying all end-users that their information will be used and shared by both you and Stripe, according to each of our privacy policies, and by requiring all end-users to explicitly consent to the use of their biometric information for the verification.
While Stripe will store a copy of the end-user's image and ID for you in the Stripe Dashboard, as well as a record of the consent, there may be additional obligations that apply to your retention, use, and deletion of this data.
You should always check with your legal counsel to understand how you should use, retain, and delete this sensitive personal data, but here are a few specific examples of obligations that apply in some areas and which you should keep in mind:
If a customer does not consent to the use of their biometric information, you may need to provide them an alternative means to access your service that does not require creation of a biometric identifier. Check with your legal counsel, but one alternative may be to have a manual, human review flow for the verification.
A growing number of privacy laws prohibit companies from keeping personal data longer than necessary for the purpose it was obtained or after an individual has requested deletion. By default, Stripe balances your business needs with these requirements by retaining data in your Stripe Dashboard for 3 years and providing you with the ability to delete it sooner if the end-user requests it or if you no longer have a need for it.
Some countries, such as Singapore and Germany, treat ID cards as particularly sensitive information. You may not be able to request a Singaporean ID Card absent a sufficient justification or retain a copy of a German ID Card after the initial verification was conducted absent express consent to store it. Check applicable laws to make sure that your use case is acceptable and use the redaction endpoint to delete data that you have no lawful basis to retain.
Stripe does not know your legal obligations and, when acting as your data processor, cannot delete data on your behalf. Instead, Stripe will request that customers reach out directly to you to request deletion of their information. If a customer asks you to delete their data, you can redact the VerificationSession, which will remove the personal data from that VerificationSession. The process may take up to 4 days. Upon completion, Stripe will no longer store the personal data from that VerificationSession as your service provider.
We recommend that you remind your customers that Stripe is also an independent controller of their personal data and direct them to Stripe at firstname.lastname@example.org to request deletion of their data by Stripe.