How to get confirmation/information about age verification data stored by VRChat/Persona?

As per GDPR, a company that collects sensitive personal data is required to respond to a request as to what personal data is being stored, for how long, and why.

I know that VRChat claims to request deletion of said data (i.e. pictures of personal ID and personal pictures of individuals) but there is no information forthcoming how to obtain official confirmation that these requests are actually being complied with.

Again, as per GDPR compliance, such confirmation (or any information as to what data remains in storage) would have to be provided by whomever is storing said data (be it VRChat or Persona).

This is not a formal personal request, but a question regarding whom to contact with regards to the personal data being stored after completing the age verification process.

Whom would I have to communicate with if I want to obtain confirmation about the deletion of my personal data which I provided for the verification process? Whom can I contact to request information about the personal data being stored about me?

1 Like

Give this wiki page a read, Age Verification - VRChat Wiki, as it includes answers for your questions along with links if you want to contact Persona directly, as VRChat does not receive or store personal information from the verification process, except for the user’s verified date of birth.

1 Like

After my verification I submitted a DSAR (Data Subject Access Request), asking Persona to send me a copy of the data they have collected through the verification process for VRChat age verification.

As to my request I did not get the information regarding whether they hold any of my data, so I replied with more information:

The next reply from Persona asked me for more information on how they can identify me in their system, with more questions regarding personal information, I presume so they can compare and search for it in their database.

And I provided them with the required information.

1 Like

There was no more communication from Persona till the 14th;

In the General Data Protection Regulation (GDPR), controllers and processors (service providers) have distinct roles when handling personal data.

1. Data Controller

Definition: The controller determines the purposes and means of processing personal data.

Responsibilities:

- Decides why and how personal data should be processed.
- Ensures compliance with GDPR (e.g., obtaining consent, fulfilling data subject rights).
- Must have legal grounds for processing data.
- Responsible for data breaches and compliance with GDPR principles.

Example: A company that collects customer data for marketing is a controller.

2. Data Processor (Service Provider)

Definition: A processor processes personal data on behalf of the controller.

Responsibilities:

- Processes data only as instructed by the controller.
- Implements security measures to protect data.
- Assists the controller in fulfilling GDPR obligations.
- Must sign a Data Processing Agreement (DPA) with the controller.

Example: A cloud storage provider that stores customer data for a company is a processor.

That means that Persona is the Data Processor (Service Provider) for VRChat.

Once again, I request that all my data be deleted, regardless of where it is stored or the role under which it is held, whether as a Service Provider or Data Controller.

Two days after my last email, I finally received a response from Persona. I must now emphasize the highlighted part of their message, which implies that they still held the data.

1 Like

As shown in the communication with Persona, they responded within the legal timeframe required by GDPR. However, their replies were largely auto-generated. Despite this, they clearly stated their role in the processing of personal data as a Data Processor (Service Provider).

Persona did not explicitly confirm or deny whether they held any of my personal data collected during the verification process. They also did not specify what data they retained or whether my data was deleted as requested by VRChat, the Data Controller, after the completion of the age verification process. Additionally, I must highlight and emphasize that they did not address the topic of personal data exchanged during the DSAR request, as shown in the picture below, which I sent to them for identifying my data.

After completing the process, VRChat stated that the data would be deleted. However, as the user and owner of my personal data, I did not receive any confirmation that this deletion took place once the verification was complete. This leaves me uncertain as to whether my personal data has been deleted or not. There should be a clear notification from VRChat or Persona confirming the deletion of personal data once the process is finished.

FYI:

GDPR applies primarily within the European Union (EU) and European Economic Area (EEA), but it also has an extraterritorial effect. EU-US Data Privacy Framework (DPF) is a legal mechanism for transferring personal data from the EU to the US while complying with GDPR. It was introduced in July 2023 to replace the Privacy Shield, which the EU Court of Justice invalidated in 2020.
If a US company is certified under the EU-US Data Privacy Framework, they can freely receive and use EU data.

You can check which companies are certified under the EU-US Data Privacy Framework by visiting:

https://www.dataprivacyframework.gov/list

And Persona is one of them.

VRChat Inc. isn't in the list for the EU-US Data Privacy Framework (DPF).

Upon further review of the privacy policy, there is mention of using Binding Corporate Rules (BCR) for data transfers from the EU to outside of it. However, I am unable to locate VRChat Inc. on Approved Binding Corporate Rules | European Data Protection Board.

More on BCR you can find here: Binding Corporate Rules (BCR)

1 Like

You should probably ask for someone higher up. Some random support center employee probably doesn’t know or care what VRChat is and probably doesn’t know anything about the DPA contract VRChat has with them nor what information they use for it and is just giving a general response for the entirety of Persona’s services without any consideration.

That’s exactly why I’ve created this topic. Persona doesn’t give out those kinds of contact details, but VRChat’s community team ought to be able to tell us whom to contact on this subject.

Thank you for linking the relevant article! Unfortunately, it doesn’t provide any contact information at all.

I want to stress again that this isn’t about VRChat ensuring us that everything’s going to be okay, it is about their legal requirement to inform me what specific information is being stored about me, as an individual, on their and Persona’s servers, or to confirm that this information has actually been deleted as requested.

Also please, for the record, I don’t hate on the verification process. I actually went through it, I am age verified and provided Persona very personal, sensitive information such as my ID, IRL name and IRL pictures that can trivially be linked back to my IRL person.

That’s exactly why I need VRChat and Persona to actually justify the expectation of trust we put in them, as is required by the GDPR they claim to be in compliance with.

The GDPR in full

VRChat probably will just give you Persona’s privacy@ email. If you wanna still ask them I suggest https://help.vrchat.com/hc/en-us/requests/new because they’re typically more responsive there than on the forums.

Otherwise I recommend just sending another email in your chain with Persona’s privacy support asking for someone higher up who will know what you’re actually talking about. Typically with my experience talking to customer support employees anywhere they’ll redirect it and will be able to get what you need.