// Trust & Security Report
Privy Operations, LLC
Email and SMS Marketing Platform (eCommerce)
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on privy.com“Not claimed on any official privy.com page. A third-party HIPAA checker (keragon.com, 2023) flagged a question about privy.com HIPAA compliance, but privy.com's own documentation contains no HIPAA BAA or certification claim.”
Verify on privy.com“To the extent we process (as defined in the GDPR) that Personal Information solely in order to provide the Services to the End Customer, under the GDPR, to the extent applicable, we will act as a processor (as defined in the GDPR) on behalf of the End Customer.”
Verify on privy.com“Standard Contractual Clauses (SCCs) govern these restricted transfers. [Sub-processors listed include Amazon Web Services, DigitalOcean, Snowflake, SparkPost, Twilio, PostHog, Statsig.]”
Verify on privy.com“Privy functions as a service provider under California law, obligated to maintain commercially reasonable security procedures and prohibited from selling consumer information.”
> Show 3 unconfirmed / not-held certifications
source: privy.comNo SOC 2 claim found on privy.com, privy.com/security, or the DPA document.
source: privy.comNo ISO 27001 claim found on any official privy.com page reviewed.
source: privy.comNo PCI DSS claim found on any official privy.com page reviewed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (Privy Operations, LLC, governed by laws of Massachusetts). EU data is processed in the US under SCCs. Privacy policy states data may be transferred to jurisdictions without adequate protection designations.
Terms of service permit use of aggregated or de-identified Customer Materials for Privy's own business purposes including product development: 'Privy may collect and utilize data and other information, including without limitation the Customer Materials, in aggregated or other de-identified form...for the purposes of developing, delivering and enhancing Privy's products and services.' No explicit AI training clause found. No opt-out mechanism described for this aggregate use.
// Security controls
Vulnerability disclosure
Email-based disclosure to vulnerability-reports@privy.com. PGP key available (fingerprint: 8099 E9C3 A8D2 5E6E 5751 198F EBD4 0FAD 1208 7DBA via Keybase).
privy.comBug bounty program
Discretionary. Not on HackerOne or Bugcrowd. Privy states: 'While Privy does not participate in a formal bug bounty program, we award tokens of our appreciation for original, valid, responsibly disclosed security bugs. Bounties are awarded at our discretion and paid out via PayPal.'
privy.comPenetration testing
Not mentioned on any public privy.com page. No third-party pen test results disclosed.
privy.comEncryption in transit
Not explicitly stated on security page. DPA references 'commercially reasonable technical and organizational measures' per GDPR Article 32.
privy.comBreach notification
DPA requires Privy to 'notify Customer promptly' upon awareness of security incidents affecting personal data.
privy.comData deletion
Upon service termination, customer data deleted or returned within 90 days upon request, per DPA.
privy.comSub-processors
Amazon Web Services (cloud hosting), DigitalOcean (IP hosting), Snowflake (data platform), SparkPost (email delivery), Twilio (communications), PostHog (analytics), Statsig (analytics).
privy.comIMPORTANT: Name collision with privy.io
privy.io is a completely separate company (wallet infrastructure, a Stripe subsidiary) with SOC 2 Type II (April 2026), independent audits (Cure53, Zellic, SwordBytes, Doyensec), and HackerOne bug bounty. That product's certifications MUST NOT be attributed to privy.com.
privy.io// Products & data scope
data: Collects and processes subscriber email addresses, phone numbers, names, device IDs, IP addresses, browser type, and custom data via embedded forms. Processes customer subscriber lists for campaign delivery. Transmits hashed/encrypted contact data to third-party ad platforms at customer direction.
Primarily serves Shopify merchants. Also integrates with BigCommerce, Squarespace, Weebly, Wix, WooCommerce. Features: popup/opt-in displays, drag-and-drop email editor, SMS campaigns, marketing automation flows, segmentation, real-time reporting. Pricing based on number of contacts. 15-day free trial available. 10,000+ customers as of 2026.
data: Following the acquisition of Emotive, Privy now includes conversational SMS capabilities. Data scope extends to two-way SMS conversations with store customers.
Acquisition announced 2026. Adds conversational/two-way SMS to the existing broadcast email and SMS toolset. Full integration details pending.
// What to watch
- NAME COLLISION: privy.io (Stripe-owned wallet infrastructure, SOC 2 Type II, HackerOne) is a completely different company from privy.com (email/SMS marketing). Do not conflate their certifications.
- No enterprise security certifications (SOC2, ISO27001, HIPAA) found on any official privy.com page. Maturity reflects the product's market position, not a certified security posture.
- Terms of service permit aggregate/de-identified use of customer data for product development. No explicit AI training prohibition or opt-out described.
- Bug bounty is discretionary and not on a recognized platform (HackerOne/Bugcrowd) — lower assurance for enterprise procurement teams.
- No penetration testing disclosure found. Security page is minimal.
- Data transferred to the US from the EU; Privy explicitly notes transfers to jurisdictions 'that have not been designated as providing an adequate level of protection' — SCCs are the safeguard, not adequacy decisions.
- Privy acquired Emotive (conversational SMS) in 2026. Data practices for the combined product are not yet fully documented.
// At a glance
Pricing model
Subscription, tiered by number of contacts. No long-term commitment required. Annual plans available. Free 15-day trial. No pricing listed for specific tiers on the public page (links to a separate pricing page).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Privy Operations, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
privy.com