// Trust & Security Report

    Privy Operations, LLC logo

    Privy Operations, LLC

    Email and SMS Marketing Platform (eCommerce)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA
    HELD

    Not claimed on any official privy.com page. A third-party HIPAA checker (keragon.com, 2023) flagged a question about privy.com HIPAA compliance, but privy.com's own documentation contains no HIPAA BAA or certification claim.

    Verify on privy.com
    GDPR (processor posture)
    HELD

    To the extent we process (as defined in the GDPR) that Personal Information solely in order to provide the Services to the End Customer, under the GDPR, to the extent applicable, we will act as a processor (as defined in the GDPR) on behalf of the End Customer.

    Verify on privy.com
    Standard Contractual Clauses (SCCs) for EU transfers
    HELD

    Standard Contractual Clauses (SCCs) govern these restricted transfers. [Sub-processors listed include Amazon Web Services, DigitalOcean, Snowflake, SparkPost, Twilio, PostHog, Statsig.]

    Verify on privy.com
    CCPA service provider
    HELD

    Privy functions as a service provider under California law, obligated to maintain commercially reasonable security procedures and prohibited from selling consumer information.

    Verify on privy.com
    > Show 3 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No SOC 2 claim found on privy.com, privy.com/security, or the DPA document.

    source: privy.com
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 claim found on any official privy.com page reviewed.

    source: privy.com
    PCI DSS
    NOT CONFIRMED

    No PCI DSS claim found on any official privy.com page reviewed.

    source: privy.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (Privy Operations, LLC, governed by laws of Massachusetts). EU data is processed in the US under SCCs. Privacy policy states data may be transferred to jurisdictions without adequate protection designations.

    Terms of service permit use of aggregated or de-identified Customer Materials for Privy's own business purposes including product development: 'Privy may collect and utilize data and other information, including without limitation the Customer Materials, in aggregated or other de-identified form...for the purposes of developing, delivering and enhancing Privy's products and services.' No explicit AI training clause found. No opt-out mechanism described for this aggregate use.

    // Security controls

    Vulnerability disclosure

    Email-based disclosure to vulnerability-reports@privy.com. PGP key available (fingerprint: 8099 E9C3 A8D2 5E6E 5751 198F EBD4 0FAD 1208 7DBA via Keybase).

    privy.com

    Bug bounty program

    Discretionary. Not on HackerOne or Bugcrowd. Privy states: 'While Privy does not participate in a formal bug bounty program, we award tokens of our appreciation for original, valid, responsibly disclosed security bugs. Bounties are awarded at our discretion and paid out via PayPal.'

    privy.com

    Penetration testing

    Not mentioned on any public privy.com page. No third-party pen test results disclosed.

    privy.com

    Encryption in transit

    Not explicitly stated on security page. DPA references 'commercially reasonable technical and organizational measures' per GDPR Article 32.

    privy.com

    Breach notification

    DPA requires Privy to 'notify Customer promptly' upon awareness of security incidents affecting personal data.

    privy.com

    Data deletion

    Upon service termination, customer data deleted or returned within 90 days upon request, per DPA.

    privy.com

    Sub-processors

    Amazon Web Services (cloud hosting), DigitalOcean (IP hosting), Snowflake (data platform), SparkPost (email delivery), Twilio (communications), PostHog (analytics), Statsig (analytics).

    privy.com

    IMPORTANT: Name collision with privy.io

    privy.io is a completely separate company (wallet infrastructure, a Stripe subsidiary) with SOC 2 Type II (April 2026), independent audits (Cure53, Zellic, SwordBytes, Doyensec), and HackerOne bug bounty. That product's certifications MUST NOT be attributed to privy.com.

    privy.io

    // Products & data scope

    Privy Email and SMS MarketingeCommerce Marketing Automation

    data: Collects and processes subscriber email addresses, phone numbers, names, device IDs, IP addresses, browser type, and custom data via embedded forms. Processes customer subscriber lists for campaign delivery. Transmits hashed/encrypted contact data to third-party ad platforms at customer direction.

    Primarily serves Shopify merchants. Also integrates with BigCommerce, Squarespace, Weebly, Wix, WooCommerce. Features: popup/opt-in displays, drag-and-drop email editor, SMS campaigns, marketing automation flows, segmentation, real-time reporting. Pricing based on number of contacts. 15-day free trial available. 10,000+ customers as of 2026.

    Privy (post-Emotive acquisition)Conversational SMS Marketing

    data: Following the acquisition of Emotive, Privy now includes conversational SMS capabilities. Data scope extends to two-way SMS conversations with store customers.

    Acquisition announced 2026. Adds conversational/two-way SMS to the existing broadcast email and SMS toolset. Full integration details pending.

    // What to watch

    • NAME COLLISION: privy.io (Stripe-owned wallet infrastructure, SOC 2 Type II, HackerOne) is a completely different company from privy.com (email/SMS marketing). Do not conflate their certifications.
    • No enterprise security certifications (SOC2, ISO27001, HIPAA) found on any official privy.com page. Maturity reflects the product's market position, not a certified security posture.
    • Terms of service permit aggregate/de-identified use of customer data for product development. No explicit AI training prohibition or opt-out described.
    • Bug bounty is discretionary and not on a recognized platform (HackerOne/Bugcrowd) — lower assurance for enterprise procurement teams.
    • No penetration testing disclosure found. Security page is minimal.
    • Data transferred to the US from the EU; Privy explicitly notes transfers to jurisdictions 'that have not been designated as providing an adequate level of protection' — SCCs are the safeguard, not adequacy decisions.
    • Privy acquired Emotive (conversational SMS) in 2026. Data practices for the combined product are not yet fully documented.

    // At a glance

    Pricing model

    Subscription, tiered by number of contacts. No long-term commitment required. Annual plans available. Free 15-day trial. No pricing listed for specific tiers on the public page (links to a separate pricing page).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Privy Operations, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    privy.com

    > Browse all vendor trust reports