Privacy Policy:
Incognia Mobile Fraud Solution

Last update: June 5, 2020

About Incognia

Incognia’s location technology provides mobile fraud solutions for mobile applications and connected devices (“Clients”). Our behavioral identity verification solutions help financial services and consumer internet companies to prevent fraudulent operations. Incognia provides an SDK for companies to embed into mobile applications, enabling precise location context awareness and distinguishing whether a user is real or fraudulent. We add security to apps, preventing fraud without adding friction to your customer experience while respecting user privacy.

Incognia works in the background to capture location signals from on-device sensors, including gyroscope and accelerometer, and network data from Wi-Fi, Bluetooth and GPS signals. Incognia creates a unique, anonymized location behavioral pattern for each user which acts as a private user identity that can be used to verify the device integrity, checking for any anomaly or attempt to forge the device location; verify addresses, comparing the address filled at the time of registration with the user's actual residence; alert suspicious changes in the user location behavior pattern (fingerprint) that may indicate a possible account theft; verify that the user is in a trusted location at key moments in the app, such as login, according to their historical behavior; and validate transactions within the application with more security, automatically analyzing the behavioral profile of each user. Incognia’s location technology requires no storage or access to users’ directly identifiable information.

Technology

To offer services, Incognia collects data from mobile devices through a Software Development Kit installed in client applications. These apps are required to present this Privacy Policy in their own policies, and inform users that some personal data might be collected by our SDK. After users accept their policies, apps will request the needed permissions to use mobile device location functionalities. Once authorized, Incognia starts data collection safely and without identifying users.

With the location functionality active, Incognia’s technology can detect the presence of mobile devices in establishments, disassociated from users’ identity. We do not collect data from visits to sensitive places such as religious temples, hospitals, political parties, places of adult entertainment, and others that might be used to make sensitive inferences.

Incognia then creates a unique, anonymized location behavioral pattern for each user, which acts as a private user identity. These patterns are used to help identity verification and authentication processes for applications in many industry segments. 

Privacy and security

Incognia’s technology requires no storage of or access to data that can directly identify users, and it was developed in a way that prevents access to information capable of identifying them indirectly. Incognia does not collect unique static identifiers from mobile devices (IMEI and MAC), associated accounts (email address and telephone number), civil identification data (name, Social Security Number etc.), or sensitive data, including information that reveals ethnicity, religion, political opinion, membership in religious, philosophical, political or union entities, or data regarding health, sex life, genetics and biometrics.

We use security mechanisms in both data transport and storage, in addition to constantly updating our protection systems. All our requests are made with HTTPS, which is a secure protocol and industry standard.

Data is transferred and stored in encrypted form on the AWS Cloud. Data storage on cloud servers is also an industry standard, as it allows for simple ways to gain scalability and security for all kinds of technological services. Incognia stores data for a maximum of 2 years, for the purposes described in this Privacy Policy. Exceptionally, we may retain and use personal data to: (i) fulfill contracts, agreements and policies; (ii) fulfill legal obligations (for instance, if necessary to abide by applicable laws); (iii) resolve disputes by court order. Incognia may also store anonymized data for analytics purposes.

To increase data security and privacy, Incognia applies an encryption function and a hash function to the Mobile Advertising ID to create new identifiers for different uses, which are: (i) hashed ID, for single counting and user profiling, which will be aggregated in clusters without the use of the Mobile Advertising ID; (ii) encrypted ID, for recovering the Mobile Advertising ID in strictly necessary cases, such as legal obligations or the guarantee of data subjects’ rights. The encrypted IDs are accessible to a restricted number of employees who have access to the encryption key.

The elimination of the Mobile Advertising ID ends risks associated with data access by any person without the key to decrypt the encrypted ID. Both identifiers that are kept (hashed ID and encrypted ID) are sufficient for all Incognia’s services and do not allow direct identification of data subjects, as well as decreasing risks of the Mobile Advertising ID being used to identify them in the case of integration with a third-party database that contains this ID linked to other personal data, such as email address, SSN etc. Therefore, in case of leakage or improper access of the information collected and processed by Incognia, data subjects will not be directly associated with their personal data, reducing the risk of being physically or morally affected.

Personal data collection

Incognia follows the minimization principle established by the EU General Data Protection Regulation, which states that “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Art. 5, 1, (c), GDPR). For that reason, and because Incognia is committed to being transparent, we have detailed all data that is collected through our technology and for which purposes.

Category: Location
Description: GPS; Wi-Fi signals; Bluetooth-LE signals; Telephone signals; Activity (running, walking, driving)²
Purpose: Address verification¹; Visit classification; Population mobility patterns and size; Location behaviour fingerprint³

Category: Identifier
Description: Advertising identifiers (only stored after hashing with salt or encrypting)
Purpose: Device identification and unique user counting. Ex.: How many users have visited place X?

Category: Device Data
Description: Device models; Operating system; Operating system version; Performance metrics; IP (the last four digits being ignored to lose precision); Network type (3G, 4G, Wi-Fi); Network Provider; Screen resolution; Installed apps; Manufacturing company; Phone Carrier
Purpose: Device fingerprinting; Debugging and monitoring of our SDK to improve its functionalities and the usage of resources (CPU, memory, network, battery etc.); Network resource optimization. Ex.: For poor internet connection, we reduce the internet usage

Category: App Data
Description: Apps session (when is the app opened and how much time does it remain open); Events defined by apps developers (registration of new user, in-app transactions, visualization of certain areas of the app and use of certain functionalities)
Purpose: Intelligence about the app usage to understand usage patterns and identify frauds

¹ Address verification based on device behavior compared to the declared address on client apps.

² Google Play Services provides Android devices with a way to get this kind of data directly from the operating system, called activity recognition.

³ Location fingerprint is used to provide security and anti-fraud features as a behavioral authentication strategy.

Child data

Incognia complies with the Children’s Online Privacy Protection Act (COPPA) from the United States. We do not make partnerships with child and teenage-oriented applications, nor do we offer services for companies that have children and teenagers as target audience. Therefore, we do not intentionally gather personal information from users under 18 years old.

If you are a parent or guardian and know your child has provided personal data to us, please let us know. If we find out that we have collected personal data from children without the client application having verified their parents’ or guardians’ consent, we will take the necessary measures to remove this information from our servers and end the partnership with that application, in case the issue is not permanently solved.

Data sharing

Incognia shares anonymized data with its clients. Therefore, in general, client applications will not have access to your individualized visits history or any data that can re-identify you in a direct or indirect way. The exceptions are described below.

If you have consented to electronic address verification for an application registration through Incognia’s technology, we will receive from the application an address associated with a device (the “request”) and send, using inferences about locations collected by that device, a digital proof of address (the “answer”). The proof consists of a positive or inconclusive answer from our technology. In the case of an inconclusive answer, we do not send anything else about the user and it’s assumed we don’t have enough information for an automatic validation. In the case of a positive answer, we send a location count aggregation in a small region between 100 and 1150 meters in radius around the received address to certify the positive answer.

For fraud analysis, we may also share with clients information collected about the device integrity (root, fake location, apps from outside the official store, etc.) and user behavior analysis (whether the user's behavior is consistent through time and across the devices they might log in to).

We store data on the AWS Cloud and use a secure protocol to protect the data transfer to our servers in encrypted form.

Service provider responsibility according to the California Consumer Privacy Act

The California Consumer Privacy Act (“CCPA”) provides consumers (the “data subjects”) with specific rights regarding their personal information. When offering anti-fraud services to clients, Incognia acts as a “service provider” under the CCPA, which means our collection of any consumer personal information is completed on behalf of our clients in order to provide them with anti-fraud services. 

You have the right to request that businesses subject to the CCPA (which may include our clients with whom you have a relationship) disclose certain information to you about their collection and use of your personal information, including the information used or shared with Incognia to perform a business purpose.  

According to the CCPA, “business purpose” means the use of personal information for the business or service provider’s operational purposes or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed, or for another operational purpose that is compatible with the context in which the information was collected. The business purposes regarding the services provided by Incognia are (i) detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity; (ii) performing services on behalf of the clients, including maintaining or servicing accounts, processing or fulfilling orders and transactions, verifying customer information, or providing similar services on behalf of the business. Incognia does not further collect, sell, or use consumers’ personal information except as necessary to perform the informed business purposes.

Incognia shall not be required to comply with data subjects’ requests to delete their personal information where it is necessary to (i) complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer; or to (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

As a service provider, Incognia is not required or permitted to substantively respond to data subjects’ requests unless our client (the “controller”) has specifically delegated the authority to act on their behalf in response to those requests. Incognia is prepared, however, to assist clients, when requested, with their obligation to respond to requests from data subjects. 

Data subjects’ rights

Data processing confirmation

Data subjects (the “consumers”) have the right to know if any personal information about them is being processed. You may direct a request for the exercise of this right to the client with whom you have a direct relationship or submit a request to us at dpo@incognia.com.

Access your own personal information

Data subjects have the right to know which personal data of theirs is being collected by our technology, as well as to request a copy of any collected information. You may direct a request for the exercise of this right to the client with whom you have a direct relationship or by submitting us a request to dpo@incognia.com.

Information on data sharing

Data subjects have the right to know if their personal data is being shared, and with whom. This information can be found in the previous section “Data sharing”, in which we explain how and why we share data with our clients. However, if you want to know in more detail through which applications your personal data is collected by Incognia’s technology, you may check the Privacy Policies of the apps installed on your device, as our clients are contractually required to make express reference to the use of our technology. Since we are a third party in the relationship between apps and users, we cannot expose our clients due to confidentiality issues provided for in contracts and required by those companies.

Opt-out

In order to have control over their own personal information, data subjects shall have the right, at any time, to direct a business not to sell personal information about them to third parties. This right may be referred to as the right to opt out. However, this type of request does not apply, since Incognia does not sell personal information.

Anti-discrimination clause

Data subjects have the right to equal service and price, even when they exercise privacy rights. Incognia encourages personal data subjects’ control over their data and users will not be harmed morally or financially for the exercise of rights. However, providing personal data is a requirement necessary for the performance of services and functionalities offered by Incognia, such as ID verification, multi-factor authentication, risk assessment, fraud detection and location-aware services, as detailed in the “Personal data collection” section.

Privacy policy amendments

We may update and change the terms of this Privacy Policy from time to time. On our website, you will always find the latest version of the terms. If you prefer, we can also notify you via email every time the Privacy Policy changes. To receive these notifications, please send an email to us at dpo@incognia.com.

Contact us

If you have any questions, comments or suggestions, please contact our Data Protection Officer by sending an email to dpo@incognia.com.