Last update: June 14, 2022
Incognia is a location-based digital identity company (for mobile) that aims to bring greater security and reduce fraud in the use of mobile applications and connected devices without adding friction during your user experience while respecting your privacy as a User of our services. We believe that no one should need to give up privacy for convenience, so preserving your privacy and protecting your personal data is an essential part of our values and mission.
These definitions will be mentioned throughout this Policy with a capital letter and must be interpreted in conjunction with the provisions of the GDPR and CCPA. Words and terms not defined in this Glossary shall have their meaning in accordance with the provisions of the GDPR and CCPA.
From the analysis of mobile device location data, we create User behavior patterns. These standards act as a User's private anonymous identity and are used to support identity verification and authentication processes for Applications in various industry segments. In addition, associating the location behavior pattern with data about the device's health (root, fake location, apps purchased from an unofficial store, etc.) further contributes to fraud detection.
In order to offer our services, we install a Software Development Module (“SDK”) in our Client’s' mobile Applications. Once you download and install an Application that has our SDK embedded and provide the appropriate access permissions (when necessary) your data is collected and processed by us to bring greater security during the use of the Application, reducing the incidence of fraud and, at the same time, improving your user experience by reducing friction during onboarding, login, transactions and browsing the Application.
We only collect and process personal data that is necessary to achieve the processing purposes related to security in the use of the Applications and reducing the incidence of fraud.
We do not collect any personal data that can directly identify you such as name, ID, e-mail, etc. We also do not collect any personal data considered sensitive, that is, any information that reveals your racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, or data relating to health or sex life, genetic or biometric data.
Check out the categories of personal data we collect through our SDK below:
Location data: location information such as GPS, wifi signals and Bluetooth signals.
Device Identifier Data. refers to the identifying information of your device on which the Application is installed. Ex: mad id (only stored after applying hash with a secret).
Device Data: information related to your device, such as Device model, operating system, and operating system version, among others.
Application data: information related to the Application, such as the app session and events defined by the Application Developers, such as registration of new Users, among others.
The owners or Data Subjects of personal data are the Users who download and install Applications that have our embedded technology (SDK installed), granting the appropriate permissions to share their data, when applicable.
Incognia complies with the Children’s Online Privacy Protection Act (COPPA) from the United States. We do not make partnerships with child and teenage-oriented applications, nor do we offer services for companies that have children and teenagers as the target audience. Therefore, we do not intentionally gather personal information from children or adolescents.
In case you are a parent or guardian and know your child has provided personal data to us, please let us know. If we find out that we have collected personal data from children without the Client Application having verified their parents' or guardians’ consent, we will take the necessary measures to remove this information from our servers and end the partnership with that application, in the case the issue is not permanently solved.
Incognia is contracted by the Application Developers, our Clients, to carry out the processing of your data, as a User, for security and anti-fraud purposes on their behalf and under their determination. Thus, our Clients are the Data Controllers and we act as the Data Processor, according to the definitions of the applicable privacy laws.
The processing of your personal data takes place to achieve the purposes determined by the Controller, which are to provide greater security in the use of the Application, avoid the incidence of fraud and reduce friction in your experience while using the Application. We do not use the data collected through the integration of our SDK with the Application for any purpose other than those related to the provision of our services.
Below we list in more detail the purposes to be achieved with the processing of your data:
Verification of the integrity of the device: through the collected data we check if there is any anomaly or attempt to forge the location of your mobile device;
Verification of addresses: we verify that the address filled in at the time of registration on the Application matches the user´s real address;
Alert on Suspected Account Theft: We alert the user to suspicious changes in location behavior pattern (“Location Fingerprint”) that may indicate a possible theft of your account;
Trusted Locations Check: We verify that the user accessing the app is in a trusted location at key moments in the app: an example of a key moment is login, and this verification is done based on the user’s historical behavior.
Validation of transactions within the Application: We automatically analyze your behavioral profile to more securely validate transactions on the Application.
The data collected is also used for network effect purposes and to generate intelligence and derived data to improve the Solution and increase the accuracy of anti-fraud analyses. Also, the data is processed for the purpose of debugging and monitoring the SDK in order to improve it, aiming at the consumption of fewer resources, such as memory, network, battery, etc.
In accordance with the provisions of the privacy laws, it is up to the Controller, our Client, to define the most appropriate legal basis to justify the processing of personal data.
We store your personal data on Amazon Web Service (AWS Cloud) servers located in the United States of America. We use secure and encrypted protocols to protect data transfer to our servers. It is worth mentioning that the data is hosted in technological environments managed solely and exclusively by Incognia through the use of a public cloud platform provided by AWS Cloud which is the industry standard, as it simplifies the technology's operation and increases the security level of all services that use it. In addition, we have strict and granular control over the data we store in the AWS cloud.
We use security mechanisms both in transporting and storing data, in addition to updating constantly. All requests are made using the secure version of HTTPS, which is a secure and industry-standard protocol. In addition, the AWS cloud provides a variety of security features and services to increase privacy and control access to the network, including firewalls, encryption (both for data in storage and in transit), defense and automatic response to DDoS attacks, security traces, backup, as well as constant monitoring, activity logging and access control.
As described in the previous item, the data is transferred and stored in encrypted form on the AWS Cloud. We store your data obtained via SDK for a maximum period of 6 (six) months from the date of collection. After this period, your data is securely and permanently deleted. Exceptionally, we may retain your personal data to: (i) fulfill contracts, agreements and policies; (ii) compliance with legal or regulatory obligations (for instance, if necessary to abide by applicable laws); (iii) audit purposes; (iv) regular exercise of rights in judicial and administrative proceedings .
We verify the processes of creating accounts or authenticating actions in the mobile applications, such as logins and transactions, in order to automatically provide the Controller with a result of risk analysis or data validation. However, we do not adopt any automated decisions as all decisions relating to you, your data and your use of the Application are the sole and exclusive responsibility of the Controller.
Your personal data collected by our SDK is shared with the Amazon Web Service (AWS Cloud), for the exclusive purposes of storage, as described in item 9.
Furthermore, the result of our risk analysis may also be shared with the Controller, developer of the Applications, for security and anti-fraud decision-making purposes. That is, for fraud analysis, we share with our Client information collected about the integrity of your device (root, fake location, information about acquisition from an unofficial store, etc.) and behavior pattern analysis (if the User's behavior is consistent over time and across devices it registers on, whether it has any history of fraud, etc). In cases of electronic address verification, we send a location count aggregation in a small region around the address received from the Application to confirm the response if it is positive. All data shared with the Controller is associated with hashed IDs and, therefore, does not allow us to identify you directly.
If you want to know in more detail through which Applications your personal data is collected by Incognia’s technology, you may check the Privacy Policies of the apps installed in your Device. Since we are a third party in the relationship between Applications and Users, we cannot expose our Clients due to confidentiality issues provided for in contracts and required by those companies.
As previously stated, your personal data is stored on Amazon Web Service (AWS Cloud) servers located in the United States of America. We use secure protocol to protect data transfer to our servers in encrypted form.
So, when there is a data collection from Users that is not in the United States, there will be an international transfer.
Incognia applies a series of measures to protect your data, such as:
You have a number of rights in relation to your personal data, such as data processing confirmation; access to your own personal information; information on data sharing and opt-out. These rights are made available by the Controller (our Clients), but Incognia, as the Processor, takes all measures to assist the Controller in fulfilling its obligation to make its rights available.
In other words, your rights must be requested directly from the Data Controller, who, in turn, will forward your right request to us so that, if applicable, we can take the appropriate measures according to instructions received from the Controller. All communications relating to your rights shall be made solely between you and the Controller.
Data subjects have the right to equal service and price, even when they exercise privacy rights. Incognia encourages personal Data Subjects’ control over their data and Users will not be harmed morally or financially for the exercise of rights. However, providing personal data is a requirement necessary for the performance of services and functionalities offered by Incognia, such as ID verification, multi-factor authentication, risk assessment, fraud detection and location-aware services, as detailed in the item 7.
The California Consumer Privacy Act (“CCPA”) provides consumers (the “Data subjects”) with specific rights regarding their personal information. When offering anti-fraud services to clients, we act as a “service provider” under the CCPA, which means our collection of any consumer personal information is completed on behalf of our Clients in order to provide them with anti-fraud services.
You have the right to request that businesses subject to the CCPA (which may include our Clients with whom you have a relationship) disclose certain information to you about their collection and use of your personal information, including the information used or shared with us to perform a business purpose.
The business purposes regarding the services provided by Incognia are:
(i) detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity;
(ii) performing services on behalf of the Clients, including maintaining or servicing accounts, processing or fulfilling orders and transactions, verifying User information, or providing similar services on behalf of the business. Incognia does not further collect, sell, or use consumers’ personal information except as necessary to perform the informed business purposes.
Incognia shall not be required to comply with your requests to delete your personal information once it is necessary to (i) complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of a business’ ongoing business relationship with you, or otherwise perform a contract between the business and you; or to (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
If you have any questions, comments or suggestions, you can contact our Personal Data Processing Officer/DPO directly by sending an email to firstname.lastname@example.org.
555 Bryant St, Box 423
Palo Alto CA USA 94301
DPO: Dayana Caroline Costa (email@example.com)