Privacy Policy:
Incognia Mobile Fraud Solution


Last update: September 23, 2020

The purpose of this Privacy Policy is to demonstrate the commitment of Incognia US, Inc, a Delaware Corporation located at 2479 East Bayshore Road, Suite 150 - Palo Alto, CA 94303, USA, to the privacy and protection of personal data collected through its technology in accordance with the applicable privacy laws and regulations, ensuring transparency and best practices for the protection of personal data.

About Incognia

Incognia is a mobile fraud prevention solution offered by Inloco for mobile applications and connected devices (the "clients"), which aims to increase the security of applications without adding friction to the user experience, while respecting users' privacy. This solution creates a unique and anonymous pattern of location behavior for each user, which acts as a private user identity that can be used to: verify Device Integrity, checking for any anomaly or attempt to forge the location of the device; perform Address Verification, comparing the address provided by the user at the time of registration with their real home address; alert on suspicious changes in the user’s location behavior pattern ("Location Fingerprint") that may indicate a possible account takeover; verify whether the user is in a Trusted Location at key moments in the app, such as login, according to their historical behavior; and validate transactions within the application with more security, automatically analyzing the behavior profile of each user. Incognia's location technology does not require storage or access to information that can directly identify you, guaranteeing you a non-negotiable right: the right to privacy.

Personal data processing

Data source

Incognia collects data from mobile devices through a Software Development Kit (SDK) that consumer internet companies and financial services can integrate into their mobile applications, allowing an accurate perception of the location context in order to prevent account theft and ensure safer payments. The applications inform users about the use of the mobile device location functionality, and Incognia performs data collection only when it is active, securely detecting the device's presence in establishments, disassociated from the user's identity, to create a unique and anonymous location behavior pattern.

As a mobile fraud prevention solution, the processing of personal data carried out by Incognia is based on the legitimate interest of the controller (in this case, the clients), which, according to the Brazilian General Data Protection Law (LGPD), may substantiate the processing of personal data for legitimate purposes, considered from concrete situations, which include the protection, in relation to the data subject, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and fundamental rights and freedoms (Art. 10, II, Law No. 13.709/2018, Brazil).

Categories of data and purposes of the processing

Incognia follows the principle of minimization established by the EU General Data Protection Regulation, which states that "personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (Art. 5, 1, (c), GDPR), as well as the principle of necessity of the Brazilian General Data Protection Law, defined as the "limitation of processing to the minimum necessary for the accomplishment of its purposes, with scope of the relevant, proportional and not excessive data in relation to the purposes of data processing" (Art. 6, III, Law No. 13.709/2018, Brazil). For this reason, and because Incognia has the commitment of being transparent, we detail all the data that are collected through our technology and for which purposes below.

Category: Location
Description: GPS; Wi-Fi Signals; Bluetooth-LE Signals; Telephone signals; Activity (running, walking, driving) [2]
Purposes: Address verification [1]; Visit classification; Behavioral location pattern for fraud detection; Population mobility analysis [3]

Category: Identifier
Description: Mobile Advertising Identifier (only stored after the application of salted hash or encryption functions)
Purposes: Targeting and unique user count

Category: Device data
Description: Device model; Operating system; OS Version; Performance Metrics; IP (the last four digits are ignored to remove accuracy); Network type (3G, 4G, Wi-Fi); Network provider; Screen resolution; Installed apps; Manufacturer; Phone carrier
Purposes: Fingerprinting and device integrity analysis for fraud detection; Debugging and monitoring the SDK in order to improve it and consume less resources (CPU, memory, network, battery etc.); Expansion strategies, e.g. identifying apps that have a large/growing user base

Category: App data
Description: App session (when the app is open and for how long it stays open); Events defined by application developers (new user registration, in-app transactions, visualization of certain areas of the application and use of certain functionalities)
Purposes: Intelligence on the use of apps for fraud detection

[1] Address verification based on device behavior compared to the declared address in client applications.
[2] Google Play Services provides Android devices with a way to query this data directly through the operating system, called “activity recognition”.
[3] The behavioral location profile (fingerprint) is used to provide security and anti-fraud functionalities as a behavior-based authentication strategy.

Sensitive data

We do not collect sensitive data - information revealing ethnicity, religion, political or philosophical opinion, membership of union entities, or data related to health, sexual life, genetics and biometrics (Art. 5, II, Law No. 13.709/2018, Brazil) - and we do not associate users, not even anonymized ones, with visits to sensitive places, such as religious temples, hospitals, political parties, adult entertainment places and others that can be used to make sensitive inferences.

Child data

The Brazilian General Data Protection Law (Law No. 13.709/2018, Brazil) establishes that the processing of children's data must be carried out only with the specific and prominent consent given by at least one of the child's parents or legal guardian (Art. 14, §1); and that the institutions involved in the processing of the data must make every reasonable effort to verify that the consent has been given by the person responsible for the child (Art. 14, §5).

We do not integrate Incognia's technology with applications aimed at children, nor do we offer services to companies that have children as their target audience. Therefore, we do not intentionally collect personal information from children.

Form and duration of the processing

Incognia associates the location (coordinates) with a known establishment ("place") and a pseudonymized identifier of the device, resulting in a type of data that we call visit. The pseudonymization of the device identifier allows the original data to be eliminated, making it difficult to re-identify it, as will be better explained in the section "Security Measures". From the visit history analysis of mobile devices, Incognia creates anonymous behavioral patterns for its users. These patterns are used to assist identity verification and authentication processes for applications in many industry segments. In addition, associating the location behavior pattern with device integrity information (root, fake location, applications from outside the official store, etc.) further contributes to fraud detection.

Incognia stores data for a maximum period of two years for the purposes described in this Privacy Policy. Exceptionally, we may retain and use personal data for longer periods to: (i) comply with contracts, agreements and policies; (ii) comply with legal obligations (for example, if necessary to comply with applicable laws); (iii) resolve disputes by court order. Incognia may also store anonymized data for statistical analysis purposes.

Automated decision-making

Incognia verifies account creation or authentication processes such as logins and transactions in applications and provides a positive or negative response in an automated way. By consulting Incognia's APIs (Application Programming Interfaces), decisions can be taken by the client in real time. It is important to highlight that the decision, whether approval or denial, made by the client after receiving a response from our APIs is their responsibility, not Incognia’s.

Security measures

Incognia's technology does not collect or use identified personal data (direct identification data of individuals), and has been developed to prevent access to identifiable personal data (data capable of identifying individuals indirectly, i.e. after some effort or association with other data). Therefore, Incognia does not collect unique static identifiers from mobile devices (IMEI and MAC), associated accounts (email and telephone number), civil identification data (name, CPF, RG etc.), or sensitive data - information revealing ethnicity, religion, political, religious, philosophical or trade union opinion or data relating to health, sex life, genetics and biometrics.

We use security mechanisms both in the transportation and storage of data, and we constantly update our protection system. All our requests are made with HTTPS, which is an industry standard safe protocol. Data is transferred and stored in encrypted form in the AWS Cloud - data storage on cloud servers ('cloud computing') is also an industry standard as it simplifies the operation of technology, scalability and security for any technology services. 

To increase data security and privacy, Incognia applies encryption and hash functions to the mobile advertising ID, creating distinct identifiers for different uses, which are: (i) hashed ID, for unique counting and creating behavioral profiles of users; (ii) encrypted ID, to retrieve the advertising identifier in cases strictly necessary, such as legal obligations or guaranteeing the rights of data subjects (the "users"). Incognia performs key management and uses cryptographic signature techniques that allow the detection of any changes made to the data, protecting the encrypted IDs. The elimination of the original mobile advertising identifier puts an end to the risks associated with improper access to data. Both maintained identifiers (hashed ID and encrypted ID) are sufficient for all Incognia services and do not allow direct identification of data subjects, and reduce the risks of indirect identification in case of confrontation with a third party database containing the original IDs linked to other personal data, such as email, CPF, etc. Therefore, in case of leakage or undue access to the information collected and processed by Incognia, the subjects will not be directly associated with this data, reducing the risk of being physically or morally affected.

Transfer

In general, our clients do not have access to the devices’ individualized visit history or any data that could directly or indirectly re-identify an individual - the vast majority of data shared by Incognia is anonymous. The exceptions are described below:

For electronic address verification, we will receive from the app an address associated with your device (the "request") and send a digital proof of address (the "response"), using inferences made from the location data collected on your device. The proof consists of a positive or inconclusive response from our technology. In case of inconclusive response, we will not send anything else about the user and it is assumed that we do not have enough information for automatic verification. In case of positive response, we will send a location count aggregation in a small region around the received address to confirm the response.

For fraud analysis, we also share information collected about the device integrity (root, fake location, applications from outside the official store, etc.) and user behavior analyses (whether the user's behavior is consistent over time and through devices on which they register) with our clients.

We store data on the AWS Cloud using a safe protocol to protect the transfer of data to our servers in encrypted form. The AWS servers are located in the United States, which characterizes international data transfer.

Controller and processor responsibility

Incognia performs the processing of personal data as a processor, that is, an agent who performs data processing on behalf of the controller, to which, in turn, the decisions regarding the processing are incumbent, according to Art. 5, VI and VII of the Brazilian General Data Protection Law. The controllers of the personal data processed by Incognia are our clients, consumer internet companies and financial services to which Incognia provides mobile fraud prevention services. Incognia does not use data collected through the integration of the SDK with the controllers’ applications for any purpose other than those intended by them.

As to our operation, we only use one processor or service provider, that being the AWS Cloud, for data storage.

According to Chapter VI, Section III of the Brazilian LGPD, the controller or processor who causes another person patrimonial, moral, individual or collective damage due to the processing of personal data is obliged to repair it. In addition, when the processor fails to comply with the obligations of the data protection legislation or when it has not followed the lawful instructions of the controller, the processor is jointly liable for the damage caused by the processing, as well as the controllers directly involved in this processing. Processing agents (controller and/or processor) will be held liable unless they prove that they have not carried out the processing of personal data assigned to them; that there has been no violation of data protection legislation; or that the damage is due to the exclusive fault of the data subject or third party.

Rights of the data subject

Incognia performs the processing of personal data on behalf of a controller, thus characterizing itself as a processor, in accordance with Art. 5, VII of the Brazilian General Data Protection Law. Therefore, we guarantee the exercise of the rights of the data subject under the Brazilian LGPD and the EU General Data Protection Regulation ('GDPR'); however, these rights must be requested from the controller, who in turn must forward the requests to us. Our response to every request from the controller will be sent back to the controller, who, in turn, shall inform the data subject.

We emphasize that Incognia's mission is to respect the privacy and ensure data protection of our users. Below is the simplified list of rights provided in Law No. 13.709/2018, Brazil.

Right of access to information: The information required by the data protection laws is detailed in this Privacy Policy: Incognia Solution. Other information can be requested from the controller or directly from us, when applicable, through the email 'dpo@incognia.com'.

Right to confirmation of the personal data processing: The confirmation of the processing should be requested directly from the controller, who will forward the request to us.

Right of access to data: The access to data should be requested directly from the controller, who will forward the request to us. When exercising the right of access to data, we will inform the controller of the types and categories of data we have about you, as well as the purposes. The electronic copy of the data undergoing processing, however, applies only when the processing is based on the consent of the data subject or contract, and not on the legitimate interests of the controller, according to art. 19, § 3 of Law No. 13.709/2018, Brazil.

Right to correction of incomplete, inaccurate or outdated data: Incognia guarantees the accuracy, clarity, relevance and updating of personal data collected through our technology. However, if you consider that the personal data processed by Incognia are incomplete, inaccurate or outdated, you may request the rectification directly from the controller, who will forward the request to us.

Right to anonymization, blocking, elimination or restriction of unnecessary or excessive data, or data processed in breach of the law: Incognia only processes data strictly necessary for the provision of its services, observing all the determinations of the Brazilian General Data Protection Law and other applicable rules. However, if you wish to request the anonymization, blocking, deletion or restriction of your data, please contact the controller, who will forward your request for us to evaluate.

Right to data portability: Incognia has developed its proprietary location technology in an innovative way that is not compatible with other location technologies; thus, it is not possible to exercise data portability from Incognia to another similar service provider without prejudice to the company's trade and industrial secrets, besides implying a technical effort disproportionate to the benefit that the data subject could have with the portability of such data. Furthermore, data portability is not suitable for anti-fraud services, as those are hired by the controller (consumer internet companies and financial services), not the data subject. The portability of data to another similar fraud prevention service provider would have no effect, since the user would be unable to use the controller application in case the similar service is not used by the controller. We emphasize that there is no regulation of the National Data Protection Authority to exercise this right, as determined by the Brazilian General Law of Data Protection.

Right to information of public and private entities with which Incognia has made shared use of data: In the "Transfer" section of this Privacy Policy, we inform the platform used for data storage. In case you wish to request any additional information, please contact us at 'dpo@incognia.com'.

Right to review automated decisions: Automated decisions are already detailed in the section "Automated decision-making", and their review should be requested directly from the controller, who will forward the request to us.

Right not to be subject to automated decision-making: Automated decision-making for fraud prevention is carried out for the purpose of fulfilling legal and regulatory obligations. Even so, if you consider exercising this right, you can request it directly from the data controller, who will forward the request to us.

Rights to copy of data; information about refusing to consent and consequences; revocation of consent ("opt-out"); delete data processed with the consent of the user: These rights only apply to the processing of personal data based on consent, not on the legitimate interest, which substantiates the data processing performed by Incognia.

Contact

If you have any questions, comments or suggestions, please contact our Data Protection Officer by sending an email to 'dpo@incognia.com'.