Global Privacy Policy: Incognia Solution

Last update: April, 16th 2026

Incognia is a technology company specializing in fraud-prevention solutions for mobile applications and websites. We serve multiple sectors that depend on trust and secure user interactions, such as mobility platforms, delivery services, and the financial industry.

While we continuously invest in innovation, we also believe that trust from both our clients and their users is essential to the success of our solutions. Therefore, our commitment extends beyond preventing fraud and ensuring safe digital experiences: we implement strict data-protection compliance measures and treat privacy as a core company value.

The purpose of this Privacy Policy (“Policy” or “Notice”) is to clearly and transparently explain how we process personal data within the scope of our services and to reaffirm our commitment to privacy and compliance with the applicable data protection legislation.

Incognia operates globally, providing fraud-prevention technology to clients across multiple jurisdictions. To promote consistency and high standards in our privacy practices, Incognia structures its internal governance around internationally recognized data-protection principles, such as those reflected in comprehensive frameworks like the GDPR and the UK GDPR. In regions where local legislation imposes stricter data protection obligations, Incognia complies with such requirements in accordance with the contractual arrangements established with its Clients.

This Policy applies to all data processing operations carried out outside the United States (U.S.) and Brazil. For information on data collected in these countries, please refer to our US Privacy Policy or to our BR Privacy Policy.

The information in this Policy reflects Incognia’s standard practices for processing personal data. Certain conditions, however, may vary depending on the nature of the contracted services, local requirements, and the specific agreements entered into with each client.

Glossary

For the purposes of this Privacy Policy, the following definitions should be considered:

  • Account ID: A unique internal account identifier used by the Platform. It serves as the Client’s “key” to distinguish between different user accounts and may correspond, for example, to a random number. All account IDs received are hashed by Incognia, and processing is performed on its hashed representation.

  • Applicable Privacy Law: means the GDPR, UK GDPR and local laws that govern the processing activities performed through our services.

  • API (Application Programming Interface): An interface that enables communication between the Client’s servers and ours. In Incognia’s services, the API allows Clients to send requests for risk analysis to our servers and receive the corresponding results in return.

  • Applications: or “App”, refers to programs developed for mobile devices such as smartphones and tablets, that have the Incognia Solution embedded, that is, the Incognia SDK integrated.

  • Clients: digital and service companies that develop the Applications or companies that make their products and services available on Websites, and have contracted our Solution.

  • Cookies: Small data files stored in the user’s browser to manage sessions, preferences, or authentication.

  • Controller: legal person, which, alone or jointly with others, determines the purposes and means of the processing of personal data. When deciding to use our SDK, our Clients act as Controllers.

  • Data subject(s): refers to the natural person; the “owner” of the Personal Data, that is, the person to whom the Data refers. It means Application or Website User.

  • Device: computer or mobile device on which the Application is installed or where the Website is accessed.

  • Device ID: A unique identifier generated by Incognia to recognize the same device over time. It is created from data collected through the SDK and may remain persistent even if the app is reinstalled or a browser tab is closed.

  • Encryption: a security technique that converts data from a readable format into a coded format. Encrypted data can only be returned to its original format if decrypted using encryption keys.

  • GDPR: General Data Protection Regulation (Regulation (EU) 2016/679). It is the European data protection law. References to the GDPR in this Policy shall be deemed to include the UK GDPR, where applicable.

  • Hashing: A technique that transforms a piece of data into an apparently random alphanumeric string in a deterministic but irreversible way. The resulting value is called a “hashed” data element.

  • Personal Data: any information related to an identified or identifiable natural person. Directly identifiable Personal Data are those that, by themselves, allow the identification of the person. Indirectly identifiable personal data depend on complementing or combining with other information to achieve this goal, as in the case of location data that we process. References to “Data” or “Personal Data” in this Policy refer to the Personal Data of Data Subjects.

  • Platforms: refers to the App and/or Website.

  • Processing: operations or set of operations performed on Personal Data, including collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.

  • Processor: legal person, which processes Personal Data on behalf of the Controller.

  • Risk Policy: The set of rules configured by each Client that define the criteria for Incognia to classify events as high or low risk, depending on the context.

  • SDK: Software Development Kit. It is the module installed in our Clients' Applications and Websites to collect User Data.

  • Solution: refers to the Incognia service delivered to the Clients via SDK integration to the Application (Mobile Solution) or Website (Web Solution).

  • User: natural person who downloads and installs the Application of our Client or accesses their Website. It refers to the Application or Website User; the Data Subject.

  • Website: refers to webpages or web-based services accessed through internet browsers, that have the Incognia Solution embedded, that is, the Incognia Web SDK integrated.

These definitions will be capitalized throughout this document and any other terms mentioned in this Policy and not listed in the glossary shall have the meaning given by the Applicable Privacy Law, and related terms shall be interpreted consistently.

1. How does the Incognia Solution work?

Incognia provides a fraud-prevention technology that works integrated into Clients’ Applications and Websites through a software module called the Software Development Kit (SDK). This module is embedded directly into the Platforms in order to collect the Data described in the next section, for the sole purpose of fraud-risk analysis.

Once Incognia’s SDK is integrated, our Clients can send us, via API, risk analysis requests for events that occur on the Platform, that is, at decisive moments in the User's journey, such as when creating a new account (onboarding), during login attempts, or during other relevant actions that require risk analysis.

Upon receiving the request, Incognia processes the Data collected by the SDK and/or sent directly by the Client via API. Based on this information and the criteria previously defined in the Client’s Risk Policy, Incognia returns, through the API itself, a result that indicates whether the risk is low, high or unknown (when there is not enough information for the analysis).

The risk result is accompanied by the reasons justifying the classification, for example signals that compromise the Device's integrity, such as the presence of malicious software, evidence of operating system manipulation, or use of emulation tools, among other factors. Furthermore, contextual elements such as location inconsistencies and recurrent fraudulent access attempts, among others, may be considered. Incognia provides the risk assessment according to the Client's instructions and the rules defined in the Risk Policy configured by the Client. The decision on what measures to adopt based on this result is solely up to the Client. When receiving a high risk result, the Client may, for example, include a new verification step, such as biometrics, continue with the interaction without impacting the User, or apply any other procedure provided for in its policies and terms of use.

This model allows Incognia to offer real-time risk intelligence, enabling fraud prevention without creating unnecessary friction for the legitimate User. As part of this process, the Data analyzed by the Solution is used exclusively to support risk assessment and is never sold, shared for advertising purposes, or used to build profiles unrelated to fraud prevention.

2. How is Personal Data collected?

Once our Solution has been contracted, our SDK is integrated by the Client (the Controller) into their Application or Website to enable the collection of the User’s Device Data. Once the User downloads and installs an Application or accesses the Website and grants the appropriate data access permissions (when necessary), the Data is collected and processed by us to bring greater security during the use of the Platform, reducing the incidence of fraud and, at the same time, improving the User experience by reducing friction during onboarding, login, transactions and other events on the Application or Website.

The integration of our SDK, as well as the collection and processing of Personal Data through the Application or Website for the purposes described in this Policy are only and exclusively due to the Clients’ decisions, who are responsible for collecting any permissions or consents, if applicable, as well as for providing appropriate transparency to their Users.

To seek more details about which Applications or Websites collect Personal Data using Incognia’s technology, please refer to the Privacy Policies of the respective applications installed in the Device or the websites visited and request the Platform developers for information on Personal Data sharing with third parties. As we are a third party in the relationship between Platform and Users, we cannot expose our Clients due to confidentiality obligations set forth in our agreements and required by our Clients.

We therefore advise Users to always read an application’s Privacy Policy before downloading it onto their Devices, as well as the Privacy Policies of the websites they log into, so that they can access detailed information about the processing and sharing of Personal Data.

3. Which Personal Data is collected?

We only collect and process Personal Data pursuant to the agreements established with our Clients and to the extent necessary to achieve the processing purposes defined by them, related to security in the use of the Applications and Websites, for User authentication, reducing the incidence of fraud and improving User’s experience.

Below are the categories of Personal Data we collect through our SDK embedded in the Platforms, noting that additional data may be collected depending on each Client’s specific scenario:

Mobile Solution (Application)

Location

Location information such as GPS, or other signals that make it possible to infer the location of the Device, such as Wi-Fi and Bluetooth, always with the User's location permission.

Identifiers

Information that aims to uniquely identify the User's Device, such as vendor ID and Android ID, or serve as an identifier for the Application account, such as the Account ID.

Device

Mobile device-related information, IP, VPN, connection type, operating system data, model and other information that aims to characterize the Device and its network environment, including integrity data.

Application

Information related to the use of the Application, such as app session, installation data, and other Application metadata.

 

Web Solution (Website)

Location

Location information provided by the browser if the User has granted location permission.

Identifiers

Information that aims to uniquely identify the User's Device, such as session ID.

Device

Device and network related information, such as operating system, hardware information, screen resolution, IP and device integrity data.

Browser and network

Information related to the browser in which the website is open, such as browser settings, permissions, plugins, connectivity and language information, cookie ID and cookie hash.

4. How does Incognia process geolocation?

Incognia processes geolocation data strictly for fraud-risk analysis, and collects this data only if the User has granted the location permission required by the operating system. The location permission prompt is displayed and managed by the Application or Website, and it is our Client’s responsibility to define the wording and context for such notices.

Once permission is granted, geolocation Data is collected at specific and limited moments, typically only when the Application or Website is open in the foreground. Incognia does not collect location Data continuously and does not monitor or track Users.

Depending on the Platform, geolocation Data results from the combination of signals such as GPS, Wi-Fi and Bluetooth, and may also be complemented by location data from IP addresses.

5. What are the purposes of processing Personal Data?

The processing of Personal Data takes place to achieve the purposes determined by our Clients, related to providing greater security and reducing the incidence of fraud and friction in User experience while using the Application or browsing Clients' Websites. We do not use the Data collected through the integration of our SDK with Client Platforms for any purpose other than those related to the provision of our services. If we identify that any Controller's instruction about the Personal Data processing is unlawful, we will take appropriate contractual and legal action.

Below we list in more detail the general purposes to be achieved with the processing of Personal Data:

  • Creation of Device ID: to enable the unique and persistent identification of a Device, assisting in fraud detection and prevention.

  • Verification of Device integrity: to check for any failure in the Device’s integrity, such as technical anomalies, malicious software, or attempts to forge its location.

  • Address validation: to verify whether the address provided at the time of registration on the Platform corresponds with the frequent locations of the Device.

  • Location analysis: to use geolocation Data to assess, for example, whether the event is occurring in a place previously associated with legitimate use of the Device (trusted location), helping to identify potential risk signals, such as access attempts made in locations incompatible with the User’s usage history.

  • Suspicious pattern analysis: to evaluate patterns contrary to the Platform’s policies, such as access to multiple accounts from the same Device, constant reinstallation of the Application, etc.

The Data collected is also used for network effect purposes and to generate intelligence and derived Data aiming to improve and increase the accuracy of risk analyses among Platforms. Furthermore, the Data may be processed, in general, in anonymized or aggregated format, for monitoring the SDK with the aim of improving it to consume fewer Device resources (memory, network, battery, etc.) and for debugging.

6. What is Incognia’s role in the processing of Personal Data?

Incognia is hired by the Application or Website developers, our Clients, to carry out the processing of Personal Data for security and fraud-prevention purposes, on their behalf and under their instructions. Thus, our Clients are the Data Controllers and we act as the Data Processor, according to the definitions of the Applicable Privacy Law.

However, the definition of processing roles is not static. Hence, Incognia may eventually act as a Controller when the data processing is aimed at achieving our own purposes, such as complying with legal or regulatory obligations, for example, or other purposes provided for in the Applicable Privacy Laws or in contracts entered into by and between Incognia and the Client.

7. What is the legal basis that justifies the processing of personal data?

In accordance with the provisions of the Applicable Privacy Law, it is up to the Controller (Clients) to define the most appropriate legal basis to justify the processing of Personal Data.

We act as a Data Processor and process Personal Data on behalf of the Controller, in accordance with its instructions and applicable agreements.

However, if in any situation we become a Data Controller, we will adopt all legal requirements to conduct the data processing for the purposes of our legitimate interests, for compliance with legal or regulatory obligations or judicial orders, to defend Incognia in legal claims, or under any other legal basis provided by the Applicable Privacy Law.

8. Who owns the Personal Data collected by Incognia?

The owners or Data Subjects of the Personal Data are the Users who download and install Applications or access Websites that have our embedded technology (SDK integrated), granting the appropriate permissions to share their Data, if and when applicable.

9. Does Incognia process Personal Data from children or adolescents?

Incognia does not process data for the purpose of identifying or profiling Users based on age. Incognia processes technical signals related to application, device, and location, which are used exclusively to support security and fraud prevention purposes.

The determination of a User’s age and the application of any age-related restrictions remain under the responsibility of the Client, as the party that holds the business relationship with the User. Regardless of the type of User, Incognia applies consistent technical and organizational safeguards, including hashing and other security measures, to ensure that the data processed is protected and used solely for its intended purpose.

10. Does Incognia make automated decisions?

Incognia performs automated risk analyses through its proprietary fraud-prevention technology, which processes Data in accordance with the parameters and criteria defined by each Client in their Risk Policy. These automated analyses are limited to evaluating technical inputs and producing a risk result intended to support the Client’s fraud-prevention activities.

Incognia does not make automated decisions about Users, and the risk results generated by our technology do not, by themselves, produce legal effects or similarly significant impacts on individuals. Any action taken in response to a risk result, such as approving or declining a transaction, suspending an account, requesting additional verification, or applying other measures, is determined exclusively by the Client, in accordance with its own policies and internal review procedures.

Incognia’s role is to provide automated intelligence that assists Clients in making decisions. We do not determine outcomes, do not make eligibility decisions, and do not engage in automated decision-making that produces direct effects on Users.

11. With whom does Incognia share the collected Personal Data?

The Personal Data collected by our SDK are stored and processed by Amazon Web Services (AWS Cloud) and are not shared with any other third parties, unless expressly determined in the contracts signed with our Clients, as Controllers.

12. How and where is Personal Data stored?

The Personal Data is stored on Amazon Web Services (AWS Cloud) servers located in the U.S. The Data is hosted in technological environments managed solely by Incognia through the use of a public cloud platform provided by AWS. Cloud storage (cloud computing) is the industry standard, as it simplifies technological operations and increases the security level of all services that use it. In addition, we have restricted and granular access control over the Personal Data we store in AWS Cloud.

We adopt security mechanisms both in the transport and storage of Data, and we constantly update our protection systems. All requests are made using secure versions of HTTPS, which is an industry-standard protocol. Additionally, AWS Cloud provides various security resources and services to enhance privacy and control network access, including firewalls, Encryption (for Personal Data both at rest and in transit), security tracking, backup, as well as constant monitoring, activity log registration, and access control.

For more information on the technical and administrative measures adopted by Amazon to protect Personal Data as well as to fulfill the Applicable Privacy Law, click here.

13. For how long is the Personal Data stored?

We store the Personal Data obtained by SDK for the period defined by our Client, the Controller, which, as a standard, is limited to 180 (one hundred and eighty) days, which is the time necessary to achieve the Processing purposes determined by our Clients. After this period, these Data are securely and permanently deleted.

If it is necessary to retain Personal Data after the purpose for which they were collected has been achieved, the criteria for defining the retention period will be as follows:

  • Legal, regulatory, contractual obligation, or determination by a competent authority;
  • Maintenance of historical, commercial, and financial records, within the necessary limits;
  • For audit purposes or the regular exercise of rights in judicial or administrative proceedings.

14. Is there international Personal Data transfer?

As previously stated, Incognia stores Personal Data on Amazon Web Services (AWS) servers located in the United States. All Personal Data collected by our SDK or received through the API is handled exclusively within this U.S.-based infrastructure, which is protected by industry-standard security safeguards.

As such, the international transfer of Personal Data will be carried out in accordance with the applicable transfer mechanisms set out in the Applicable Privacy Law.

In addition, with regard to the collection of Data in countries within the European Economic Area (EEA), Incognia enters into the European Union Standard Contractual Clauses (SCCs) with its Clients, ensuring that all international transfers are carried out under recognized and reliable mechanisms for the protection of Personal Data. Transfers from the United Kingdom (UK) are conducted under the UK Addendum to the EU Standard Contractual Clauses approved by the UK Information Commissioner’s Office (ICO). Also, it is worth mentioning that Amazon Web Services is part of the EU-US Data Privacy Framework, which reinforces the protection of Data transferred from EEA to the United States.

15. What are the rights of Personal Data Subjects?

Incognia is committed to ensuring that the rights of Data Subjects are respected in accordance with the Applicable Privacy Law.

These rights are made available by our Clients, as Controllers, who are the parties that hold the information that allows the direct identification of Users. However, Incognia maintains legal and contractual commitments under which it supports its Clients in taking the necessary actions to fulfill Data Subjects' requests, subject to the applicable technical, legal and contractual limitations.

For reference purposes, Incognia lists below the main rights recognized by the Applicable Privacy Law, which may be exercised directly before the Platforms.

In general, Data Subjects have the right to request access to their Personal Data, to request correction of inaccurate or incomplete data, to request deletion or restriction of processing, to object to certain types of processing, and to request data portability, where applicable.

If the User is a resident in the United Kingdom or European Economic Area (EEA), the rights provided under the GDPR and UK GDPR include:

  • Right to access;
  • Right to rectification;
  • Right to erasure;
  • Right to restrict processing;
  • Right to object to processing;
  • Right to data portability;
  • Right to withdraw consent at any time;
  • Right not to be subject to a decision based solely on automated processing, including profiling.

Each request submitted by a Data Subject shall be assessed by the Controller, considering the feasibility of exercising the requested right and the context in which the Personal Data are processed. Certain requests may not be fulfilled immediately or entirely due to confidentiality obligations or other legally justified reasons. In such cases, the Controller shall provide proper justification.

16. How does Incognia incorporate privacy into its Solution?

Incognia develops its fraud-prevention technology based on the fundamental principles of data protection, seeking to minimize the need to use Personal Data as much as possible.

All Data processed is protected by Encryption, with managed and restricted access to authorized employees, who operate under confidentiality agreements, undergo regular training, and follow internal procedures to ensure data protection and market best practices.

Furthermore, we follow the seven fundamental principles of Privacy by Design as the foundation for creating and developing our solutions, implementing privacy protection from conception to the final use of our products and solutions. To learn more about how we implement Privacy by Design in our Solution, consult our e-book “Delivering Privacy by Design”.

Incognia also maintains specific data protection agreements (Data Processing Agreements – DPAs) signed with its Clients, which establish the technical and organizational measures to be applied during Processing, ensuring that each operation complies with legal and contractual requirements.

In addition, we undergo independent audits annually to ensure our compliance with major privacy laws as well as with the most rigorous security requirements.

Other privacy and data protection assurance procedures are detailed throughout this Privacy Policy, and our Data Protection Officer/DPO (dpo@incognia.com) may always be contacted to provide further details on how we handle privacy and the protection of Personal Data within the scope of our Solutions.

17. What security measures are in place to protect Personal Data?

Incognia applies technical measures that follow industry-recognized standards, including those required in independent audits such as SOC 2, to ensure the confidentiality, integrity, and security of the Personal Data processed in our Solution. These measures include:

  • Encryption in the transport and storage of Data, with key control and restricted access, ensuring that only authorized parties can access them;
  • Advanced cryptographic signature techniques that allow the identification of any unauthorized alteration in the Personal Data collected by the SDK;
  • Hashing with a secret applied to identifying Data (IDs like Account ID). This process ensures that the identifiers used by Incognia do not allow direct identification of the Users and reduces the risk of reidentification in the event of a comparison with external databases containing Personal Data, such as email or telephone number;
  • Segregated Personal Data storage, with additional access, auditing, and monitoring controls;
  • In the context of the Web Solution, collection of Cookies only when authorized by the Client and subject to the appropriate user permissions, where applicable;
  • Periodic execution of penetration tests (pentests) conducted by specialized companies, aiming to identify and correct vulnerabilities before they can be exploited;
  • Continuous monitoring of access and segregation of duties among technical teams, ensuring that critical activities related to critical Personal Data are performed with full traceability and in accordance with the principle of least privilege.

These measures are continuously improved and audited to ensure that the Processing carried out by Incognia complies with applicable legislation and aligns with the contractual commitments made with our Clients.

18. What Security and Privacy certifications does Incognia have?

Incognia undergoes annual audits to attest to its compliance with SOC 2 Type II standards, one of the most widely recognized international frameworks for information security. This audit evaluates our information systems against the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA), including security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance demonstrates that Incognia implements effective security measures, such as continuous risk monitoring, logical and physical access controls, mitigation mechanisms, recurring risk assessments, and governance controls across our technology environment.

In addition, Incognia is subject to annual assessments of its controls in relation to the GDPR requirements. The most recent letter of attestation is available here.

19. How can I contact Incognia's DPO?

If you have any questions, requests, comments or suggestions, you can contact our Data Protection Officer/DPO directly by sending an email to dpo@incognia.com.

Privacy Policy Updates

We may update and change the terms of this Privacy Policy from time to time. The most recent version will always be available on our website. Previous versions may be obtained upon request by contacting dpo@incognia.com.

Incognia Inc.
555 Bryant St, Box 423
Palo Alto CA USA 94301
DPO: Dayana Caroline Costa (dpo@incognia.com).

Deputy DPO: Rayanne Conceição de Almeida Santos.




Check out the prior version here.
