Privacy Notice: Incognia Solution (Web and Mobile)

For the purposes of this Privacy Notice, the following definitions should be considered:

• Applications: or “App”, refers to programs developed for mobile devices such as smartphones and tablets, that have the Incognia Solution embedded, that is, the Incognia SDK integrated.

• CCPA: California Consumer Privacy Act. It is the Californian data protection law.

• Clients: digital and service companies that develop the Applications or companies that make their products and services available on Websites, and have contracted our Solution.

• Controller: natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. When deciding to use our SDK, our Clients act as Controllers.

• Data subject(s): refers to the natural person, “owner” of the Personal Data, that is, the person to whom the Data refers. It means you, Application or Website User.

• DDoS: acronym for “distributed denial of service”, which consists of a type of cyber-attack that aims to make the application or network resource unavailable by relentlessly sending malicious traffic.

• Device: computer or mobile device on which the Application is installed or where the Website is accessed.

• Encryption: a security technique that converts data from a readable format into a coded format. Encrypted data can only be returned to its original format if decrypted using encryption keys.

• GDPR: General Data Protection Regulation (Regulation (EU) 2016/679). It is the European data protection law.

• Hash: sequence of random letters and numbers (bits generated by dispersion algorithms) generated to uniquely identify a certain file or information.

• Personal Data: any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly. According to the CCPA, information that could reasonably be linked with you or your household - indirect personal data - is also Personal Data/Information. Indirect personal data depends on the combination with complementary information to achieve that goal, as is the case for personal data we process. Direct personal information is information that, by itself, allows you to be identified.  Sensitive Personal Data/Information: according to the CCPA, precise geolocation is considered as Sensitive Personal Data. The types of Personal Data considered Sensitive by the GDPR do not include geolocation data or any data processed by Incognia.

• Platforms: refers to the App and/or Website.

• Processing: any operation which is performed on Personal Data, whether or not by automated means, such as those relating to the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Processor: natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

• SDK: Software development kit or Software Development Module. It is the module installed in our Clients' Applications and Websites to collect Data.

• Solution: refers to the Incognia service delivered to the Clients via SDK integration to the Application (Mobile Solution) or Website (Web Solution).

• User: natural person who downloads and installs the Application of our Client or access the area logged into their Website. It refers to you, Application or Website User, the Data Subject.

These definitions will be capitalized throughout this Notice and must be interpreted in conjunction with the provisions of the GDPR and CCPA. Words and terms not defined in this Glossary shall have their meaning in accordance with the provisions of the GDPR and CCPA.

Incognia provides its Clients with a software module of the Incognia solution, which is integrated into the Applications and Websites that these Clients develop. This module is called the Software Development Kit (SDK). Once the application is installed or the restricted area of the Website is accessed, Incognia's SDK begins to collect your Personal Data, through which analyses are carried out to identify fraud risks. These analyses assist our Clients in identity verification processes and validation of specific events on the Platforms.

After being contacted by our Client, we embed our Software Development Module (“SDK”) to the Client’s Application or Website to enable the collection of your Data. Once you download and install an Application or access the restricted area of the Website that has our SDK embedded and provide the appropriate access permissions (when necessary) the data is collected and processed by us to bring greater security during the use of the Application and browsing the Website, reducing the incidence of fraud and, at the same time, improving the user experience by reducing friction during onboarding, login, transactions and other events on the Application or Website.

The embedding of our SDK, as well as the collection and processing of your Personal Data through the Application or Website for the purposes described in this Notice are only and exclusively due to the Clients’ decisions that have hired us.

Should you seek more details about which Applications or Websites collect your Personal Data using the Incognia technology, please refer to the Privacy Notices of the respective applications installed in your Device or the websites you visit and request the application developers and those responsible for the websites for information on Personal Data sharing with third parties. As we are a third party in the relationship between Applications/Websites and Users, we cannot expose our Clients due to confidentiality issues provided for in agreements and required by our Clients.

We therefore advise you to always read an application’s Privacy Notice before downloading it into your Devices, as well as the Privacy Notices of the websites you are logging into, so that you are able to access detailed information pertaining to the processing and sharing of your Personal Data.

We only collect and process Personal Data pursuant to the agreements established with our Clients and to the extent necessary to achieve the processing purposes related to security in the use of the Applications and Websites for User authentication, reducing the incidence of fraud and and improving your experience as a User.. 

Below are the categories of Personal Data we collect through our SDK embedded in the Platforms:

The owners or Data Subjects of Personal Data are the Users who download and install Applications or access restricted areas of Websites that have our embedded technology (SDK integrated), granting the appropriate permissions to share their data, if and when applicable.

We do not make partnerships with child and teenage-oriented Platforms, nor do we offer services for companies that have children and teenagers as the target audience. Therefore, we do not intentionally process Personal Data from children or adolescents.

Incognia is hired by the Application or Websites developers, our Clients, to carry out the processing of your Personal Data, as a User, for security and fraud prevention purposes on their behalf and under their determination. Thus, our Clients are the Data Controllers and we act as the Data Processor, according to the definitions of the applicable privacy laws.

However, the definition of processing roles is not static. Hence, Incognia may eventually act as Controller when the data processing is aimed at achieving our own purposes, such as to comply with legal or regulatory obligations, for the improvement of our services, or other purposes provided for in the applicable privacy laws or in contracts entered into and between Incognia and our Clients.

The processing of your Personal Data takes place to achieve the purposes determined by our Clients, related to providing greater security and reducing the incidence of fraud and friction in your experience while using the Application or browsing Clients' Websites. We do not use the Data collected through the integration of our SDK with Client Platforms for any purpose other than those related to the provision of our services, and, where we identify that the Controller's guidance about the Data processing is unlawful, we will take appropriate legal action.

Below we list in more detail the general purposes to be achieved with the processing of your data: 

• Verification of the integrity of the device: through the collected Data we check if there is any Device integrity flaw, such as any technical anomaly or attempt to forge the location of your mobile device;

• Verification of addresses: we verify that the address filled in at the time of registration on the Platform corresponds to the frequent locations of the Device;

• Trusted Locations Check: we verify if the user accessing the Platform is in a trusted location at key moments, such as during login or other events defined by the Client;

• Validation of transactions: we automatically analyze your location behavioral profile to more securely validate transactions. 

The collected Data is also used for network effect purposes and to generate intelligence and derived Data to improve the Solution and increase the accuracy of anti-fraud analyses. Also, the Data may be processed, in many cases in an anonymous format, for the purpose of debugging and monitoring the SDK in order to improve it, aiming at the consumption of fewer resources, such as memory, network, battery, etc.

In accordance with the provisions of the privacy laws, it is up to the Controller, our Client, to define the most appropriate legal basis to justify the processing of personal data.

However, if in any situation we become a Data Controller, we will adopt all legal requirements to conduct the data processing for the purposes of our legitimate interests, for compliance with legal/regulatory obligation, judicial orders, defend Incognia in legal claims or any other legal basis provided by the applicable law.

We store your Personal Data on Amazon Web Service (AWS Cloud) servers located in the United States of America.  We use secure and encrypted protocols to protect data transfer to our servers. It is worth mentioning that the data is hosted in technological environments managed solely and exclusively by Incognia through the use of a public cloud platform provided by AWS Cloud which is the industry standard, as it simplifies the technology's operation and increases the security level of all services that use it. In addition, we have strict and granular control over the data we store in the AWS cloud.

We use security mechanisms both in transporting and storing data, in addition to updating constantly. All requests are made using the secure version of HTTPS, which is a secure and industry-standard protocol. In addition, the AWS cloud provides a variety of security features and services to increase privacy and control access to the network, including firewalls, encryption (both for data in storage and in transit), defense and automatic response to DDoS attacks, security traces, backup, as well as constant monitoring, activity logging and access control.

For more information on the technical and administrative measures adopted by Amazon to protect your Personal Data, as well as to fulfill the applicable privacy laws, click here for GDPR and here for CCPA.

We store your Data obtained directly via SDK for a maximum period of 6 (six) months, which is the time necessary for us to achieve the processing purposes determined by our Clients. After this period, this Data is securely and permanently deleted.

When it is necessary to retain Personal Data after the purpose for which it was collected has been achieved, the criteria for delimiting the retention period will be as follows:

• we have a legal, regulatory, contractual or competent authority obligation to retain such Data;  

• the Data is essential to maintain our historical, commercial and financial records, to the extent necessary; or the Data is necessary for auditing purposes or to regularly exercise rights in judicial or administrative proceedings.

No. We only provide to our Client information that allows fraud identification and/or identity verification. Any decisions that impact the Data Subject and arise from the results of the data processing carried out by us must be adopted exclusively by the Client under its sole and exclusive responsibility. In other words, tsit is up to our Clients take  human or automated decisions that can impact the Data Subjects..

Your Personal Data collected by our SDK is shared with the Amazon Web Service (AWS Cloud), to be processed and stored, as described in item 9. 

All of your Personal Data collected directly via SDK, including location data, is encrypted and processed directly by Incognia to fulfill previously determined processing purposes by our Clients; such data is not shared with Clients, partners, or any other non-authorized third party.

We only share the results of risk checks and electronic checks based on your Personal Data, as well as the respective analysis results. These data will be shared with Clients, so that they make the relevant decisions regarding security. All of these data are associated to hashed IDs, thus not enabling us to identify you directly.

Furthermore, our products are created using zero-knowledge techniques, whereby one party (us, Incognia) confirms to the other (our Client) that a piece of information is true, without revealing the information itself.

As previously stated, your Personal Data is stored on Amazon Web Service (AWS Cloud) servers located in the United States of America. We use secure protocol to protect Data transfer to our servers in encrypted form and our operations (and the ones of our partners) are subject to the applicable safeguards. 

As such, the international transfer of Personal Data will be carried out in accordance with the applicable transfer mechanisms set out in the applicable privacy laws.

In addition, with regard to the collection of Data in European territory, it is worth mentioning that Amazon Web Services is part of the EU-US Data Privacy Framework, which reinforces the protection of Data transferred from Europe to the US.

We have taken all possible technical, administrative and organizational measures to make your identity as close to anonymous as possible. We do not want or need to know your identity in order to provide our services and achieve the security and anti-fraud purposes determined by our Clients.

Therefore, we do not collect any Directly Identifiable Personal Data such as name, e-mail address, or government-issued identification. All Personal Data that we collect is encrypted and the access to cryptographic keys is extremely restricted.

We follow the 7 fundamental principles of Privacy by Design as the basis for creating and developing our solutions, implementing privacy protection from conception to end use of our products and solutions. For more information on how we implement Privacy by Design in our Solution, please visit our E-book: Delivering Privacy by Design.

We only collect location data upon granting your location permission which can be managed through the App, Device or Website settings. We do not perform continuous data collection, but only at specific times defined according to statistical and intelligence analysis of our solution. 

Our staff sign confidentiality agreements, undergo recurrent training and follow internal procedures to guarantee the protection of your Data. Access to Data is extremely restricted and we have robust access management controls. 

In addition, we assess our suppliers and third parties before hiring them to make sure they adopt at least the same privacy and data protection standards as we do.

Other privacy assurance and data protection procedures are detailed throughout this Privacy Notice and you can always contact our Data Protection Officer/DPO (dpo@incognia.com) for more details on how we protect your privacy and your Personal Data.

We undergo regular third-party audits to certify our products against SOC 2 Type II certification, which guarantees security by Incognia's technology and an international standard on cybersecurity risk management systems. SOC 2 is a report based on the existing Trust Services Criteria (TSC) of the American Institute of Certified Public Accountants' Auditing Standards Council (AICPA). The purpose of this report is to assess an organization's information systems relevant to security, availability, processing integrity, confidentiality and privacy. As a result, Incognia has security measures such as risk monitoring, systems and the application of controls; environment management and logical and physical access; communication channels; risk mitigation and assessment mechanisms, change management and others. 

Below you will find other specific measures put in place to protect your Personal Data:

• Secure data transport and storage using industry standards and encryption.

• Advanced encryption on all ID data collected via the SDK, as well as cryptographic signature techniques, which allow the detection of any changes made to the data received via the SDK.

• We do not store the original data in our database, keeping only its hashed version. The identifiers kept (hashed ID) are sufficient for all Incognia services and do not allow the direct identification of Data Subjects. The elimination of the original data reduces the risks of identifying you in the event of a confrontation with a third-party database that contains this ID linked to other Personal Data, such as email, Social Security Number, etc.

• Periodic pentests via outsourced companies.

• We employ techniques to hide or obscure sensitive data in reports or documents as needed.

• Access to your personal data is restricted to authorized personnel who require it for legitimate purposes only. We regularly review and update access permissions to minimize the risk of unauthorized access.

You have a number of rights in relation to your Personal Data. These rights are made available by our Clients, as only they, as Controllers, have information that allows them to directly identify you. Incognia only acts with information that does not allow for the User’s direct identification. However, we have legal and contractual commitments in which we undertake to assist our Clients in carrying out acts that are necessary to fulfill requests for Users' rights, subject to the applicable technical, legal and contractual limits.

Nonetheless, Incognia lists below what your rights are so that they can be exercised directly to our Clients, namely the developer of the Website or Application of which you are a User, according to the GDPR:

• Right to access;

• Right to rectification;

• Right to erasure;

• Right to restrict processing;

• Right to object to processing;

• Right to data portability;

• Right to withdraw consent at any time;

• Right not to be subject to a decision based solely on automated processing, including profiling.

As of the CCPA, your rights are:

• Right to know about the personal information a business collects about you and how it is used and shared;

• Right to delete personal information collected from you;

• Right to opt-out of the sale or sharing of their personal information;

• Right to non-discrimination for exercising their CCPA rights;

• Right to correct inaccurate personal information that a business has about you;

• Right to limit the use and disclosure of sensitive personal information collected about you.

It will be up to the Controller to analyze each request submitted by you, whether in terms of the feasibility of exercising a certain right or complying with the requested measures, taking into account the entire context in which your Personal Data is processed and the level of regulation in place at the time of your request.

It is possible that your request cannot be fulfilled at the time of your request or is not fully fulfilled due to issues related to commercial confidentiality or other legally permissible justifications. If this occurs, the Controller will duly justify its decision.

To exercise your rights as a Personal Data Subject, access the Privacy Notice of the Application or Website and submit your request directly through the channels provided by the Controller.

In any case, you can always contact our Data Controller/DPO to deal with this and other issues relating to your privacy and your Data (dpo@incognia.com).

Data Subjects have the right to equal service and price, even when they exercise privacy rights. Incognia encourages personal Data Subjects’ control over their Data and Users will not be harmed morally or financially for the exercise of rights. However, providing Personal Data is a requirement necessary for the performance of services and functionalities offered by Incognia..

The California Consumer Privacy Act (“CCPA”) provides consumers (the “Data Subjects”) with specific rights regarding their personal information. When offering anti-fraud services to Clients, we act as a “service provider” under the CCPA, which means our collection of any consumer personal information is completed on behalf of our Clients in order to provide them with anti-fraud services. 

You have the right to request that businesses subject to the CCPA (which may include our Clients with whom you have a relationship) disclose certain information to you about their collection and use of your personal information, including the information used or shared with us to perform a business purpose.  

The business purposes regarding the services provided by Incognia are: 

1. detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity;  

2. performing services on behalf of the Clients, including maintaining or servicing accounts, processing or fulfilling orders and transactions, verifying User information, or providing similar services on behalf of the business. Incognia does not further collect, sell, or use consumers’ personal information except as necessary to perform the informed business purposes.

Incognia shall not be required to comply with your requests to delete your Personal Data once it is necessary to (i) complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of a business’ ongoing business relationship with you, or otherwise perform a contract between the business and you; or to (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

If you have any questions, requests, comments or suggestions, you can contact our Personal Data Processing Officer/DPO directly by sending an email to dpo@incognia.com.

We may update and change the terms of this Privacy Notice from time to time. On our website, you will always find the latest version of the terms and, if you want,  you can access previous versions here or by registering a request by sending an email to dpo@incognia.com.

Incognia Inc.
555 Bryant St, Box 423
Palo Alto CA USA 94301
DPO: Dayana Caroline Costa (dpo@incognia.com)