Glossary
- Account ID: A unique internal account identifier used by the Platform. It serves as the Client’s “key” to distinguish between different user accounts and may correspond, for example, to a random number. All account IDs received are hashed by Incognia, and processing is performed on its hashed representation.
- Applicable Privacy Law: means the CCPA/CPRA, and other U.S. privacy laws that govern the processing activities performed through our services.
- API (Application Programming Interface): An interface that enables communication between the Client’s servers and ours. In Incognia’s services, the API allows Clients to send requests for risk analysis to our servers and receive the corresponding results in return.
- Applications: or “App”, refers to programs developed for mobile devices such as smartphones and tablets, that have the Incognia Solution embedded, that is, the Incognia SDK integrated.
- Business: or “Data Controller”, is an entity that determines the purposes and means of processing personal information and collects such information directly from consumers. For the purposes of this Policy, our Clients qualify as Businesses.
- CCPA/CPRA: California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”). It is the Californian data protection law, frequently used as the main reference for privacy standards across the United States.
- Clients: digital and service companies that develop the Applications or companies that make their products and services available on Websites, and have contracted our Solution.
- Consumer: the data subject - the individual whose Personal Information is processed. Generally refers to a natural person who is a resident of the relevant U.S. state. It refers to the User.
- Cookies: Small data files stored in the user’s browser to manage sessions, preferences, or authentication.
- Device: computer or mobile device on which the Application is installed or where the Website is accessed.
- Device ID: A unique identifier generated by Incognia to recognize the same device over time. It is created from data collected through the SDK and may remain persistent even if the app is reinstalled or a browser tab is closed.
- Encryption: a security technique that converts data from a readable format into a coded format. Encrypted data can only be returned to its original format if decrypted using encryption keys.
- Hashing: A technique that transforms a piece of data into an apparently random alphanumeric string in a deterministic but irreversible way. The resulting value is called a “hashed” data element.
- Personal Information: also referred to in this Policy as “Information” or “Personal Data” and means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer.
- Platforms: refers to the App and/or Website.
- Processing: operations or set of operations performed on Personal Information, including collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.
- Risk Policy: The set of rules configured by each Client that define the criteria for Incognia to classify events as high or low risk, depending on the context.
- SDK: Software Development Kit. It is the module installed in our Clients' Applications and Websites to collect Consumer Information.
- Sensitive Personal Information: or “Sensitive Data”, means information classified as sensitive under Applicable Privacy Law. Precise geolocation can be considered as Sensitive Personal Information in some U.S. state laws.
- Service Provider: or “Data Processor”, is an entity that processes Personal Information on behalf of a Business (or Data Controller) pursuant to a written contract. To provide its services, Incognia acts as a Service Provider.
- Solution: refers to the Incognia service delivered to the Clients via SDK integration to the Application (Mobile Solution) or Website (Web Solution).
- User: natural person who downloads and installs the Application of our Client or accesses their Website. It refers to the Application or Website User, the Consumer.
- Website: refers to webpages or web-based services accessed through internet browsers, that have the Incognia Solution embedded, that is, the Incognia Web SDK integrated.
How does the Incognia Solution work?
How is Personal Information collected?
After we are hired, the Client (the Business) integrates our SDK into its Application or Website to enable the collection of the User’s Device Information. Once the User downloads and installs an Application or accesses the Website and grants the appropriate data access permissions (when necessary), the Information is collected and processed by us to bring greater security during the use of the Platform, reducing the incidence of fraud and, at the same time, improving the User experience by reducing friction during onboarding, login, transactions and other events on the Application or Website.
The integration of our SDK, as well as the collection and processing of Personal Information through the Application or Website for the purposes described in this Policy are only and exclusively due to the Clients’ decisions, who are responsible for collecting any permissions or consents, if applicable, as well as for providing appropriate transparency to their Users.
For more details about which Applications or Websites collect Personal Information using Incognia’s technology, please refer to the Privacy Policies of the respective applications installed on the Device or the websites visited, and ask the Platform developers for information on Personal Information sharing with third parties. As we are a third party in the relationship between Platform and Users, we cannot expose our Clients due to confidentiality obligations set forth in our agreements and required by our Clients.
We therefore advise always reading an application’s Privacy Policy before downloading it onto Devices, as well as the Privacy Policies of the websites logged into, so that it will be possible to access detailed information about the processing and sharing of Personal Information.
Which Personal Information is collected?
We only collect and process Personal Information pursuant to the agreements established with our Clients and to the extent necessary to achieve the processing purposes defined by them, related to security in the use of the Applications and Websites, for User authentication, reducing the incidence of fraud and improving User’s experience.
Below are the categories of Personal Information we collect through our SDK embedded in the Platforms:
| Mobile Solution (Application) | |
|---|---|
| Location | Location information such as GPS, or other signals that make it possible to infer the location of the Device, such as Wi-Fi and Bluetooth, always with the User's location permission. |
| Identifiers | Information that aims to uniquely identify the User's Device, such as vendor ID and Android ID, or serve as an identifier for the Application account, such as the Account ID. |
| Device | Mobile device-related information, IP, VPN, connection type, operating system data, model and other information that aims to characterize the Device and its network environment, including integrity data. |
| Application | Information related to the use of the Application, such as app session, installation data, and other Application metadata. |

| Web Solution (Website) | |
|---|---|
| Location | Location information provided by the browser if the User has granted location permission. |
| Identifiers | Information that aims to uniquely identify the User's Device, such as session ID. |
| Device | Device and network related information, such as operating system, hardware information, screen resolution, IP and device integrity data. |
| Browser and network | Information related to the browser in which the website is open, such as browser settings, permissions, plugins, connectivity and language information, cookie ID and cookie hash. |

In addition to the Data collected via the SDK, our Clients can also send us, via the API, address data for validation purposes, and other types of Information, according to the agreements signed by the parties, and always for the purpose of risk analysis and fraud prevention. We also receive Account ID through the API, which is subjected to hashing techniques by Incognia.
How does Incognia process geolocation?
Incognia processes geolocation data strictly for fraud-risk analysis, and collects this data only if the User has granted the location permission required by the operating system. The location permission prompt is displayed and managed by the Application or Website, and it is our Client’s responsibility to define the wording and context for such notices.
Once permission is granted, geolocation Information is collected at specific and limited moments, typically only when the Application or Website is open in the foreground. Incognia does not collect location Information continuously and does not monitor or track Users.
Depending on the Platform, geolocation Information results from the combination of signals such as GPS, Wi-Fi and Bluetooth, and may also be complemented by location data from IP addresses.
In some U.S. states, precise geolocation may be classified as Sensitive Personal Information and be subject to additional legal protections under the Applicable Privacy Law. In light of this, Incognia treats geolocation according to the highest market standards from a security and governance perspective, applying rigorous minimization, access control and retention practices, and using this information only to support the fraud risk analysis requested by our Clients.
What are the purposes of processing Personal Information?
The processing of Personal Information takes place to achieve the purposes determined by our Clients, related to providing greater security and reducing the incidence of fraud and friction in User experience while using the Application or browsing Clients' Websites. We do not use the Information collected through the integration of our SDK with Client Platforms for any purpose other than those related to the provision of our services. If we identify that any Business's instruction about the Personal Information processing is unlawful, we will take appropriate contractual and legal action.
Below we list in more detail the general purposes to be achieved with the processing of Personal Information:
- Creation of Device ID: to enable the unique and persistent identification of a Device, assisting in fraud detection and prevention.
- Verification of Device integrity: to check for any failure in the Device’s integrity, such as technical anomalies, malicious software, or attempts to forge its location.
- Address validation: to verify whether the address provided at the time of registration on the Platform corresponds with the frequent locations of the Device.
- Location analysis: to use geolocation Information to assess, for example, whether the event is occurring in a place previously associated with legitimate use of the Device (trusted location), helping to identify potential risk signals, such as access attempts made in locations incompatible with the User’s usage history.
- Suspicious pattern analysis: to evaluate patterns contrary to the Platform’s policies, such as access to multiple accounts from the same Device, constant reinstallation of the Application, etc.
The Information collected is also used for network effect purposes and to generate intelligence and derived Information aiming to improve and increase the accuracy of risk analyses among Platforms. Furthermore, the Information may be processed, in general, in anonymized or aggregated format, for monitoring the SDK with the aim of improving it to consume fewer Device resources (memory, network, battery, etc.) and for debugging.
What is Incognia’s role in the processing of Personal Information?
Incognia is hired by the Application or Website developers, our Clients, to carry out the processing of Personal Information for security and fraud-prevention purposes on their behalf and under their instructions. Thus, our Clients are the Businesses and we act as the Service Provider, according to the definitions of the Applicable Privacy Law.
However, the definition of processing roles is not static. Hence, Incognia may eventually act in another role when the data processing is aimed at achieving our own purposes, such as complying with legal or regulatory obligations, for example, or other purposes provided for in the Applicable Privacy Laws or in contracts entered into by and between Incognia and the Client.
What determines the processing of Personal Information?
In accordance with the provisions of the Applicable Privacy Law, it is up to the Business (Clients) to define the scope and parameters for the processing of Personal Information carried out through the Solution.
We act as a Service Provider and process Personal Information on behalf of the Business, in accordance with its instructions and applicable agreements.
If in any situation we process Personal Information to comply with legal or regulatory obligations, to maintain the security, availability and integrity of the Solution, or to defend Incognia in legal claims, such processing is performed within the limits permitted under the Applicable Privacy Law, is compatible with Incognia’s role as a Service Provider and does not constitute the use of Personal Information for independent commercial purposes.
Who owns the Personal Information collected by Incognia?
The owners of the Personal Information are the Consumers or Users who download and install Applications or access Websites that have our embedded technology (SDK integrated), granting the appropriate permissions to share their Information, if and when applicable.
Does Incognia process Personal Information from children or adolescents?
Incognia does not process data for the purpose of identifying or profiling Users based on age. Incognia processes technical signals related to application, device, and location, which are used exclusively to support security and fraud prevention purposes.
The determination of a User’s age and the application of any age-related restrictions remain under the responsibility of the Client, as the party that holds the business relationship with the User. Regardless of the type of User, Incognia applies consistent technical and organizational safeguards, including hashing and other security measures, to ensure that the data processed is protected and used solely for its intended purpose.
Is opt-out applicable to the processing carried out by Incognia?
Under the Applicable Privacy Law, Consumers are able to opt out of certain processing activities, such as the sale or sharing of Personal Information, targeted advertising, or profiling with legal or similarly significant effects. Incognia’s processing is limited to fraud-prevention services provided on behalf of our Clients and is not intended for advertising or similar purposes. In this context, and as Incognia acts as a Service Provider and does not interact directly with end users, requests related to opt-out rights should generally be directed to the Platform with which the User interacts. Where applicable, we support our Clients in responding to such requests.
Does Incognia make automated decisions?
Incognia performs automated risk analyses through its proprietary fraud-prevention technology, which processes Information in accordance with the parameters and criteria defined by each Client in their Risk Policy. These automated analyses are limited to evaluating technical inputs and producing a risk result intended to support the Client’s fraud-prevention activities.
Incognia does not make automated decisions about Users, and the risk results generated by our technology do not, by themselves, produce legal effects or similarly significant impacts on individuals. Any action taken in response to a risk result, such as approving or declining a transaction, suspending an account, requesting additional verification, or applying other measures, is determined exclusively by the Client, in accordance with its own policies and internal review procedures.
Incognia’s role is to provide automated intelligence that assists Clients in making decisions. We do not determine outcomes, do not make eligibility decisions, and do not engage in automated decision-making that produces direct effects on Users.
How and where is Personal Information stored?
The Personal Information is stored on Amazon Web Services (AWS Cloud) servers located in the U.S. The Information is hosted in technological environments managed solely by Incognia through the use of a public cloud platform provided by AWS. Cloud storage (cloud computing) is the industry standard, as it simplifies technological operations and increases the security level of all services that use it. In addition, we have restricted and granular access control over the Personal Information we store in AWS Cloud.
We adopt security mechanisms both in the transport and storage of Information, and we constantly update our protection systems. All requests are made using secure versions of HTTPS, which is an industry-standard protocol. Additionally, AWS Cloud provides various security resources and services to enhance privacy and control network access, including firewalls, Encryption (for Personal Information both at rest and in transit), security tracking, backup, as well as constant monitoring, activity log registration, and access control.
For more information on the technical and administrative measures adopted by Amazon to protect Personal Information as well as to fulfill the Applicable Privacy Law, click here.
For how long is the Personal Information stored?
We store the Personal Information obtained by the SDK for the period defined by our Client, the Business, which, as a standard, is limited to 180 (one hundred and eighty) days, which is the time necessary to achieve the Processing purposes determined by our Clients. After this period, this Information is securely and permanently deleted.
If it is necessary to retain Personal Information after the purpose for which it was collected has been achieved, the criteria for defining the retention period will be as follows:
- Legal, regulatory, contractual obligation, or determination by a competent authority;
- Maintenance of historical, commercial, and financial records, within the necessary limits;
- For audit purposes or the regular exercise of rights in judicial or administrative proceedings.
Is there international Personal Information transfer?
As previously stated, Incognia stores Personal Information on Amazon Web Services (AWS) servers located in the United States. All Personal Information collected by our SDK or received through the API is handled exclusively within this U.S.-based infrastructure, which is protected by industry-standard security safeguards.
Because all processing activities described in this Policy occur within the United States, Incognia does not carry out international transfers of Personal Information.
What are the rights of Consumers?
Incognia is committed to ensuring that the rights of Consumers are respected in accordance with the Applicable Privacy Law.
These rights are made available by our Clients, as Businesses, which are the parties that hold the information that allows the direct identification of Consumers. However, Incognia maintains legal and contractual commitments under which it supports its Clients in taking the necessary actions to fulfill Consumers' requests, subject to the applicable technical, legal and contractual limitations.
For reference purposes, Incognia lists below the main rights recognized by the CCPA/CPRA, which may be exercised directly before the Platforms.
- Right to know about the personal information a Business collects and how it is used and shared;
- Right to delete Personal Information collected;
- Right to opt-out of the sale or sharing of Personal Information;
- Right to non-discrimination for exercising CCPA rights;
- Right to correct inaccurate personal information that a Business has;
- Right to limit the use and disclosure of sensitive personal information collected.
Incognia does not discriminate against Consumers for exercising their rights under applicable privacy laws. As a Service Provider, Incognia processes Personal Information on behalf of its Clients and does not determine how services or pricing are offered to end users.
Consumers may be entitled to additional or different rights under other applicable U.S. state privacy laws, depending on their place of residence. Incognia supports its Clients in addressing such rights in accordance with applicable legal and regulatory requirements.
How does Incognia incorporate privacy into its Solution?
Incognia develops its fraud-prevention technology based on the fundamental principles of data protection, seeking to minimize the need to use Personal Information as much as possible.
All Information processed is protected by Encryption, with managed and restricted access to authorized employees, who operate under confidentiality agreements, undergo regular training, and follow internal procedures to ensure data protection and market best practices.
Furthermore, we follow the seven fundamental principles of Privacy by Design as the foundation for creating and developing our solutions, implementing privacy protection from conception to the final use of our products and solutions. To learn more about how we implement Privacy by Design in our Solution, consult our e-book “Delivering Privacy by Design.”
Incognia also maintains specific data protection agreements (Data Processing Agreements – DPAs) signed with its Clients, which establish the technical and organizational measures to be applied during Processing, ensuring that each operation complies with legal and contractual requirements.
In addition, we undergo independent audits annually to ensure our compliance with major privacy laws as well as with the most rigorous security requirements.
Other privacy and data protection assurance procedures are detailed throughout this Privacy Policy, and our Data Protection Officer/DPO (dpo@incognia.com) may always be contacted to provide further details on how we handle privacy and the protection of Personal Information within the scope of our Solutions.
What security measures are in place to protect Personal Information?
Incognia applies technical measures that follow industry-recognized standards, including those required in independent audits such as SOC 2, to ensure the confidentiality, integrity, and security of the Personal Information processed in our Solution. These measures include:
- Encryption in the transport and storage of Information, with key control and restricted access, ensuring that only authorized parties can access them;
- Advanced cryptographic signature techniques that allow the identification of any unauthorized alteration in the Personal Information collected by the SDK;
- Hashing with a secret applied to identifying Information (IDs like Account ID). This process ensures that the identifiers used by Incognia do not allow direct identification of the Users and reduces the risk of reidentification in the event of a comparison with external databases containing personal information, such as email or telephone number;
- Segregated Personal Information storage, with additional access, auditing, and monitoring controls;
- In the context of the Web Solution, collection of Cookies only when authorized by the Client and subject to the appropriate user permissions, where applicable;
- Periodic execution of penetration tests (pentests) conducted by specialized companies, aiming to identify and correct vulnerabilities before they can be exploited;
- Continuous monitoring of access and segregation of duties among technical teams, ensuring that critical activities related to critical Personal Information are performed with full traceability and in accordance with the principle of least privilege.
These measures are continuously improved and audited to ensure that the Processing carried out by Incognia complies with applicable legislation and aligns with the contractual commitments made with our Clients.
What Security and Privacy certifications does Incognia have?
Incognia undergoes annual audits to attest to its compliance with SOC 2 Type II standards, one of the most widely recognized international frameworks for information security. This audit evaluates our information systems against the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA), including security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance demonstrates that Incognia implements effective security measures, such as continuous risk monitoring, logical and physical access controls, mitigation mechanisms, recurring risk assessments, and governance controls across our technology environment.
In addition, Incognia is subject to annual assessments of its controls in relation to applicable U.S. data privacy requirements. The most recent letter of attestation is available here.
How can I contact Incognia's DPO?
If you have any questions, requests, comments or suggestions, you can contact our Data Protection Officer/DPO directly by sending an email to dpo@incognia.com.