This notice was last modified on and has an effective date of August 24, 2023.
We have recently updated our Data Privacy Framework Notice. Be sure to review the notice carefully to understand our privacy practices.
For transfers of personal information from the EU, UK, and Switzerland to the US: iovation, Inc., (“iovation” or “Company”), a TransUnion company, complies with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the US Department of Commerce. iovation has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of personal information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. iovation has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this DPF Notice and the EU-US DPF Principles and/or the Swiss-US DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
This Data Privacy Framework Notice (the “DPF Notice”) sets forth the privacy principles that iovation follows when processing personal information received from customers or prospective customers located in the European Economic Area (“EEA”), Switzerland, and the United Kingdom while providing services from the United States (“US”). This DPF Notice does not apply to information collected in other jurisdictions or through other iovation websites or to information collected during iovation sponsored sales and marketing activities. For purposes of this DPF Notice, personal information means data about an identified or identifiable individual that is received by iovation in the United States from the EEA, Switzerland, or the United Kingdom, and recorded in any form, and is within the scope of Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), the Swiss Federal Data Protection Act, or the UK Data Protection Act 2018, respectively.
iovation is the creator of certain fraud detection, prevention, and protection solutions, and in connection with these solutions, iovation provides product demonstrations, product development, product enhancements, and product technical support services (collectively “Services”) for the benefit of its Customers in the EEA, Switzerland, and the United Kingdom through employees and/or systems that may be located in the US. These US-based employees and/or systems may process personal information to provide Services to Customers located in the EEA, Switzerland, or the United Kingdom.
Regarding the provision of iovation fraud detection and protection services to iovation’s customers, both iovation and its customer are each considered independent Controllers of personal information under the European Data Protection Legislation. iovation will individually determine the purposes and means of its processing of personal information; and will comply with the data protection and privacy obligations applicable to it under the European Data Protection Legislation. Characterization of iovation and/or its Customers as independent Controllers shall not affect any restrictions on either party’s rights to use or otherwise process personal information under any agreement for iovation services and solutions.
When iovation processes personal information, iovation does so only for the purpose of providing Services.
iovation Customers may choose to include personal information among the data shared with iovation in connection with the provision of iovation Services.
iovation processes only the personal information that its customers have chosen to share with iovation. iovation has no direct or contractual relationship with the subject of such personal information (a "Data Subject"). As a result, when a customer or prospective customer shares personal information, the customer or prospective customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.
iovation employees and/or systems located in the United States may be used to provide Services for Customers located in the EEA, Switzerland, or the United Kingdom. To provide such services, iovation may process personal information. iovation will apply the following DPF Principles to personal information physically or remotely transferred from the EEA, Switzerland, or the United Kingdom to the United States.
Data Subjects have the right to access the personal information an organization holds about them. If such personal information is inaccurate or processed in violation of the DPF Principles, a Data Subject may also request that personal information be corrected, amended, or deleted.
Please note, that where personal information is collected within iovation’s services, iovation is not able to directly identify end users of the services provided by our customers. In these circumstances, iovation invite data subjects to contact the iovation customer who they believe used iovation fraud prevention and account authentication solutions. We will cooperate with our customers to enact data subject rights requests.
Data subjects have the right to opt out of (a) disclosures of their personal information to third parties not identified at the time of collection or subsequently authorized, and (b) uses of personal information for purposes materially different from those disclosed at the time of collection or subsequently authorized. iovation’s Customers are responsible for informing Data Subjects when they have the right to opt out of such uses or disclosures.
Data Subjects who wish to limit the use or disclosure of their personal information should submit that request to iovation’s customer or prospective customer that controls the use and disclosure of their personal information. iovation will cooperate with its customers’ instructions regarding Data Subjects’ choices but iovation is not able to directly identify end users of the services provided by our customers.
iovation is committed to safeguarding the personal information that it receives. iovation will use appropriate security measures to help protect your personal information. These measures include technical, administrative, physical, and organizational measures to protect your data from misuse, unauthorized access or disclosure, loss, alteration, or destruction. Please be aware that no website is completely secure. Although we will do our best to protect your personal information, you should only access the Website within a secure environment.
iovation limits access to personal information to employees, subcontractors, and third-party agents that have a specific business reason for accessing such personal information. Individuals granted access to personal information are aware of their responsibilities to protect such information and are provided appropriate training and instruction.
iovation's Customers are responsible for limiting their collection of personal information to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes including for fraud prevention and detection. iovation customers are also responsible for providing iovation with authorization for the processing of personal information consistent with such purposes.
iovation's Customers also are responsible for ensuring that (a) personal information they collect is accurate, complete, current, and reliable for its intended uses; and (b) personal information is retained only for as long as is necessary to accomplish the customer's or prospective customer's legitimate business purposes disclosed to the Data Subject and for compatible purposes. iovation will cooperate with customers' reasonable requests for assistance in meeting these obligations.
In the performance of Services, iovation will request only the minimum amount of information required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements, or to preserve or defend iovation’s legal rights.
iovation may disclose personal information to subcontractors and third-party agents who assist iovation in providing Services to its Customers. Before disclosing personal information to a subcontractor or third-party agent, iovation will obtain assurances from the recipient that it will: (a) use the personal information only to assist iovation in providing the Services; (b) provide at least the same level of protection for personal information as required by the DPF Principles; and (c) notify iovation if the recipient is no longer able to provide the required protections. Upon notice, iovation will act promptly to stop and remediate unauthorized processing of personal information by a recipient. iovation will remain liable for onward transfers to its subcontractors and third-party agents.
iovation may also be required to disclose, and may disclose, personal information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, iovation will inform its relevant customer or prospective customer before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.
iovation will not otherwise disclose personal information to third parties.
In compliance with the EU-US DPF Principles, including the UK Extension of the EU-US DPF Principles and the Swiss-US DPF Principles, iovation commits to resolve complaints about your privacy and iovation’s collection or use of personal information transferred to the United States pursuant to this DPF Notice.
European Union, Swiss, and United Kingdom individuals with DPF inquiries or complaints should first contact iovation via the methods outlined in the “Contact Us” section below.
iovation has further committed to refer unresolved privacy complaints under the DPF Principles to an independent recourse mechanism, Data Privacy Framework Services, operated by JAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit EU-US Data Privacy Framework | JAMS Mediation, Arbitration, ADR Services (jamsadr.com) for more information and to file a complaint. This service is provided free of charge to you.
If your DFP compliant cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not otherwise resolved by other redress mechanisms. For more information about binding arbitration, visit https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf.
The Federal Trade Commission has jurisdiction over iovation’s compliance with the DPF.
Data Subjects with questions about how iovation processes personal information should first refer to iovation’s Privacy Notice, then contact the iovation customer or prospective customer that collected the personal information. If you have questions or comments about this DPF Notice, you can contact us in the following ways:
TransUnion Data Privacy Request (iovation)
This DPF Notice is executed in English and may be translated into other languages. In the event of any conflict or discrepancy between the English language version and a translated version, the English language version of this DPF Notice shall control.
This DPF Notice is subject to change at any time. If we make any changes to this DPF Notice, we will post the revised DPF Notice on this page with its effective date.