iovation, Inc. Privacy Notice

Privacy Notices

print icon Print

Política de Privacidad en Español

This notice was last modified on and has an effective date of August 24, 2023.

We have recently updated our Privacy Notice. Be sure to review the notice carefully to understand our privacy practices.

Neustar, Sontiq, Argus, and Commerce Signals are now TransUnion companies. To learn how these companies handle personal information about you and the rights you may have regarding that personal information, please visit the Neustar Privacy Notice, the Sontiq Privacy Center, the Argus Privacy Notice, and Commerce Signals Privacy Notice.

iovation, Inc. ("we" or "us") is a US headquartered company, and is part of the TransUnion group of companies, that assists businesses ("Customers" or “Subscribers”) to detect and combat online fraud and other types of cybercrime ("our Services"). Over the years we have helped our Customers to protect millions of end-users from becoming the victim of fraudulent and malicious behavior.

At iovation Inc. we recognize that privacy is important. This iovation Privacy Notice ("Notice") applies to the collection of data by iovation Inc., iovation Limited, its subsidiaries, and affiliates (collectively, "iovation"). This Notice explains our practices regarding the collection, use and disclosure of personal information both through our website ( and its subdomains (collectively “Website”) and in the course of providing our Services.

Use of our Services constitutes your agreement to the terms of this Notice. If you do not agree with the terms of this Notice, please do not use our Services.

Visit our Consumer Privacy Rights page to exercise your privacy choices and rights.

Visit our Data Privacy Framework page if you are in an EU Member country, the UK, or Switzerland and would like to learn more about iovation’s personal information transfers to the US.

Notice at Collection: iovation collects certain data directly via our Website (using cookies and similar trackers) that is subject to the California Privacy Rights Act. The categories of personal information that we collect are listed below in “Personal Information We Collect Through Our Services.” The section titled, “How We Use Personal Information Collected Through Our Services,” describes the purposes for which we collect and use personal information. To learn more about your privacy rights, including your right to opt out of the sale or sharing of data collected via our Website, please navigate to the “Your Privacy Rights – United States” section below. Our retention practices are outlined below under “How Long We Retain the Data We Collect.”

View TransUnion's California Consumer Privacy Act (CCPA) Metrics.

1. Personal Information We Collect Through Our Services

When our Customers subscribe to our Services, the following personal information may be collected to help detect the likelihood that your device or behavior is associated with fraud or other malicious behavior.

Information collected automatically:

When a Customer subscribes to our Services, iovation cookies may be placed on your device and run our JavaScript code and/or use our SDKs to enable the collection of certain device identifiers and IP addresses. This information is no different than the types of information captured by common web analytics tools. The information is sent back to the Customer and subsequently passed onto iovation for further processing.

We may also capture geolocation information, using various technologies to determine the location of your device during specific activities and interactions with a Customer website or app.

In addition, we may collect behavioral information about your interactions with online forms on a Customer’s website or app. This is used to alert our Customers to potentially fraudulent behaviors.

For information about cookies and other similar technologies that are deployed through our Services and how to exercise your cookie preferences, please see the "Use of Cookies and Similar Technologies" section below.

Additional information our Customers provide to us:

In addition, our Customers may send personal information to us for fraud analysis, system abuse purposes and to fulfil their own regulatory obligations and reasons of substantial public interest. They might also optionally provide us with information about the transactions you carry out on their website or app.

Information about our Customers:

If you are a Customer, we may also collect certain personal information about you (from you directly or your employer) to enable us to manage our business relationship with you, such as your name, contact details, job title, billing and payment information.

Automated Decision Making:

iovation does not conduct Automated Decision Making, although iovation does conduct profiling as defined by the General Data Protection Regulation (“EU GDPR), which applies to persons situated in the European Economic Area (“EEA”), and the EU GDPR as amended and incorporated into the law of the United Kingdom (“UK”) (“UK GDPR”), which applies to persons situated in the UK.

When we refer to profiling, we mean using personal information to make predictions about you, or to categorize you into particular groups. Typically, this would involve determining whether a device is reliable when linked to a transaction through a Customer website or app, or whether it is linked to a fraudulent transaction.

2. How We Use Personal Information Collected Through the Services

Once the information above has been passed to iovation, we process the data through our Global Device Intelligence Platform to return a score or scores to our Customer for the device. This score is calculated based on rules that are set by our Customers. The rules set by our Customers will depend on the business they operate and the types of fraud or system abuse pertinent to their services. We may also return fraud ‘flags’ related to our analysis.

Once the Customer receives a score, it is up to the Customer to decide what action to take from there. For example, transactions with certain scores may be denied, flagged for review, or presented with further authentication challenges. In most cases, however, the transaction or activity will proceed with no issues.

In addition, we may provide information assessing the risks associated with a phone number or email address.

We may also use personal information we collect through the Services for the following purposes:

  • To optimize and improve the Services, including the use of Artificial Intelligence (A.I.), Machine Learning and data analytics for the purposes of improving fraud detection and prevention services;
  • To enable our consortium of Customers to share information about known fraudulent or malicious devices;
  • To deliver our products, which includes the use of machine learning algorithms;
  • To analyze the use of the Services for internal business purposes;
  • To provide customer service and support;
  • To send our Customers communications about their account, provide service updates and marketing information (where it is in accordance with their marketing preferences);
  • To investigate any lawful or wrongful activity or unauthorized access to our Services and those of our Customers;
  • To provide services in the substantial public interest; and
  • For other legitimate business purposes and other purposes about which we will notify you.

3. What Is Our Lawful Basis For Processing Personal Information?

Where personal information is collected from the EEA or the UK, it is necessary to have a lawful basis for the processing of personal information. This section explains the legal basis on which we process your personal information.

Legitimate Interests

The EU, EEA and UK’s data protection law allows the use of personal information where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal information.

Most of our processing activities are based on the legitimate interest condition. This includes almost all of our Fraud Prevention and Device Risk products. These legitimate interests include the processing of personal information strictly necessary for the purposes of prevention of fraud, unlawful acts and other forms of cybercrime. This includes the use of Artificial Intelligence/ Machine Learning/ Data Analytics for improving our products and fraud detection services under this lawful basis. 

We may also process business to business marketing data for the purposes of direct marketing to our business customers under this lawful basis.

Our International Transfers of personal information from the EEA and/or UK to Third Countries outside of the EEA and/or UK (including the United States), is also carried out as a legitimate interest of the business.


We sometimes rely on consent in order to process personal information, but this is relatively rare.

Performance of our contract with you

We also use this basis for processing some of our staff data.

Substantial public interests

Where our Device Risk service is used by businesses in regulated industries, such as online gaming, to assist them with their regulatory duties for Responsible Gaming, personal information may be processed of reasons of substantial public interest where an End-User chooses to self-exclude from online gaming with a Subscriber.

4. How We Share Your Personal Information with Third Parties

We may share personal information collected through our Website and Services in the following ways:

Information we share with our group companies: 

We may share any of the above personal information with other members of the iovation and TransUnion group of companies for purposes consistent with this Notice.

Information we share with our customers

In making the internet a safer place, we may share personal information with our Subscribers for the fraud protection and account management purposes described above. Our Subscribers provide the online services that iovation protects from online fraud and abuse. We do not share precise geolocation information, except to the extent that we return it to the Subscriber who shared it with us, though we do share scores based on such information. We do not share behavioral information, though we do share scores based on such information.

Information we share with our service providers: 

We may also engage certain trusted third-party service providers, consultants or vendors to assist us in the provision of the Website and Services. We will only share your personal information with third parties to the extent necessary to perform such functions and in accordance with the purposes set out in this Notice and applicable laws. Our service providers include Cloud Hosting and Data Warehousing Vendors as well as services to identify anomalous behavior to assist with the detection and prevention of fraud.

Information disclosed in connection with business transfers: 

In the event of a corporate sale, merger, reorganization, acquisition, dissolution, financing or other similar event, your personal information may be shared or transferred in connection with, or during negotiations of, such event or transaction with entities involved in the event or transaction as parties or advisors, or otherwise providing services in connection to the event or transaction.

Information disclosed for legal purposes and the protection of others:

We may disclose personal information to a third party where we are legally required to do so in order to comply with applicable laws, regulations, legal process or governmental requests. We will also disclose personal information to the extent we believe necessary or appropriate: (i) to respond to claims, judicial orders, subpoenas, warrants or other process issued by a court of competent jurisdiction; (ii) to protect the vital interests of any person; (iii) to exercise, establish or defend our legal rights; and (iii) to stop any activity we consider illegal, unethical or legally actionable.

As a developer of fraud and identity products, iovation and TransUnion may receive requests from law enforcement and other public authorities along with requests from courts and litigation parties across the world for access to personal information. Such information may relate to consumer and customer data associated with legal, criminal and national security investigations and proceedings.

TransUnion understands that the disclosure of information to public authorities is often an important step in combatting financial crime and other unlawful activities. TransUnion also understands the value of personal privacy and the rights granted by privacy and security laws around the world.

TransUnion has therefore put in place policies, procedures and practices to ensure that all such requests are reviewed appropriately and in accordance with the EU GDPR and UK GDPR, and the Chapter V, Article 46 Transfer Mechanism, which enables personal information to be exported from the EU, EEA and UK.

The policies, procedures and practices ensure that TransUnion associates are aware of the nature of local laws and practices, and the legal limits of those laws and practices. Where legally appropriate, requests for access to personal information will be the subject of legal challenge and appeal, irrespective of the sensitivity and context of the request. Furthermore, suitable supplementary measures have been put in place in order to protect personal information that is exported from the EEA and/or UK, to ensure security, integrity and prevent interception of data in transit.

Data Subjects within the EEA or UK are entitled to a copy of the Art.46 GDPR Standard Contractual Clauses (“SCCs”) that apply to any such transfer of their personal information outside of the EEA or UK. Requests should be submitted to

5. How Long We Retain the Data We Collect

iovation retains data within our Services for the following periods:

Category of Data

Retention Period

Device Data linked to Fraud

5 years from the last activity date recorded by iovation.

Device Data not linked to Fraud

2 years from the last activity date recorded by iovation.

Transaction Insight Data

180 days.

Behavioral data linked to fraud

5 years

Behavioral data not linked to fraud

2 years

Data in TruValidate Insights Centre (online portal enabling clients to review, inputs, outputs and transaction outcomes)

90 days

We retain your personal information for as long as reasonably necessary to fulfill the purposes for which it was collected or processed, as described in this Notice. When determining retention periods, we consider our relationship with you and your information, the nature and sensitivity of the information, and what is reasonably necessary and proportionate to provide and improve our services. We also adjust retention periods to comply with our legal, reporting, or accounting obligations, to resolve disputes, and to enforce our agreements. We regularly review our retention periods and assess our data minimization practices, retaining the least amount of information for the shortest retention period, while still upholding all our obligations.

6. Use of Cookies and Similar Technologies

“Cookies” are small text files that are placed on your device when you visit (i) our Website or (ii) our Customers' websites who have integrated iovation's Services. Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide certain device and other analytical information.

How we use cookies on our Websites:

Identifiers and Internet or other electronic network activity information: We may use cookies to personalize web pages during your visit to our Website, to remember you for easy navigation and access during return visits, to provide you with relevant offers of our products and services, to monitor web traffic routing and aggregate usage, and to customize and improve our Website and Services.

We work with certain third parties (such as web analytics service providers) to provide us with information about our site traffic and usage. These third parties may set and access their own cookies or tracking technologies, such as web beacons and embedded scripts, on our Website in order to recognize your device and for example, to identify whether you have visited our Website before, what you have viewed on our Website and how you found us. Such information is used for statistical purposes.

  • Analytics Disclosure: We use Google Analytics 360, including Google Tag Manager and Google Ads. If you would like to learn more about Google Analytics, or opt out of this data collection and sharing activity, please use this link:
  • Global Privacy Controls: Global Privacy Controls (GPC) is a specific browser setting which sends a signal to each website a user visits to notify the websites of a user’s preferences. GPC is a collaborative effort developed by privacy-focused tech companies, browser and extension developers, as well as website publishers and civil rights groups to help companies facilitate users’ privacy rights as afforded by certain US state legislations. GPC signals are supported through our Cookie Consent Manager and enabled when you visit our Cookie Settings section located in the footer of our Website. You may also learn more about GPC by visiting their site at:

How we use cookies through our Services:

As stated in "How we use personal information collected through our Services" above, our Customers may place iovation cookies and similar technologies in order to collect information about your device and behavior for fraud and malicious activity prevention purposes. Although we seek to give information about our cookies through this Notice, we must also rely on our Customers to ensure that sufficient notice is given for the use of such cookies on their websites and apps.

How to disable cookies: 

If you do not want us to deploy cookies on your browser, you can set your browser to reject cookies. You can find information on popular browsers and how to adjust your cookie preferences at the following websites:

If you disable the cookies placed by our Customers for fraud and malicious activity prevention purposes, you may not have access to all the services provided by our Customer on their website.

We also provide you choices to manage your privacy and selling/sharing on iovation’s own Website in the Cookies Settings section located in the footer of our Website. Please note, however, that if you don’t accept cookies on our Website, you may not be able to access all portions or features of the site. We do not respond to browser Do Not Track requests.

We may also use Flash or Flash Local Shared Objects (LSOs) through our Services to collect the data outlined above. You can manage Flash storage through your browser settings where supported, or you may manage Flash storage. To learn how to manage these, click here for Windows and here for OS/Mac.

7. Security

We will use appropriate security measures to help protect your personal information. These measures include technical, administrative, physical and organizational measures to protect your data from misuse, unauthorized access or disclosure, loss, alteration or destruction. Please be aware that no website is completely secure. Although we will do our best to protect your personal information, you should only access the Website within a secure environment.

8. International Transfers

If you are visiting our Website or using our Services from outside the United States (US), including in the European Economic Area or UK, please be aware that your personal information may be transferred to the US and potentially other countries whose data protection laws may not be as protective as those in your country of residence. However, our collection, storage and use of your personal information will at all times be in accordance with this Notice wherever it is processed.

iovation transfers personal information from the EEA and/or UK using a transfer mechanism known as the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the US Department of Commerce. iovation has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of personal information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. iovation has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Notice and the EU-US DPF Principles and/or the Swiss-US DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. 

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit

To learn more about iovation’s transfers from the EU, UK, and Switzerland to the US under the DPF Principles visit our Data Privacy Framework page. 

For our Services, we will work with our Customers to put in place any appropriate data export solutions that may be needed under applicable laws.

The General Data Protection Regulation requires that iovation, Inc. have a representative within the EU. In the EU iovation, Inc. have appointed Trustev Limited of Cork Airport Business Park, Building 2100, Rathmacullig West Cork, Co. Cork, Ireland. E:

The United Kingdom Data Protection Act (2018) requires that iovation, Inc. have a representative within the UK. In the UK, iovation, Inc. have appointed iovation Limited of 29/30 Fitzroy Square, London, United Kingdom, W1T 6LQ e:

9. Your Privacy Rights – Outside the United States

If you are from certain territories (such as the European Economic Area or UK) you may have certain rights in relation to your personal information, such as the right of access, rectification, erasure, restriction of processing and/or to object to certain processing.

Where your personal information has been provided to us with your consent, and the EU GDPR or UK GDPR is applicable, you are able to withdraw your consent at any time. Please note that other methods of lawful processing are also used. If you wish to exercise such rights, or you have any questions or comments concerning your personal information, please contact us at

For more information about iovation’s transfers from the EU, UK, and Switzerland to the US, if you reside in one of these jurisdictions, please visit our Data Privacy Framework page.

Please note, that where personal information is collected within iovation’s Services, iovation is not able to directly identify end users of the services provided by our Subscribers. In these circumstances, iovation invite data subjects to contact the iovation Subscriber who they believe used iovation fraud prevention and account authentication solutions. We will cooperate with our Subscribers to enact data subject rights requests.

If you wish to make a general complaint about our privacy practices, please write to us at the email address above and we will respond within a reasonable time and in accordance with applicable laws. If you are situated in the EEA and/or UK, you also have the right to complain to the supervisory authority at any time.

We will consider and respond to your request promptly and in accordance with any applicable laws.

If you wish to be removed from our mailing list, you can do so my clicking "unsubscribe" in any email communications we send you, or by emailing us at the address above.

10. Your Privacy Rights – United States

In the United States, iovation offers its Services to customers as a service provider/processor or subject to other exceptions under the applicable state privacy laws. Since iovation is acting as a service provider/processor, we are processing data on behalf of others who will provide the applicable privacy rights.

If you are a resident of California, Colorado, Connecticut, Utah, or Virginia you have certain rights concerning your personal information, including (depending on the relevant state’s laws) the right to know the categories of personal information we have collected about you, the categories of sources from which we collected information about you, the business or commercial purpose for collecting, selling, or sharing personal information about you, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you; the right to request deletion of this personal information; the right to correct inaccurate personal information; the right to opt-out of the sale or sharing of personal information; the right to opt-out of processing your personal information for targeted or cross-context behavioral advertising; the right to opt-out of processing your information for profiling or automated decision-making; and the right to limit the use or disclosure of your sensitive personal information. You may also have the right to appeal a denial of your privacy rights.

To opt-out of iovation Website cookies, please click on the Cookies Settings link located in the footer of our website.

The information collected by iovation’s Website is pseudonymized and is not linked directly to you as a person, including to your name, phone number, email address, or other directly identifying personal information. We are unable to verify your identity or the identity of a child or dependent of yours for the purposes of providing verifiable consumer requests (such as deletion, access, and correction).

At this time, we are not collecting sensitive personal information subject to the right to limit.

We do not knowingly sell personal information of children under the age of eighteen (18) years.

We do not discriminate against you based on your exercise of your privacy rights.

For more information regarding information collected by TransUnion, visit TransUnion’s Consumer Privacy Rights page.

11. Standard Contractual Clauses

We have made available a contract addendum incorporating the Standard Contractual Clauses (“SCCs”) for any clients whose use of iovation products is subject to the GDPR or UK GDPR and who wish to use the SCCs as their basis for transferring data to iovation. Please download the addendum, sign and return to We have made available a similar addendum for partners or resellers. Please download the addendum, sign and return to

We may also rely on adequacy decisions to transfer data outside of the EEA or UK including the US Data Privacy Framework. For more information on iovation’s participation in the program, please visit our Data Privacy Framework page.

12. Links to Other Sites

Our Website may contain links to other websites and services. Our Notice does not apply to such websites or services and we are not responsible for the content nor the privacy or security practices and policies of those websites or services. To protect your information, we recommend that you carefully review the privacy policies of other websites and services that you access.

13. How to Contact Us

If you have questions or comments about this Notice, you can contact us in the following ways:



Postal Mail


TransUnion Data Privacy Request (iovation)
P.O. Box 130
Woodlyn, PA 19094


14. Changes to Our Privacy Notice

This Notice is subject to change at any time. If we make any changes to this Notice, we will post the revised Notice on this page with its effective date.

What You Need to Know:

The credit scores provided are based on the VantageScore® 3.0 model. Lenders use a variety of credit scores and are likely to use a credit score different from VantageScore® 3.0 to assess your creditworthiness.

Subscription price is $29.95 per month (plus tax where applicable). Cancel anytime.