Privacy Notices
This notice was last modified on and has an effective date of September 12, 2024.
We have recently updated our Privacy Notice. Be sure to review it carefully to understand our privacy practices.
Sontiq, Argus Advisory, and Commerce Signals are now TransUnion Companies. To learn how these companies handle personal information about you and the rights you may have regarding that personal information, please visit the Sontiq Privacy Center, the Argus Privacy Notice, and Commerce Signals Privacy Notice.
This Privacy Notice (“Notice”) provides information about how iovation, Inc. handles personal information and describes the rights you may have regarding your personal information, as it applies to the processing of personal information by iovation, Inc., iovation, Ltd., its subsidiaries, and affiliates (collectively, "iovation," "we," "us," or “our”).
iovation is a US headquartered company, and part of the TransUnion group of companies, that assists businesses ("Customers" or “Subscribers”) to detect and combat online fraud and other types of cybercrime (our “Services"). This Notice explains our practices regarding the processing of personal information both through our website, its subdomains (collectively “Website”), and in the course of providing our Services.
Use of our Website or Services constitutes your agreement to the terms of this Notice. If you do not agree with the terms of this Notice, please do not use our Website or Services. This Notice does not cover practices of other TransUnion businesses or products, nor your interactions with us as a job applicant. Please see those respective privacy notices listed on the left-hand panel of this page for more information on those privacy practices.
Analytics Disclosure: We use Google Analytics 360, including Google Tag Manager and Google Ads. If you would like to learn more about Google Analytics, or opt out of this data collection and sharing activity, please use this link: https://www.google.com/policies/privacy/partners/. Please visit our Cookies and Similar Technologies Notice for information regarding our tracking technologies.
Visit our Consumer Privacy Rights page to exercise your privacy rights and choices.
Visit our Data Privacy Framework page if you are in an EU Member country, the UK, or Switzerland and would like to learn more about iovation’s personal information transfers to the US.
If you are unable to understand the language of this Notice, please use the following links to review our translated versions.
Alternatively, you may use an online translation tool or your browser settings to translate the text to your preferred language. This may not render a perfect translation but should aid your understanding.
Notice at Collection: iovation collects certain data directly via our Website (using cookies and similar trackers) that is subject to the California Privacy Rights Act. The categories of personal information that we collect are listed below in “Personal information we collect,” and the purposes for which we collect and use personal information are listed under, “Purpose for collecting and use of personal information.” To learn more about your privacy rights, including your right to opt out of the sale or sharing of data collected via our Website, please navigate to the “Privacy rights and choices – United States” section below. Our retention practices are outlined below under “Retaining personal information.”
View annual consumer requests metrics (California Consumer Privacy Act (CCPA) and California Data Broker Registration) for TransUnion Companies.
Information collected automatically.
When a Customer subscribes to our Services, our JavaScript code and/or our SDKs enable the collection of certain device identifiers and IP addresses, and iovation cookies may be placed on your device. This information is no different than the types of information captured by common web analytics tools. The information is sent back to the Customer and subsequently passed on to iovation for further processing.
Please visit our Cookies and Similar Technologies Notice for more detailed information regarding our tracking technologies.
Additional information our Customers provide to us.
Our Customers may optionally provide us with information, including personal data you provide, about the transactions you carry out on their website or app. This information is used to alert our Customers to potential risk related to the transaction including fraud and system abuse analysis, to fulfill their own regulatory obligations and for other reasons of substantial public interest. They might also optionally provide us with information about the transactions you carry out on their website or app.
Information about our Customers.
If you are a Customer, we may also collect certain personal information about you (from you directly or your employer) to enable us to manage our business relationship with you, such as your name, contact details, job title, billing, and payment information.
Automated Decision Making.
iovation does not conduct automated decision making, although iovation does conduct profiling as defined by the General Data Protection Regulation (“EU GDPR”), which applies to persons situated in the European Economic Area (“EEA”), and the EU GDPR as amended and incorporated into the law of the United Kingdom (“UK”) (“UK GDPR”), which applies to persons situated in the UK.
Once the information described above has been passed to iovation, we process the data through our Global Device Intelligence Platform to return a score or scores to our Customer for the device. This score is calculated based on rules that are set by our Customers. The rules set by our Customers will depend on the business they operate and the types of fraud or system abuse pertinent to their services. We may also return fraud ‘flags’ related to our analysis.
Once the Customer receives a score, it is up to the Customer to decide what action to take from there. For example, transactions with certain scores may be denied, flagged for review, or presented with further authentication challenges. In most cases, however, the transaction or activity will proceed with no issues.
In addition, we may provide information assessing the risks associated with a phone number or email address.
We may also use personal information we collect through the Services for the following purposes:
Where personal information is collected from the EEA or the UK, it is necessary to have a lawful basis for the processing of personal information. This section explains the legal basis on which we process your personal information.
Legitimate Interests. The EU, EEA and UK’s data protection law allows the use of personal information where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal information.
Consent. We sometimes rely on consent in order to process personal information, but this is relatively rare.
Performance of Our Contract with You. We also use this basis for processing some of our staff data.
Substantial Public Interests. Where our Device Risk service is used by businesses in regulated industries, such as online gaming, to assist them with their regulatory duties for responsible gaming, personal information may be processed for reasons of substantial public interest where an end-user chooses to self-exclude from online gaming with a Subscriber.
We may share personal information collected through our Website and Services in the following ways:
Information Shared with TransUnion Companies.
We may share any of the above personal information with other members of the iovation and TransUnion Companies for purposes consistent with this Notice.
Information Shared with Our Customers.
In making the internet a safer place, we may share personal information with our Subscribers for the fraud protection and account management purposes described above. Our Subscribers provide the online services that iovation protects from online fraud and abuse. We do not share precise geolocation information, except to the extent that we return it to the Subscriber who shared it with us, though we do share scores based on such information. We do not share behavioral information, though we do share scores based on such information with the Subscriber who shared it with us. We do not share information about the transactions you carry out, except to the extent that we return it (and scores/alerts based on such information) to the Subscriber who shared it with us.
Information Shared with Our Service Providers.
We may also engage certain trusted third-party service providers, consultants, or vendors to assist us in the provision of the Website and Services. We will only share your personal information with third parties to the extent necessary to perform such functions and in accordance with the purposes set out in this Notice and applicable laws. Our service providers include Cloud Hosting and Data Warehousing vendors as well as services to identify anomalous behavior to assist with the detection and prevention of fraud.
Information Disclosed in Connection with Business Transfers.
In the event of a corporate sale, merger, reorganization, acquisition, dissolution, financing or other similar event, your personal information may be shared or transferred in connection with, or during negotiations of, such event or transaction with entities involved in the event or transaction as parties or advisors, or otherwise providing services in connection to the event or transaction.
Information Disclosed for Legal Purposes and Protection of Others.
We may disclose personal information to a third party where we are legally required to do so in order to comply with applicable laws, regulations, legal process, or governmental requests. We will also disclose personal information to the extent we believe necessary or appropriate: (i) to respond to claims, judicial orders, subpoenas, warrants, or other process issued by a court of competent jurisdiction; (ii) to protect the vital interests of any person; (iii) to exercise, establish, or defend our legal rights; and (iv) to stop any activity we consider illegal, unethical, or legally actionable.
Data Subjects within the EEA or UK are entitled to a copy of the Art.46 GDPR Standard Contractual Clauses (“SCCs”) that apply to any such transfer of their personal information outside of the EEA or UK. Requests should be submitted to PDLGFSPrivacy@transunion.com.
In accordance with applicable laws and their defined terms – NOTICE: We and this website may sell your sensitive personal data.
In the United States, iovation offers its Services to Customers as a service provider/data processor or subject to other exceptions under the applicable state privacy laws. Since iovation is acting as a service provider/data processor, we are processing data on behalf of others who will provide the applicable privacy rights.
To opt out of iovation Website cookies and for information regarding our tracking technologies, please visit our Cookies and Similar Technologies Notice also available by navigating to the “Cookie Preferences” link in the footer of this website.
The information collected by iovation’s Website is pseudonymized and is not linked directly to you as a person, including to your name, phone number, email address, or other directly identifying personal information. We are unable to verify your identity or the identity of a child or dependent of yours for the purposes of providing verifiable consumer requests (such as access, deletion, and correction).
At this time, we are not collecting sensitive personal information subject to the right to limit.
We do not knowingly sell personal information of children under the age of eighteen (18) years.
We do not discriminate against you based on your exercise of your privacy rights.
For more information regarding your general privacy rights with TransUnion Companies, visit TransUnion’s Consumer Privacy Rights page.
If you are from certain territories (such as the EEA or UK) you may have certain rights in relation to your personal information, such as the right of access, rectification, erasure, restriction of processing, and/or to object to certain processing.
Where your personal information has been provided to us with your consent, and the EU GDPR or UK GDPR is applicable, you are able to withdraw your consent at any time. Please note that other methods of lawful processing are also used.
For more information about iovation’s transfers from the EU, UK, and Switzerland to the US, if you reside in one of these jurisdictions, please visit our Data Privacy Framework page.
Please note that where personal information is collected within iovation’s Services, iovation is not able to directly identify end users of the services provided by our Subscribers. In these circumstances, iovation invites data subjects to contact the iovation Subscriber who they believe used iovation fraud prevention and account authentication solutions. We will cooperate with our Subscribers to enact data subject rights requests.
If you wish to make a general complaint about our privacy practices, please write to us at the email address above and we will respond within a reasonable time and in accordance with applicable laws. If you are situated in the EEA and/or UK, you also have the right to complain to the supervisory authority at any time. We will consider and respond to your request promptly and in accordance with any applicable laws.
If you wish to be removed from our mailing list, you can do so by clicking "unsubscribe" in any email communications we send you, or by emailing us at the address above.
If you are visiting our Website or using our Services from outside the United States (“US”), including in the European Union (“EU”), EEA, or UK, please be aware that your personal information may be transferred to the US and potentially other countries whose data protection laws may not be as protective as those in your country of residence. However, our collection, storage, and use of your personal information will at all times be in accordance with this Notice wherever it is processed.
iovation transfers personal information from the EEA and/or UK using a transfer mechanism known as the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the US Department of Commerce.
If there is any conflict between the terms in this Notice and the EU-US DPF Principles and/or the Swiss-US DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
To learn more about iovation’s transfers from the EU, UK, and Switzerland to the US under the DPF Principles visit our Data Privacy Framework page.
For our Services, we will work with our Customers to put in place any appropriate data export solutions that may be needed under applicable laws.
The General Data Protection Regulation requires that iovation, Inc. have a representative within the EU. In the EU, we have appointed Trustev Limited of Cork Airport Business Park, Building 2100, Rathmacullig West Cork, Co. Cork, Ireland. e: Eurepresentative@transunion.com
The United Kingdom Data Protection Act (2018) requires that iovation, Inc. have a representative within the UK. In the UK, we have appointed iovation, Ltd. of 29/30 Fitzroy Square, London, United Kingdom, W1T 6LQ e: PDLGFSPrivacy@transunion.com.
For any Customers whose use of iovation products is subject to the GDPR or UK GDPR and who wish to use the Standard Contractual Clauses (“SCCs”) as their basis for transferring data to iovation, we have made available a contract addendum.
We have made available a similar addendum for partners or resellers. Please download the addendum, sign and return to PDLGFSLegal@transunion.com.
We may also rely on adequacy decisions to transfer data outside of the EEA or UK including the US Data Privacy Framework. For more information on iovation’s participation in the program, please visit our Data Privacy Framework page.
We will use appropriate security measures to help protect your personal information. We maintain a comprehensive information security program with administrative (policies, standards, and processes), physical, technical, and organizational controls designed to protect the confidentiality, integrity, and accessibility of personal information, including protection from misuse, unauthorized access or disclosure, loss, alteration, or destruction. Please be aware that no website is completely secure; and although we will do our best to protect your personal information, you should only access the Website within a secure environment.
iovation retains data within our Services for the following periods:
| Category of Data | Retention Period |
| --- | --- |
| Transaction data, including device data (including IP address and geolocation), account identifiers, information about transactions you carry out, behavioral data and scores/alerts based on such information | 180 days from the date of the transaction for customer use and support. 5 years from the date of the transaction for our own internal product analysis, performance monitoring, and product improvements. Aggregated data may be kept for longer. |
| Device and account identifiers linked to Fraud | 5 years from the last activity date recorded by iovation. |
| Device and account identifiers not linked to Fraud | 2 years from the last activity date recorded by iovation. |
| Data in TruValidate Insights Centre (online portal enabling clients to review inputs, outputs, and transaction outcomes) | 90 days |
We retain personal information for as long as necessary to fulfill the purposes for which it was collected or processed, as previously described in this Notice. For instance, we retain personal information, collected through our services and websites, for as long as a user’s account is active or as needed to provide services to our customers.
When determining retention periods, we consider our relationship with users and their information, the nature and sensitivity of the information, and what is reasonably necessary and proportionate to provide and improve our services. We also adjust retention periods to comply with our legal, reporting, or accounting obligations, to resolve disputes, and to enforce our agreements. We regularly review our retention periods and assess our data minimization practices, retaining the least amount of information for the shortest retention period, while still upholding all our obligations.
Our Website may contain links to other websites and services. This Notice does not apply to such websites or services and we are not responsible for the content nor the privacy or security practices and policies of those websites or services. If you click on a link or browse to a third-party site from our site/service, your activity and interaction is subject to that third-party's rules and policies. We recommend reviewing the privacy statements on those other sites to understand their privacy practices and make an informed decision regarding your use or interaction with their site/service.
If you have questions or concerns regarding this Notice, our privacy practices and the protection of your personal information, or the privacy rights and choices available to you, you may contact us in the following ways:
Phone | |
Postal Mail | TransUnion Data Privacy Request (iovation) |
This Notice is subject to change at any time. If we make any changes to this Notice, we will post the revised Notice on this page with its effective date.