Effective September 24, 2021
View TransUnion’s California Consumer Privacy Act (CCPA) Metrics.
iovation ("we" or "us") is a US headquartered company, and is part of the TransUnion group of companies, that assists businesses ("Customers") to detect and combat online fraud and other types of cybercrime ("our Services"). Over the years we have helped our Customers to protect millions of end-users from becoming the victim of fraudulent and malicious behavior.
When our Customers subscribe to our Services, the following personal information may be collected to help detect the likelihood that your device is associated with fraud or other malicious behavior.
Information collected automatically:
Additional information our Customers provide to us:
In addition, our Customers may send additional information to us for fraud analysis, system abuse purposes and to fulfil their own regulatory obligations and reasons of substantial public interest. For example, they may send us elements of your personal data that you have consented to being shared with us. They might also optionally provide us with information about the transaction you carry out on their site or app.
Information about our Customers:
If you are a Customer, we may also collect certain personal information about you to enable us to manage our business relationship with you – such as your name, contact details, job title, billing and payment information.
Automated Decision Making:
iovation does not conduct Automated Decision Making, although iovation does conduct profiling as defined by the General Data Protection Regulation, which applies to persons situated in the EEA.
When we refer to profiling, we mean using personal data to make predictions about you, or to categorise you into particular groups. Typically, this would involve determining whether a device is reliable when linked to a transaction through a Customer website or app, or whether it is linked to a fraudulent transaction.
Once the information above has been passed to iovation, we process the data through our Global Device Intelligence Platform to return a score to our Customer for the device. This score is calculated based on rules that are set by our Customers. The rules set by our Customers will depend on the business they operate and the types of fraud or system abuse pertinent to their services.
Once the Customer receives a score, it is up to the Customer to decide what action to take from there. For example, transactions with certain scores may be denied, flagged for review, or presented with further authentication challenges. In most cases, however, the transaction or activity will proceed with no issues.
We may also use personal information we collect through the Services for the following purposes:
Where personal data is collected from the EEA or the United Kingdom (UK), it is necessary to have a lawful basis for the processing of personal data. This section explains the legal basis on which we process your personal data.
The EU, EEA and UK’s data protection law allows the use of personal data where necessary for legitimate purposes provided that this isn’t outweighed by the impact it has on you. The law calls this the “legitimate interests” condition for processing personal data.
Most of our processing activities are based on the legitimate interest condition. This includes almost all of our Fraud Prevention and Device Risk products. These legitimate interests include the processing of personal data strictly necessary for the purposes of prevention of fraud, unlawful acts and other forms of cybercrime. This includes the use of Artificial Intelligence/ Machine Learning/ Data Analytics for improving our products and fraud detection services under this lawful basis.
We may also process business to business marketing data for the purposes of direct marketing to our business customers under this lawful basis.
Our International Transfers of personal data from the EEA to Third Countries outside of the EEA (including the United States), is also carried out as a legitimate interest of the business.
We sometimes rely on consent in order to process personal data, but this is relatively rare.
Performance of our contract with you
We also use this basis for processing some of our staff data.
Substantial Public Interests
Where our Device Risk service is used by businesses in regulated industries, such as online gaming, to assist them with their regulatory duties for Responsible Gaming, personal data may be processed of reasons of substantial public interest where an End-User chooses to self-exclude from online gaming with a Subscriber.
We may share personal information collected through our Website and Services in the following ways:
Information we share with our customers: In making the internet a safer place, we may share personal data with our customers, which iovation call “Subscribers”. Our Subscribers provide the online services that iovation protect from online fraud and abuse.
Information disclosed in connection with business transfers: In the event of a corporate sale, merger, reorganization, acquisition, dissolution, financing or other similar event, your personal information may be shared or transferred in connection with, or during negotiations of, such event or transaction.
Information disclosed for legal purposes and the protection of others: We may disclose personal information to a third party where we are legally required to do so in order to comply with applicable laws, regulations, legal process or governmental requests. We will also disclose personal information to the extent we believe necessary or appropriate: (i) to respond to claims, judicial orders, subpoenas, warrants or other process issued by a court of competent jurisdiction; (ii) to protect the vital interests of any person; (iii) to exercise, establish or defend our legal rights; and (iii) to stop any activity we consider illegal, unethical or legally actionable.
As a developer of fraud and identity products, iovation and TransUnion may receive requests from law enforcement and other public authorities along with requests from courts and litigation parties across the world for access to personal data. Such information may relate to consumer and customer data associated with legal, criminal and national security investigations and proceedings.
TransUnion understands that the disclosure of information to public authorities is often an important step in combatting financial crime and other unlawful activities. TransUnion also understands the value of personal privacy and the rights granted by privacy and security laws around The World.
TransUnion has therefore put in place policies, procedures and practices to ensure that all such requests are reviewed appropriately and in accordance with the European Union’s (EU) General Data Protection Regulation, and the Chapter V, Article 46 Transfer Mechanism, which enables personal data to be exported from the EU and European Economic Area (EEA).
The policies, procedures and practices ensure that TransUnion associates are aware of the nature of local laws and practices, and the legal limits of those laws and practices. Where legally appropriate, requests for access to personal data will be the subject of legal challenge and appeal, irrespective of the sensitivity and context of the request. Furthermore, suitable supplementary measures have been put in place in order to protect personal data that is exported from the EEA, to ensure security, integrity and prevent interception of data in transit.
Data Subjects within the EEA are entitled to a copy of the Art.46 GDPR Standard Contractual Clauses that apply to any such transfer of their personal data outside of the EEA. Requests should be submitted to [email protected].
iovation retain data within our services for the following periods:-
|Category of Data||Retention Period|
|Device Data linked to Fraud||5 years from the date last recognized by iovation.|
Device Data linked to Self-Exclusion from gambling
|5 years from the date last recognized by iovation|
|Device Data not linked to Fraud||2 years from the date last recognized by iovation.|
|Transaction Insight Data||180 days.|
“Cookies” are small text files that are placed on your device when you visit (i) our Website or (ii) our Customers' websites who have integrated iovation's Services. Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide certain device and other analytical information.
We work with certain third parties (such as web analytics service providers) to provide us with information about our site traffic and usage. These third parties may set and access their own cookies or tracking technologies, such as web beacons and embedded scripts, on our Website in order to recognize your device and for example, identify whether you have visited our Website before, what you have viewed on our Website and how you found us. Such information is used for statistical purposes.
How to disable cookies: If you do not want us to deploy cookies on your browser, you can set your browser to reject cookies. You can find information on popular browsers and how to adjust your cookie preferences at the following websites:
Please note, however, that if you don’t accept cookies on our Website, you may not be able to access all portions or features of the site.
If you disable the cookies placed by our Customers for fraud and malicious activity prevention purposes, you may not have access to all the services provided by our Customer on their website.
We may also use Flash or Flash Local Shared Objects (LSOs) through our Services to collect the data outlined above. You can manage Flash storage through your browser settings where supported, or you may manage Flash storage. To learn how to manage these, click here for Windows and here for OS/Mac.
We will use appropriate security measures to help protect your personal information. These measures include technical, administrative, physical and organizational measures to protect your data from misuse, unauthorized access or disclosure, loss, alteration or destruction. Data processed within our product environment is pseudonymous in nature and encrypted in transit.
Please be aware that no website is completely secure. Although we will do our best to protect your personal information, you should only access the Website within a secure environment.
iovation transfers personal data from the EEA using a transfer mechanism known as Standard Contractual Clauses. Data Subjects within the EEA are entitled to sight of the Art.46 GDPR Standard Contractual Clauses that apply to any such transfer of their personal data outside of the EEA. Requests should be submitted to [email protected]
For our Services, we will work with our Customers to put in place any appropriate data export solutions that may be needed under applicable laws.
The General Data Protection Regulation (GDPR) requires that iovation, Inc. have a representative within the EU.
In the EU iovation, Inc. have appointed Trustev Limited of Cork Airport Business Park, Building 2100, Rathmacullig West Cork, Co. Cork, Ireland. e:[email protected]
The United Kingdom Data Protection Act (2018) requires that iovation, Inc. have a representative within the UK.
In the UK, iovation, Inc. have appointed iovation Limited of 29/30 Fitzroy Square, London, United Kingdom, W1T 6LQ e: [email protected].
Certain territories (such as the European Economic Area) grant specific rights in relation to your personal information, such as the right to request from iovation access to and rectification or erasure of personal data or restriction of processing concerning your data subject or to object to processing as well as the right to data portability (where applicable), under the General Data Protection Regulation (GDPR), associated Standard Contractual Clauses and iovation’s Privacy Shield certification (for historic data).
Where your personal data has been provided to us with your consent, and the GDPR is applicable, you are able to withdraw your consent at any time. Please note that other methods of lawful processing are also used. If you wish to exercise such rights, or you have any questions or comments concerning your personal information, please contact us at [email protected].
Please note, that where your personal data is collected within iovation’s services, iovation are not able to directly identify end users of the services provided by our subscribers. In these circumstances, iovation invite data subjects to contact the iovation subscriber who they believe used iovation fraud prevention and account authentication solutions. We will cooperate with our subscribers to enact subject rights requests.
If you wish to make a general complaint about our privacy practices, please write to us at the email address above and we will respond within a reasonable time and in accordance with applicable laws. If you are situated in the EEA, you also have the right to complain to the supervisory authority at any time.
We will consider and respond to your request promptly and in accordance with any applicable laws.
If you wish to be removed from our mailing list, you can do so my clicking "unsubscribe" in any email communications we send you, or by emailing us at the address above.
iovation are committed to the principles of the Privacy Shield and all relevant data received from the EU and Switzerland will be processed under these principles.
Should you need to contact the business in relation to anything related to iovation’s participation in the Privacy Shield or any of its principles, please contact the business at [email protected].
In compliance with the Privacy Shield Principles, iovation commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact iovation at:
If you prefer to mail your complaint, you can contact us at the following address:
ATTN: Compliance Manager
iovation Inc. 1211 SW 5th Avenue 8th floor
Portland, OR 97204
iovation has further committed to refer unresolved Privacy Shield complaints to JAMS ADR, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit with JAMS ADR for more information or to file a complaint. The services of JAMS ADR are provided at no cost to you.
iovation may share personal data with third party service providers and subscriber organizations for the purposes of the provision of the Service and for other purposes connected with business operations. Examples of third party service providers might include Cloud Storage providers and Data Centers. End User’s covered by the Privacy Shield arrangement may choose to (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. iovation’s Third Party Service providers act as an agent to perform tasks on behalf and under the instructions of iovation. Where this occurs, it is not necessary to provide this choice. Individuals seeking to act upon this should contact [email protected].
End User’s covered by the Privacy Shield arrangement can contact iovation to access their personal data and/or to discuss the choices and means that iovation use and disclose personal information. In addition to access, End Users are able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
As participants of the Privacy Shield arrangement, iovation are subject to investigatory and enforcement powers of the Federal Trade Commission, who are a statutory body located in the United States.
iovation remind the End User that in certain circumstances, should the need arise, recourse to binding arbitration is available.
iovation may, as required by law, disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
iovation confirms, as participants of the Privacy Shield arrangement, it retains liability for onward transmission, save for circumstances beyond its control and/ or where breaches to the Privacy Shield arrangement are as a consequence of the acts, omissions and/or negligence of the data controller and/or data processor to whom it has transmitted data covered under the Privacy Shield arrangement.
We have made available a contract addendum incorporating the Standard Contractual Clauses (“SCCs”) for any clients whose use of iovation products is subject to the GDPR or UK GDPR and who wish to use the SCCs as their basis for transferring data to iovation. Please download the addendum, sign and return to [email protected]. We have made available a similar addendum for partners or resellers. Please download the addendum, sign and return to [email protected].
ATTN: Compliance Manager/ Data Protection Officer
1211 SW 5th Avenue 8th floor
Portland, OR 97204