Privacy Policy: Incognia Mobile Fraud Solution

Last update: June 14, 2022

Incognia is a location-based digital identity company (for mobile) that aims to bring greater security and reduce fraud in the use of mobile applications and connected devices without adding friction during your user experience while respecting your privacy as a User of our services. We believe that no one should need to give up privacy for convenience, so preserving your privacy and protecting your personal data is an essential part of our values ​​and mission.

This Privacy Policy aims to reinforce our commitment to the Processing of your personal data in accordance with applicable data protection legislation in the USA and Europe, such as the California Consumer Privacy Act (“CCPA”) and the General Data Protection Regulation (“GDPR”), as well as to explain, in a clear and transparent way, how we process your personal data.

If you are from Brazil and want to know how we protect your privacy and personal data in accordance with the Brazilian General Data Protection Law (“LGPD”), see our Privacy Policy BR (in Portuguese).

Glossary

For the purposes of this Privacy Policy, the following definitions should be considered:

  • Applications: applications and connected devices that have the Incognia solution embedded, that is, the Incognia SDK installed.

  • Application Developer: company responsible for the Application. Refers to Client, Controller.

  • CCPA: California Consumer Privacy Act. It is the Californian data protection law.

  • Clients: digital and service companies that develop the Applications.

  • Controller: refers to our Clients, i.e. the Developers of the Applications.

  • Data subject(s): refers to the natural person “owner” of the personal data, that is, the person to whom the data refers. Refers to you, User of the Application and our services.

  • Device: Device or mobile device on which the Application is installed.

  • GDPR: General Data Protection Regulation. Is the European data protection law that is a reference all over the world.

  • Personal Data: any information that directly or indirectly leads to your identification as a natural person.

  • Processing: any operation carried out with your personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion or extraction.

  • Processor: company hired by the Controller to carry out data processing on its behalf and under its determinations. Refers to Incognia.

  • SDK: Software development kit or Software Development Module. It is the module installed in our Clients' Applications to perform data collection.

  • Subprocessor: refers to the company we hire to store your data collected via SDK. Amazon Web Service (“AWS Cloud”) is our Subprocessor.

  • User: natural person who downloads and installs the Application. You are both a user of the Applications and a user of our services. It refers to you, the Data Subject.

These definitions will be mentioned throughout this Policy with a capital letter and must be interpreted in conjunction with the provisions of the GDPR and CCPA. Words and terms not defined in this Glossary shall have their meaning in accordance with the provisions of the GDPR and CCPA.

How does the Incognia Solution work?

From the analysis of mobile device location data, we create User behavior patterns. These standards act as a User's private anonymous identity and are used to support identity verification and authentication processes for Applications in various industry segments. In addition, associating the location behavior pattern with data about the device's health (root, fake location, apps purchased from an unofficial store, etc.) further contributes to fraud detection.

How is personal data collected?

In order to offer our services, we install a Software Development Module (“SDK”) in our Client’s' mobile Applications. Once you download and install an Application that has our SDK embedded and provide the appropriate access permissions (when necessary) your data is collected and processed by us to bring greater security during the use of the Application, reducing the incidence of fraud and, at the same time, improving your user experience by reducing friction during onboarding, login, transactions and browsing the Application.

What personal data is collected?

We only collect and process personal data that is necessary to achieve the processing purposes related to security in the use of the Applications and reducing the incidence of fraud.

We do not collect any personal data that can directly identify you such as name, ID, e-mail, etc. We also do not collect any personal data considered sensitive, that is, any information that reveals your racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, or data relating to health or sex life, genetic or biometric data.

Check out the categories of personal data we collect through our SDK below:

  • Location data: location information such as GPS, wifi signals and Bluetooth signals.

  • Device Identifier Data. refers to the identifying information of your device on which the Application is installed. Ex: mad id (only stored after applying hash with a secret).

  • Device Data: information related to your device, such as Device model, operating system, and operating system version, among others.

  • Application data: information related to the Application, such as the app session and events defined by the Application Developers, such as registration of new Users, among others.

Who owns the personal data collected by Incognia?

The owners or Data Subjects of personal data are the Users who download and install Applications that have our embedded technology (SDK installed), granting the appropriate permissions to share their data, when applicable.

Does Incognia process data from children or adolescents?

Incognia complies with the Children’s Online Privacy Protection Act (COPPA) from the United States. We do not make partnerships with child and teenage-oriented applications, nor do we offer services for companies that have children and teenagers as the target audience. Therefore, we do not intentionally gather personal information from children or adolescents. 

In case you are a parent or guardian and know your child has provided personal data to us, please let us know. If we find out that we have collected personal data from children without the Client Application having verified their parents' or guardians’ consent, we will take the necessary measures to remove this information from our servers and end the partnership with that application, in the case the issue is not permanently solved.

What role does Incognia play as a Processing agent?

Incognia is contracted by the Application Developers, our Clients, to carry out the processing of your data, as a User, for security and anti-fraud purposes on their behalf and under their determination. Thus, our Clients are the Data Controllers and we act as the Data Processor, according to the definitions of the applicable privacy laws.

What are the purposes of processing personal data?

The processing of your personal data takes place to achieve the purposes determined by the Controller, which are to provide greater security in the use of the Application, avoid the incidence of fraud and reduce friction in your experience while using the Application. We do not use the data collected through the integration of our SDK with the Application for any purpose other than those related to the provision of our services.

Below we list in more detail the purposes to be achieved with the processing of your data:

  • Verification of the integrity of the device: through the collected data we check if there is any anomaly or attempt to forge the location of your mobile device;

  • Verification of addresses: we verify that the address filled in at the time of registration on the Application matches the user´s real address;

  • Alert on Suspected Account Theft: We alert the user to suspicious changes in location behavior pattern (“Location Fingerprint”) that may indicate a possible theft of your account;

  • Trusted Locations Check: We verify that the user accessing the app is in a trusted location at key moments in the app: an example of a key moment is login, and this verification is done based on the user’s historical behavior.

  • Validation of transactions within the Application: We automatically analyze your behavioral profile to more securely validate transactions on the Application. 

The data collected is also used for network effect purposes and to generate intelligence and derived data to improve the Solution and increase the accuracy of anti-fraud analyses. Also, the data is processed for the purpose of debugging and monitoring the SDK in order to improve it, aiming at the consumption of fewer resources, such as memory, network, battery, etc.

What is the legal basis that justifies the processing of personal data?

In accordance with the provisions of the privacy laws, it is up to the Controller, our Client, to define the most appropriate legal basis to justify the processing of personal data.

How and where is personal data stored?

We store your personal data on Amazon Web Service (AWS Cloud) servers located in the United States of America. We use secure and encrypted protocols to protect data transfer to our servers. It is worth mentioning that the data is hosted in technological environments managed solely and exclusively by Incognia through the use of a public cloud platform provided by AWS Cloud which is the industry standard, as it simplifies the technology's operation and increases the security level of all services that use it. In addition, we have strict and granular control over the data we store in the AWS cloud.

We use security mechanisms both in transporting and storing data, in addition to updating constantly. All requests are made using the secure version of HTTPS, which is a secure and industry-standard protocol. In addition, the AWS cloud provides a variety of security features and services to increase privacy and control access to the network, including firewalls, encryption (both for data in storage and in transit), defense and automatic response to DDoS attacks, security traces, backup, as well as constant monitoring, activity logging and access control.

How long is the data stored?

As described in the previous item, the data is transferred and stored in encrypted form on the AWS Cloud. We store your data obtained via SDK for a maximum period of 6 (six) months from the date of collection. After this period, your data is securely and permanently deleted. Exceptionally, we may retain your personal data to: (i) fulfill contracts, agreements and policies; (ii) compliance with legal or regulatory obligations (for instance, if necessary to abide by applicable laws); (iii) audit purposes; (iv) regular exercise of rights in judicial and administrative proceedings.

Does Incognia make automated decisions?

We verify the processes of creating accounts or authenticating actions in the mobile applications, such as logins and transactions, in order to automatically provide the Controller with a result of risk analysis or data validation. However, we do not adopt any automated decisions as all decisions relating to you, your data and your use of the Application are the sole and exclusive responsibility of the Controller.

With whom does Incognia share the personal data collected?

Your personal data collected by our SDK is shared with the Amazon Web Service (AWS Cloud), for the exclusive purposes of storage, as described in item 9. 

Furthermore, the result of our risk analysis may also be shared with the Controller, developer of the Applications, for security and anti-fraud decision-making purposes. That is, for fraud analysis, we share with our Client information collected about the integrity of your device (root, fake location, information about acquisition from an unofficial store, etc.) and behavior pattern analysis (if the User's behavior is consistent over time and across devices it registers on, whether it has any history of fraud, etc). In cases of electronic address verification, we send a location count aggregation in a small region around the address received from the Application to confirm the response if it is positive. All data shared with the Controller is associated with hashed IDs and, therefore, does not allow us to identify you directly.

If you want to know in more detail through which Applications your personal data is collected by Incognia’s technology, you may check the Privacy Policies of the apps installed in your Device. Since we are a third party in the relationship between Applications and Users, we cannot expose our Clients due to confidentiality issues provided for in contracts and required by those companies.

Is there international data transfer?

As previously stated, your personal data is stored on Amazon Web Service (AWS Cloud) servers located in the United States of America. We use secure protocol to protect data transfer to our servers in encrypted form. 

So, when there is a data collection from Users that is not in the United States, there will be an international transfer.

How does Incognia protect privacy and personal data?

  • We follow the 7 fundamental principles of Privacy by Design as the basis for creating and developing our solutions, implementing privacy protection from conception to end use of our products and solutions.

  • We apply in our technology techniques such as hashing and encryption, we do not link the location data to any direct identification data, which implies that the data we process is approximate to its total anonymization. With this, we are able to provide our solutions without even knowing who our User is.

  • In addition to applying these techniques to make your identification difficult, we also adopt the best security practices and technical and administrative measures to protect your data and mitigate any risks that may impact your privacy, and we follow all the principles and provisions of the privacy laws (such as , the collection of only strictly necessary data and with a specific purpose).

  • We only collect location data upon granting your location permission which can be managed through the App or device settings.

  • We do not perform continuous data collection, but only at specific times defined according to statistical and intelligence analysis of our solution. 

Other privacy assurance and data protection procedures are detailed throughout this Privacy Policy and you can always contact our Data Protection Officer/DPO (dpo@incognia.com) for more details on how we protect your privacy. and your personal data.

What security measures are in place to protect personal data?

Incognia applies a series of measures to protect your data, such as:

  • Not collecting or associating personal data that can directly identify you.

  • Secure data transport and storage using industry standards and encryption.

  • Advanced encryption and hashing techniques (with secret), as well as cryptographic signature techniques, which allow the detection of any changes made to the data received via the SDK. 

  • We apply an advanced technique of pseudonymization of the Advertising ID (advertising identifier) ​​of users, and the original data is removed from the base and replaced by encrypted and hashed data. The identifiers kept (hashed ID) are sufficient for all Incognia services and do not allow the direct identification of data subjects, in addition to reducing the risks of the advertising identifier identifying you in the event of a confrontation with a third-party database that contains this ID linked to other personal data, such as email, Social Security Number, etc. Therefore, in case of leakage or improper access to the information collected and processed by Incognia, the Data subjects will not be directly associated with this data, reducing the risk of being physically or morally affected.

  • Periodic performance of combs via outsourced companies.

  • We undergo regular third-party audits to certify our products against SOC 2 Type II certification, which guarantees security by Incognia's technology and an international standard on cybersecurity risk management systems. SOC 2 is a report based on the existing Trust Services Criteria (TSC) of the American Institute of Certified Public Accountants' Auditing Standards Council (AICPA). The purpose of this report is to assess an organization's information systems relevant to security, availability, processing integrity, confidentiality and privacy.

  • As a result, Incognia has security measures such as risk monitoring, systems and the application of controls; environment management and logical and physical access; communication channels; risk mitigation and assessment mechanisms, change management and others.

What are your rights regarding your personal data?

You have a number of rights in relation to your personal data, such as data processing confirmation; access to your own personal information; information on data sharing and opt-out. These rights are made available by the Controller (our Clients), but Incognia, as the Processor, takes all measures to assist the Controller in fulfilling its obligation to make its rights available.

In other words, your rights must be requested directly from the Data Controller, who, in turn, will forward your right request to us so that, if applicable, we can take the appropriate measures according to instructions received from the Controller. All communications relating to your rights shall be made solely between you and the Controller.

How Incognia guarantees the non-discrimination?

Data subjects have the right to equal service and price, even when they exercise privacy rights. Incognia encourages personal Data Subjects’ control over their data and Users will not be harmed morally or financially for the exercise of rights. However, providing personal data is a requirement necessary for the performance of services and functionalities offered by Incognia, such as ID verification, multi-factor authentication, risk assessment, fraud detection and location-aware services, as detailed in the item 7.

What is Incognia responsibility according to the CCPA?

The California Consumer Privacy Act (“CCPA”) provides consumers (the “Data subjects”) with specific rights regarding their personal information. When offering anti-fraud services to clients, we act as a “service provider” under the CCPA, which means our collection of any consumer personal information is completed on behalf of our Clients in order to provide them with anti-fraud services. 

You have the right to request that businesses subject to the CCPA (which may include our Clients with whom you have a relationship) disclose certain information to you about their collection and use of your personal information, including the information used or shared with us  to perform a business purpose.  

The business purposes regarding the services provided by Incognia are: 

  1. detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity;  

  2. performing services on behalf of the Clients, including maintaining or servicing accounts,  processing or fulfilling orders and transactions, verifying User information, or providing similar services on behalf of the business. Incognia does not further collect, sell, or use consumers’ personal information except as necessary to perform the informed business purposes.

Incognia shall not be required to comply with your requests to delete your personal information once it is necessary to (i) complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of a business’ ongoing business relationship with you, or otherwise perform a contract between the business and you; or to (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

How can I contact Incognia's DPO?

If you have any questions, comments or suggestions, you can contact our Personal Data Processing Officer/DPO directly by sending an email to dpo@incognia.com.

Privacy Policy Amendments

We may update and change the terms of this Privacy Policy from time to time. On our website, you will always find the latest version of the terms and, if you want,  you can access previous versions by registering a request by sending an email to dpo@incognia.com.

 

Incognia Inc.
555 Bryant St, Box 423
Palo Alto CA USA 94301
DPO: Dayana Caroline Costa (dpo@incognia.com)