Privacy Policy With Respect to Data Received From Clients

INTRODUCTION

InAuth, Inc. (“InAuth”) provides mobile app and mobile/desktop browser software which enables InAuth clients to collect, process and manage data associated with their consumers’ mobile and desktop devices. InAuth also provides other related offerings to its clients. In connection with providing its services, InAuth may receive personally identifiable information (“personal information”) from its clients about consumer devices confirmed to have been associated with fraudulent activity.

This policy sets forth InAuth’s general privacy and security practices with respect to this personal information. While this policy sets forth InAuth’s general privacy and security practices, the detailed obligations and commitments of InAuth to our clients are set forth in the contractual arrangements with clients. In the event of a conflict between this policy and a contract, the contract prevails, except as otherwise required by Privacy Shield Principles, in which case the Privacy Shield Principles prevail.

The collection and processing of personal data obtained directly by our client is outside the scope of this document. Consumers should review the privacy policies of the business entities with which they directly share their data to learn about such entities’ privacy practices.

For information about InAuth’s privacy and security practices relating to visits to the InAuth website, please review the InAuth Website Privacy Statement.

InAuth also has a registered branch office in England, which adheres to all aspects of this Privacy Statement, including the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

NATURE OF THE DATA RECEIVED

InAuth receives consumer device data from its clients, which may be financial institutions, payment processors and/or online retailers. InAuth does not conduct or fulfill consumer transactions, and, except as otherwise disclosed, InAuth does not collect or receive personal information directly from consumers. Rather, InAuth’s products are integrated into the client’s mobile apps and websites. InAuth’s products are used by clients to collect device information from consumer devices.

Device data relates to characteristics of the consumer’s mobile or desktop device. Device data is analyzed to identify potentially fraudulent consumer devices. The device data may include personal information, including but not limited to, a consumer’s name, billing address, telephone number, email address, IP geolocation information, device identification information, or behavioral analytics.

The determination of which data elements a client should provide to InAuth is made by the client, in consultation with InAuth personnel. InAuth only accepts data elements from clients if the data are rationally related to the performance of the applicable service that a client has purchased. In general, InAuth does not accept data from clients prior to execution of a definitive services agreement. InAuth advises clients not to send data to InAuth in any manner that is outside of InAuth’s hosted software platform.

USE OF THE DATA RECEIVED

InAuth processes personal information to help its clients prevent fraud related to card-not-present purchases, online scams, compromised devices, and policy abuse. InAuth may also process personal information received from its clients to develop and provide other similar types of services to its clients. For purposes of providing these services, InAuth retains records of commercial transactions and other interactions between InAuth’s clients and individual consumers, which may contain personal information collected from a consumer device. Additional data elements may be added to the collected device data, through the use of third-party data services, as determined by clients. At the direction of our clients, InAuth can also collect information from consumers through data scripts placed on a client’s website.

The period for which personal information is retained is determined by the contract between InAuth and each individual client and may vary based on the type of InAuth service.

However, specific elements of a transaction (such as an IP or email address), believed to have been used in a fraudulent manner will be retained for longer periods consistent with InAuth’s agreements with its individual clients. Consumers should contact the business entities with which they directly share their data to learn how long their transaction data may be retained. InAuth has put in place mechanisms to protect the accuracy and integrity of personal information.

In addition, subject to its agreements with clients, InAuth may apply statistical analytics to aggregate data received from clients, in order to identify patterns or anomalies that are useful in predicting the likelihood of fraud in any given transaction.

In certain cases, when agreed to by our clients, InAuth may transfer transaction data from clients to our corporate affiliates.

DISCLOSURES TO THIRD PARTIES

InAuth shares transaction data with third parties only in the following limited circumstances: (1) personal information may be accessible to third-party service providers processing data on behalf of InAuth; however, any such service providers are required by contract to implement privacy and security safeguards consistent with this policy, including the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework; (2) InAuth may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements; and (3) personal information may be provided to a third party to the extent InAuth enters into a transaction for the acquisition of all or substantially all of InAuth’s assets. InAuth faces potential liability when we onward transfer to third parties. InAuth’s accountability for personal data that we receive under the Privacy Shield and subsequently transfer to a third party is described in the Privacy Shield Principles set forth by the U.S. Department of Commerce. InAuth remains responsible and liable under the Privacy Shield Principles if third parties that we engage to process the personal data on our behalf do so in a manner inconsistent with the Principles, unless InAuth proves that we are not responsible for the event giving rise to the damage.

In addition, as part of one or more of InAuth’s discrete service offerings, such as InExchange®, elements of data may be retained and accessed in a limited manner by other clients of InAuth solely for the purposes of identifying known fraudulent devices (specifically, to validate elements of data independently collected by such client) and only as directed by the client that sent the information to InAuth. InAuth faces potential liability when we onward transfer to third parties.

ACCESS, CHOICE, CORRECTION, AND DELETION OF PERSONAL DATA

Data subjects whose data is received by InAuth have the right under the Privacy Shield Framework to access, correct, or delete their personal data. They may do so by contacting InAuth’s client that collected their data or by contacting InAuth directly at the contact information noted below:

E-mail: legal@inauth.com (put “Privacy Compliance” in subject line)

Mailing address:
Legal/Privacy Compliance
InAuth, Inc.
376 Boylston Street, Suite 501
Boston, MA 02116 USA

Telephone: +1 (855) 801-0774 (ask for Legal/Privacy Compliance)

CHOICE, OPT OUT OF PERSONAL DATA

Data subjects who have provided data to InAuth for marketing purposes have the right under the Privacy Shield Framework to an opt-out or opt-in choice before we share their data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized.

They may limit the use and disclosure of their personal information by selecting the opt-out option within marketing communications or by contacting InAuth’s marketing department directly at the contact information noted below:

Mailing address:
Marketing
InAuth, Inc.
376 Boylston Street, Suite 501
Boston, MA 02116 USA

Telephone: +1 (855) 801-0774 (ask for Marketing)

EU-U.S. AND SWISS-U.S. PRIVACY SHIELD FRAMEWORKS

InAuth complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. InAuth has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

PRIVACY COMPLAINTS BY EUROPEAN UNION (EU) OR SWISS INDIVIDUALS

EU & Swiss Individuals:

In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, InAuth commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield.  European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact InAuth at the contact information noted below:

E-mail: legal@inauth.com (put “Privacy Compliance” in subject line)

Mailing address:
Legal/Privacy Compliance
InAuth, Inc.
376 Boylston Street, Suite 501
Boston, MA 02116 USA

Telephone: +1 (855) 801-0774 (ask for Legal/Privacy Compliance)

InAuth has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

ENFORCEMENT

InAuth has implemented internal mechanisms to verify ongoing adherence to this policy. We periodically verify that this policy remains accurate, is comprehensive for its intended purpose, and is accessible in accordance with applicable law. InAuth is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

AMENDMENTS

This privacy policy may be amended from time to time consistent with the requirements of the Privacy Shield. InAuth will post any revised policy on this website.

CONTACT FOR QUESTIONS

Any questions about the accuracy, use, processing or storage of data received by InAuth should be directed to legal@inauth.com.

EFFECTIVE DATE:  May 1, 2018
