Privacy Policy With Respect to Data Received From Clients


InAuth, Inc. (“InAuth”) provides mobile app and mobile/desktop browser software which enables InAuth clients to collect, process and manage data associated with their consumers’ mobile and desktop devices. InAuth also provides other related offerings to its clients. In connection with providing its services, InAuth may receive personally identifiable information (“personal information”) from its clients about consumer devices confirmed to have been associated with fraudulent activity.

This policy sets forth InAuth’s general privacy and security practices with respect to this personal information. While this policy sets forth InAuth’s general privacy and security practices, the detailed obligations and commitments of InAuth to our clients are set forth in the contractual arrangements with clients. In the event of a conflict between this policy and a contract, the contract prevails.

The collection and processing of personal data obtained directly by our client is outside the scope of this document. Consumers should review the privacy policies of the business entities with which they directly share their data to learn about such entities’ privacy practices.

For information about InAuth’s privacy and security practices relating to visits to the InAuth website, please review the InAuth Website Privacy Statement.

InAuth also has a registered branch office in England, which adheres to all aspects of this Privacy Statement, including the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.


InAuth receives consumer device data from its clients, which may be financial institutions, payment processors and/or online retailers. InAuth does not conduct or fulfill consumer transactions, and, except as otherwise disclosed, InAuth does not collect or receive personal information directly from consumers. Rather, InAuth’s products are integrated into the client’s mobile apps and websites. InAuth’s products are used by clients to collect device information from consumer devices.

Device data relates to characteristics about the consumer’s mobile or desktop device. Device data is analyzed to identify potentially fraudulent consumer devices. The device data may include personal information, including but not limited to, a consumer’s name, billing address, telephone number, email address, IP geolocation information, device identification information, or behavioral analytics.

The determination of which data elements a client should provide to InAuth is made by the client, in consultation with InAuth personnel. InAuth only accepts data elements from clients if the data are rationally related to the performance of the applicable service that a client has purchased. In general, InAuth does not accept data from clients prior to execution of a definitive services agreement. InAuth advises clients not to send data to InAuth in any manner that is outside of InAuth’s hosted software platform.


InAuth processes personal information to help its clients prevent fraud related to card-not-present purchases, online scams, compromised devices, and policy abuse. InAuth may also process personal information received from its clients to develop and provide other similar types of services to its clients. For purposes of providing these services, InAuth retains records of commercial transactions and other interactions between InAuth’s clients and individual consumers, which may contain personal information collected from a consumer device. Additional data elements may be added to the collected device data, through the use of third-party data services, as determined by clients. At the direction of our clients, InAuth can also collect information from consumers through data scripts placed on a client’s website.

The period for which personal information is retained is determined by the contract between InAuth and each individual client and may vary based on the type of InAuth service.

However, specific elements of a transaction (such as an IP or email address) believed to have been used in a fraudulent manner will be retained for longer periods consistent with InAuth’s agreements with its individual clients. Consumers should contact the business entities with which they directly share their data to learn how long their transaction data may be retained. InAuth has put in place mechanisms to protect the accuracy and integrity of personal information.

In addition, subject to its agreements with clients, InAuth may apply statistical analytics to aggregate data received from clients, in order to identify patterns or anomalies that are useful in predicting the likelihood of fraud in any given transaction.

In certain cases, when agreed to by our clients, InAuth may transfer transaction data from clients to our corporate affiliates.


InAuth shares transaction data with third parties only in the following limited circumstances: (1) personal information may be accessible to third-party service providers processing data on behalf of InAuth; however, any such service providers are required by contract to implement privacy and security safeguards consistent with this policy, including the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework; (2) InAuth may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements; and (3) personal information may be provided to a third party to the extent InAuth enters into a transaction for the acquisition of all or substantially all of InAuth’s assets.

In addition, as part of one or more of InAuth’s discrete service offerings, such as InExchange®, elements of data may be retained and accessed in a limited manner by other clients of InAuth solely for the purposes of identifying known fraudulent devices (specifically, to validate elements of data independently collected by such client) and only as directed by the client that sent the information to InAuth. InAuth faces potential liability when we onward transfer to third parties.


Data subjects whose data is received by InAuth have the right under the Privacy Shield Framework to access, correct, or delete their personal data. They may do so by contacting InAuth’s client that collected their data or by contacting InAuth directly at the contact information noted below:

E-mail: (put “Privacy Compliance” in subject line)

Mailing address: Legal/Privacy Compliance, InAuth, Inc., 376 Boylston Street, Suite 501, Boston, MA 02116 USA

Telephone: +1 (855) 801-0774 (ask for Legal/Privacy Compliance)


InAuth complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information we receive from our clients with respect to their consumers in the European Union and Switzerland, as applicable. InAuth has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit


EU & Swiss Individuals:

In compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, InAuth commits to resolve complaints about privacy and our collection or use of personal information from European Union and Swiss data subjects. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact InAuth at the contact information noted below:

E-mail: (put “Privacy Compliance” in subject line)

Mailing address: Legal/Privacy Compliance, InAuth, Inc., 376 Boylston Street, Suite 501, Boston, MA 02116 USA

Telephone: +1 (855) 801-0774 (ask for Legal/Privacy Compliance)

InAuth has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss-U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If data subjects do not receive timely acknowledgment of their complaint, or if their complaint is not satisfactorily addressed, they may visit for more information and to file a complaint. Under certain limited conditions, individuals may invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.


InAuth has implemented internal mechanisms to verify ongoing adherence to this policy. We periodically verify that this policy remains accurate, comprehensive for its intended purpose, and accessible in accordance with applicable law. InAuth is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).


This privacy policy may be amended from time to time consistent with the requirements of the Privacy Shield. InAuth will post any revised policy on this website.


Any questions about the accuracy, use, processing or storage of data received by InAuth should be directed to

EFFECTIVE DATE:  March 1, 2018


