At Riskified, Inc., together with our affiliates, “Riskified”, “we”, “our”, or “us”), we provide online merchants (“Merchants”) with a service that helps them to prevent fraudulent online transactions (the “Fraud Prevention” service). We also may provide you with an alternative payment service (the “Deco” service) that allows you to finalize your purchase with a Merchant even when your original payment method is declined by the Merchant. You may now or in the future place an order with such a Merchant.

Merchants integrate our Fraud Prevention and Deco services on their eCommerce websites and mobile apps, where consumers like you place orders (“eCommerce Platforms”). This requires us to collect personal data from you to provide Fraud Prevention services to the Merchant and/or to provide Deco services to you.

This Privacy Policy (“Policy”) explains our privacy practices with respect to our Fraud Prevention and Deco services. It describes how we collect, use, and share personal information. It also describes your the rights and options with respect to that information. Please note that if you receive a financial product or service from us, the privacy notice titled “What Does Riskified Do With Your Personal Information?” applies to you. This notice, which applies only with respect to the non-public personal information that we obtain in the course of providing you with a financial product or service, is required by the Gramm-Leach-Bliley Act (the “GLBA”). To the extent that there is any conflict between this Privacy Policy and the GLBA privacy notice, the privacy notice shall control.

Please note that this Policy does not cover the practices or policies of Merchants, the eCommerce Platform(s), or any other party that may have access to your personal information. To the extent that we provide your personal information to our agents or service providers, we will take what we believe to be commercially reasonable steps to ensure that they safeguard such information and use it only for the intended purposes. However, we are not responsible for the practices employed by any third party website that we may link to, nor for the information or content contained therein. We encourage you to review the privacy statements of such other websites to understand their information practices and terms of service.

You are not obligated by law to provide us with your personal data, but an eCommerce Platform may require that you provide us with your personal data in order for it to be able to consider or process the order you place, or to be able to provide the Deco service.

In short…

• The following are the key points of the Privacy Policy. They are listed only for your convenience, and do not substitute for the full Policy.
• We collect various information regarding your transaction, including device data, geolocation data, analytical data and cross-referenced data.
• Your information is processed pursuant to your consent or in accordance with the business purposes and legitimate interests of the Merchant and/or Riskified.
• For Fraud Prevention, we use the information first and foremost to analyze whether the transaction is fraudulent. We share your information mainly to facilitate the Fraud Prevention service. For that purpose, we may share elements of the personal data we collect with third parties and operators of online publicly available data sources for cross-referencing and verification purposes.
• The Merchant may use Fraud Prevention to decide whether to accept or decline your order based solely on automated processing.
• For Deco, we use the information to verify your eligibility for this service and payment method, and to collect the payment from you, which may be processed using automated processing. We share that information with our payment service providers, including Synapse, to facilitate collection of payment from you.
• You may request access to your personal information, or to have us update, correct or delete such information, if the law provides you those rights.
• We may store and process information outside the country where you are located.
• Our data protection officer can be contacted at [email protected]. You can also contact us at [email protected].

INFORMATION WE COLLECT

Transaction Data. When you place an order with the eCommerce Platform, we collect various data regarding your transaction, such as your name, email, the items you purchased, price paid, shipping information and basic information from your account on the eCommerce Platform (if you are registered with an account there). We also collect basic information about your payment and billing method, but we do not collect or keep your complete credit card number. For Deco verification and payment purposes, we may also collect your date of birth, login credentials for online access to your bank account, your bank routing number, and bank account number. This transaction data collected for Deco verification and payment purposes is encrypted prior to being sent to our payment service providers and thereafter not retained or used by Riskified.

Device data. We collect information about the personal computer or mobile device you use to access the eCommerce Platform, including its model, its operating system, unique device identifiers, browser type, mobile network information and the Internet Protocol (“IP”) address through which you accessed the eCommerce Platform.

Geo-location data. If you use the eCommerce Platform’s mobile app, we collect your precise geo-location when you actively use the app. If you use the eCommerce Platform’s website we will collect your town-approximate geo-location.

Analytical data. We collect analytical data about your use of the eCommerce Platform. For example, we collect the frequency of your access to the eCommerce Platform, the pages and items on the eCommerce Platform that you viewed or interacted with.

Cookies. We may use “cookies” to collect some of the preceding information. A cookie is a piece of data stored on your hard drive to help us improve your access to our Website and identify repeat visitors to the Website. For instance, when we use a cookie to identify you, you would not have to log in a password more than once. Cookies also can enable us to track and target the interests of our users to enhance the experience on our site. Cookies also may be used to limit the number of times you are shown a particular ad.

Some of Riskified’s business partners may use cookies on our Website (for example, advertisers). However, we have no access to, or control over, these cookies. You may set cookies that tell Riskified or third parties to not use information about what sites you visit to target ads to you. For example, the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) offer tools for opting out of targeted advertising. As discussed below, we cannot guarantee that our Website will respond to Do-Not-Track signals from your browser at this time. Further, note that if you delete all cookies, you will also delete the cookies that indicate your preference to opt out of targeted ads.

From time-to-time, we may engage third parties to track and analyze non-personally identifiable usage and volume statistical information from individuals who visit our Services.

You also may see advertisements when you use our Site. These advertisements are for our own products or services or for products and services offered by third parties. Which advertisements you see is often determined using the information that we, our service providers, and other companies that we work with have about you, including information about your relationships with us. To that end, where permitted by applicable law, we may share with others the information that we collect from and about you.

Cross-references. We also cross-reference, verify and enhance the accuracy of the data outlined above, using third party sources such as online search engines, online ‘white pages’ and online mapping services.

Inquiries. If you contact us for questions or complaints, we will collect the information related to your inquiry. This may include your name, email address, postal address, telephone number and other contact information, depending on the nature of your inquiry.

USE OF COLLECTED INFORMATION

We, as a data controller, process your personal data pursuant to our legitimate interests while Merchants may, where relevant, rely on legitimate interests or consent to process your personal data.

We use the information we collect for the following purposes:

• To Provide the Fraud Prevention Service: When you place an order on an eCommerce Platform, we crunch the aggregate data of your activities across the eCommerce Platforms of all Merchants we operate. We use this data to provide the eCommerce Platform a fraud analysis indicating whether or not the order is, in our assessment, a fraudulent online transaction. It is then up to the eCommerce Platform, not us, to determine in its own discretion, whether to accept and process your order, or decline it.
• To Provide the Deco Service and Collect Payment: When you choose to pay for goods or services from a Merchant with Deco, we use the information you’ve already provided to the Merchant during the order process, in addition to information about your bank account, to verify your account and to complete your order with the Merchant. We then use this information to collect the payment directly from you.
• To Improve Our Services or Develop New Services: We may use personal information to improve and enhance Fraud Prevention, Deco, and to develop new services. We also may engage in statistical analysis of consumers’ activities.
• To Respond to Your Inquiries or Complaints: We may use your information to handle complaints and other customer service inquiries.
• To Protect Our Rights and Comply With Legal Obligations: We may use your information to enforce this Policy and prevent misuse of the Fraud Prevention or Deco services. This includes taking any action in any case of dispute involving you, with respect or in relation to Fraud Prevention or Deco, or as otherwise may be mandated by law or to protect our legal rights and property and those of third parties.

SHARING INFORMATION COLLECTED

We may share the information outlined in this Policy with others, in the following instances:

• With Contractors and Service Providers: We may share information with our contractors and service providers, in order to help us to provide Fraud Prevention or Deco. For example, we process the data using cloud service providers, and we process payments using a payment service provider.
• With Third Party Data Sources: We may share limited elements of the personal data we collect with a number of third parties and operators of online publicly available data sources (such as online search engines, online ‘white pages’, online mapping services etc.), which may use the data we share with them for their own purposes in accordance with their own policies. We do this in order to cross-reference, verify and enhance the accuracy of the data we collect. Several of these data sources are companies operating in countries outside your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt-out of having your personal data shared with those data sources, but if you opt-out some or all of the Riskified services may be unavailable to you. To exercise this right please contact [email protected].
• With the Merchant You Transact With: On rare occasions, we may share limited elements of your personal data with the Merchant with whom the transaction was made, for review or audit purposes.
• When Required or Permitted by Law: Your personal data may be shared with competent authorities and with any third party, if we believe it is required or is deemed justified by law to protect property or legitimate legal rights (such as pursuant to a subpoena; warrant; investigative demand from law enforcement, regulators or others; national or international security letters; etc.). For example, we may share your information: (i) to investigate, prevent, or take action regarding suspected or actual illegal activities (including fraud or stalking), security or technical issues; (ii) to protect against fraud, claims, or other liability or harm to you, us, or others; or (iii) to exercise or perform a legal, ethical, contractual or other right or obligation, such as to enforce our Terms of Service or other agreements, or to investigate potential violations thereof.
• As Part of a Corporate Transaction: We may share information if the operation of Fraud Prevention or Deco is organized within a different framework, or through another legal structure or entity (including, but not limited to, a voluntary or involuntary change in our business or structure, or a reorganization, financing, change of control, sale of all or part of our stock or assets, spinoff, bankruptcy, dissolution, or any related to similar proceedings),
• With Corporate Affiliates: We may share personally identifiable information with our corporate group entities, but their use of such information must comply with the Policy.

AUTOMATED DECISION MAKING

The eCommerce Platform may, in its own discretion, use Fraud Prevention to make a decision on whether to accept or decline your order, based solely on automated processing. Please direct inquiries concerning the decision about your order to the eCommerce Platform.

ACCESSING, UPDATING OR DELETING YOUR PERSONAL INFORMATION AND OBTAINING A COPY OF IT

If the law grants you such rights, you may ask to access the personal information about you that is stored in our systems. You may also ask for our confirmation as to whether or not we process personal data concerning you.

Subject to the limitations in law, you may request that we update, correct or delete inaccurate or outdated information, and have us suspend the use of personal data whose accuracy you contest while we verify the status of that data.

Subject to law, you may also be entitled to obtain from us the personal data you directly provided us (excluding data we obtained from other sources) in a structured, commonly used and machine-readable format, and may have the right to transmit those data to another party.

If you wish to exercise any of these rights, contact us at: [email protected]. When handling these requests, we may ask for additional information to confirm your identity and your request.

AGGREGATED INFORMATION

We may use the information we collect, as outlined above, to compile anonymized or de-identified information. We may share such anonymized or de-identified information with any other third party, at our sole discretion. However, we will not knowingly or intentionally share information that can be reasonably used to reveal your identity except as provided in this Policy.

TRANSFER OF DATA OUTSIDE YOUR TERRITORY

The personal information that we collect may be stored and processed in the United States or any other country in which we or our subsidiaries, affiliates or service providers maintain facilities. If you are located in the European Union, Canada, or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer information, including personal Information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction, and you consent to the transfer of information to the U.S. or any other country in which Riskified or its parent, subsidiaries, affiliates or service providers maintain facilities and the use and disclosure of information about you as described in this Privacy Policy.

INFORMATION SECURITY

We care about the security of your information and use what we believe to be commercially reasonable safeguards to preserve the integrity and security of personal information.

Please be advised, however, that no security measure, system, or control is infallible. We accordingly do not guarantee that personal information may not be accessed, disclosed, altered, or destroyed and disclaim any express or implied warranties, duties or conditions in that regard. If any applicable law imposes on us a duty with respect to these matters that cannot be disclaimed, you acknowledge and agree that our commercially reasonable precautions shall be considered to satisfy that duty unless (and only unless) we have engaged in willful misconduct.

In the event that the security of any personal information under our control is compromised, we will take reasonable steps to investigate and mitigate the situation, including, when and where appropriate, by notifying those individuals whose personal information may have been compromised and taking other steps in accordance with applicable laws and regulations.

DATA RETENTION

We retain the personal data we collect only for as long as needed in order to provide the Fraud Prevention, Deco, or newly developed services under this Policy and compliance with applicable laws. We then either delete from our systems or anonymize it, without further notice to you.

POLICY REGARDING CHILDREN

We do not knowingly collect personal data from children under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she should contact us at [email protected]. If we become aware that a child under the age of 13 has provided us with personal data, we will delete such information from our files.

CHANGES TO THIS POLICY

We may modify or update this Policy from time to time to reflect the changes in our business and practices. We encourage you to review this Policy whenever you use our services in order to stay informed about our information practices.

To the extent not prohibited by law, any amendment or update to this Policy will apply to personal information that we already have collected and to any personal information that we subsequently may obtain. When required by applicable law, however, we may provide you with advance notice of any changes to this Policy and with an opportunity to object to such changes. If you exercise your right to object, the changes will not become effective with respect to your personal information, but your ability to use our services may be terminated or impaired. We will explicitly notify you of the consequences of objection or non-objection to the extent and in the manner required by law.

MISCELLANEOUS / CALIFORNIA DO-NOT-TRACK DISCLOSURE

We do not respond to browsers’ “Do Not Track” requests.

You may have a right to submit a complaint to the relevant supervisory data protection authority, pursuant to the law.

CONTACT US

You may contact us with any questions or comments, at: [email protected].  Our postal address is: 30 Kalisher Street, Tel Aviv, Israel, postal code 6525724.

Effective date of the policy: [DATE]

Last Updated: May 15, 2019

This notice applies to a U.S. consumer’s use of the Deco service to complete a transaction on a Merchant’s eCommerce Platform for personal, family, or household purposes.

Riskified Privacy Notice

---

---

---

---

---

What we do?

---

---

---

Definitions

---

---

---

Other important information

---

---

_{Last updated: May 15, 2019}