Last updated: May 25th, 2018
Riskified provides online merchants (“Merchant”) a service that helps prevent fraudulent online transactions (“Fraud Prevention”). Merchants integrate our Fraud Prevention on their eCommerce websites and mobile apps where consumers like you place orders (“eCommerce Platform”). After you place an order, the eCommerce Platform may request that we process your personal data to provide our services.
You are not obligated by law to provide us with your personal data, but the eCommerce Platform may require that you provide us with your personal data to enable the processing of orders you place. Please note that this Policy does not cover the practices or policies of Merchants, the eCommerce Platform, or other parties.
This is a quick summary of the policies, listed for your convenience. The summary does not substitute for the full Policy.
- We collect information regarding your transaction, including data about your device, geolocation, cross-referenced data, and other analytical points.
- We use the information first and foremost to analyze whether the transaction is fraudulent.
- In some circumstances, we share your information mainly in order to operate the Fraud Prevention service. For that purpose, we may combine it with information acquired from publicly available data sources or contract with third parties for cross-referencing.
- The Merchant may use Riskified’s fraud assessment to decide whether to accept or decline your order, based solely on automated processing.
- You may request access to your personal information and/or seek to have such information updated, corrected, or deleted, if the law provides you those rights.
- We may store and process information outside the country where you are located.
INFORMATION WE COLLECT
Transaction data. When you place an order with an eCommerce Platform we collect various data regarding your transaction, which may include personal information, such as your name, email, address, the items you purchased, price paid, shipping information, and (if you have one) basic information from your account on the eCommerce Platform. We also collect basic information about your payment and billing method. We do not collect or keep your complete credit card number.
Device data. We collect information about the personal computer or mobile device you use to access the eCommerce Platform. This includes the device model, operating system, unique identifiers, browser type, mobile network information, and the Internet Protocol (IP) address through which you accessed the eCommerce Platform.
Geo-location data. If you use the mobile app of an eCommerce Platform we collect your precise geo-location whilst you are actively using the app. If you use the eCommerce Platform’s website we will collect your town-approximate geo-location.
Analytical data. We collect analytical data about your use of the eCommerce Platform. For example, we collect the frequency of your access to the eCommerce Platform as well as the pages and items on the eCommerce Platform that you viewed or interacted with.
Cross-references. We also cross-reference, verify, and enhance the accuracy of the data outlined above using publicly available third party online sources such as search engines, social networks, ‘white pages’, and mapping services. If you have provided the Merchant or the eCommerce Platform with access to information on third party platforms (including social networks), we may also receive the same access permissions to the information that you made public.
Inquiries. If you contact us for questions or complaints, we will collect the information related to your inquiry and to verify your identity. This may include your name, email address, postal address, telephone number and other contact information, depending on the nature of your inquiry.
USE OF COLLECTED INFORMATION
When a Merchant asks us to review an order you place on an eCommerce Platform, we review the aggregate data of your activities across all the eCommerce Platforms of our Merchants as well as any other data collected. We use this data to provide the Merchant a fraud analysis indicating whether or not the order is, in our assessment, a fraudulent online transaction. It is then at the discretion of the Merchant (not Riskified) to accept or decline your order.
We also use the information we collect for the following purposes:
- Improving and enhancing Fraud Prevention and developing new services;
- Statistical analysis of consumers’ activities;
- Handling your requests and complaints;
- Enforcing this Policy and preventing misuse of the Fraud Prevention;
- Taking any action in any case of disputes involving you, in relation to Fraud Prevention; and
- Any other action that may be mandated by law or undertaken to protect our legal rights and property and/or those of third parties.
SHARING INFORMATION COLLECTED
In certain circumstances, the information outlined in this Policy may be shared with others including:
With our third party service providers
With the Merchant
On rare occasions, we may share limited elements of your personal data with the Merchant with whom you made your transaction. This information sharing will be for the purpose of reviews, audits or dispute handling.
When required for Legal Purposes
Your personal data may be shared with third parties, if we believe it is required by law or for the purpose of exercising legitimate legal rights. For instance, it could be necessary to share your data in order to comply with legal proceedings, to protect or exercise the legal rights of Riskified or our Merchants, or to respond to lawful requests.
With Corporate Group Entities or in a Business Transfer
We may share personally identifiable information with our corporate group entities but their use of such information must comply with the Policy. Your data may also be shared if the operation of the Fraud Prevention service is organized within a different framework or through another legal structure or entity, such as due to a merger or acquisition.
We may use the information we collect to compile aggregated, anonymized, or de-identified information. We may share anonymized information unless it is combined with personally identifiable information.
Transfer of Data Outside Your Territory
We may store and process information in the US, the EU, Israel, and in other countries. We may also process information using cloud services.
We frequently process information under arrangements aimed at providing an adequate level of data protection. This may include processing in countries that the EU has determined maintain adequate data protection, the use of model contract clauses, or other mechanisms.
However, in certain cases the laws in some of these countries may nevertheless provide a lesser degree of data protection than the laws of your own country. We may transfer your information to entities within other such countries for the purpose of processing as described in this Policy.
If you are a resident of the European Union, Switzerland, or any other territory with similar data protection laws, the following section is applicable to how we collect and manage your personal data.
- As a data controller we rely on our legitimate interests to process your information, including the use of our third party service providers assisting us to deliver the Fraud Prevention. We may also receive your explicit consent through the eCommerce Platform. The eCommerce Platform relies on their own valid legal basis for processing your information, which may be in the form of consent, legitimate interest or execution of a contract.
- The eCommerce Platform may, at its own discretion, use Riskified’s fraud assessment to make a decision on whether to accept or decline your order based solely on automated processing. It may do so if you have given your consent, if needed to enter into or perform a contract, or if authorized by law. Please direct inquiries concerning processing your order based solely on automated means to the eCommerce Platform.
- If the law grants you such rights, you may ask to access, correct, or delete your personal information that is stored in our systems. You may also ask for our confirmation as to whether or not we process your personal data. Subject to the limitations in law, you may request that we update, correct, or delete inaccurate or outdated information. You may also request that we suspend the use of any personal data that you contest the accuracy of, while we verify the status of that data. You may also be entitled to obtain personal data that you directly provided us and have the right to transmit it to another party. However, we will continue retaining, using and sharing certain information if it is associated with fraudulent activity or to comply with legal obligations.
- Several of our data sources are companies operating in countries outside of your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt out of having your personal data shared with those data sources. However, opting out may prevent us from providing Fraud Prevention services and, as a result, may prevent you from using the eCommerce Platform. Irrespective of requests to opt out, if your personal data is associated with fraudulent activity we may continue to retain, use and share certain information, in order to prevent unlawful practices.
If you wish to exercise any of these rights, contact us at: email@example.com. When handling these requests we may ask for additional information to confirm your identity and your request.
We implement appropriate measures to reduce risks caused by the potential loss of information, unauthorized access, or use of information. However, no measure can provide absolute information security and we cannot provide protections beyond what is within our reasonable control.
Our data retention policy is in compliance with applicable laws and regulations. The personal data we collect is retained only for as long as necessary to provide the Fraud Prevention service or newly developed services under this Policy. We retain the personal information we receive from the Merchant for no more than four years, unless you request that we delete this information, or if it is required by us to establish, exercise, or defend against legal claims, or comply with legal obligations. When we dispense with data it is either deleted from our system or anonymized without further notice to you.
POLICY REGARDING CHILDREN
We do not knowingly collect personal data from children under the age of 13, and children under the age of 16 in the EU. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she should contact us at firstname.lastname@example.org. If we become aware that a child under the age of 13 has provided us with personal data, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes.
CHANGES TO THIS POLICY
If we materially change this Policy in a manner that adversely affects your rights, or the protections afforded to your personal data, such changes will only affect the personal data we collect after the Policy change, unless you agree to us treating the personal data previously collected in accordance with the new Policy.
We do not respond to browsers’ “Do Not Track” requests.
You may contact us with any questions or comments, at: email@example.com. Our postal address is: 30 Kalischer Street, Tel Aviv, Israel, postal code 6525724.
Effective date of the policy: May 25, 2018
In a brief summary of the changes:
- We have detailed and clarified which data points we collect to provide our Service, which data we share and with whom, what we use the data for, how we use it and for how long, as well as the legal basis of our processing.
- We also provided you with a more detailed explanation as to your rights in connection with the data we collect and how you can contact us to make any required correction, thereby providing you with greater control over your own personal information.
INFORMATION WE COLLECT
Riskified collects information from our users at several different points on our Site. This may include internet traffic data such as a user’s IP address, domain server, type of computer, and type of web browser. This is anonymous information that does not personally identify a user but is helpful for marketing purposes or for improving a user’s experience on the Site.
In general, when you visit our Site you remain anonymous. However, some areas of our Site may require registration. Personal information such as a user’s name, address, contact information, and other personally-identifiable information (“Personal Information”) may be collected from you and stored in our databases when you register to the Site, request support, enter into a sales promotion, or otherwise interact with us (for example through the “contact us” option). It should be made clear that you have no legal obligation to provide us with any Personal Information and the submission of such information is entirely subject to your sole discretion and consent. However, if you do not provide us with the required information we may not be able to provide you with the information/services requested by you. Registered users may have a user name and password to access their information.
We may also collect statistical and other aggregated data related to your use of the Site or services thereon as well as information on Site usage patterns. This information is collected and used as non-individually identifiable information.
HOW WE USE INFORMATION
We use information which does not identify individual users to analyze trends, administer the Site, improve our services, track users’ movements around the Site, and gather demographic information about our user base. We may use specific information collected to market directly to that person subject to requirements of applicable law. This non-personal information may be shared with third parties.
We compile and store data and information and generate reports related to our users’ access to and use of our Site and services.
To the extent required under applicable data processing laws and regulations any personal information that we collect may be stored in our database and will be used in accordance with such applicable laws and regulations.
We do not share, distribute, sell, or rent any of your Personal Information with/to third parties, except in the following circumstances:
- The information is required by law in order to prevent, investigate, or take action regarding illegal activities;
- In response to legal process, court orders, subpoenas;
- Or to establish or exercise our legal rights or defend against legal claims.
We may also request your permission to use your information in other ways. Such use is subject to your consent.
Any data processing performed by these third parties will, if and when required by law, be governed by a data processing agreement in the form required by law preserving your statutory data protection rights.
In the conduct of our business, we may sell certain of our assets. Information collected from users of the Site, including personal information, could be transferred as part of such transaction. By submitting your Personal Information through the Site, you agree that your information may be transferred to third parties under such circumstances.
Riskified’s Site uses both ‘session’ and ‘persistent’ cookies. ‘Session cookies’ are created and stored temporarily whilst the user browses and are deleted from the device when the browser is closed. ‘Persistent cookies’ are saved on the user’s device for a fixed period and become active when they visit the Site.
Users located in the EU will receive a pop up notification informing them that cookies are operating on our Site. Most browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies, or receive a warning before a cookie is stored.
You have the ability to opt out of receiving marketing communications from Riskified at any time. You can opt out by either changing your email preferences or using the link provided at the bottom of each email message. You may not opt out of administrative emails (for example, emails about your transactions or policy changes) while you are a registered user.
We do not send emails to anyone without permission and we do not sell or rent email addresses to any unauthorized third party. If you believe that you have received an unsolicited email from us, please contact us at firstname.lastname@example.org and we will investigate.
Our data retention policy is in compliance with applicable laws and regulations. The personal data we collect is retained only for as long as necessary to provide the Fraud Prevention service or newly developed services under this Policy. We retain the personal information we receive through the Site for no more than 50 months, unless you request that we delete this information, or if it is required by us to establish, exercise, or defend against legal claims, or comply with legal obligations. When we dispense with data it is either deleted from our system or anonymized without further notice to you.
POLICY TOWARDS CHILDREN
We do not knowingly collect personally identifiable information from children under the age of 13, or 16 in the EU. If a parent or guardian becomes aware that his or her child has provided us with Personal Information without their consent, he or she should contact us at email@example.com. If we become aware that a child under the age of 13 has provided us with Personal Information, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes.
We follow generally accepted industry standards and best practices to protect the Personal Information submitted to us, both during transmission and once we receive it. However, due to the nature of Internet communications and evolving technologies, unauthorized entry or use, hardware or software failure, or other factors the security of user information may be compromised at any time. No method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of Personal Information and disclaim any assurance that such information will remain free from loss, misuse, or alteration by third parties who, despite our efforts, obtain unauthorized access.
Our Site may have links to the sites of other companies. We are not responsible for their privacy practices. We encourage you to learn about the privacy policies of those companies.
UPDATE/DELETE USER INFORMATION
You can write to us at any time to obtain a copy of your information, have any inaccuracies corrected, or if you no longer desire our service (in which case we will endeavor to remove your personal data from our systems). Where appropriate and required by law, you may have your Personal Information erased, rectified, amended, or completed. In order to contact us regarding your information please email firstname.lastname@example.org.
To protect your privacy and security, we may take reasonable steps to verify your identity before granting access or making corrections.