Website privacy notice

Date: June 2026

Riskified respects the privacy of the users of our website at https://www.riskified.com (the “Site”) and is committed to protecting the information that is collected and/or is disclosed by the Site users (“users” or “you”). This Website Privacy Notice (“Notice”) explains the privacy practices of Riskified Ltd., on behalf of ourselves and our affiliates (“Riskified”, “we”, “our”, or “us”) and how we collect, use, disclose, store, and otherwise process Personal Data in our role as a Controller when you interact or use our Site.

This Notice does not cover the handling of Personal Data when Riskified is processing Personal Data on behalf of our merchants, e.g. Personal Data submitted by merchants for processing through the Services. For more information, merchants should review the Services Privacy Notice and applicable Data Processing Addendum (DPA) available on our Riskified Security Portal

Definitions

  • “Personal Data” means information made available to Riskified through the Site that, either in isolation or in combination of other information, enables you to be directly or indirectly identified. 
  • Controller” is a “data controller” or “business”, as such terms are defined by applicable data privacy law, and is the party that sets out the purposes and means of processing of Personal Data. 
  • Processor” is a “processor”, “service provider”, “contractor”, and “third party”, as such terms are defined by applicable data privacy law, and is a party that processes Personal Data on behalf of or pursuant to a written contract with Controller. 

Personal data we process and for what purposes

Personal Data you provide to us. We collect Personal Data that you choose to provide to us, for example, on an online form or if you register for any events. We use this data to handle your requests and any complaints, administer our Site, organize and host events, and provide content you request from us. It may also be used for marketing and advertising and, with your consent, to provide direct marketing. We may also rely on our legitimate interest to contact you to offer related services that may be of interest to you based on the services or content that you may have requested from us. 

You always have the right to opt out of receiving marketing communications from Riskified at any time. You can opt out by either changing your email preferences or using the link provided at the bottom of each email message. You may not opt out of administrative emails (for example, emails about your transactions or policy changes) while you are a registered user.

If you believe that you have received an unsolicited email from us, please contact us at [email protected] and we will investigate.

Personal Data we automatically collect. When you visit the Site, we and our third-party partners collect online activity through the use of cookies and other similar trackers. Depending on your browser settings, the information we collect may include, but not be limited to, your device IP address, referring website, what pages your device visited, and the time that your device visited our Site. See the COOKIES section below for more information on the types of cookies and other trackers we use on our Site. We use this data to administer our Site, to improve our Site, for trend monitoring, marketing, and to keep our Site secure. Additionally, we and our advertising and analytics partners use this data to help us understand how you use the Site and deliver content that we think will be of interest to you.

Personal Data we collect from third parties. If your Personal Data has been collected as you interacted with our Site and/or registered or attended one of our events, your Personal Data, as stored in our customer-relationship-management platform (CRM), may be enriched or updated for marketing purposes and to ensure it is accurate, up to date, and to ensure that we achieve the purpose for which it was originally collected.  

How we disclose personal data to third parties 

Vendors and Service Providers. We may disclose your Personal Data with vendors, consultants and other service providers to perform services on our behalf. These Processors include, but are not limited to, website analytics providers, tools to prevent spam and other security risks, CRM service providers, to conduct surveys, and provide event registration. If Riskified transfers your Personal Data to a Processor, Riskified remains responsible for ensuring that such Processor processes your Personal Data to the standard required by applicable privacy and security laws. 

Marketing and Advertising Operations. We may disclose your Personal Data as part of our marketing and advertising operations to third parties (such as advertising networks) through our use of cookies and other tracking technologies on our Site. Our use of cookies and other tracking technologies is subject to the consent preferences you have expressed to us through the consent tools we make available on our Site. 

Event Partners. We may disclose your Personal Data with our events’ sponsors. Please refer to the terms and conditions provided to you during registration for more information. 

Riskified Group. Riskified, Ltd. is the parent company to several wholly-owned subsidiaries, including Riskified, Inc., a Delaware corporation. We may disclose your Personal Data within the Riskified family of companies for the purposes consistent with this Notice, based on our legitimate interests, or out of contractual necessity.

Business Transfer. If we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Data may be one of the assets transferred to a third party.

Protection of Riskified and Others. Riskified reserves the right to process Personal Data as necessary to (i) comply with law or a court order, (ii) enforce our agreements with you and other our agreements with other parties, or (iii) protect the rights, property, and/or safety of Riskified, our employees, our merchants, or others. 

Disclosure to Law Enforcement. Under certain circumstances, Riskified may be required to disclose your Personal Data in response to a valid request by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations. Riskified does not voluntarily disclose any Personal Data to government authorities or otherwise grant them access to such data. 

In the event Riskified receives a legally binding subpoena, warrant, or other court order from a government authority requesting that it disclose Personal Data, Riskified will only provide the requested data in response to formal and valid legal process. Specifically, Riskified’s legal team will review the request to ensure that it satisfies applicable legal requirements. If there are legitimate and lawful grounds for challenging the request, Riskified will do so where appropriate. Riskified’s policy is to construe such requests narrowly to limit the scope of the personal data provided. 

Data retention

We store your Personal Data for different time periods depending on the category of Personal Data and the nature of relationship that you have with us. We consider the following criteria when we are making decisions on how long we will retain your Personal Data: (i) the category of Personal Data; (ii) whether the Personal Data is deleted based on specific schedules; (iii) whether further retention of the Personal Data is necessary to achieve the purpose for which Personal Data was collected; (iv) how long we need to retain the Personal Data to comply with our legal obligations or sound professional practices; and (v) legitimate interests or legal purposes, such as fraud prevention, record-keeping, security and integrity, or enforcing our legal rights. 

Security

We use appropriate technical, organizational, and administrative security measures to protect any Personal Data we store from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. For an updated list of our certifications and security reports, please visit our Security Portal, located at https://security.riskified.com/

Third party websites

The Site may include links to other websites that are not owned or controlled by Riskified (“Third Party Websites”). We are not responsible for, and this Notice does not apply to, any personal data collected via Third Party Websites. We do not endorse any of the products or services described or offered on such Third Party Websites, nor the companies who own or operate such Third Party Websites. We remind you to read the Third Party Websites’ privacy notices to understand how your personal data is used and protected. 

Cookies

For users located in the EEA or United Kingdom, please visit EU Cookie Notice. 

A cookie is a piece of data sent from a website while the user is browsing and stored on a user’s hard drive to contain information about the user. Cookies enable websites to recognize a user who has previously visited a site with the same cookie, and to record a user’s browsing activity. The term “cookie” is used here in the broad sense to include all similar techniques and technologies, including pixels, web beacons and log files. We use cookies and similar tracking technologies to enhance the user experience, improve our service, and store your preference information. We and our advertising and analytics partners may also use cookies and similar tracking technologies to track and monitor usage of the Site for the purposes of understanding how you use the Site generally, and for marketing, advertising, and operational improvements.

Riskified’s Site uses both ‘session’ and ‘persistent’ cookies. ‘Session cookies’ are created and stored temporarily while the user browses and are deleted from the device when the browser is closed. ‘Persistent cookies’ are saved on the user’s device for a fixed period and become active when they visit the Site.

Most browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. If you block or otherwise reject all cookies, certain parts of our Site may not function as expected.

You can also change certain online tracking preferences by clicking on Your Privacy Choices. More information on how to opt out of targeted advertising practices of some of the ad partners we use is available here: DAA Opt Out.

International data transfers

Riskified operates globally. Therefore, Personal Data of individuals who visit our Site may be transferred and accessed from around the world, such as from countries where Riskified, our affiliates, or Processors operate. We will protect Personal Data in accordance with this Notice wherever it is processed. 

Residents in the European Economic Area (EEA), United Kingdom (UK), and Switzerland (CH)

Riskified may transfer Personal Data from the EEA and the UK to the United States (US) and other countries. When Riskified engages in such transfers, it relies on the below mechanisms.  

Adequacy Decisions, as adopted by the European Commission (EC) based on Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). For the full list of countries deemed adequate to date, please visit here.

UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018. For the full list of countries deemed adequate to date, please visit here.

Transfer Impact Assessments (TIAs) are performed by Riskified to monitor and audit transfers from the EEA and UK to other countries to ensure a level of protection that is essentially equivalent to the one guaranteed by the EEA and UK. 

Standard Contractual Clauses (SCCs) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (IDTA), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board. 

Riskified, Inc., a Delaware corporation, located at 220 5th Avenue, 2nd Floor, New York, NY 10001, adheres to and is covered by Riskified’s submission to the EU-US Data Privacy Framework, Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework (collectively, “DPF”), as set forth by the U.S. Department of Commerce. Riskified has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Riskified has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is a conflict between the terms in this Notice and any of the DPF Principles, then the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit here.

Riskified remains responsible, and is liable, under the DPF Principles for the processing of your Personal Data it receives and subsequently transfers to third parties, except where Riskified can demonstrate that Riskified was not responsible for the event giving rise to the damages. 

Riskified commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the U.S. pursuant to the DPF Principles. Residents of the EEA, UK, or CH with complaints or questions under the DPF Principles should first contact Riskified’s Data Protection Officer, Yossi Yeshua at [email protected].  Riskified will investigate and address the complaint or question within 45 days of our receipt of your email. Unresolved complaints under the DPF Principles may be lodged with JAMS, an independent dispute resolution body at: https://www.jamsadr.com/DPF-Dispute-Resolution. This service is provided at no cost to you. If your complaint remains unresolved, in whole or in part, after contacting Riskified’s DPO directly, and pursuing the arbitration service with JAMS, you may under certain conditions invoke binding arbitration with Riskified as detailed here. Riskified is subject to the Federal Trade Commission (FTC) for the purpose of DPF enforcement. 

How can I exercise my privacy rights?

Depending on your local data privacy laws, you may have certain rights relating to your Personal Data. If you are a resident of the United States, these jurisdictions include the states of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia. Subject to any statutory exceptions and limitations, these rights may include: 

  • The right to know what Personal Data is collected and for what purpose. 
  • The right to know what Personal Data is being “sold” or “shared” and for what purpose and the categories of recipients of your Personal Data.
  • The right to access your Personal Data. 
  • The right to have your Personal Data rectified, corrected, or updated. 
  • The right to have your Personal Data deleted. 
  • The right to object to the processing of your Personal Data based on legitimate interests.
  • The right to opt out of automated decision making and profiling resulting in legal or similarly significant effects. 
  • The right to request a list of the third parties to which we have sold personal data (Minnesota and Oregon residents only, and beginning July 1, 2026 Connecticut residents).

To exercise any of these rights or if you have any questions regarding these rights, please email [email protected]. If you are located in the EEA, you may alternatively contact our EU representative, Lionheart Squared (Europe) Ltd, at [email protected]; 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland.  Our privacy team will review your request and respond to you in a timely manner. Please note that certain information may be exempt from such requests under applicable law. For example, we need to retain certain information in order to provide our services to you. We also need to take reasonable steps to verify your identity before responding to a request in accordance with applicable law, which may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, verifying your name and email address. If we are unable to comply with your request due to an exception or limitation or if we need more time, we will explain this in writing. 

You may utilize an agent to make a request on your behalf. We will ask for written, signed permission that the agent has been authorized to act on your behalf. Once the authorization has been provided, we will review the request and respond to the agent in a timely manner. You may also make a request on behalf of your minor child.

Riskified does not collect or use any sensitive categories of Personal Data and does not discriminate against you for exercising your privacy rights. 

If you are a resident of the EU, UK, or the states of Colorado, Connecticut, Delaware, Iowa, Indiana, Kentucky, Maryland, Minnesota, Montanna, Oregon, Nebraska, New Hampshire, New Jersey, Rhode Island, Tennessee, Texas, or Virginia and we deny your information request, you have the right to appeal our denial of your request. You may do so by emailing us at [email protected]. We remind you that you have a right to lodge a complaint with a supervisory authority should you feel dissatisfied with our processing of your Personal Data or adherence to the terms of this Notice. For residents of the EEA – you can find the relevant contact details here. Residents of California, please see California Privacy Rights.

Notice of Right to Opt Out of Sales of Personal Information and Processing/Sharing of Personal Information for Targeted Advertising Purposes

Residents of certain jurisdictions—including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia—have a right to opt out of the “sale” of personal information and disclosures or “sharing” of personal information for certain targeted advertising purposes. To exercise those rights, please visit our Your Privacy Choices on the Site’s footer and follow the instructions there. See the sections on “Cookies” above for more information about how we use cookies and other choices you may have related to those cookies. 

You must opt out on each device and each browser where you want your choice to apply. Your preference may be lost if you clear, or your browser is set to clear, cookies. Please note that if you have a legally-recognized browser-based opt out preference signal turned on via your device browser, we recognize such preference in accordance with applicable law. 

Additionally, we may use non-cookie-based means to disclose or use contact information to enable us and our advertising partners to deliver more relevant (targeted) ads to you (for example to display ads to you on a third-party social media platform) and for other advertising activities. To opt out of such disclosures, please email us at [email protected]

You may utilize an agent to make a request on your behalf. We will ask for written, signed permission that the agent has been authorized to act on your behalf. Even if you opt out, you will still see advertising, but it may be less relevant to you, or it may be personalized for you based only on a more limited set of data. 

“Do Not Track” disclosures

Riskified does not monitor or respond to Do Not Track browser signals. 

Notice regarding children

We do not knowingly collect or solicit Personal Data from anyone under the age of 13. If you are under 13, do not send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us their Personal Data, please contact us at [email protected]

Changes to this notice

You can see when this Notice was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Notice but we will notify you about material updates to this Notice by placing a notice on our Site. 

Contact us

You may contact us with any questions or comments, at:      
By email, to our Data Protection Officer: [email protected]

By email:

[email protected] 

By mail:

Riskified Ltd. 
37 Sderot Sha’ul HaMelech, Tel Aviv, Israel, 6492806     

Riskified, Inc. 
220 Fifth Avenue, Floor 2, New York, NY, USA 10001     

GDPR Representative:

Riskified has appointed Lionheart Squared (Europe) Ltd. as its GDPR Representative in the EEA. You can submit questions and comments pertaining to Riskified’s compliance under the GDPR by email to [email protected] or by mail to Lionheart Squared (Europe) Ltd., 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland.