This privacy policy (the “Policy”) is made by Ravelin Technology Ltd (“Ravelin”, “we” or “us”). Ravelin is committed to ensuring that your privacy is protected. This Policy explains who we are and how we collect, share, and use data. We also include information on how you can exercise your rights and options in relation to your personal data.
This Policy does not describe our collection and use of data in relation to visitors to our website. For information on how we collect and use information via our website, please see our Website Policy.
Ravelin helps businesses (our “Retailers”) detect and address online fraud and other malicious behaviours through integrating our fraud prevention and authentication services (the “Services”) into their websites and mobile applications (“Retailer Platforms”). In order to provide the Services, we need to collect and process information about the end users of Retailer Platforms (“End Users”).
You are not obligated to provide us with your personal data; however, Retailers may require you to provide us with information about you, including personal data, to enable you to complete an order on a Retailer Platform.
Data is collected from Retailers, from our service providers, from publicly available sources and through Retailer Platforms and is used by us to predict and prevent fraudulent and/or other malicious activity in real time. Retailers have control over the information that they share with us and each Retailer shares different information with Ravelin; however, the types of information they may share include:
Personal data such as names, email addresses, postal addresses, user login names or other unique End User identifiers and telephone numbers.
Device information such as login method, device model, operating system, unique identifiers, browser type, mobile network information and IP addresses of devices used to access Retailer Platforms.
Platform usage information including the pages of Retailer Platforms viewed by End Users and details of the items viewed, items bid on, items placed in a shopping cart, and items purchased.
Transaction information such as shipping information, price paid, billing method, credit card BIN number, last four digits of a card number, and whether a chargeback was issued or an order was cancelled.
Location data such as geo-location data collected when an End User accesses a Retailer Platform.
Communication information such as End User feedback and comments, including the contents of private messages and information pertaining to the recipient of those messages.
Cross-referenced data, for example where third-party sources are used to verify and/or enrich the data outlined above.
Certain information about your device or browser may be collected by us when you access a Retailer Platform, such as your IP address or device type. We use tools which automatically send us information when you interact with a Retailer Platform, such as cookies and JavaScript code (a short snippet of code added into the Retailer Platform). You can disable JavaScript and cookies by changing the settings on your browser. Information about the procedure to change the settings is usually found on your browser provider’s website in the help section.
Retailers are responsible for ensuring and maintaining compliance with their own privacy policies and other applicable terms in connection with their use of the Services. Ravelin does not control these settings, so we encourage you to check the information on the Retailer Platform directly to ensure you are aware of any relevant information and to update your preferences.
We collect and store the data described above, including any other relevant metadata which may contribute to our machine learning algorithms as part of the Services we provide to Retailers. We use machine learning to provide fraud risk scores along with evidence, aggregated reporting, insights and analysis to Retailers based on patterns identified in the data. A fraud risk score is an indicator of the likelihood of fraud or malicious activity for a particular event, such as a transaction, refund or use of a promotional code. Retailers use the Services to assist them in preventing fraudulent activity on Retailer Platforms. For example, a fraud risk score can be used to determine whether a particular event should be accepted, challenged or rejected. Whether a particular order is accepted or not is solely at the Retailer’s discretion and Ravelin has no control over this.
We may use the data we collect to:
Provide, maintain, improve, and develop the Services.
Prevent fraud and other malicious activities.
Consider, investigate and communicate with you in relation to any requests, concerns or complaints you contact us about.
Enforce this Policy and prevent misuse of the Services.
Keep our website and Services safe and secure.
Administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
Validate your identity when you are seeking to exercise your privacy rights.
Take any action which may be required or mandated by applicable law.
We will always keep your data safe and never sell your information to third parties. There may be circumstances where the information detailed in this Policy is shared with others for the following reasons:
Service providers
We may share limited information about you with our third party service providers, vendors, or other contractors who provide services to us and with whom sharing the information is necessary in order for them to provide their services - for example, a provider hosting our infrastructure.
Retailers
We may share data about you with Retailers - for example, where Ravelin is providing the Services to a Retailer you have placed an order with or where you have requested access to your personal data from a Retailer.
Data enrichment providers
We may share minimal data about you with third party providers who then enrich data – for example, email addresses or IP addresses. Enriching data enhances the information we have and enables us to make more informed fraud risk assessments and optimise order acceptance for Retailers and End Users. Any information shared with a data enrichment provider will only be used to perform the services they provide and will be shared in compliance with this Policy and any applicable laws.
Retailers’ vendors or other service providers
We may share your information with third party vendors, service providers or other third party contractors of Retailers, strictly where sharing the information is necessary to provide the Services - for example, sending data to the issuing or acquiring bank involved in a transaction.
Professional advisors
We may disclose your personal data to our professional advisors, such as lawyers, bankers, auditors and insurers but only where strictly necessary in the course of the professional services they are providing to us.
Legal purposes
We may disclose your information where we believe it is required by law or in order to exercise our legal rights - for example, we may share your data with a competent law enforcement body, government agency, court or other third party.
Corporate affiliates
We may share your information with Ravelin affiliates (any subsidiary, parent company or company under common control) as necessary to perform the Services and only for the purposes described in this Policy. If Ravelin is involved in an acquisition, merger or sale of its business or assets, your information may be shared or transferred as part of that transaction.
Ravelin relies on valid legal reasons for using personal data. Depending on how you are interacting with Ravelin or the Services, our legal basis will be one of the following:
Legitimate interest – where we collect and use your personal data, or share it as outlined in this Policy because we have a legitimate reason to do so, such as our legitimate interest in preventing fraud.
Keeping to our contracts – where personal data is required to provide our Services and we cannot provide them without this personal data.
Legal obligation – where we are required to do so by law or where we believe it is necessary to protect or enforce our legal rights.
Consent – where we use information about you and you have consented to us doing so for a specific purpose, such as receiving marketing communications from Ravelin.
Your personal data may be transferred, processed and stored in the United Kingdom, United States, Belgium and other countries. We may also process information using cloud services. These countries may have different data protection and privacy laws to the laws of your country and may provide a different level of protection than in your jurisdiction; however, Ravelin takes the necessary steps to ensure that your data is always processed in accordance with this Policy and in line with the requirements of applicable laws.
If you are a resident in the EEA, UK or Switzerland, we will protect your personal data when it is transferred out of your jurisdiction by ensuring that the party receiving the data is either based in a territory which has an adequate level of protection as determined by the relevant authority or using appropriate safeguards to protect your personal data, such as standard contractual clauses.
We will retain your personal data where we have an ongoing legitimate legal reason to keep it and for a length of time consistent with the original purpose it was collected for. The appropriate retention period for personal data will depend on a number of factors, including the reason why it was collected and the amount, nature and sensitivity of the data. We will also consider any applicable legal requirements in relation to data retention.
After data is no longer required for the purpose it was collected for or where you have requested for us to delete the data that we hold about you (unless it is still required to be kept by us and a valid exemption applies), we will either delete or anonymise your personal data. If this is not possible (for example, where the data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until it is possible to delete it.
Depending on where you are a resident, you may have certain rights in relation to the personal data which is held about you. Subject to legal limitations and exemptions that may apply, you may have the right to:
Access the personal data we hold about you (a “data subject access request”).
Correct incomplete or inaccurate data we hold about you.
Ask us to erase the personal data we hold about you.
Ask us to restrict the handling of your personal information.
Ask us to transfer your personal information to a third party.
Object to how we are using your personal information.
Details on how to contact us to exercise any of these rights can be found below in the Exercising Your Rights section of this Policy.
Automated Decision Making
You may have certain rights in relation to how your data is used to make individual automated decisions. Automated individual decision-making is a decision made by automated means without any human involvement. Retailers may use the Services to make decisions, for example about an order or refund, based solely on automated processing. You may have given the Retailer your consent for this, it may be needed to enter into or perform a contract, or the Retailer may be authorised to do this by law. Please direct any questions concerning automated decision-making to the Retailer directly.
Residents of the EEA, UK or Switzerland
If we have collected and processed your personal information with your consent for a specific purpose, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing which occurred prior to your withdrawal and it will not affect the processing of your personal data on lawful grounds other than consent. To withdraw your consent, all you need to do is follow the instructions in the Exercising Your Rights section of this Policy.
You have the right to complain to a data protection authority about our collection or use of your personal data. You can contact your local data protection authority for more information. The contact details for the data protection authorities for residents in:
EEA jurisdictions are available here;
the UK are available here; and
Switzerland are available here.
Residents of California
The California Consumer Privacy Act (“CCPA”) provides Californian residents with specific rights regarding their personal information. This section describes your rights and explains how to exercise them.
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the previous 12 months ("right to know"). Once we receive your request and confirm your identity (see Exercising Your Rights), we will disclose to you:
The categories of personal information we collected about you.
The categories of sources for the personal information we collected about you.
Our business or commercial purpose for collecting or selling that personal information.
The categories of third parties with whom we share that personal information.
The specific pieces of personal information we collected about you.
You have the right to request that we delete any of your personal information that we have collected and retained (the "right to delete"), subject to certain exemptions. Once we receive your request and confirm your identity (see Exercising Your Rights), we will review your request to see if an exemption allowing us to retain the information applies. We may deny your deletion request if an exemption applies and retaining the information is necessary for us or our service provider(s), for example to detect fraudulent activity or comply with a legal obligation.
You may authorise an agent to submit a request to us on your behalf. Please note that before completing any requests, and in addition to our identification verification process, we will need to verify that your agent has been properly authorised to request information on your behalf, which means it may take longer to complete your request.
We will delete or de-identify personal information not subject to an exemption from our records and will direct our service providers to take similar action.
We do not “sell” information, as sales are defined under applicable laws. We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of the rights or options described above, please submit a request to us by emailing us at privacy@ravelin.com.
The request should include your contact information and describe your request in enough detail to allow us to understand, evaluate, and respond to it. You should provide sufficient information that allows us to verify that you are the person about whom we collected the personal data or that demonstrates you are a properly appointed representative. We may need to request additional information in order to verify your identity and we will not be able to honor a request if we cannot verify your identity or authority to make the request.
We will respond to all requests we receive from data subjects wishing to exercise their rights and treat each request according to the requirements of the applicable jurisdiction.
We may update this Policy from time to time in response to changing legal, technical or business developments. Any changes we make to this Policy in the future will be posted on this page and if necessary, notified to you. You can see when this Policy was last updated by checking the “last updated” date displayed at the bottom of this Policy.
You can contact our Data Protection Officer with any questions or concerns about this Policy or our practices at:
Ravelin Technology Ltd
Attn: DPO
5th Floor, 174 - 180 Old Street
London, England
EC1V 9BP
Email: privacy@ravelin.com
We have appointed Ravelin Technology Ireland as our EU Representative, who you can contact at eu.representative@ravelin.com
This Policy was last updated: 23/08/2022