Privacy Policy

This Notice is made by Ravelin Technology Ltd (“Ravelin”, “we” or “us”). Our registered office is located at Classic House, 174-180 Old Street, LONDON, EC1V 9BP, United Kingdom.

Ravelin provides businesses (our “Retailers” or “Customers”) solutions to detect and address online fraud and other malicious behaviours through integrating fraud prevention and authentication services (the “Services”) into their websites and mobile applications (“Retailer Platforms”). To provide these services, it is necessary for us to gather and handle information about the end users of Retailer Platforms (“End Users”).

Most of the End User personal data that we process has been directly provided to us through interfaces with Retailer Platforms for the purposes of predicting and preventing fraudulent and/or other malicious activity in real time. These checks require them and us to process personal data about you.

Ravelin also collects personal data about End Users, from third parties. These third parties include publicly available source and our service providers (information exchanges, and data enrichment providers) to support the provision of our services in a number of ways:

• To identify suspicious activities (e.g. online identifiers match those of a known fraudster);

• To analyse behavioural patterns (e.g. an End Users browser location suddenly changes, or transaction from an unusual location or at an unusual time of day);

• To verify End User information (e.g. Third party data can assist with verifying a user during account creation).

The use of third-party data provides a comprehensive view of user activity and helps us identify and prevent online fraud – this also provides the End Users with the following benefits:

• Protection from financial losses – Ravelin helps to protect End Users from financial losses by detecting and preventing fraudulent transactions

• Increased security – the Services enhance the security of the End User accounts by detecting suspicious activity and using it to verify the legitimacy of a transaction; and

• A quicker checkout process – Our checks minimise the impact to End Users as transactions are queried when marked for review.

Retailers have control over the information they share with us – to see the types of information they may share, please see the next section.

Retailers are responsible for ensuring and maintaining compliance with their own transparency requirements and applicable terms in connection with their use of our Services. Ravelin does not control these settings, so we encourage you to check the information on the Retailer platform directly to ensure you are aware of any relevant information and to update your preferences.

The categories of personal data that we may process about you and our purposes for doing so are set out in the table below. The table also identifies our lawful basis for the processing and on the occasion where Retailers provide any special categories or personal data (by way of information contained within the transaction, platform usage, messages or comments or reviews) the condition for processing special categories of data.

It may also be necessary for us to process your personal data other purposes that may be required under a legal obligation or further legitimate interests:

• To consider, investigate and communicate with you in relation to any requests, concerns or complaints you contact us about;

• To enforce this Notice and prevent misuse of the Services;

• To keep our website and Services safe and secure;

• To administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

• To validate your identity when you are seeking to exercise your privacy rights; and

• To take any action which may be required or mandated by applicable law.

We collect and process your data, alongside relevant metadata that can help improve our machine learning algorithms. These are necessary for us to provide the Services to Retailers. By using machine learning, we can give Retailers fraud risk scores and provide evidence, reports, insights, and analysis based on patterns we find in the data.

Our platform has been designed to ensure that humans can intervene where necessary when making decisions based on our automated data processing. A fraud risk score is a measure of how likely a particular event, like a transaction, refund, or use of a promotional code, is to involve fraud or other malicious activity. Retailers use our Services to help prevent fraudulent activity on their platforms. For example, a fraud risk score can be used to decide whether to accept, challenge, or reject an online order.

Although our platform may provide a recommendation, it is up to the Retailer to determine how they wish to use that recommendation. Ravelin does not have any authority over this decision-making process. Please direct any questions concerning automated decision-making to the Retailer directly.

The purposes for which we share personal data relating to End Users with trusted third parties are set out below.

A) Service providers

To ensure effective provision of services by our third-party service providers, vendors, and contractors, we may need to share some of your information with them. This limited sharing of information is necessary for them to provide their services to us, such as hosting our infrastructure.

B) Retailers

We may share data about you with Retailers - for example, where Ravelin is providing the Services to a Retailer you have placed an order with or where you have requested access to your personal data from a Retailer.

C) Data enrichment providers

We may share minimal data about you with third party providers who then enrich data – for example, email addresses or IP addresses. Enriching data enhances the information we have and enables us to make more informed fraud risk assessments and optimise order acceptance for Retailers and End Users. Any information shared with a data enrichment provider will only be used to perform the services they provide and will be shared in compliance with this Notice and any applicable laws.

D) Retailers’ vendors or other service providers

We may share your information with third party vendors, service providers or other third party contractors of Retailers, strictly where sharing the information is necessary to provide the Services - for example, sending data to the issuing or acquiring bank involved in a transaction.

E) Professional advisors

We may disclose your personal data to our professional advisors, such as lawyers, bankers, auditors and insurers but only where strictly necessary in the course of the professional services they are providing to us.

F) Legal purposes

We may disclose your information where we believe it is required by law or in order to exercise our legal rights - for example, we may share your data with a competent law enforcement body, government agency, court or other third party.

G) Corporate affiliates

We may share your information with Ravelin affiliates (any subsidiary, parent company or company under common control) as necessary to perform the Services and only for the purposes described in this Notice. If Ravelin is involved in an acquisition, merger or sale of its business or assets, your information may be shared or transferred as part of that transaction.

Data Storage, Transfers and Retention

Your personal data may be transferred, processed, and stored in the United Kingdom, United States, Belgium and other countries. We may also process information using cloud services. These countries may have different data protection and privacy laws to the laws of your country and may provide a different level of protection than in your jurisdiction, however Ravelin takes the necessary steps to ensure that your data is always processed in accordance with this Notice and in line with the requirements of applicable laws.

If you are a resident in the EEA or Switzerland, we will protect your personal data when it is transferred out of your jurisdiction by ensuring that the party receiving the data is either based in a territory which has an adequate level of protection as determined by the relevant authority or using appropriate safeguards to protect your personal data, such as the standard contractual clauses issued by the European Commission. For the UK residents` data, we will rely on the standard contractual clauses issued by the Information Commissioner’s Office (ICO).

We will retain your personal data where we have an ongoing legitimate legal reason to keep it and for a length of time consistent with the original purpose it was collected for. The appropriate retention period for personal data will depend on a number of factors including, the reason why it was collected, the amount, nature and sensitivity of the data. We will also consider any applicable legal requirements in relation to data retention.

After data is no longer required for the purpose it was collected for or where you have requested for us to delete the data that we hold about you (unless it is still required to be kept by us and a valid exemption applies), we will either delete or anonymise your personal data. If this is not possible (for example, where the data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until it is possible to delete it.

Residents of the UK, EEA, or Switzerland

In any circumstances where we have relied on your consent to process your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. This will not affect the lawfulness of any processing carried out before you withdrew your consent. You also have the following rights:

• to obtain access to your personal data - you may request information on how your personal data is handled by us and request a copy of such personal data;

• to request us to correct or update your personal data if it is inaccurate or out of date;

• to object to the processing of your personal data for the purposes of our legitimate interests, unless we:

  • demonstrate compelling legitimate grounds which override your right to object, or

  • the processing is necessary for the establishment, exercise or defence of legal claims;

• to erase your personal data held by us:

  • which are no longer necessary in relation to the purposes for which they were collected,

  • to the processing of which you object, or

  • which may have been unlawfully processed by us;

• to restrict processing by us, i.e. the processing will be limited to storage only:

  • where you oppose deletion of your personal data and prefer restriction of processing instead, or

  • where you object to the processing by us on the basis of its legitimate interests; and

• to transmit personal data you submitted to us back to you or to another organisation in certain circumstances.

• to have a right not to be subject to a decision based solely on automated processing;

  • Automated decision-making refers to a decision made entirely by automated means without any input from humans. Retailers can use this technology to make decisions about orders or refunds without involving humans. If a decision made by automation is challenged and requires human review, the retailer should always be contacted directly for assistance.

Please note, these rights are not absolute and are subject to various conditions under:

• applicable data protection and privacy legislation; and

• the laws and regulations to which we are subject.

Should you wish to exercise the rights accorded to you by data protection laws as described out above, please contact us via the means identified below in section entitled ‘Contact Information’. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You have the right to make a complaint at any time to the UK supervisory authority for data protection issues, for example, if you are not happy with how Ravelin processes your personal data or we fail to provide you with a satisfactory resolution to your request.

• The UK supervisory authority is the Information Commissioner's Office (ICO), whose website is available at https://ico.org.uk/global/contact-us/

• EEA jurisdictions are available here;

• Switzerland jurisdictions are available here.

Residents of California

Privacy Disclosures

Under the California Consumer Privacy Act of 2018 and any subsequent amendments including the California Privacy Rights Act of 2020 (collectively, “CCPA”), California residents are entitled to the following disclosures about our data processing. These disclosures apply solely to Users who live in the State of California (“California Residents”). All terms used in this section have the same meaning as when used in the CCPA. California Residents may also review our Notice at Collection for our Website Privacy Notice available here.

• In the preceding 12 months, we have collected the categories of Personal Data: identifiers, personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)); commercial information; and internet or other similar network activity. The purposes for which we have collected Personal Data and the sources of that information are described above in Section(s) 3 and 4 above - “How We Source Your Personal Data” and “Categories of Personal Data We Process, Our Purposes for Processing”.
  

• In the preceding 12 months, we have disclosed Personal Data for a business purpose as detailed in Section 6 “Sharing Data” section above.

Further details about the use of cookies and related tracking technologies, including the rights afforded to you, can be found in our Website Privacy Notice.

CCPA/CPRA Rights

California Residents are afforded the following rights:

• to delete your personal information, unless we:

  • can prove this to be impossible;

  • it involves disproportionate effort; or

  • it is reasonably necessary for us to maintain records in order to:

    • fulfil the transaction(s) for which the personal information was collected;

• to correct inaccurate personal information held about you;

• to know what personal information is sold or shared and to whom (this right is fulfilled with the information provided within this Notice); and (1798.110.c.5);

  • to request specific pieces of information from us.

• to opt out of the sale or sharing of your personal information;

• to limit use and disclosure of sensitive personal data; and

• to no retaliation following opt-out or exercise of other rights

Rights requests shall be reviewed to see if an exemption allows us to retain the information. We may deny your deletion request if an exemption applies and/or if retaining the information is necessary for us or our service provider(s), for example to detect fraudulent activity or comply with a legal obligation. We will delete, de-identify or limit the scope of personal information not subject to an exemption from our records and will direct our service providers to take similar action.

To exercise any of the rights or options described above, please submit a request to us by emailing us at privacy@ravelin.com

The request should include your contact information and describe your request in enough detail to allow us to understand, evaluate, and respond to it. You should provide sufficient information that allows us to verify that you are the person about whom we collected the personal data or that demonstrates you are a properly appointed representative. We may need to request additional information in order to verify your identity and we will not be able to honour a request if we cannot verify your identity or authority to make the request.

We will respond to all requests we receive from data subjects wishing to exercise their rights and treat each request according to the requirements of the applicable jurisdiction.

We are committed to ensuring the safety and security of your personal data. As such, we adhere to strict Information Security standards and have obtained audited certifications for ISO 27001 and PCI DSS. Our technical and organisational measures are designed to protect personal data we process about you against any unauthorised access, disclosure, alteration, and destruction.

Questions, comments and requests regarding this Notice may be emailed to our Data Protection Officer privacy@ravelin.com or sent by post to: Data Protection Officer, Ravelin Technology Ltd, 5th Floor, 174 - 180 Old Street, London, England, EC1V 9BP

If you reside within the EU, you may contact our European Union representative by email to eu.representative@ravelin.com

If you believe we have not complied with our obligations under applicable data protection laws and regulations, you can lodge a complaint with a competent data protection authority.

We may update this Notice from time to time in response to changing legal, technical or business developments. Any changes we make to this Notice in the future will be posted on this page and if necessary, notified to you. You can see when this Notice was last updated by checking the “last updated” date displayed at the bottom of this Notice.