Signifyd’s “Services and Product” privacy notice

Last updated: April 8, 2024

This Services and Product Privacy Notice (the “Notice”) describes the data practices that Signifyd, Inc. and its affiliates (collectively, “we,” “us,” “our” or “Signifyd”) follow in connection with its provision of fraud and abuse detection products and services to its Subscribers.

Please note that this Notice does not describe our collection and use of data when visitors access our website www.signifyd.com. For information on how we process data collected through our website, please visit our Website Privacy Notice.

Introduction on Signifyd and how we process data

Signifyd is a global company that provides fraud and abuse detection products and services (the “Services”) designed to help e‑commerce merchants and platforms who subscribe to our Services (our “Subscribers”) detect and prevent fraud and abuse on their websites, mobile applications and other digital assets (the “Subscriber Storefronts”). We do this by using our proprietary machine learning technology.

In order to provide the Services to our Subscribers, we need to collect and process certain information about individuals who interact with their Subscriber Storefronts as end users (“End Users”). Through our User Data License (see our Terms in Section 9.2), our Subscribers provide us with data and information about End Users and their interactions on their Subscriber Storefronts through our Application Programming Interfaces (APIs). We also collect behavioral, device and connection data through standard tracking technologies (our JavaScript and mobile SDK), which are embedded on the Subscriber Storefronts (collectively, “End User Data”). End User Data may include Personal Data, which includes data that identifies an End User and as described in further detail in this Notice.

Once we have collected relevant End User Data, we process this data through our machine learning platform to return a recommendation to our Subscribers as to whether to approve or decline a transaction or other event (e.g., an account signup or login event or abuse of a Subscriber’s policies), or make a recommendation (e.g., for additional verification), on a particular Subscriber Storefront. In addition to these decisions, we provide our Subscribers with aggregated reporting and insights into transactions and other relevant events on their Subscriber Storefronts.

Our recommendations, reporting and insights are used by our Subscribers to assist them in detecting and preventing fraud and abuse on their Subscriber Storefronts. It is ultimately up to our Subscribers to decide what action to take or not to take using the information and insights we provide.

We also use End User Data (including Personal Data) across our network of Subscribers to improve our modeling and algorithms and to provide more accurate recommendations for all of our Subscribers. While we use End User Data for such purposes, we never disclose End User data between our Subscribers.

What type of Data we collect from End Users

1. Information provided by our Subscribers:

Our Subscribers provide us with information about End Users and their interactions on their Subscriber Storefronts through our Application Programming Interfaces (APIs) (described below). Our Subscribers ultimately decide what Personal Data to send to us for use in connection with the Services. While the exact nature and scope of Personal Data sent to us by our Subscribers through our APIs will vary depending on the particular Services provided, Personal Data sent by our Subscribers about their End Users via our APIs typically includes the following:

• Contact information: this includes information such as name, phone number, email and mailing address.
• Transaction data: this includes information about a transaction attempted or completed on a Subscriber Storefront, including name, email address, billing and shipping mailing addresses, items purchased, price paid, order status and chargeback information. We also receive basic information about an End User’s payment and billing method, but we do not receive the full credit card number or Payment Card Industry (“PCI”) sensitive information and we do not process End User Data to evaluate creditworthiness.
• Account information: this includes information about End Users’ account and preferences on a Subscriber Storefront.
• Browser, device and connection data: this includes information about the personal computer or mobile device End Users’ use to access the Subscriber Storefronts. Such information may include technical information transmitted by the device, including certain software and hardware information such as the browser used to access the Subscriber Storefront, the device model and operating system, unique device identifiers, geolocation data when relevant to a card-not-present transaction and the Internet Protocol (IP) address through which you accessed the Subscriber Storefront.

In some cases, our Subscribers may use a third party plugin (e.g. Shopify) to connect to our Services. We are not responsible for information disclosed to that third party plugin and we encourage Subscribers to review the privacy practices of those third party plugins before using them.

2. Information we automatically collect on Subscriber Storefronts:

We use standard tracking technologies (described below) to automatically collect certain behavioral, device and connection data regarding End Users who interact with Subscriber Storefronts.

Our Subscribers ultimately decide what pages on their Subscriber Storefronts to embed our tracking technologies. While the exact nature and scope of Personal Data that is automatically collected by us through our tracking technologies will vary depending on the Services provided to a Subscriber, Personal Data collected through our tracking technologies typically includes the following:

• Browser, device and connection data: this includes information about the personal computer or mobile device used to access the Subscriber Storefronts. Such information may include technical information transmitted by the device, including certain software and hardware information such as the browser used to access the Subscriber Storefront, the device model and operating system, unique device identifiers, geolocation data when relevant to a card-not-present transaction and the Internet Protocol (IP) address through which Subscriber Storefront was accessed.
• Behavioral data: this includes information regarding activity on a Subscriber Storefront, such as the time and frequency of access, the referrer page domain, pages viewed.

We may use the following standard tracking technologies on our Subscriber Storefronts. Which of the below technologies a Subscriber ultimately integrates with depends on the nature of the Services provided.

• JavaScript: a JavaScript code is a tiny snippet of code inserted into the content of a Subscriber Storefront. This allows Signifyd to collect the information described above.
• Mobile SDKs: mobile SDKs (or “software development kits”) are blocks of code embedded into the mobile version of a Subscriber Storefront. This allows Signifyd to collect the information described above.
• ReCAPTCHA: we may place an invisible reCAPTCHA code on a Subscriber Storefront, solely for the purposes of fraud prevention and abuse detection, which is subject to the Google Privacy Policy and Terms of Use.
• Information collected from third party data enrichment providers: in some cases, we may combine or enhance the information we collect about End Users (via our APIs and tracking technologies) with information we receive from third party data enrichment providers. For example, we may receive information from third parties regarding the IP Address associated with an order, the type of device from which an order was placed and complementary details about an order’s email and billing/shipping address.

How we use data collected

When a Subscriber asks us to review an order that an End User placed on a Subscriber Storefront, we review the data relating to that activity. We use End User Data to provide the Subscriber with a fraud analysis indicating whether or not the order is, in our assessment, a fraudulent or legitimate online transaction. Depending on the Services used, it is at the discretion of the Subscriber to accept or decline that order.

How we use your data and legal basis for processing

For purposes of applicable EU data protection laws, Signifyd acts as an independent Controller of Personal Data. We rely on our legitimate interests in detecting and preventing fraud and abuse as the legal basis for our processing of Personal Data. We only use Personal Data (i) to provide the Services to our Subscribers and (ii) to improve the Services to provide more accurate recommendations for our Subscribers. We may also use Personal Data to comply with our legal obligations. We do not disclose End User Data between our Subscribers.

Additional uses for data collected

We also use information collected for the following purposes:

• Improving, operating and enhancing the Services;
• Statistical analysis of End User activities at an aggregate level;
• Understanding and analyzing the usage trends and preferences of our Subscribers, to improve the Services and to develop new products, services, features and functionality;
• Administrative purposes such as providing customer service or sending communications, including messages about changes to our terms and conditions;
• Achieving business purposes, such as account verification, audits, security, compliance with applicable laws and regulations, fraud monitoring and prevention;
• Enforcing our Terms or contractual Agreements, or as necessary to establish, exercise or defend legal rights;
• Maintaining a record of our dealings with Subscribers and/or End Users;
• Handling requests and complaints;
• Preventing the fraudulent use of our Services;
• Taking any action needed in case of disputes that are related to the Services;
• Any other action that may be mandated by law or undertaken in good faith to protect our legal rights and property and/or those of third parties;

Automated decision-making

The proprietary machine learning technology that powers our Services relies on the automated processing of Personal Data to evaluate certain personal aspects relating to End Users, in particular to detect and prevent fraudulent and abusive behavior on the Subscriber Storefronts. This means that our recommendations to our Subscribers as to whether to approve or decline a transaction or other event on a Subscriber Storefront as part of the Services is initially made without human review or intervention. However, Signifyd’s machine learning technology is continuously monitored by our data science team and certain transactions may be subject to human review. In addition, our Subscribers can provide and review decisions through our Services and/or with our risk intelligence team.Depending on the Service, the Subscriber Storefront may, at its own discretion, use Signifyd’s Services to make a decision on whether to accept or decline an order based solely on automated processing. Please direct inquiries concerning approval of an order based solely on automated means to the Subscriber Storefront.

Data disclosed

When providing the Services, we may disclose insights to our Subscribers, such as whether a payment transaction is legitimate or potentially fraudulent (e.g., an account signup or login event or abuse of a Subscriber’s policies), to help Subscribers determine whether to approve or decline a transaction or other event. Personal Data disclosed to Subscribers is based on the Personal Data they have already provided to us to create these insights.

Data disclosures to third parties:

• Signifyd Affiliates: we may disclose Personal Data between and among Signifyd, Inc. and its affiliates.
• Trusted third party service providers: we use trusted third party service providers to assist us in providing the Services (e.g. infrastructure providers such as Amazon Web Services and Google Cloud Platform). Such third parties contractually commit to protecting the security and confidentiality of Personal Data.
• Data enrichment providers: we may disclose Personal Data to trusted third parties (e.g., location data or identity verification providers) for data enrichment purposes. Enriching the Personal Data allows us to cross-reference, verify and enhance the accuracy of the data we collect. When we disclose Personal Data to our data enrichment providers, we disclose this as disaggregated data points and require that such data is only used for the purpose of providing a service to us and not for any other purpose.
• Financial Partners: Signifyd may partner with certain financial entities, such as banks, card networks and/or payment processors and may provide them with elements of Personal Data as well as Signifyd’s derived intelligence data (e.g. our transaction score) in order to authorize more transactions.

We may also disclose Personal Data to third parties if we believe in good faith that the disclosure of such data is necessary to: (i) comply with applicable law or a request from a court, regulator or other governmental entity; (ii) enforce our contractual rights and our policies, including in connection with investigations of potential violations thereof; (iii) establish or exercise our rights to defend against legal claims; or (iv) enforce our intellectual property or other legal rights.

Additionally, we may disclose Personal Data to third parties in connection with an actual or contemplated corporate transaction involving Signifyd, such as a merger, acquisition, divestiture, reorganization, financing or sale of some or all of our assets, as well as in connection with an insolvency, bankruptcy or similar proceeding involving us. Any entity that acquires us (in whole or in part) shall be permitted to continue to use Personal Data as set forth in this Notice and shall assume our rights and obligations with respect to Personal Data, as described herein.

Non-Personal Data: We may use the information we collect to compile aggregated or anonymized information. We may disclose anonymized or aggregated information to any third parties at our discretion.

How we safeguard data

We implement industry standard measures to reduce risks caused by the potential loss of information, unauthorized access or use of information. However, no measure can provide absolute information security and, we cannot provide protections beyond what is within our reasonable control.

How long we retain data

The Personal Data we collect is retained only for as long as necessary to provide the Services or any newly developed Services under this Notice, or if it is required by us to establish, exercise or defend against legal claims or comply with legal obligations. When we dispense with the data, it is either deleted from our systems or anonymized.

Information for international users

Data transfers

We may transfer Personal Data outside of an End User’s country of residence, including to the United States and other countries where we and our third-party service providers operate. Where we do so, we comply with applicable laws in relation to such transfer.

EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework

Signifyd complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Signifyd has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Signifyd has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the Data Privacy Framework, Signifyd commits to resolve complaints about our collection or use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Signifyd at [email protected]. Signifyd has further committed to refer unresolved complaints to the American Arbitration Association (“AAA”), an alternative dispute resolution provider located in the United States, which could reach a binding decision. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit AAA for more information or to file a complaint. The AAA Rules and filing forms are available online at www.adr.org, by calling the AAA at 1-800-778-7879. For residual complaints not fully or partially resolved by other means, you may be able to invoke binding arbitration as detailed here.

Your information rights

Depending on your jurisdiction of residence, you have certain rights with respect to your Personal Data, which may include the right to:

• Access the Personal Data we have about you;
• Correct any Personal Data we hold about you that may be inaccurate;
• Request that we delete your Personal Data;
• Restrict or object to the processing of your Personal Data;
• Transfer Personal Data to another organization (subject to certain conditions); and
• Withdraw your consent to us processing your Personal Data, where consent was previously provided and was the legal basis on which we relied for our processing of Personal Data.

If you request these rights, we may need to verify your identity for security and to prevent fraud.

To exercise these rights, please click here to access the Data Subject Access Request form or email us at [email protected].

Please note, however, that certain information may be exempt from such requests, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. Depending on applicable law, you may have the right to appeal our decision to deny your request. If we deny your request, we will provide you with information on how to appeal the decision, if applicable, in our communications with you.

Personal Data Sales / Sharing Opt-Out. We do not “sell” or “share” information obtained from our Subscribers and about their End Users, as such terms are defined under applicable law.

Information for California residents

If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to provide you with the following additional information about: (1) the purpose for which we use each category of Personal Data (statutorily called “Personal Information”) we collect; and (2) the categories of third parties to which we (a) disclose such Personal Data for a business purpose, (b) “share” Personal Data for “cross-context behavioral advertising,” and/or (c) “sell” such Personal Data. Under the CCPA, “sharing” is defined as the targeting of advertising to a consumer based on that consumer’s Personal Data obtained from the consumer’s activity across websites and “selling” is defined as the disclosure of Personal Data to third parties in exchange for monetary or other valuable consideration.

Categories of Personal Data collected and disclosed

The table below describes the categories of Personal Data we have collected from our Subscribers in the past twelve months and the categories of third parties to whom we disclose such Personal Data for a business purpose.

Categories of Personal Data collected	Purposes of use	Categories of third parties to whom the business discloses Personal Data
Contact Information	Business Operations Customer Service Legal Purposes Communication with Subscribers / End Users	Affiliates Third Party Service Providers Data Enrichment Providers Financial Partners
Demographic Information	Business Operations Customer Service Legal Purposes	Affiliates Third Party Service Providers Data Enrichment Providers
Financial/Commercial Information	Business Operations Customer Service Legal Purposes	Affiliates Third Party Service Providers Data Enrichment Providers Financial Partners
Geolocation Data	Business Operations Customer Service Legal Purposes	Affiliates Third Party Service Providers Data Enrichment Providers
Inference Data	Business Operations Customer Service Legal Purposes	Affiliates Third Party Service Providers Data Enrichment Providers Financial Partners
Internet Network or Device Information	Business Operations Customer Service Legal Purposes	Affiliates Third Party Service Providers Data Enrichment Providers

 

For more information about each category of Personal Data, purpose of use and third parties to which we disclose Personal Data, please see the “Information We Collect,” “How We Use Your Information” and “How We Disclose Your Information” sections of this Notice.

CCPA Rights. This section describes the rights that California Residents have and explains how to exercise those rights.

Right to Know About Personal Data Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your Personal Data over the past 12 months. Once we receive and confirm your verifiable consumer request and subject to certain limitations that we describe below, we will disclose such information to you. You have the right to request any or all of the following:

• The categories of Personal Data we collected about you.
• The categories of sources from which the Personal Data is collected.
• Our business or commercial purpose for collecting or selling that Personal Data.
• The categories of third parties with whom we share that Personal Data.
• The specific pieces of Personal Data we collected about you.

Right to Request Deletion or Correction. You have the right to request that we delete any of your Personal Data that we collected from you and retained, or correct Personal Data that is inaccurate, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete or correct your Personal Data. However, we may deny a deletion request if retaining the information is necessary for us in order to perform certain actions permitted by applicable law, specifically such as detecting data security incidents or protecting against fraudulent or illegal activity. Therefore, we may retain your Personal Data despite such requests. We may also deny a correction request if the information we have about you is already accurate.

Exercising Access, Correction and Deletion Rights. To exercise the access and deletion rights described above, please click here to access the Data Subject Access Request form or email us at [email protected].

Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child.

The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it. In addition, you should provide sufficient information (including, at minimum, your name, address and e-mail address) that allows us to reasonably verify that you are the person about whom we collected the Personal Data or an authorized representative.

We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing.

Personal Data Sales/Sharing Opt-Out. We do not “sell” or “share” information obtained from our Subscribers and about their End Users, as such terms are defined under the CCPA.

If we ever offer any financial incentives in exchange for your Personal Information, we will provide you with appropriate information about such incentives.

Sensitive Personal Data: The CCPA also allows California Residents to limit the use or disclosure of “sensitive personal information” (as defined in the CCPA) if your sensitive personal information is used for certain purposes. Please note that we do not use or disclose sensitive personal information other than for business purposes for which you cannot opt out under the CCPA.

Non-Discrimination. We will not discriminate against you for exercising any of your legal rights.

Retention of Your Personal Information. Please see the “Retention” section above.

California “Shine the Light” disclosure. The California “Shine the Light” law gives residents of California the right under certain circumstances to opt out of the disclosure of certain categories of Personal Data (as defined in the Shine the Light law) to third parties for their direct marketing purposes, or in the alternative, that we provide a cost-free means for consumers to opt out of any such disclosure. We do not currently disclose Personal Data to third parties for their own direct marketing purposes.

Children

Our Services are not directed to children or under the age of 16 and we do not knowingly collect Personal Data from children under the age of 16. If we learn that we have collected Personal Data from a child under the age of 16 on our Services, we will delete that information as quickly as possible. If you believe that we may have collected any such Personal Data on our Services, please notify us at [email protected].

Updates to this Notice

We reserve the right to amend this Notice, from time to time, in our sole discretion. When we do, we will also revise the “last updated” date at the beginning of this Notice. The most current version of this Notice will always appear on our Website. We may also provide you with additional notice of changes where required by law, which may include notification via email or in the Services. The continued use of our Services after such changes will mean that you accept the revised Notice. We encourage you to periodically review this Notice to stay informed about how we collect, use and disclose Personal Data.

Contacting us

If you have any questions, comments or concerns about this Notice, or if you would like to exercise your rights in relation to your Personal Data, please contact us using the following contact information:

Signifyd, Inc.
Attn: Signifyd Privacy Issues
99 Almaden Blvd., 4th floor
San Jose, CA 95113
[email protected]
Tel: (866) 220-1415

Please note, the role and department responsible for compliance with the obligations under this Notice is:

Data Protection Officer
Signifyd, Inc.
99 Almaden Blvd., 4th floor
San Jose, CA 95113
[email protected]
Tel: (866) 220-1415

You may contact our European Local Representative as required under Art. 27 GDPR as follows:

Managing Counsel
Signifyd, Inc.
Buzón 109
C/ Pizarro 20 — Local
28004 Madrid

Prior Privacy Policy Versions:
April 20, 2018 to August 15, 2019
August 16, 2019 to January 30, 2023
January 31, 2023 to September 19, 2023
September 20, 2023 to February 9, 2024
February 10, 2023 to April 7, 2024

California Privacy Notice: July 6, 2021 to January 30, 2023
GDPR Policy: April 20, 2018 to January 30, 2023

Brazil Privacy Policy: August 20 2021 – January 30, 2023
Mexico Privacy Policy: December 19, 2019 to January 30, 2023