CCPA Privacy Policy (Credolab Supplemental Privacy Statement for California Consumers)

Bahasa - Indonesia

GDPR Privacy Policy

PDPA Privacy notice (Singapore)

iovation Anti-fraud Privacy Policy

CredoLab Website Cookie Policy

CCPA Privacy Policy (Credolab Supplemental Privacy Statement for California Consumers)

CCPA Privacy Policy (Credolab Supplemental Privacy Statement for California Consumers)

 

Effective Date: March 24, 2022

 

Background

Credolab Inc. ("CredoLab", "we", "us" or "our") takes the protection and security of your personal data very seriously.

If you are a California Consumer, this Supplemental Privacy Statement (“Statement”) also applies to you and appends the terms of our Privacy Policy.

 

Please read this Statement if and when an organisation of your choice (our customer) has assigned to us your consent to access your personal data as a part of the services we provide to them.

 

Capitalised terms used but not defined herein, shall have the meanings ascribed to such terms in California Civil Code § 1798.100, et seq. (together with the regulations thereunder, the “CCPA”), as applicable.

This Statement reflects our good faith understanding of the law and our data practices as of the date posted (set forth above). Accordingly, we may from time-to-time update information in this Statement and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

 

If you have any questions about how we use your personal data, please contact our Data Protection Officer by email at privacypolicy@credolab.com.

 

We have offices in several locations, and our registered office address is at 625 E. Twiggs St., Ste. 1000 Tampa, Florida 33602. Our FEIN No. is 87-1093616.

 

This Statement addresses the following topics:

  • Purpose for collecting data;
  • How we collect data;
  • What data we collect;
  • California Consumer privacy rights.

Purpose for collecting data

Your User’s Data may be collected for the purpose of helping financial and other organisations to produce real-time credit decisions based on our alternative credit score (the “Purpose”). We provide this alternative credit score only in relation to the service that you are applying for at the organisation of your choice (our customer). We use mobile and web device metadata and/or personal information (“personal information” or “PI”) to produce the alternative credit score via our proprietary technology. This includes highly sophisticated algorithms and predictive analytics applied to metadata accessed via our mobile applications(CredoApp and CredoApply), a mobile SDK (CredoSDK), and a Web JavaScript (WebSDK). We do NOT share your alternative credit score with any third party other than the organisation of your choice (our customer).

 

How we collect data

Your User’s Data may be collected directly from you in three ways:

  • When you download our application (CredoApp, CredoApply); or
  • When you use the mobile application of the organisation of your choice (our customer) that has embedded CredoLab’s mobile technology(CredoSDK); or
  • When you use the web page of the organisation of your choice (our customer) that has embedded CredoLab’s web technology (CredoWeb).

 

What data we collect

We may collect the following categories of User’s Data about you:

  • On mobile phone, - history of SMS messages, contacts, calendars, list and storage of applications, and registered accounts which might include social accounts, and installed applications, in some cases for the provision of Anti-Fraud Services as a reseller of iovation, including the detection of TOR and VPN type of applications. The core purpose of these types of applications detection, involves a financial-transaction functionality (for example, dedicated banking, dedicated digital wallet) and obtaining broader visibility into installed applications solely for security-based purposes.
  • On web device, - device hardware type, operating system, language, keystroke patterns and similar information.

 

This still may sound complex, so an example is often the easiest way to explain:

  • You are going to receive a credit and/or other financial services from a financial organisation of your choice (our customer).
  • In order to provide you with financial service, the financial organisation of your choice needs to assess your creditworthiness.
  • At our customer’s request, CredoLab collects specific personal information and/or metadata from your mobile/web devices (via our products and services) (the “User’s Data”) and processes this User’s Data with CredoLab’s proprietary technology.
  • We pass your alternative credit score (but in no event your personal data) to an organisation of your choice (our customer).
  • Financial organisation of your choice (our customer) then decides how it will respond to you, e.g. provide you specific financial service(loan, credit card etc.), decline your request etc.
  • CredoLab does not have visibility on, nor can we influence how financial organisation of your choice responds to you.

California Consumer privacy rights

Due to how CredoLab process data, your Personal Information is pseudonymised, therefore it is not possible for CredoLab to identify you as an individual.

Therefore, to exercise any of your rights outlined below, you have to consult with the organisation you have been interacting with (our customer). You will be asked to provide your name, email address, country of residence, state, and request details. A confirmation email shall be sent to the email address you provide to begin the process to verify your identity. To protect your privacy and security the organisation you have been interacting with may require verification of your identity to a high degree of certainty based on information they already have about you. If you cannot meet that standard, we, together with the organisation you have been interacting with, will treat your request as a “categories request” as explained in the next section.

 

The organisation you have been interacting with (our customer) will be able to provide CredoLab with information to assist in exercising the rights listed below (“Rights”).

 

1)   Right to Know:

  • Specific Pieces: You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected and are maintaining for the period that is 12 months prior to the request date. To protect your security and the rights of others, we may not be able to provide you all of the PI we may have on you.
  • Categories: California Consumers have the right, no more than twice in a twelve-month period, to request that we disclose the categories of PI collected in the prior 12 months; the categories of sources from which such PI is collected; the purpose for such collection or its sale (if applicable); the categories of third parties with which the businesses shares such PI, and, for each category of such PI, the categories of recipients of business purposes disclosures and, if applicable, of sales.

 

2)   Right to Delete

  • Except to the extent we have a basis for retention under the CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and provide services you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement.
  • Rather than exercising a deletion request, you may alternatively exercise more limited control of your PI by instead opting out of e-mail marketing communications by following the unsubscribe instructions on the footer of those emails.

3)   “Do Not Sell My Personal Information”

While California law also allows for California residents to opt-out of the sale of their PI, we do not sell PI of California Consumers as those terms are defined by the CCPA.

 

4)   Verification Process

When you submit a request to know or delete your PI to the organisation you have been interacting with(our customer), that organisation is required to verify your request to ensure that the request is not fraudulent (“Verifiable Consumer Request”)”. Thus, upon receiving your request the organisation shall take measures to verify that the request is legitimate. These verification efforts may require additional information from you which may include information you have provided us in the past. For instance, if you have previously provided your name to them, they may ask you for other information (e.g., email address, phone number, or transaction history) so that they can match the new information you provide with the information they have. They may also use other verification methods as the circumstances dictate. If through reasonable efforts they are unable to verify your request to the appropriate degree of certainty, they will notify you. They shall use the PI provided in a Verifiable Consumer Request only to verify your identity or your authority to make the request and to track and document request responses, unless you also gave it to them for another purpose.

 

5)   Agent Requests

Note you can authorise an agent to exercise any of these California privacy rights on your behalf, subject to the agent request requirements of the CCPA. Note that the organisation you have been interacting with (our customer), shall take additional measures to verify the legal authority of your agent.

 

6)   Exceptions 

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights. In addition, we need not honour any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.

Some PI we maintain about CaliforniaConsumers is not associated with PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made to the organisation you have been interacting with (our customer). If we cannot comply fully with a request, we will explain the reasons in our response, unless we are prohibited from doing so by applicable law.  

 

Together with the organisation you have been interacting with (our customer), we will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use and to respond to your California Consumer rights requests. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants afee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request. As permitted by the CCPA, we are also not required to search for PI not maintained in a searchable or reasonably accessible format that is used for certain internal purposes only, but we apply this exception we will respond to your request with a description of the categories of PI to which this exception applies. 

 

In addition, as explained above, we will reject requests to the extent we and the organisation you have been interacting with (our customer) are not able to sufficiently verify your identity, or your agent’s authority. If we conclude we have a basis for not fully responding to your request, our response to you will explain the basis for the limitation, unless we are prohibited from doing so by applicable law.

 

7)   Financial Incentives and Non-discrimination

California residents also have the right not to receive discriminatory treatment for the exercise of any of the privacy rights conferred by the California Consumer Privacy Act. As of the Effective Date of this CA Statement we did not offer any programs requiring you to limit any of your CCPA rights, or otherwise require you to limit your CCPA rights in connection with charging a different price or rate, or offering a different level or quality of good or service. If we do so, the CCPA requires certain program terms and notices for California Consumer and the material aspects of any such program, and the rights of California participants, will be explained and described in its program terms. Participating in any such programs will be entirely optional. We may add or change programs and/or their terms by posting notice on the program descriptions so check them regularly.

CCPA Privacy Policy (Credolab Supplemental Privacy Statement for California Consumers)

 

Effective Date: March 24, 2022

 

Background

Credolab Inc. ("CredoLab", "we", "us" or "our") takes the protection and security of your personal data very seriously.

If you are a California Consumer, this Supplemental Privacy Statement (“Statement”) also applies to you and appends the terms of our Privacy Policy.

 

Please read this Statement if and when an organisation of your choice (our customer) has assigned to us your consent to access your personal data as a part of the services we provide to them.

 

Capitalised terms used but not defined herein, shall have the meanings ascribed to such terms in California Civil Code § 1798.100, et seq. (together with the regulations thereunder, the “CCPA”), as applicable.

This Statement reflects our good faith understanding of the law and our data practices as of the date posted (set forth above). Accordingly, we may from time-to-time update information in this Statement and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

 

If you have any questions about how we use your personal data, please contact our Data Protection Officer by email at privacypolicy@credolab.com.

 

We have offices in several locations, and our registered office address is at 625 E. Twiggs St., Ste. 1000 Tampa, Florida 33602. Our FEIN No. is 87-1093616.

 

This Statement addresses the following topics:

  • Purpose for collecting data;
  • How we collect data;
  • What data we collect;
  • California Consumer privacy rights.

Purpose for collecting data

Your User’s Data may be collected for the purpose of helping financial and other organisations to produce real-time credit decisions based on our alternative credit score (the “Purpose”). We provide this alternative credit score only in relation to the service that you are applying for at the organisation of your choice (our customer). We use mobile and web device metadata and/or personal information (“personal information” or “PI”) to produce the alternative credit score via our proprietary technology. This includes highly sophisticated algorithms and predictive analytics applied to metadata accessed via our mobile applications(CredoApp and CredoApply), a mobile SDK (CredoSDK), and a Web JavaScript (WebSDK). We do NOT share your alternative credit score with any third party other than the organisation of your choice (our customer).

 

How we collect data

Your User’s Data may be collected directly from you in three ways:

  • When you download our application (CredoApp, CredoApply); or
  • When you use the mobile application of the organisation of your choice (our customer) that has embedded CredoLab’s mobile technology(CredoSDK); or
  • When you use the web page of the organisation of your choice (our customer) that has embedded CredoLab’s web technology (CredoWeb).

 

What data we collect

We may collect the following categories of User’s Data about you:

  • On mobile phone, - history of SMS messages, contacts, calendars, list and storage of applications, and registered accounts which might include social accounts, and installed applications, in some cases for the provision of Anti-Fraud Services as a reseller of iovation, including the detection of TOR and VPN type of applications. The core purpose of these types of applications detection, involves a financial-transaction functionality (for example, dedicated banking, dedicated digital wallet) and obtaining broader visibility into installed applications solely for security-based purposes.
  • On web device, - device hardware type, operating system, language, keystroke patterns and similar information.

 

This still may sound complex, so an example is often the easiest way to explain:

  • You are going to receive a credit and/or other financial services from a financial organisation of your choice (our customer).
  • In order to provide you with financial service, the financial organisation of your choice needs to assess your creditworthiness.
  • At our customer’s request, CredoLab collects specific personal information and/or metadata from your mobile/web devices (via our products and services) (the “User’s Data”) and processes this User’s Data with CredoLab’s proprietary technology.
  • We pass your alternative credit score (but in no event your personal data) to an organisation of your choice (our customer).
  • Financial organisation of your choice (our customer) then decides how it will respond to you, e.g. provide you specific financial service(loan, credit card etc.), decline your request etc.
  • CredoLab does not have visibility on, nor can we influence how financial organisation of your choice responds to you.

California Consumer privacy rights

Due to how CredoLab process data, your Personal Information is pseudonymised, therefore it is not possible for CredoLab to identify you as an individual.

Therefore, to exercise any of your rights outlined below, you have to consult with the organisation you have been interacting with (our customer). You will be asked to provide your name, email address, country of residence, state, and request details. A confirmation email shall be sent to the email address you provide to begin the process to verify your identity. To protect your privacy and security the organisation you have been interacting with may require verification of your identity to a high degree of certainty based on information they already have about you. If you cannot meet that standard, we, together with the organisation you have been interacting with, will treat your request as a “categories request” as explained in the next section.

 

The organisation you have been interacting with (our customer) will be able to provide CredoLab with information to assist in exercising the rights listed below (“Rights”).

 

1)   Right to Know:

  • Specific Pieces: You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected and are maintaining for the period that is 12 months prior to the request date. To protect your security and the rights of others, we may not be able to provide you all of the PI we may have on you.
  • Categories: California Consumers have the right, no more than twice in a twelve-month period, to request that we disclose the categories of PI collected in the prior 12 months; the categories of sources from which such PI is collected; the purpose for such collection or its sale (if applicable); the categories of third parties with which the businesses shares such PI, and, for each category of such PI, the categories of recipients of business purposes disclosures and, if applicable, of sales.

 

2)   Right to Delete

  • Except to the extent we have a basis for retention under the CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and provide services you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement.
  • Rather than exercising a deletion request, you may alternatively exercise more limited control of your PI by instead opting out of e-mail marketing communications by following the unsubscribe instructions on the footer of those emails.

3)   “Do Not Sell My Personal Information”

While California law also allows for California residents to opt-out of the sale of their PI, we do not sell PI of California Consumers as those terms are defined by the CCPA.

 

4)   Verification Process

When you submit a request to know or delete your PI to the organisation you have been interacting with(our customer), that organisation is required to verify your request to ensure that the request is not fraudulent (“Verifiable Consumer Request”)”. Thus, upon receiving your request the organisation shall take measures to verify that the request is legitimate. These verification efforts may require additional information from you which may include information you have provided us in the past. For instance, if you have previously provided your name to them, they may ask you for other information (e.g., email address, phone number, or transaction history) so that they can match the new information you provide with the information they have. They may also use other verification methods as the circumstances dictate. If through reasonable efforts they are unable to verify your request to the appropriate degree of certainty, they will notify you. They shall use the PI provided in a Verifiable Consumer Request only to verify your identity or your authority to make the request and to track and document request responses, unless you also gave it to them for another purpose.

 

5)   Agent Requests

Note you can authorise an agent to exercise any of these California privacy rights on your behalf, subject to the agent request requirements of the CCPA. Note that the organisation you have been interacting with (our customer), shall take additional measures to verify the legal authority of your agent.

 

6)   Exceptions 

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights. In addition, we need not honour any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.

Some PI we maintain about CaliforniaConsumers is not associated with PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made to the organisation you have been interacting with (our customer). If we cannot comply fully with a request, we will explain the reasons in our response, unless we are prohibited from doing so by applicable law.  

 

Together with the organisation you have been interacting with (our customer), we will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use and to respond to your California Consumer rights requests. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants afee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request. As permitted by the CCPA, we are also not required to search for PI not maintained in a searchable or reasonably accessible format that is used for certain internal purposes only, but we apply this exception we will respond to your request with a description of the categories of PI to which this exception applies. 

 

In addition, as explained above, we will reject requests to the extent we and the organisation you have been interacting with (our customer) are not able to sufficiently verify your identity, or your agent’s authority. If we conclude we have a basis for not fully responding to your request, our response to you will explain the basis for the limitation, unless we are prohibited from doing so by applicable law.

 

7)   Financial Incentives and Non-discrimination

California residents also have the right not to receive discriminatory treatment for the exercise of any of the privacy rights conferred by the California Consumer Privacy Act. As of the Effective Date of this CA Statement we did not offer any programs requiring you to limit any of your CCPA rights, or otherwise require you to limit your CCPA rights in connection with charging a different price or rate, or offering a different level or quality of good or service. If we do so, the CCPA requires certain program terms and notices for California Consumer and the material aspects of any such program, and the rights of California participants, will be explained and described in its program terms. Participating in any such programs will be entirely optional. We may add or change programs and/or their terms by posting notice on the program descriptions so check them regularly.