CredoLab Privacy Policy (iovation Anti-fraud Privacy Policy)

iovation Anti-fraud Privacy Policy

GDPR Privacy Policy

PDPA Privacy notice (Singapore)

iovation Anti-fraud Privacy Policy

Kebijakan Sistem Manajemen Keamanan Informasi ISO 27001 Indonesia

General information and contact details

CredoLab Pte. Ltd. ("CredoLab", "we", "us" or "our") take the protection and security of your personal data very seriously. This privacy notice sets out the data we collect and process about you through our products and services, the purposes of the data processing and how you can exercise your privacy rights under Singapore’s Personal Data Protection Act (PDPA).

You may be reading this notice because of a link provided by an organisation you are engaging (our customer), or you simply want more information on data processing in relation to our products and services.

This privacy notice relates specifically to the Anti-Fraud Checks services, provided by us as a reseller of the iovation Inc., a Delaware corporation (“iovation”), with a place of business at 555 SW Oak Street, Floor 3, Portland, Oregon 97204 (the “Anti-Fraud Services”), based on the OEM (Original Equipment Manufacturer) Agreement of August 19, 2019 (the “OEM Agreement”). Under the OEM Agreement CredoLab acts as an official reseller of the Anti-Fraud Services provided by iovation. Please read this notice if and when an organisation of your choice (our customer) has assigned to us your consent to access your personal data as a part of Anti-Fraud Services based on a separate agreement with us.

Our customer and data supplier (you have engaged with) will have a lawful reason for collecting and processing your data and may have a separate relationship with you. It is separately required to provide you with information (for example through their own privacy notice) about how it collects and processes your data.

We have offices in several locations, and our registered office address is at:

CredoLab Pte. Ltd.

111 North Bridge Road,

#08-08 Peninsula Plaza,

Singapore, 179098

Our Company Registration Number is: 201601190K

If you have any questions about how we use your data, please contact our Data Protection Officer by email at privacypolicy@credolab.com.

We review this privacy notice on an annual basis, or sooner if changes to regulation require it or we change the way we process personal data.

This privacy notice was last updated on 15 December 2020.

What do we do?

CredoLab is providing products and services to help financial and other organisations to produce real-time credit decisions. We use mobile and web device metadata to produce the alternative credit score via our proprietary technology. This includes highly sophisticated algorithms and predictive analytics applied to metadata accessed via our mobile applications (CredoApp and CredoApply), a mobile SDK (CredoSDK), and a Web JavaScript (Web SDK). We provide this alternative credit score only in relation to the service that you are applying for at the organisation of your choice (our customer). We do NOT share your alternative credit score with anyone else. This still may sound complex, so an example is often the easiest way to explain.

  • You are going to receive a credit and/or other financial service from an organisation of your choice (our customer).
  • In order to provide you with financial service, the organisation of your choice needs to assess your creditworthiness.  
  • At our customer’s request CredoLab collects specific metadata from your mobile/web devices (via our products and services) and processes this data with CredoLab’s proprietary technology.
  • Your data may be collected in three ways:

           a. When you download our application (CredoApp, CredoApply); or

           b. When you use the mobile application of the organisation of your choice that has embedded CredoLab’s mobile technology (CredoSDK); or

           c. When you use the web page of the organisation of your choice that has embedded CredoLab’s web technology (CredoWeb).

  • We pass your alternative credit sore (but in no event your personal data) to organisation of your choice (our customer).
  • Organisation of your choice (our customer) then decides how it will respond to you, e.g. provide you specific financial service (loan, credit card etc.), decline your request etc.  
  • CredoLab does not have visibility on, nor can we influence how organisation of your choice responds to you.

We would access the IP address only if your financial institution subscribes to the Anti-Fraud solution (offered by CredoLab on behalf of iovation Inc. based on the reseller agreement). If your financial institution subscribes only to the CredoLab’s credit analysis services, we will not access the IP address of your device. The IP address will be accessed only one-time, upon your application for specific financial service (loan, credit card etc.), and not persistently. The IP address information collected by us is similar to the types of information captured by common web analytics tools.

More examples are included below describing why we collect your personal data.

What data do we collect and why?

It’s simple. Unlike other companies, we do NOT collect data that directly identifies you, i.e. your name, phone number or email address. Provided, however, that in some cases for the provision of Anti-Fraud Services as a reseller of iovation, we might collect the IP address of your device as described below.  While collecting your data to calculate your alternative credit score, we use metadata to provide a segmented risk profile, generate an aggregated statistical information, and to improve and administer our current products and create new products. To protect your identity, we also remove all personal identifiers (if any) from the data we collect or aggregate and, in doing so, pseudonymise the information we collect. Any information we produce based on collected data cannot be reverse engineered to reproduce the original information collected. The processing of the information is done on CredoLab’s secure servers. The above-mentioned techniques assist in keeping the data that is sent to our servers anonymous and secure and allows you to retain your raw information on your device.

CredoLab’s technology may access some or all of the following (or similar) data on your mobile and/or web device (your digital footprint):

  • On mobile phone, - history of SMS messages, contacts, calendars, list and storage of applications;
  • On web device, - device hardware type, operating system, language, keystroke patterns and similar information.

While we cannot list out each and every type of data that we collect, our web technology collects (and uploads to our secured servers) only certain limited information. We’ve tried below to give you a general understanding of what types of data we collect and examples to help you see what we mean:

  • Our mobile technology may count the number of calendar events scheduled and their time stamp. Only this information is sent to our servers, NOT the underlying raw data.
  • While our mobile technology may scan and process your phone book contacts on your mobile device, the names and contact details are NOT sent to our servers.
  • While our mobile technology may scan and process information about the list of applications installed on your mobile device, we will only collect data relating to the frequency of use of such applications but NOT the activities you engage on any such application.
  • Our web technology may count the total time you spent to apply for a loan, the time you spent in the same position, how fast you scrolled application etc. While our web technology may scan and process such information, we do NOT read the content of what you type in the application form.

We would access your IP address only if your financial institution (or any other organisation of your choice (our customer)) subscribes to the Anti-Fraud Services offered by CredoLab on behalf of iovation based on the OEM Agreement. If your financial institution subscribes only to the CredoLab’s credit score services (CredoApp, CredoApply, CredoWeb, CredoSDK), we will not access the IP address of your device. The IP address information collected by us is similar to the types of information captured by common web analytics tools.

The digital footprint on your device (as well as IP address in case of the Anti-Fraud Services) will be accessed only one-time, upon your application for specific financial service (loan, credit card etc.), and NOT persistently, NOT in the background, NOT in the foreground. The information collected by us is similar to the types of information captured by common web analytics tools.

Our legal basis for processing data

We collect your data only after we have also collected your consent to the collection, use or disclosure, as the case may be, of your personal data either directly to us (via CredoApp, CredoApply) or via the organisation you are interacting with (CredoSDK, CredoWeb). We will NOT and cannot extract or process your data without your consent.

We do NOT request for your data from our customers (organisations that you have engaged with) without your consent and do NOT collect or process it without your consent. We/organisation that you have engaged with will also ask you to click on a button that says “proceed with credit analysis”, or similar, before commencing a credit scoring assessment on your mobile phone/web device.

You can be assured that we protect the information we collect. By using our products or services, you agree to the collection, use, and sharing of your data in accordance with this privacy notice. You may change and revoke your ‘access to data’ permissions at any time by using your phone/device settings.

How do we use your data?

We use your data to assess your creditworthiness for a service of your choice (loan, credit card etc.) with the organisation of your choice (our customer). Organisation of your choice may use CredoLab’s assessment as part of their decision process whether or not to grant you a loan or other financial service.

We also use your data to: -

  • Obtain an assessment of your creditworthiness including but not limited to an assessment of the probability of default of your obligations in the framework of contracts for the provision of financial services;
  • Assess your interest in receiving financial services through algorithms and mathematical modelling.

Who will we share your data?

As explained above under "What do we do", the data collected by our technology is NOT directly sent to the organisation of your choice (our customer). The organisation of your choice receives some limited pseudonymised information about you including the result of your credit scoring assessment.

I.e., we share the result of your credit assessment with the organisation you are applying for a financial service. The result of your credit assessment that we share, depends solely on your potential willingness to disclose your information in order to get the services you have requested the organisation of your choice. We also share your potential willingness to communicate directly with the organisation of your choice, if requested by the organisation. We do NOT share the raw data collected from you with any person including the organisation.

We may also share your data in the following ways: when required by competent authority or necessary to comply with a valid legal process; when required to protect and defend the rights or property of CredoLab, including the security of our products and services; when necessary to protect the personal safety, property or other rights of the public, CredoLab or its customers or employees; or in connection with a sale of all or part of our business. If we are involved in a merger, acquisition or asset sale, we will abide by this privacy notice, and any affected users will be informed if we transfer any personal data to a third party or if personal data becomes subject to a different privacy notice as a result.

How long do we retain your data for in our Products and Services?

We retain the data we collect from you for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering). We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

Once the respective purpose ceases to apply, we will either delete or anonymise the personal data or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your data and isolate it from any further processing until deletion is possible.


To implement and improve the functionality of CredoLab’s technology and to update the credit scorecards developed for our clients, we will keep your data for up to 3 (three) years unless you or organisation of your choice (our customer) request us to delete your data at an earlier date.

If you have questions about or need further information concerning how long we keep your data for, please contact us using the contact details provided below.

Your rights under the Singapore’s PDPA

Due to how CredoLab process data, your personal data is pseudonymised, therefore we are unable to fulfil your rights directly as it is not possible for CredoLab to identify you as an individual.  

To exercise any of the right outlined below, please consult with the organisation you have been interacting with.  They will then be able to provide CredoLab with information to assist in exercising your rights.  

As an individual, you have rights under the PDPA regarding the use of your data, these are:

  • The right to provide your consent for collection, use or disclosure, as the case may be, of your personal data.
  • The right to withdraw consent – you can withdraw your consent for collection, use or disclosure, as the case may be, of your personal data at any time.  

You are not required to pay any charge for exercising your rights. If CredoLab is unable to comply with your request regarding your consent withdrawal, we will provide you with an explanation.

How to contact us if you're not happy

We appreciate that at CredoLab we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by CredoLab then please write to us at: privacypolicy@credolab.com.  

You may also contact us by mail at:

CredoLab Pte. Ltd,

#12-01 Capital Tower,

168 Robinson Road,

Singapore 068912.

CredoLab will investigate your complaint and aim to respond within 10 working days. This allows us time to investigate your complaint thoroughly.  

Your right to lodge a complaint with the Regulatory Authority

Where you believe that CredoLab have not taken our responsibilities with your data seriously, you have the right to complain to Singapore Personal Data Protection Commission or a regulator who governs your data protection depending of the country of your residence.

General information and contact details

CredoLab Pte. Ltd. ("CredoLab", "we", "us" or "our") take the protection and security of your personal data very seriously. This privacy notice sets out the data we collect and process about you through our products and services, the purposes of the data processing and how you can exercise your privacy rights under Singapore’s Personal Data Protection Act (PDPA).

You may be reading this notice because of a link provided by an organisation you are engaging (our customer), or you simply want more information on data processing in relation to our products and services.

This privacy notice relates specifically to the Anti-Fraud Checks services, provided by us as a reseller of the iovation Inc., a Delaware corporation (“iovation”), with a place of business at 555 SW Oak Street, Floor 3, Portland, Oregon 97204 (the “Anti-Fraud Services”), based on the OEM (Original Equipment Manufacturer) Agreement of August 19, 2019 (the “OEM Agreement”). Under the OEM Agreement CredoLab acts as an official reseller of the Anti-Fraud Services provided by iovation. Please read this notice if and when an organisation of your choice (our customer) has assigned to us your consent to access your personal data as a part of Anti-Fraud Services based on a separate agreement with us.

Our customer and data supplier (you have engaged with) will have a lawful reason for collecting and processing your data and may have a separate relationship with you. It is separately required to provide you with information (for example through their own privacy notice) about how it collects and processes your data.

We have offices in several locations, and our registered office address is at:

CredoLab Pte. Ltd.

111 North Bridge Road,

#08-08 Peninsula Plaza,

Singapore, 179098

Our Company Registration Number is: 201601190K

If you have any questions about how we use your data, please contact our Data Protection Officer by email at privacypolicy@credolab.com.

We review this privacy notice on an annual basis, or sooner if changes to regulation require it or we change the way we process personal data.

This privacy notice was last updated on 15 December 2020.

What do we do?

CredoLab is providing products and services to help financial and other organisations to produce real-time credit decisions. We use mobile and web device metadata to produce the alternative credit score via our proprietary technology. This includes highly sophisticated algorithms and predictive analytics applied to metadata accessed via our mobile applications (CredoApp and CredoApply), a mobile SDK (CredoSDK), and a Web JavaScript (Web SDK). We provide this alternative credit score only in relation to the service that you are applying for at the organisation of your choice (our customer). We do NOT share your alternative credit score with anyone else. This still may sound complex, so an example is often the easiest way to explain.

  • You are going to receive a credit and/or other financial service from an organisation of your choice (our customer).
  • In order to provide you with financial service, the organisation of your choice needs to assess your creditworthiness.  
  • At our customer’s request CredoLab collects specific metadata from your mobile/web devices (via our products and services) and processes this data with CredoLab’s proprietary technology.
  • Your data may be collected in three ways:

           a. When you download our application (CredoApp, CredoApply); or

           b. When you use the mobile application of the organisation of your choice that has embedded CredoLab’s mobile technology (CredoSDK); or

           c. When you use the web page of the organisation of your choice that has embedded CredoLab’s web technology (CredoWeb).

  • We pass your alternative credit sore (but in no event your personal data) to organisation of your choice (our customer).
  • Organisation of your choice (our customer) then decides how it will respond to you, e.g. provide you specific financial service (loan, credit card etc.), decline your request etc.  
  • CredoLab does not have visibility on, nor can we influence how organisation of your choice responds to you.

We would access the IP address only if your financial institution subscribes to the Anti-Fraud solution (offered by CredoLab on behalf of iovation Inc. based on the reseller agreement). If your financial institution subscribes only to the CredoLab’s credit analysis services, we will not access the IP address of your device. The IP address will be accessed only one-time, upon your application for specific financial service (loan, credit card etc.), and not persistently. The IP address information collected by us is similar to the types of information captured by common web analytics tools.

More examples are included below describing why we collect your personal data.

What data do we collect and why?

It’s simple. Unlike other companies, we do NOT collect data that directly identifies you, i.e. your name, phone number or email address. Provided, however, that in some cases for the provision of Anti-Fraud Services as a reseller of iovation, we might collect the IP address of your device as described below.  While collecting your data to calculate your alternative credit score, we use metadata to provide a segmented risk profile, generate an aggregated statistical information, and to improve and administer our current products and create new products. To protect your identity, we also remove all personal identifiers (if any) from the data we collect or aggregate and, in doing so, pseudonymise the information we collect. Any information we produce based on collected data cannot be reverse engineered to reproduce the original information collected. The processing of the information is done on CredoLab’s secure servers. The above-mentioned techniques assist in keeping the data that is sent to our servers anonymous and secure and allows you to retain your raw information on your device.

CredoLab’s technology may access some or all of the following (or similar) data on your mobile and/or web device (your digital footprint):

  • On mobile phone, - history of SMS messages, contacts, calendars, list and storage of applications;
  • On web device, - device hardware type, operating system, language, keystroke patterns and similar information.

While we cannot list out each and every type of data that we collect, our web technology collects (and uploads to our secured servers) only certain limited information. We’ve tried below to give you a general understanding of what types of data we collect and examples to help you see what we mean:

  • Our mobile technology may count the number of calendar events scheduled and their time stamp. Only this information is sent to our servers, NOT the underlying raw data.
  • While our mobile technology may scan and process your phone book contacts on your mobile device, the names and contact details are NOT sent to our servers.
  • While our mobile technology may scan and process information about the list of applications installed on your mobile device, we will only collect data relating to the frequency of use of such applications but NOT the activities you engage on any such application.
  • Our web technology may count the total time you spent to apply for a loan, the time you spent in the same position, how fast you scrolled application etc. While our web technology may scan and process such information, we do NOT read the content of what you type in the application form.

We would access your IP address only if your financial institution (or any other organisation of your choice (our customer)) subscribes to the Anti-Fraud Services offered by CredoLab on behalf of iovation based on the OEM Agreement. If your financial institution subscribes only to the CredoLab’s credit score services (CredoApp, CredoApply, CredoWeb, CredoSDK), we will not access the IP address of your device. The IP address information collected by us is similar to the types of information captured by common web analytics tools.

The digital footprint on your device (as well as IP address in case of the Anti-Fraud Services) will be accessed only one-time, upon your application for specific financial service (loan, credit card etc.), and NOT persistently, NOT in the background, NOT in the foreground. The information collected by us is similar to the types of information captured by common web analytics tools.

Our legal basis for processing data

We collect your data only after we have also collected your consent to the collection, use or disclosure, as the case may be, of your personal data either directly to us (via CredoApp, CredoApply) or via the organisation you are interacting with (CredoSDK, CredoWeb). We will NOT and cannot extract or process your data without your consent.

We do NOT request for your data from our customers (organisations that you have engaged with) without your consent and do NOT collect or process it without your consent. We/organisation that you have engaged with will also ask you to click on a button that says “proceed with credit analysis”, or similar, before commencing a credit scoring assessment on your mobile phone/web device.

You can be assured that we protect the information we collect. By using our products or services, you agree to the collection, use, and sharing of your data in accordance with this privacy notice. You may change and revoke your ‘access to data’ permissions at any time by using your phone/device settings.

How do we use your data?

We use your data to assess your creditworthiness for a service of your choice (loan, credit card etc.) with the organisation of your choice (our customer). Organisation of your choice may use CredoLab’s assessment as part of their decision process whether or not to grant you a loan or other financial service.

We also use your data to: -

  • Obtain an assessment of your creditworthiness including but not limited to an assessment of the probability of default of your obligations in the framework of contracts for the provision of financial services;
  • Assess your interest in receiving financial services through algorithms and mathematical modelling.

Who will we share your data?

As explained above under "What do we do", the data collected by our technology is NOT directly sent to the organisation of your choice (our customer). The organisation of your choice receives some limited pseudonymised information about you including the result of your credit scoring assessment.

I.e., we share the result of your credit assessment with the organisation you are applying for a financial service. The result of your credit assessment that we share, depends solely on your potential willingness to disclose your information in order to get the services you have requested the organisation of your choice. We also share your potential willingness to communicate directly with the organisation of your choice, if requested by the organisation. We do NOT share the raw data collected from you with any person including the organisation.

We may also share your data in the following ways: when required by competent authority or necessary to comply with a valid legal process; when required to protect and defend the rights or property of CredoLab, including the security of our products and services; when necessary to protect the personal safety, property or other rights of the public, CredoLab or its customers or employees; or in connection with a sale of all or part of our business. If we are involved in a merger, acquisition or asset sale, we will abide by this privacy notice, and any affected users will be informed if we transfer any personal data to a third party or if personal data becomes subject to a different privacy notice as a result.

How long do we retain your data for in our Products and Services?

We retain the data we collect from you for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering). We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

Once the respective purpose ceases to apply, we will either delete or anonymise the personal data or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your data and isolate it from any further processing until deletion is possible.


To implement and improve the functionality of CredoLab’s technology and to update the credit scorecards developed for our clients, we will keep your data for up to 3 (three) years unless you or organisation of your choice (our customer) request us to delete your data at an earlier date.

If you have questions about or need further information concerning how long we keep your data for, please contact us using the contact details provided below.

Your rights under the Singapore’s PDPA

Due to how CredoLab process data, your personal data is pseudonymised, therefore we are unable to fulfil your rights directly as it is not possible for CredoLab to identify you as an individual.  

To exercise any of the right outlined below, please consult with the organisation you have been interacting with.  They will then be able to provide CredoLab with information to assist in exercising your rights.  

As an individual, you have rights under the PDPA regarding the use of your data, these are:

  • The right to provide your consent for collection, use or disclosure, as the case may be, of your personal data.
  • The right to withdraw consent – you can withdraw your consent for collection, use or disclosure, as the case may be, of your personal data at any time.  

You are not required to pay any charge for exercising your rights. If CredoLab is unable to comply with your request regarding your consent withdrawal, we will provide you with an explanation.

How to contact us if you're not happy

We appreciate that at CredoLab we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal data is used by CredoLab then please write to us at: privacypolicy@credolab.com.  

You may also contact us by mail at:

CredoLab Pte. Ltd,

#12-01 Capital Tower,

168 Robinson Road,

Singapore 068912.

CredoLab will investigate your complaint and aim to respond within 10 working days. This allows us time to investigate your complaint thoroughly.  

Your right to lodge a complaint with the Regulatory Authority

Where you believe that CredoLab have not taken our responsibilities with your data seriously, you have the right to complain to Singapore Personal Data Protection Commission or a regulator who governs your data protection depending of the country of your residence.