Decision Trust Processing Notice

Decision Trust, a LexisNexis Risk Solutions FL Inc. (“LNRS”, “we” or “our”) service, helps organizations in selected countries with risk assessment, fraud prevention, and other financial and business risk mitigation. This processing notice explains how LNRS processes personal information as part of the Decision Trust services for our organizational customers (collectively, “Customers” and each, a “Customer”). Use of the Decision Trust service is governed by the applicable agreements.

Our Customers choose which personal information of their clients and prospective clients (collectively, “Clients” and each, a “Client”) the Decision Trust service is authorized to receive, such as names, mobile phone numbers, email addresses, mailing addresses, location information, and device identifiers.

This data is associated to unique LexisNexis Risk Solutions digital identifiers and then matched across different Customers' submissions using the ThreatMetrix Digital Identity Network and Emailage global fraud network. Further details on the processing of personal data through the LexisNexis Risk Solutions ThreatMetrix and Emailage services are set out in their respective Processing Notices available at https://risk.lexisnexis.com/corporate/processing-notices/.

We also process personal information linked to LexisNexis Risk Solutions digital identifiers, including, but not limited to: (i) the number of email addresses and phone numbers associated with a Client’s internet-connected devices; (ii) activities and attributes associated with a Client’s email addresses, billing addresses, phone numbers, IP addresses; and (iii) activities associated with other online IDs, tracked over time, together with associated risk scores created or used by us through use of the services (collectively, “attribute information”).

We also process payment default outcome data received from our Customers to analyze the outcome of transactions processed by the Decision Trust service and to improve predictive models for the service.

We may also process similar categories of personal information received from LNRS affiliates and service providers to improve the predictive insights of data.

We process personal information for the legitimate interests of us and our Customers for:

• risk assessment including predicting the likelihood of payment default by digital loan applicants;
• identity verification;
• detection, investigation, assessment, monitoring and prevention of fraud and other crime;
• mitigation of financial, business, and credit risk; and/or
• compliance with anti-money laundering (AML), counter-terrorism financing (CTF), anti-bribery and corruption (ABC) and other legal obligations.

We may also use personal information for the enhancement of our services, including refining of analytics capabilities and development of new attributes, models and scores, analyzing established and anomalous pattern detection and graph analysis.

We may share attribute information:

• with our Customers, processors, sub-processors and affiliates;
• where we have a good faith belief that such disclosure is necessary to meet any applicable law, regulation, legal process or other legal obligation; detect, investigate and help prevent security, fraud or technical issues; and/or protect the rights, property or safety of LNRS and our affiliates, users, employees or others; and
• as part of a corporate transaction, such as a transfer of assets or an acquisition by or merger with another company.

We retain personal information for only as long as necessary to provide the services and fulfill the transactions requested by our Customers, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, resolving disputes, maintaining security, detecting and preventing fraud and abuse, and enforcing our agreements.

Our Customers are separate controllers of personal information we receive from them, and it is their obligation as controllers to determine their own retention periods. They may hold personal information for longer than we do.

Our practices and processes are designed to protect the data that we process from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access using appropriate administrative, physical and technical security measures.

We use personal information, such as attribute information, geographic location, network properties and user behavior data, sent by our Customers in order to produce various scores. Some of this data is collected by our Customers and passed to us through ThreatMetrix cookies and similar technologies that our Customers place or run on their Clients’ devices.

Our scores can be used by our Customers to predict the risk associated with a given transaction. Low confidence scores can suggest identity credentials being used fraudulently/out of prior context. Low trust scores detect unusual behavior, such as location anomalies, abnormally high number of new email addresses originating from the same device, or new billing addresses that haven’t been seen before.

Our Customers are solely responsible for determining how they may use the results of a check performed using our products or services. The data and scores we provide to them are just one among many factors they may consider in their assessment. Customers must always ensure they are in full compliance with all laws and regulations applicable to the use of Decision Trust services in their jurisdictions, including obtaining any Client consents, if required under applicable laws when Customers use Decision Trust to assess credit risk in selected countries. For the Clients, this means that Customers may make decisions that may affect online activity such as allowing an online transaction to proceed, or requiring a Client to provide additional authentication data. We do not make any decisions about an individual. Such decisions remain for our Customers to make.

We process personal information where LNRS, its affiliates and their service providers maintain servers and facilities, including in Germany, Iceland, India, Ireland, the Netherlands, and the United States. We take steps, including through contracts, intended to ensure that the personal information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law.

Certain U.S. entities within the LexisNexis Risk Solutions group of companies have certified certain of their services to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. Please view these entities’ Data Privacy Framework Notice here. To learn more about the Data Privacy Framework program, and to view these entities’ certification, please visit https://www.dataprivacyframework.gov.

You have the right under European and certain other privacy and data protection laws, as may be applicable, to request free of charge:

• access to and correction or deletion of your personal information;
• restriction of our processing of your personal information;
• object to our processing; and
• the portability of your personal information.

If you wish to exercise any of these rights, please contact us at the address below. We will respond to your request consistent with applicable laws. To protect your privacy and security, we may require you to verify your identity. Where we are acting as a processor on behalf of our Customer, we will redirect you to make your request directly to our Customer.

We will update this processing notice from time to time. Any changes will be posted on this page with an updated revision date. If we make any material changes, we will provide notice through the services or by other means.

If you have any questions, comments, complaints or requests regarding this processing notice, please contact us online here. Alternatively, you can write to: Data Protection Officer, LexisNexis Risk Solutions, Global Reach, Dunleavy Drive, Cardiff CF11 0SN, United Kingdom. You may also lodge a complaint with the data protection authority in the applicable jurisdiction. LexisNexis Risk Solutions FL Inc. is represented in the EU by LexisNexis Risk Solutions (Europe) Limited, Riverside One, Sir John Rogerson's Quay, Dublin 2, D02 X576, Ireland.

Last updated: August 2025