Our organizational customers choose which personal information of their clients and prospective clients to send to us, such as names, mobile phone numbers, email addresses, mailing addresses and device identifiers. This information is immediately and automatically tokenized upon receipt, matched across different customers’ submissions throughout ThreatMetrix’s network of organizational customers, and combined into a unique digital identifier: the “ThreatMetrix ID”.
We also process personal information linked to the ThreatMetrix ID in a pseudonymous form, including, but not limited to: the number of email addresses and phone numbers associated with a client’s or prospective client’s Internet-connected devices; activities and attributes associated with a client’s or prospective client’s email addresses, shipping addresses, phone numbers, IP addresses; device fingerprinting information and activities associated with other online IDs, passwords and drivers’ license numbers, which have been hashed by the customer prior to being provided to us; client account details, log-in activity and history; and client transaction history associated with hashed credit card numbers, tracked over time, together with associated risk scores created or used by us through use of the services (collectively, ‘attribute information’)
We process such information for the legitimate interests of us and our customers for:
We share attribute information:
We retain personal information for only as long as necessary to provide the service and fulfill the transactions our customers have requested, or for other essential purposes such as complying with our legal 2 obligations, maintaining business and financial records, resolving disputes, maintaining security, detecting and preventing fraud and abuse, and enforcing our agreements.
We use attribute information, geographic location, network properties and user behavior data sent by our customers in order to produce scores such as the ThreatMetrix Confidence Score and the ThreatMetrix Trust Score. Some of this data is collected by our customers and passed to us through ThreatMetrix cookies and similar technologies that our customers place or run on their clients’ and prospective clients’ devices.
Our scores can be used by our customers to predict the reputational integrity of an ID for a given transaction. Low confidence scores can suggest identity credentials being used fraudulently/out of prior context. Low trust scores detect unusual behavior, such as location anomalies, abnormally high number of new email addresses originating from the same device, or new shipping addresses that haven’t been seen before.
Our customers configure their use of ThreatMetrix to address their unique needs, which may result in different scores among different customers. ThreatMetrix provides a platform for processing and applying rules to data but does not recommend to its customers whether to take any actions based on scores. For our customers’ clients and prospective clients, this means that ThreatMetrix’s customers may make decisions that may affect online activity such as prohibiting access to a website, allowing an online transaction to proceed, or requiring a client to provide additional authentication data. We do not make any decisions about an individual. Decisions remain for our customers to make.
We process such information where ThreatMetrix affiliates and their service providers maintain servers and facilities, including in Iceland, the Netherlands, the United Kingdom and the United States. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law.
ThreatMetrix and certain other U.S. companies within the LexisNexis Risk Solutions Group have certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce. Please view these entities’ Privacy Shield Notice here. To learn more about the Privacy Shield program, and to view these entities’ certification, please visit www.privacyshield.gov.
You have the right under European and certain other privacy and data protection laws, as may be applicable, to request free of charge:
If you wish to exercise any of these rights, please contact us at the address below. We will respond to your
request consistent with applicable laws. To protect your privacy and security, we may require you to verify
your identity. Where we are acting as a processor on behalf of our customer, we will redirect you to make
your request directly to our customer.
If you have any questions, comments, complaints or requests regarding this processing notice, please contact us online or in writing:For U.S. Privacy requests, click here to submit online.
Data Protection Officer,
LexisNexis Risk Solutions Group,
Cardiff CF11 0SN,
You may also lodge a complaint with the data protection authority in the applicable jurisdiction.
Last updated: 30th December 2021