Ekata EU Privacy Notice
Last updated: March 1, 2019
This Privacy Notice discloses the information practices of Ekata, Inc. (“Ekata,” “we,” or “us”) especially relating to the Ekata Pro Insight Web site (“Pro Insight”) and Ekata API services (the “API”), and any features or online services provided by Ekata that post or include a link to this Privacy notice (collectively, the “Services”). The present privacy notice was made in compliance with the General Data Protection Regulation (“the GDPR”) of the EU, and applies to the processing of personal data subject to the GDPR.
1. Who are we?
Ekata is an identity verification and fraud prevention service provider targeting only business customers. Consequently, during the performance of its identity verification and fraud prevention services, Ekata does not come into direct contact with any natural persons whose personal data are processed within the framework of its Services.
Despite the lack of direct relationship with natural person customers, we still receive personal data from our business partners during the operation of our Services. It might also be the case that you interact with us directly, which sometimes requires the processing of your personal data. Therefore, with the aim of ensuring that our data processing is compliant with the requirements of the GDPR, in this Privacy Notice we describe how we collect, use, process and disclose information that we learn about you, explain why, on what legal basis, and how we process personal data and, if you are the subject of any of the personal data concerned, what rights you have and how you can get in touch with us if you need to. Our contact and other details are set out below. Ekata is the data controller in relation to the personal data processed in accordance with this policy (except where this policy states otherwise).
Our details – contacting us:
1301 5th Ave #1600,
Seattle, WA 98101,
You can reach our data protection officer appointed to deal with data protection and privacy related matters worldwide via the following e-mail:
We also have two offices in the EU:
Köztelek utca 6. City Gate building 1
1017 HL Amsterdam
2. Whose personal data do we process? (scope of privacy notice)
We might process your personal data
- in the course of the operation of our fraud prevention and identity verification services, if
  - your personal data have been provided to us by one of our business Customers in the course of using our Services (“Customer Data”). Our Services are provided for digital identity verification and fraud prevention purposes within the EU. For example, if you are a new client of one of our business Customers, your personal data might be verified by the use of our Services, in order to mitigate any fraudulent activities committed through the provision of false personal information. For further information regarding the Customer Data, please see section 4.
  - your personal data have been provided to us by data providers with limited licenses granted for fraud prevention and identity verification purposes (“Ekata Data”). For further information regarding the Ekata Data please see section 4.
In both cases, we rely on contractual guarantees given by our Customers and data providers as third parties that they have duly informed you about the details of the processing of your personal data (including the disclosure of your personal data to us) according to applicable data protection law and that they have a lawful basis for such data processing. If you require further information regarding their privacy practices please contact them directly. Furthermore, you will find further information on your privacy rights and how you can apply them at the end of the present privacy notice.
- in the course of the administration of our Services, if
  - you are our business Customer, whose registration/contact details contain personal data,
  - you work for our business Customer, and your data have been disclosed by our Business Customer to us.
- in the course of our non-service-specific activities, if
  - you are someone (or you work for someone) to whom we want to advertise or market our goods or services. In this case, we may have obtained your data directly from you (for example, via our website or at a trade show or exhibition) or from another source,
  - you use our website available at ekata.com, or
  - you are someone who contacts us.
3. What personal data do we collect?
We have set out below the categories of personal data we collect and use about you and how we collect them:
|General Communication Information||If you contact us (for example via email, phone or online web forms) we will collect information provided by you, such as your first and last name, telephone number, email address, corporate name, physical address, as well as any other content that you provide. If you do not provide certain General Communication Information, we may not be able to answer your requests or queries.|
|Account Information||Ekata collects usernames, passwords, and information when business Customers correspond with us by phone/email or request support for the Services. If business Customers do not provide certain Account Information, such as usernames and passwords, they may not be able to use the Services or take advantage of certain features of the Services.|
|Customer Data||Ekata collects information in the form of queries submitted to the Services by business Customers for identity verification and fraud prevention purposes. Such queries may contain the name, e-mail address, physical address, phone number, and IP address of the business Customer’s consumers.|
|Billing Information||When purchasing the Services, Ekata may also require Customers to provide billing information, such as billing name and address, ACH or credit card number, and the number of employees within the organization that will be using the Services. A third-party service provider is used to manage credit card processing. This service provider is not permitted to store, retain, or process your billing information for any purpose except for credit card processing on our behalf.|
|Ekata Data||This is Ekata’s own database that Ekata makes available to business Customers through the Services or pursuant to an Order, consisting of information from publicly available sources, third-party data providers, and Metadata. In these cases, we always rely on a lawful basis for processing information according to the applicable data protection law.|
|Metadata||These are data that Ekata derives from its analysis of its business Customers’ data that are submitted to the Services. Examples of Metadata include: the number of times a data element has been queried in a period of time (velocity) or the last time a data element has been seen (recency).|
General Communication Information, Account Information, Customer Data, Usage Information, Billing Information, Ekata Data and Metadata are sometimes collectively referred to as “Data.”
The majority of personal data processed by us is collected from various third parties. These third-party sources vary over time and include the following:
The table below describes personal data collected from third party sources:
|Categories of third-party sources||Description of category|
|Customers||Ekata collects information in the form of queries submitted to the Services by business Customers for digital identity verification and fraud prevention purposes. When a Customer submits Customer Data to the Services, Ekata may analyze Customer Data in conjunction with Ekata Data and other customers’ data, to create Metadata to provide results to the Customer’s query.|
|Third-party data providers||Ekata occasionally partners with a variety of businesses to acquire databases collected by third-party data providers from publicly available sources or directly from you based on a proper legal basis in accordance with data protection regulations. We collect such databases only from providers who have proper authorization for such disclosures and provided contractual guarantees on their data protection compliance.|
|Technical service partners||We work with technical service partners that provide us with certain data, such as mapping IP addresses to non-precise location data (e.g., city, state), to enable us to provide the Service.|
4. What are the legal grounds for our processing of personal data?
The majority of our data processing activity performed in connection with the Services (especially regarding the processing of Customer Data, Ekata Data and Metadata) is based on our legitimate interest and, most of all, that of our business Customers in combatting fraud or fraudulent use of our Customers’ services. Legitimate interest as a legal basis for such purposes is explicitly recognized by the GDPR. Furthermore, we have duly performed a legitimate interest assessment test, which has justified that our and our Customers’ legitimate interests are not overridden by your interests or fundamental rights and freedoms which require the protection of personal data.
In addition to the legitimate interest, there might be cases when our data processing is based on other legal grounds, as follows:
- In cases where this is necessary and you gave us your consent to the processing of your personal data, we rely on consent in relation to the processing concerned (see below for how to withdraw your consent at any time).
- We may process data as necessary
- to perform our contracts with you, or in order to take steps at your request prior to entering into such a contract;
- for compliance with a legal obligation to which we are subject;
- for the protection of your vital interests or those of another person;
- for the performance of a task carried out in the public interest, insofar as the processing has a basis in Union or Member State law.
Please see section 6 for further information regarding the applicable legal basis per our processing purposes or contact us if you need further details.
5. How do we use information that we collect?
When you interact with Ekata or use the Services, we use a variety of technologies to process the personal data we collect about you for various reasons. We have set out in the table below the reasons why we process your personal data, the associated legal bases described in section 5 that we rely on when processing your personal data, and the categories of personal data (identified in section 3) used for these purposes.
|Description of why Ekata processes your personal data (‘processing purpose’)||Legal Basis for the processing purpose||Categories of personal data used by Ekata for the processing purpose|
|To provide Ekata Service||
|To understand, diagnose, troubleshoot, and fix issues with the Ekata Service.||
|To evaluate and develop new features, technologies, and improvements to the Ekata Service||
|For marketing, promotion, and advertising purposes||
|To comply with legal obligations and law enforcement requests||
|To establish, exercise, or defend legal claims||
|To conduct business planning, reporting, and forecasting||
|To process payment||
6. Sharing of information collected
Ekata may provide Data to third party service providers and data providers to deliver the Services to you as well as for purposes related to the Services’ administration and operation, including conducting analytics. When sharing information to provide services requested by Customers, we will share Personally Identifiable Information only as necessary for the third party working on Ekata’s behalf to complete its work, and in compliance with contractual confidentiality and security measures. Ekata will transfer up to one element of Customer Data to each third-party data provider in order to supplement our database. For example, we may send an email address to a data provider to see whether and when the data provider may have seen the email address before. Or Ekata may transmit Customer Data to a cloud service provider that hosts Ekata query logs or may provide Billing Information to a credit card processing company to complete a Customer’s transaction.
Third-Party Business Partners
Ekata occasionally partners with a variety of businesses to market or sell products or services (“Partners”). We may disclose General Communication Information (especially email addresses) to our Partners for these purposes. Some of our Partners may co-sponsor events and other offerings with Ekata. Ekata may share General Communication Information that Customers provide when they sign up for events or other offerings with these Partners so they can send marketing communications and other information of interest. See below for how to withdraw your consent at any time.
Ekata reserves the right to use or disclose any information provided to us if required by law; if we reasonably believe that use or disclosure is necessary to protect Ekata’s rights or property; to comply with a judicial proceeding, court order, or legal process; to protect against misuse or unauthorized use of the Services; or to respond to emergencies, such as when Ekata believes someone’s physical safety is at risk.
Acquirers of the Business
In the event that Ekata is involved in a sale of some or all of our assets, or we are acquired by another company, the Data and any Personally Identifiable Information we collect may be among the assets reviewed and transferred.
7. Location of collected information stored by Ekata
Data submitted to Ekata and the Services are hosted and stored in a secure environment provided by Amazon Web Services (“AWS”). The AWS physical architecture that hosts Ekata is in the United States and the European Union.
8. International transfers of collected information
Ekata may store Data in the United States, but to facilitate its global business, Ekata may access such information from around the world, including from other countries in which the Company has operations. Ekata, however, ensures that the transfer of your personal data is carried out in accordance with applicable privacy laws and, in particular if your data is collected within the United Kingdom and the European Union, European Economic Area, and Switzerland (together, the “EU”), that appropriate contractual, technical, and organizational measures are in place, such as the Standard Contractual Clauses approved by the EU Commission. For further details of the security measures we use to protect your personal data, please see point 12.
9. How long do we process personal data?
We process personal data only for so long as is necessary for the purpose(s) for which it was originally collected, after which it will be deleted or anonymized except to the extent that it is necessary for us to continue to process it for the purpose of compliance with legal obligations to which we are subject or for another legitimate and lawful purpose.
In particular, we may analyze and store Customer Data for as long as reasonably necessary (but not longer than three years) to provide identity verification and fraud detection services through the Services, except if Ekata’s business Customer instructed us otherwise in line with a definitive written agreement, or the data subject exercises his/her related data protection rights described below. We do this strictly for statistical purposes, in order to enable us to improve our algorithms and our services. We will not use these data for any other purposes, and the processing will have no effect on you or any other natural person.
On or before the time that Data has reached the retention limits, Ekata takes all commercially reasonable efforts to securely dispose of the Data in accordance with its information security policies and procedures. Please note that in all cases, we will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
10. What are your rights?
You have the following rights in relation to personal data relating to you that we process:
- You may request access to the personal data concerned (please see the section on obtaining access to your personal data below),
- You may request that incorrect personal data that we are processing be rectified,
- Under certain circumstances, you may be entitled to request that we erase the personal data concerned,
- Under certain circumstances, you may be entitled to request the restriction of the processing of your data,
- In certain cases, such as cases where your personal data is processed for the purposes of direct marketing, or (with certain conditions) where the processing is based on our legitimate interest or that of a third person, you may be entitled to object to the processing,
- In certain cases, you may also have the right to receive personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller,
- Where we are processing personal data relating to you on the basis of your prior consent to that processing, you may withdraw your consent at any time, after which we shall stop the processing concerned. This, however, does not affect the lawfulness of the processing based on your consent before it was withdrawn,
- If you have a complaint about any processing of your personal data being conducted by us, you can contact us or lodge a formal complaint with a supervisory authority, in particular in the European Union member state of your habitual residence, place of work or the place where the infringement of your rights took place. The list of competent supervisory authorities is available here.
You may exercise your above rights, including your right to withdraw your consent and access to your personal data, by writing to us at any of the addresses specified at the top of this document.
11. Changes to privacy notice
Ekata may occasionally update this privacy notice in response to changing business circumstances and legal developments. If there are material changes to this privacy notice or in how Ekata uses Personally Identifiable Information, we will post such changes prior to implementing the change. Ekata encourages periodic review of this privacy notice to remain informed of how Ekata collects and uses Data.