This dashboard policy (the “Policy”) is made by Ravelin Technology Ltd (“Ravelin”, “we” or “us”). Ravelin is committed to ensuring that your privacy is protected, this Policy explains who we are and how we collect, share, and use data in relation to the Ravelin Dashboard. We also include information on how you can exercise your rights and options in relation to your personal data.

This Policy does not describe our collection and use of data in relation to visitors to our website. For information on how we collect and use information via our website, please see our Website Policy.

1. Who We Are and What We Do

Ravelin helps businesses ( our “Retailers”) detect and address online fraud and other malicious behaviors through integrating our fraud prevention and authentication services (the “Services”) into their websites and mobile applications (“Retailer Platforms”). In order to provide the Services, we need to collect and process information about the authorized employee users of Retailers who access the Services through the Retailer’s account with Ravelin (“Authorized Users”).

1. Information We Collect

You are not obligated to provide us with your personal data, however Retailers may require you to provide us with information about you in order for you to access the Services as an Authorized User of a Retailer.

Data may be collected from Retailers when they register to use the Services or directly from you when you use the Services, for example, if you use your professional email address to contact Ravelin in relation to the Services on behalf of a Retailer. The data we collect may include:

• Professional contact information for example, your name, job title, Retailer organization, address, access level and email address.
• Log-in credentials such as your username and password.
• Communication information such as data you provide when you contact Ravelin for support as part of the Services

Ravelin and our third party service providers may automatically collect certain device and usage data about Authorized Users when they interact with and use the Services in order to better understand Authorized User needs and to optimize the Services - for example, how much time they spend on which pages and which links they choose. This data is collected using cookies and other standard tracking technologies, including:

• Mixpanel which collects user data (e.g., device details, browser and email address) and event data (e.g., buttons clicked or pages viewed) to help us better understand how different functionality is used.
• Hotjar which uses cookies and other technologies to collect data on our users’ behavior and devices to help us better understand user experiences. This may include collection of device details, browser details, and location information .
• Sentry which sends reports to Ravelin to alert us of any unhandled errors experienced by our users to alert us quickly to any issues and to help us debug issues. User, device, OS and browser details may be collected.
• Beamer which is used to share product update details. Some user data are collected to track which updates are popular, including name, email address and certain browser and device details.

1. How We Use Data

In connection with your organization’s use of the Services, you or your organization may provide certain information, including your personal data to us - for example, providing your professional email address to enable you to log in to the Ravelin dashboard. We use the data we collect and store in order to provide the Services to your organization.

General

We may use the data we collect to:

• Provide, maintain, improve, and develop the Services.
• Prevent fraud and other malicious activities.
• Consider, investigate and communicate with you in relation to any requests, concerns or complaints you contact us about.
• Enforce this Policy and prevent misuse of the Services.
• Keep our website and Services safe and secure.
• Administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
• Validate your identity when you are seeking to exercise your privacy rights.
• Take any action which may be required or mandated by applicable law.

1. Sharing Data

We will always keep your data safe and never sell your information to third parties. There may be circumstances where the information detailed in this Policy is shared with others for the following reasons:

Service providers

We may share limited information about you with our third party service providers, vendors, or other contractors who provide services to us and with whom the sharing information is necessary in order for them to provide their services - for example, a provider hosting our infrastructure.

Retailers’ vendors or other service providers

We may share your information with third party vendors, service providers or other third party contractors of Retailers, strictly where sharing the information is necessary to provide the Services.

Professional advisers

We may disclose your personal data to our professional advisers, such as lawyers, bankers, auditors and insurers but only where strictly necessary in the course of the professional services they are providing to us.

Legal purposes

We may disclose your information where we believe it is required by law or in order to exercise our legal rights - for example, we may share your data with a competent law enforcement body, government agency, court or other third party.

Corporate affiliates

We may share your information with Ravelin affiliates (any subsidiary, parent company or company under common control) as necessary to perform the Services and only for the purposes described in this Policy. If Ravelin is involved in an acquisition, merger or sale of its business or assets, your information may be shared or transferred as part of that transaction.

1. Legal Basis for Processing Personal Data

Ravelin relies on valid legal reasons for using personal data, depending on how you are interacting with Ravelin or the Services, our legal basis will be one of the following:

• Legitimate interest where we collect and use your personal data, or share it as outlined in this Policy because we have a legitimate reason to do so, such as our legitimate interest in preventing fraud.
• Keeping to our contracts where personal data is required to provide our Services and we cannot provide them without this personal data.
• Legal obligation - where we are required to do so by law or where we believe it is necessary to protect or enforce our legal rights.
• Consent - where we use information about you where you have consented to do so for a specific purpose, such as receiving marketing communications from Ravelin or featured testimonials published with your permission.

1. Data Storage, Transfers and Retention

Your personal data may be transferred, processed and stored in the United Kingdom, United States, Belgium and other countries. We may also process information using cloud services. These countries may have different data protection and privacy laws to the laws of your country and may provide a different level of protection than in your jurisdiction, however Ravelin takes the necessary steps to ensure that your data is always processed in accordance with this Policy and in line with the requirements of applicable law.

If you are a resident in the EEA, UK or Switzerland, we will protect your personal data when it is transferred out of your jurisdiction by ensuring that the party receiving the data is either based in a territory which has an adequate level of protection as determined by the relevant authority or using appropriate safeguards to protect your personal data, such as standard contractual clauses.

We will retain your personal data where we have an ongoing legitimate legal reason to keep it and for a length of time consistent with the original purpose it was collected for. The appropriate retention period for personal data will depend on a number of factors including, the reason why it was collected, the amount, nature and sensitivity of the data. We will also consider any applicable legal requirements in relation to data retention.

After data is no longer required for the purpose it was collected for or where you have requested for us to delete the data that we hold about you (unless it is still required to be kept by us and a valid exemption applies), we will either delete or anonymize your personal data. If this is not possible (for example, where the data has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until it is possible to delete it.

1. Your Rights

Depending on where you are a resident, you may have certain rights in relation to the personal data which is held about you. Subject to legal limitations and exemptions that may apply, you may have the right to:

• Access the personal data we hold about you (a “data subject access request”).
• Correct incomplete or inaccurate data we hold about you.
• Ask us to erase the personal data we hold about you.
• Ask us to restrict the handling of your personal information.
• Ask us to transfer your personal information to a third party.
• Object to how we are using your personal information.

Details on how to contact us to exercise any of these rights can be found below in the Exercising Your Rights section of this Policy .

Residents of the EEA, UK or Switzerland

If we have collected and processed your personal information with your consent for a specific purpose, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing which occurred prior to your withdrawal and it will not affect the processing of your personal data on lawful grounds other than consent. To withdraw your consent, all you need to do is follow the instructions in the Exercising Your Rights section of this Policy.

You have the right to complain to a data protection authority about our collection or use of your personal data. You can contact your local data protection authority for more information. The contact details for the data protection authorities for residents in:

• EEA jurisdictions are available here;
• the UK are available here; and
• Switzerland is available here.

Residents of California

The California Consumer Privacy Act (“CCPA”) provides Californian residents with specific rights regarding their personal information. This section describes your rights and explains how to exercise them.

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the previous 12 months ("right to know"). Once we receive your request and confirm your identity (see Exercising Your Rights), we will disclose to you:

• The categories of personal information we collected about you.
• The categories of sources for the personal information we collected about you.
• Our business or commercial purpose for collecting or selling that personal information.
• The categories of third parties with whom we share that personal information.
• The specific pieces of personal information we collected about you.

You have the right to request that we delete any of your personal information that we have collected and retained (the "right to delete"), subject to certain exemptions.  Once we receive your request and confirm your identity (see Exercising Your Rights), we will review your request to see if an exemption allowing us to retain the information applies. We may deny your deletion request if an exemption applies and retaining the information is necessary for us or our service provider(s), for example to detect fraudulent activity or comply with a legal obligation.

You may authorize an agent to submit a request to us on your behalf. Please note that before completing any requests, and in addition to our identification verification process, we will need to verify that your agent has been properly authorized to request information on your behalf which means it may take longer to complete your request.

We will delete or de-identify personal information not subject to an exemption from our records and will direct our service providers to take similar action.

We do not “sell” information, as sales are defined under applicable laws. We will not discriminate against you for exercising any of your CCPA rights

1. Exercising Your Rights

To exercise any of the rights or options described above, please submit a request to us by emailing us at [email protected].

The request should include your contact information and describe your request in enough detail to allow us to understand, evaluate, and respond to it. You should provide sufficient information that allows us to verify that you are the person about whom we collected the  personal data or that demonstrates you are a properly appointed representative. We may need to request additional information in order to verify your identity and we will not be able to honor a request if we cannot verify your identity or authority to make the request.

We will respond to all requests we receive from data subjects wishing to exercise their rights and treat each request according to the requirements of the applicable jurisdiction.

1. Changes to this Policy

We may update this Policy from time to time in response to changing legal, technical or business developments. Any changes we make to this Policy in the future will be posted on this page and if necessary, notified to you. You can see when this Policy was last updated by checking the “last updated” date displayed at the bottom of this Policy.

1. Contact Details

You can contact our Data Protection Officer  with any questions or concerns about this Policy or our practices at:

Ravelin Technology Ltd

Attn: DPO

Bentima House,

168-172 Old St,

London

EC1V 9BP

Email: [email protected]

We have appointed Ravelin Technology Ireland as our EU Representative, who you can contact at [email protected]

This Policy was last updated: November 2023