First Data Corporation and its subsidiaries and affiliates (collectively, First Data or "we") provide the Fraud Detect service (the Service) to subscribing merchants to help identify and reduce fraud in card-not-present transactions and in account registrations performed through the merchant’s mobile application and website; however, merchants are not required to use all aspects of the Service. This “Privacy Statement” explains how we collect, use, disclose, and otherwise process end user personal information in connection with the Service. This Privacy Statement does not apply to First Data’s privacy practices outside of the context of the Service, such as its payment card acceptance services.
First Data's processing of personal information in connection with the Service is governed by this Privacy Statement and our agreement with the merchant for this Service (Service Agreement). In the event of any conflict between this Privacy Statement and a Service Agreement, the Service Agreement will control to the extent permitted by applicable law.
This Privacy Statement is not a substitute for any privacy notice that merchants are required to provide to their customers or end-users.
Information We Collect
Information about merchants
We collect information about the merchant that subscribes to use the Service upon registration and when consumer transactions are processed. This information may include:
- Name of the merchant
- Merchant ID and category code
- Merchant location where a transaction occurred
- Information about transactions processed by the merchant, including transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios
Information about end-users, consumers, and transactions that are submitted to the Service
Information we collect about individuals
We collect information about the following categories of individuals in connection with the Service (e.g., when an individual places an order for physical or digital goods or services or registers for an account with a merchant). In many instances, these will be the same person:
- Individuals who use a computer or mobile device (end-users)
- Individuals who register for an account or make a purchase with a merchant (consumers)
- The individual whose payment card is used to make a purchase (cardholder)
- The individual whose details are listed as a billing contact in connection with a purchase
- The individual whose details are listed as the shipping contact or recipient in connection with a purchase
Merchants may provide us with a variety of information about individuals, such as:
- Billing, delivery, or other address
- Email address
- User ID or other unique identifier
- Telephone number
- Hashed payment card number or other payment information
- Information about an individual’s participation in the merchant’s loyalty or rewards program, such as a loyalty account number, status in the program, and points balance
Information about transactions
We may obtain a variety of information about transactions performed via the merchant's website or mobile application. This information is associated with an individual. This type of information includes:
- Order number or similar identifier
- Details regarding the payment transaction, such as amount, date, and time
- Details regarding the products and/or services purchased in the transaction, such as the precise item(s) purchased and the category of goods the merchant assigns to the item (e.g., books, clothing, prepared food)
- Details regarding chargebacks for the reason of fraud
Any other information the merchant chooses to submit to us
Merchants are free to submit additional information to us in connection with payment transactions, account registrations, and our performance of the Service. Such information may include, without limitation:
- An individual's transaction history with the merchant
- Birthdate or year of birth
Information about end-users' computers or mobile devices
We collect information automatically about end-users' computers or mobile devices in connection with account registrations or transactions. This information varies depending on whether the relevant transaction or interaction was performed via a web browser or mobile application. We may use service providers to facilitate our collection of computer or device data, including through the use of third-party cookies when the Service is implemented on a website. If we are unable to collect information about an end-user’s computer or mobile device in connection with a transaction or registration, we may be unable to provide the Service for that transaction or registration; and, as a result, a merchant may choose whether to reject or accept that transaction or registration.
Information collected via web browsers
- Information about the device and its configuration, such as device type, the browser and operating system version, screen resolution, fonts installed, and time zone
- Browser settings, such as language settings, browser plugins installed, whether cookies are accepted, and whether the browser sends a "Do Not Track" signal
- IP address and approximate geolocation derived from the IP address
- Information about mouse movements, clicks, and keypresses on the pages where the Service is installed
Information collected via mobile applications
The specific information we collect via mobile applications may vary depending on whether an Android or Apple device is used and the version of the operating system installed on the end-user's device. In addition, our ability to collect certain information may depend on whether the end-user has granted the merchant’s app certain permissions. Typically, the information we collect includes:
- Information about the mobile device and its configuration, such as device type, manufacturer, model, operating system and version, language settings, screen resolution, time zone, and whether the device was rooted
- IP address
- Applications installed on the mobile device and whether malware was detected
- Phone numbers and accounts registered on the device
- Unique identifiers associated with the device (such as Google Advertising ID or Apple ID for Advertising, MAC address, and IMEI)
- Information about the network(s) to which the device is connected and nearby
- Battery level
- Precise (GPS) and network-based geolocation data
- Accelerometer data
Information we obtain about end-users from third-party sources
In circumstances where a manual review of a transaction is performed in the event the Service identifies a transaction or registration as potentially fraudulent, we may obtain personal information from third-party sources, such as public social media posts and news media. In these cases, data from third-party sources may help us to assess the risk of a potential transaction.
How We Use The Information We Collect
We use the information we collect about individuals, transactions, and devices for the purposes described in this Privacy Statement and otherwise in our Service Agreement. Merchants may contact us for additional details about how we use the information we collect.
To provide and improve the Service and our offerings
We use the information we collect to provide and improve the Service, which includes:
- Scoring transactions and registrations for indicators of fraud and providing recommendations whether to permit or deny a transaction or registration
- Investigating suspected fraud
- Maintaining records of unique identifiers (such as email addresses, device IDs, and payment card numbers) associated with fraudulent transactions or account registrations
- Analyzing, refining, and developing new fraud detection models for the Service based in part on transaction data, end-user information, and device data obtained from all merchant users of the Service
- Maintaining a historical record of transactions and chargebacks at merchants that use the Service for purposes of identifying indicators of fraud
- Providing support and maintenance for the Service
- Uses as requested by the merchant
- Uses as otherwise provided in our Service Agreement
To market our products and services to merchants
We may send merchants who have subscribed to the Service marketing communications as permitted by law. Our marketing communications may be targeted based on aggregated information about a merchant’s use of the Service - such as transaction volume, velocity, amounts, and types of goods or services sold, and chargeback ratios. Merchants will have the ability to opt out of such communications. We do not use the data that we collect in connection with the Service to send marketing emails to the end-users or consumers of merchants that use the Service.
For product development, analytics, and other legitimate business purposes
We use the information we collect for our own legitimate business purposes, which include:
- Developing or improving our products and services
- Developing and creating analytics and related reporting, such as regarding industry and fraud trends
With the consent of the data subject
In some circumstances, we may need consent of the data subject in the performance of our Service. Merchants are responsible for ensuring data subject consent is obtained for the performance of our Service.
To create anonymous data
We may create anonymous data from the personal information we collect. We make personal information into anonymous data by excluding information that makes the data personally identifiable, and use that anonymous data for our lawful business purposes.
For compliance, fraud prevention, and safety
In addition, we may also use personal information as we believe necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
How We Share Information
We may share the information we collect:
- With merchants, regarding information that pertains to the merchant's customers and end-users
- With third party service providers that help us manage and improve the Service
- With First Data subsidiaries and corporate affiliates
- As requested by the merchant
- With our professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us
- As otherwise provided in our Service Agreement with the merchant for the Service
We may also share personal information with government, law enforcement officials or private parties as required by law, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
We may sell, transfer or otherwise share some or all of First Data’s business or assets, including personal information, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganization or sale of assets or in the event of bankruptcy.
Cross Border Data Transfer
In connection with the Service, First Data may transfer personal information to countries outside of the country where the data was initially collected, including to the United States. Please see the Service Agreement for additional information regarding how First Data safeguards the personal information it transfers across borders. Merchants may contact us for additional information about our cross border data transfers in connection with the Service. Additional information is provided in the section titled "Information of Relevance to European Data Subjects."
Information of Relevance to European Data Subjects
Controller and Data Protection Officer
First Data is made up of different legal entities. The controller is the member of the First Data group that signs the Service Agreement, or which is otherwise identified as the controller in the Service Agreement.
The contact information for First Data’s Data Protection Officer is:
Data Protection Officer, First Data
Email address: email@example.com
Postal address: Floor 29, 1 Canada Square, Canary Wharf, London E14 5AB
Legal Bases for Processing
Our legal bases for the processing of personal information are as follows:
|Processing purpose||Legal basis|
||These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on the data subject (both positive and negative) and the data subject's rights before we process personal data for our legitimate interests. We do not use personal data for activities where our interests are overridden by the impact on the data subject (unless we have the data subject's consent or are otherwise required or permitted to by law). In the case of compliance, fraud prevention, and safety, processing may be necessary to comply with our legal obligations.|
|With the consent of the data subject||Processing is based on the consent of the data subject.|
Cross Border Data Transfer
When we transfer personal data outside of Europe to countries not deemed by the European Commission to provide an adequate level of protection for personal data, we make the transfer as follows:
- When transferring personal data to a company in the First Data group, the transfer is made based on our Binding Corporate Rules, a copy of which can be found here
- When transferring personal data to third parties, the transfer will be made pursuant to:
  - A contract approved by the European Commission (sometimes called "Model Clauses" or "Standard Contractual Clauses");
  - The EU-US Privacy Shield;
  - The recipient's Binding Corporate Rules;
  - The consent of the individual to whom the personal data relates; or
  - Other mechanisms or legal grounds as may be permitted under applicable European law.
Data subjects may contact us with questions about our transfer mechanism.
The Service may involve automated decision-making subject to Article 22 of the GDPR. Decisions are made by matching the data provided to us by merchants with patterns indicative of fraud. Where the Service identifies a suspected fraudulent account registration or purchase that is consistent with the merchant’s pre-established thresholds for blocking registrations or transactions, First Data will block the registration or transaction in an automated manner. Where a registration or transaction is blocked, certain unique identifiers associated with the registration or purchase will subsequently be blocked with that merchant.
To the extent that decisions are made based solely on automated processing that produce legal or similarly significant effects, such decisions will be made where (a) they are necessary for entering into, or performing, a contract between the data subject and a data controller; (b) as authorized by applicable law; or (c) based on the data subject’s explicit consent.
First Data retains personal information for as long as necessary to (a) provide the Service; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of the Service Agreement. Merchants may contact us for additional information about our data retention practices in connection with the Service.
Data Subject Rights
Merchants are data controllers of the personal information that they provide to First Data or enable First Data to collect via the Service and have a direct relationship with their consumers or end-users. Merchants are responsible for providing all necessary privacy notices to data subjects to whom the personal information pertains, as well as receiving and responding to data subjects’ requests to exercise any rights afforded to them under applicable data protection law. First Data will assist merchants in responding to such requests as set forth in its Service Agreements, but may respond to consumers as necessary under applicable data protection law.
Under certain circumstances, data subjects in Europe have certain rights relating to their personal data, which include the rights to request from the controller (a) access to the data subject’s personal data; (b) correction of incomplete or inaccurate personal data; (c) erasure of personal data; (d) restriction of processing concerning the data subject; and (e) that the controller provide a copy of the data subject’s personal data that the data subject provided to the controller in a structured, commonly used and machine-readable format. Data subjects may also object to a controller’s processing of personal data under certain circumstances. Where processing is based on a data subject’s consent, the data subject has the right to withdraw consent at any time; however, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Data subjects may also file a complaint with a supervisory authority.
We reserve the right to modify this Privacy Statement at any time. We will notify our merchants of updates by updating the date of this Privacy Statement and posting the updated Privacy Statement to our website and through such other manner as may be stated in our Service Agreement.
Merchants with questions about this Privacy Statement may contact the Fraud Detect support team at FraudDetectSupport@firstdata.com. Both merchants and data subjects may contact our Privacy Office at firstname.lastname@example.org.