Privacy Policy with respect to data received for processing.

U.S. – E.U. Safe Harbor/U.S. – Switzerland Safe Harbor

Australian Privacy Act

Introduction

Accertify provides fraud detection and related screening using its proprietary hosted fraud management platform. In connection with providing this service, Accertify receives data about a variety of commercial transactions. This policy sets forth the manner in which such data is used and secured by Accertify. This policy does not describe how such data may be used by our clients who received the data directly from the consumer and sent it to us. Consumers concerned about the use of their data should review the privacy policies of the companies with which they do business directly in addition to this policy.

Nature of the data received.

Generally, Accertify's clients are merchants selling goods or services on the Internet. Accertify receives consumer data indirectly via its clients. Accertify does not receive data directly from consumers.

Accertify's clients may provide data relating to the purchase and sale of goods or services, the registration for the use of website, or other transactions that involve a risk of fraud, unauthorized use of credit card or other form of payment, or some other abuse of the client's website, property or resources. The data provided typically includes several elements necessary to complete the transaction requested by the consumer. The following are examples of information commonly received by Accertify from its clients, but are not exhaustive; a consumer's name, billing address, telephone number(s), email address and credit card number or other form of payment.

Use of the data received.

The processes used by Accertify generally focus on the nature, elements and circumstances of a particular transaction, not on the specific consumer. Accertify processes the data received from its clients using its proprietary hosted fraud management platform and external data sources to determine the likelihood that each particular transaction is legitimate or whether it has indications of fraud or other impropriety. The results of Accertify's process are made available to the client that sent the transaction data to Accertify. The client may use Accertify's system to carefully review suspicious transactions in an efficient workflow queue before making a decision to accept or reject the transaction. Transactional data is stored by Accertify on behalf of its clients for periods of time specified in its client contracts.

With the written consent of the client, individual elements of data, such as a telephone number or an email address, that were used in a transaction identified by a client as involving fraud may be retained by Accertify and used to weigh the likelihood of fraud in other transactions received from different clients. Where data elements are used for this purpose, Accertify administers a process through which any client, on behalf of a consumer, may challenge the accuracy of any retained data element. A challenge results in a prompt notice and investigation by the client that contributed the data element. In turn, that investigation will lead to the removal or modification of the data from the database if the linkage to a fraudulent transaction is not confirmed.

In addition, Accertify may apply statistical analytics to the aggregate data received from all clients to identify patterns or anomalies useful in predicting the likelihood of fraud in specific transactions. These analytical efforts use the data in an aggregated, anonymous manner.

Accertify may make stored data available to third parties or government officials in response to subpoena or other comparable lawful and compulsory request. Except as described herein, Accertify does not make the data it receives available to third parties.

Compliance with the Australia Privacy Act 1988.

This paragraph states the nature of records that may contain personal information received by Accertify, pursuant to paragraph 3 of Principle 5– Information relating to records kept by record-keeper, as identified in the Australian privacy legislation. It also provides a basic description of the nature of the data Accertify receives and how it is processed and maintained.

(a) Accertify keeps records of commercial transactions and other interactions between consumers and clients using Accertify's fraud detection software. These records may contain any of the information provided by the consumer in completing the transaction. Additional data elements may be added to the transaction record including, but not limited to, the consumer's IP address for that transaction, through the use of third party data services.

(b) The record is kept for the purpose of fraud detection.

(c) Records are kept for any person making an online or telephone purchase of goods or services from an Accertify client.

(d) The period for which records are kept is determined by the contract between Accertify and each individual client, but is generally one year. Specific elements of a transaction, such as email address or phone number, believed to have been used in an attempted fraudulent manner may be retained for longer periods.

(e) Only the Accertify client that sent the transaction data to Accertify may access the record of that transaction, with the following exceptions: (1) records may be accessed by third parties using proper judicial means such as a subpoena, and (2) individual elements of data contained in a record reported as an attempted fraud by a client of Accertify may be retained and accessed in a limited manner, by other clients of Accertify solely for the purpose of detecting fraud.

(f) Any person wishing to determine what, if any, information Accertify maintains about them may contact Accertify as described below.

U.S. – EU Safe Harbor Framework.

In 1995, the European Parliament issued Directive 95/46/EU establishing certain principles for the protection of data privacy within the European Union. In part, the Directive prohibited the transfer of data outside of the European Union to countries without "adequate controls." The U.S. Commerce Department and the European Commission subsequently established the "Safe Harbor" compliance program in order to provide these adequate controls for data transmitted from the European Union to the United States.

Certification of Compliance with the U.S. – E.U. Safe Harbor Principles.

Accertify is a "processor" as defined by Article 2 (e) of Directive 95/46/EC with its headquarters and processing facilities located in the United States.. Because Accertify's processing of the data relates to "the prevention, investigation, detection and prosecution of criminal offences," it may be exempt from certain portions of the Directive. (Directive, Article 13, Section 1 (d)) Nevertheless, Accertify complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Accertify has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement to the extent that is required for processors of data. To learn more about the Safe Harbor program, and to view Accertify's certification, please visit http://www.export.gov/safeharbor/.

Principles of the U.S. – E.U. Safe Harbor Framework.

There are several specific principles regarding data privacy included in the Directive. Because Accertify is a processor, without direct contact with the consumer whose data Accertify is receiving, not all of the principles apply directly to Accertify, but they are addressed individually below.

Notice

Accertify provides individuals with information concerning the type of data it collects, including Personal Information, and the uses of such data via this website. In addition, Accertify encourages its clients, who are typically merchants of goods or services on the internet, to provide their customers with notice of Accertify's role in processing the transaction data.

Choice

Accertify provides fraud detection data processing relating to the use of credit cards and other forms of payment via the Internet, and thus has no direct contact with the individual. We receive the data from an internet merchant with whom the individual has chosen to do business. We encourage our merchant clients to disclose that the data provided in connection with the online transaction will be processed by Accertify to aid in identifying improper uses of online forms of payment.

Onward Transfers

Accertify itself does not make any onward transfers of the data it receives. In some cases, our clients have chosen to use additional third party services that may help verify elements of the data received against other data records, such as the proper correlation between a name, address and phone number. We can facilitate that use of the data and incorporate the result in our processing, but in every such case, the query using the individual's data is performed at the request of our client. As with other principles of the Directive, we encourage our clients to provide the necessary disclosures and choices to its customers concerning the use of the data.

Data Security

Accertify's business requires a high level of data security. Because we routinely receive credit card information as well as Personal Information, we must comply with the Payment Card Industry Data Security Standards – a formal set of security standards that includes annual audit and recertification by an independent assessor. Accordingly, Accertify has in place physical security, system security and firewalls, uses data encryption, compels key employees to undergo periodic background checks and drug testing and applies policies and procedures to protect the data it receives and processes from loss, unauthorized access or misuse.

Data Integrity

The accuracy and efficiency of Accertify's fraud detection services would be impaired if the integrity of the data was not properly maintained. Accertify processes Personal Information along with other data in closely monitored manner that is targeted only to achieve the objective of ensuring that the client's customer – typically a consumer – is the proper, authorized user of the chosen form of payment for an online transaction. Accordingly, Accertify takes reasonable steps to ensure that the data it processes is accurate, complete, current and reliable for this purpose.

Access

To the extent that Accertify retains data for use in identifying future fraud, it does so in the form of discrete elements, such as a list of email addresses that have been used in connection with confirmed fraud. We do not maintain the data in a format that would allow a profile of any individual. Nevertheless, individuals may contact us either directly or through one of our clients, and after appropriate verification of their identity, can reasonably direct the correction or removal of data relating to them in our databases.

Enforcement

In addition to the periodic third party recertification process required by the Payment Card Industry Data Security Standards, Accertify uses a self assessment approach to assure compliance with this privacy policy and its data security obligations. We periodically verify that this policy remains accurate, comprehensive for its intended purpose, is accessible and the link to this text is prominently displayed on our website, fully implemented and conforms with the principles contained in the Directive and the U.S.-Swiss Safe Harbor Framework principles.

Amendments

This privacy policy may be amended from time to time consistent with the requirements of the Safe Harbor. Accertify will post any revised policy on this website.

Contact for questions.

Any questions about the accuracy, use, processing or storage of data received by Accertify should be directed to Legal@accertify.com.

Enforcement.

Accertify is subject to the jurisdiction of the Federal Trade Commission and, in connection with the processing of data on behalf of certain airline clients, to the Department of Transportation.

Privacy Complaints by European Union Citizens:

In compliance with the Safe Harbor Principles, Accertify commits to resolve complaints about your privacy and our collection or use of your personal information. European Union citizens with inquiries or complaints regarding this privacy policy should first contact Accertify at:

Legal@accertify.com and identify "Privacy Compliance" in the subject line, or

Legal/Privacy Compliance
Accertify, Inc.
1075 W. Hawthorn Dr.
Itasca, Illinois, 60143 USA
+1 (630) 735-4400 ask for Legal/Privacy Compliance

Accertify has further committed to refer unresolved privacy complaints under the Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU Safe Harbor, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Accertify, you may contact:

Council of Better Business Bureaus, Inc.
BBB EU Safe Harbor
4200 Wilson Boulevard, Suite 800
Arlington, VA 22203
Phone: 703-276-0100
Web: www.us.bbb.org
Email: eusafeharbor@council.bbb.org