Last updated: April 26, 2022
This Policy describes how we collect, use and share personal information in connection with:
- Our communications with employees, clients or representatives of our organizational clients (i.e., the individuals and organizations to whom we provide services);
- Our marketing communications;
- The operation of fraud protection and security tools, and any other services that we offer to our clients; and
- Any other contexts, including events or other offline activities, where we may post, link to or otherwise direct attention to this Policy.
Collectively, we refer to our Site, communications, services and operations as the “Services.”
While reviewing this Policy, here are a few important things to keep in mind:
- “Personal information” refers to any information that identifies or can reasonably be used to identify a natural person, or that is associated with or could reasonably be linked to a natural person.
We provide important information for residents of California in the Notices to Residents of California, US section and for residents of Europe in the Notices to Residents of Europe (including Switzerland and UK) section.
We generally collect information from the following sources: provided to us directly by individuals, collected through automated technologies or collected from a third party.
Information individuals provide to us. Personal information that we collect directly from individuals through the Services or otherwise may include:
- Contact data, such as first and last name, email and mailing addresses, phone number(s), professional title and company name.
- Registration data, such as the information provided to register for Services that we offer, which may include a name, email address and password or other access credentials.
- Communications, such as information provided when a person contacts us with questions, feedback, or otherwise corresponds with us.
- Marketing data, such as the email addresses or contact details that we use to send marketing communications to people, and information about responses to our marketing communications.
Information we collect automatically. We may automatically log the following information about individuals, their computers or mobile devices and any activity occurring on or through the Services:
- Device data, such as IP address, computer or mobile device operating system type and version number, manufacturer and model, browser type, screen resolution, the website visited before browsing to our website and general location information such as city, state or geographic area (but not precise geolocation data).
- Online activity and usage data, such as information about use of and actions on the Site or within the Services, including pages or screens viewed, time spent on a page or screen, navigation paths between pages or screens, access times, length of access and other information about online activity while using the Services.
- Email open and click data, such as IP address and other information about people who open marketing emails from us or click on any links provided in our marketing email.
Information from third parties. We may receive personal information about individuals from other sources, such as:
- Business clients, which may provide us with personal information of others in order for us to provide our services to those clients. For example, a business will pass the email address of a client to check if the email address is on a recent breach list. Business clients may also provide us with personal information about their employees.
For personal information that we receive from business clients, we will use and process such personal information in accordance with the specific terms of our contract(s) with each client and in accordance with this Policy. However, in cases where we process personal information on behalf of third parties and business clients and do not control such information, we may not be able to accommodate the requests and choices that are outlined in this Policy. Instead, people should directly contact the business that controls their personal information.
- Publicly available sources, including social media platforms;
- Information services; and
- Business partners, such as joint marketing partners.
We may combine the personal information we obtain from other sources with the personal information that a person provides to us directly.
Social Media. We may also maintain pages or accounts on social media platforms, such as Instagram, Facebook, Twitter, LinkedIn and Slack. We collect personal information from people who interact with us through social media platforms if they choose to share personal information, such as an account name or contact information. In addition, companies that provide social media platforms may provide us with analytics and aggregated data about our presence on those platforms.
Service delivery and business operations. We use personal information to:
- Provide, operate and improve the Services;
- Communicate with people about the Services, including by sending announcements, updates, security alerts and support and administrative messages;
- Communicate with representatives of our clients and other individuals in connection with providing Services;
- Respond to individuals’ requests, questions and feedback; and
- Perform other internal business operations.
Research and development. We may use personal information to analyze and improve the Services and our business and operations.
Marketing. We may send announcements about 443ID or other marketing communications as permitted by law.
To comply with law. We may use and share personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
For compliance, fraud prevention and safety. We may use personal information and disclose it to law enforcement, government authorities and private parties as we believe necessary or appropriate to: (i) protect our or others’ rights, privacy, safety or property (including by making and defending legal claims); (ii) audit our internal processes for compliance with legal and contractual requirements; (iii) enforce the terms and conditions that govern the Services; and (iv) prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
With consent. In some cases, we may specifically ask for consent to collect, use or share personal information, such as when required by law.
To create anonymous data. We may create aggregated, de-identified or other anonymous data from any personal information we collect. We make personal information into anonymous data by removing information that makes the data personally identifiable to any specific person. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Services and promote our business.
We do not share personal information with third parties without consent, except in the following circumstances or as described elsewhere in this Policy:
Service providers. We may share personal information with third party companies and individuals that provide services on our behalf or help us operate the Services or our business (such as IT, hosting, human resources services, email delivery, marketing, event management and database management services). Our service providers are obligated to protect the confidentiality of personal information and are only permitted to use the personal information to provide services to us.
Clients. For persons employed by or associated with one of our organizational clients, we may share personal information about the client’s employees with that client.
Professional advisors. We may disclose personal information to professional advisors, such as lawyers, auditors and insurers, where necessary in the course of the professional services that they render to us.
To comply with law. We may share personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
For compliance, fraud prevention and safety. We may share personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (i) protect our or others’ rights, privacy, safety or property (including by making and defending legal claims); (ii) audit our internal processes for compliance with legal and contractual requirements; (iii) enforce the terms and conditions that govern the Services; and (iv) prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including personal information, in connection with a business transaction (or potential business transaction) involving 443ID, such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Based on instructions. We may share a person’s personal information with other parties at the instruction or request of the person who is the subject of the personal information.
443ID does not share personal information with our clients in the regular course of providing our fraud prevention and security tools and services, which only provide fraud risk scores, factors influencing high fraud risk scores and digital signal prints.
Review personal information and request changes. For people who have registered with the Services or have an account through the Services, they can review and change their personal information on their account profile page.
Please understand that we may not be able to alter or delete personal information if we are required under applicable law to maintain that information. We are also not obligated to comply with requests that are unreasonably burdensome or expensive, or with requests that would interfere with the rights of another individual. In addition, we may not be able or obligated to provide access to personal information in cases where we hold and process personal information on behalf of one of our clients.
Individual rights. Some individuals may have certain rights under applicable laws, with respect to their personal information. These may include rights to access, correct or delete personal information, portability rights or rights to object or restrict to certain processing of personal information. For those who wish to exercise rights they hold under applicable law, please contact us as directed by the How to Contact Us section. We will process requests as required under applicable laws. Please note that we may take steps to verify the identity of the person who submits a request in order to protect personal information.
Please understand that not all individuals hold rights with respect to personal information and that laws granting such rights may not apply to 443ID. We are also not obligated to comply with requests that are unreasonably burdensome or expensive, or with requests that would interfere with the rights of another individual. In addition, we may not be able or obligated to accommodate the exercise of rights with respect to personal information in cases where we hold and process personal information on behalf of one of our clients.
Opt-out of marketing communications. Any person may opt out of marketing-related emails or other communications by following the opt-out or unsubscribe instructions in our emails or other communications, or by contacting us as directed by the How to Contact Us section. If a person opts out of marketing communications, they may continue to receive service-related, account-related or other non-marketing emails.
Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to websites or other online services. We currently do not respond to “Do Not Track” or similar signals sent to our Site or Services. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.
Cookies. Internet browsers may be configured to reject or disable cookies, as described in browser documentation. Please understand, however, that rejecting or disabling cookies may affect one’s experience of the Site or interfere with the ability to access areas or functions of the Site.
Online advertising. We may also participate in online advertising networks that collect personal information. Many advertising networks offer means to opt out of targeted advertising. More information about targeted advertising is available at https://thenai.org/, and opt-out resources are available at https://optout.networkadvertising.org/.
Declining to provide information. One can always decide not to provide personal information. However, we need to collect personal information to provide certain Services. If we do not collect the information requested, we may not be able to provide those Services.
The Services may contain links to other websites and online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or other online services that are not associated with us. We do not control third party websites or online services, and we are not responsible for their actions.
The Services are not directed to children under the age of 13, and we do not knowingly collect personal information through the Services from children under the age of 13 without appropriate consent of a parent or guardian. If you believe that we may have collected personal information from a child under the age of 13 through the Services, please contact us as directed by the How to Contact Us section.
The security of personal information is important to us. We employ organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of personal information.
We maintain offices and facilities in the United States, and personal information may be transferred to the United States or other locations outside of one’s state, province or country of residence, where privacy laws may not be as protective as those in the state, province or country where the individual resides.
Take 2 Identity, Inc.
Liberty Hill, TX 78642
This section applies to California residents and outlines an individual’s rights and choices with respect to 443ID’s processing of an individual’s personal data under the CCPA.
For business purposes in the last twelve months, we may have collected, used and shared personal data about individuals as described in this Policy. To learn more about the personal data we collect, including the specific pieces of personal data collected, sources of collection, our purposes for collection and the categories of service providers with whom we share personal data, please see the Personal Information We Collect, How We Use Personal Information and How We Share Personal Information sections of this Policy.
We do not sell personal data for business or commercial purposes.
A. Consumer Rights
The CCPA grants California consumers certain rights in connection with the personal data collected by businesses, as described below:
- Right to Know. Any person has the right to know the categories and specific pieces of personal data we have collected about them in the previous 12 months.
- Right to Deletion. Any person has the right to request that we delete any personal data we have collected about them.
- Right to Request Information. Any person has the right to request information about our collection, sale and disclosure of their personal data from the previous 12 months.
- Right to Opt-out of the Sale of Personal Data. Any person has the right to opt-out of the sale of personal data we have collected about them. As of the date of this Policy, 443ID does not sell personal data.
- Right to Non-Discrimination. Any person has the right to not receive discriminatory treatment for exercising any rights of a person under the CCPA. We will not treat any person differently for exercising any of the rights described above.
B. Exercising Individual Rights
To exercise any of the CCPA rights above, please contact us as directed by the How to Contact Us section. We will fulfill requests within forty-five (45) days of receiving a request. Some of these rights may be subject to limitations and qualifications, such as where fulfilling the request would conflict with federal, state or local law, regulatory inquiries, subpoenas or 443ID’s ability to defend against legal claims.
We will verify a request using the individual’s email address. If an individual has created an account with us, we will also verify their request using the information associated with their account, including billing information. Government identification may be required. We cannot respond to an individual’s request if we cannot verify their identity and/or authority to make the request on behalf of another and confirm the personal data relates to them. Making a verifiable consumer request does not require any person to create an account with us.
If an individual wishes to use an authorized agent to submit a request to opt-out on their behalf, they must provide the authorized agent written permission signed by them, the consumer. We may deny a request from an authorized agent if the agent cannot provide to 443ID the individual’s signed permission demonstrating that the agent has been authorized to act on their behalf.
This section applies to individuals located in the EEA, the UK or in Switzerland and outlines additional information about a person’s rights and choices regarding 443ID’s processing of their personal data under the GDPR or equivalent laws in Switzerland and UK.
A. Legal Basis
We collect and process personal data about a person only where we have a legal basis for doing so under applicable data protection laws. Our legal bases include processing personal data as follows:
- With a person’s consent. Where appropriate or legally required, we collect and use personal data about a person subject to their consent (e.g., where legally required for direct marketing activities or to provide the Services).
- Performance of contract. We collect and use personal data about a person to contract with a person or to perform a contract that a person has with us.
- To protect the legitimate interests of 443ID, a person or other parties. We process personal data for our legitimate interests, such as to improve our Services, deliver content, optimize a person’s experience, market our Services, provide appropriate security for the Services and to protect an individual, 443ID and other third parties.
- Where necessary for compliance with laws. We may process personal data about a person: (i) as required by law, such as to comply with a subpoena or similar legal process; (ii) when we believe in good faith that disclosure is necessary to protect our rights or property, to protect an individual’s health and safety or the health and safety of others; (iii) to investigate fraud or respond to a government request; or (iv) if we are involved in a merger, acquisition or sale of all or a portion of our assets.
B. Data Subject Rights
A person has certain rights related to the personal data we hold about them in our capacity as “controller.” Some of these rights may be subject to limitations and qualifications including when: (i) fulfilling an individual’s request would adversely affect other individuals, company trade secrets or intellectual property; (ii) there are overriding public interest reasons; or (iii) we are required by law to retain an individual’s personal data.
- Right of Access. Any person has the right to access personal data held by us.
- Right to Rectification. Any person has the right to rectify personal data that is inaccurate or incomplete.
- Right to Data Portability. Any person the right to request a copy of certain personal data we hold about them in a structured, machine readable format, and to ask us to share this information with another entity.
- Right to Erasure. Any person has the right to have personal data deleted where: (1) they believe that it is no longer necessary for us to hold their personal data; (2) we are processing their personal data based on legitimate interests and they object to such processing and we cannot demonstrate an overriding legitimate ground for the processing; (3) they have provided their personal data to us with their consent and they wish to withdraw their consent and there is no other ground under which we can process their personal data; or (4) where they believe the personal data we hold about them is being unlawfully processed by us.
- Right to Restrict Processing. Any person has the right to ask us to restrict (stop any active) processing of their personal data where: (1) they believe the personal data we hold about them is inaccurate and while we verify accuracy; (2) we want to erase their personal data as the processing is unlawful, but they want us to continue to store it; (3) we no longer need their personal data for our processing, but they require us to retain the data for the establishment, exercise, or defense of legal claims; or (4) they have objected to us processing their personal data based on our legitimate interests and we are considering their objection.
- Right to Object. Any person can object to our processing of their personal data based on our legitimate interests. We will no longer process their personal data unless we can demonstrate an overriding legitimate purpose.
- Objection to direct marketing, automated decision making and profiling. Any person has the right to object to our processing of personal data for direct marketing communications and profiling related to direct marketing. We will stop processing the personal data for that purpose.
- Automated Profiling. In the event that we conduct automated decision making that has a legal or other significant impact we will tell individuals about this and they have the right to challenge such decisions and request that it is reviewed by a human.
- Withdrawal of Consent. Where the processing of an individual’s personal data by us is based on consent, they have the right to withdraw that consent without detriment at any time by contacting us as directed by the How to Contact Us section.
C. Exercising your Rights
If an individual would like to exercise the rights set forth above, please contact us as directed by the How to Contact Us section. Before we respond to requests for personal data, we will require that an individual verify their identity or the identity of any data subject for whom they are requesting personal data. Our verification methods may include requesting that the individual log into their account, confirm their contact information or email address and/or provide documents for identity verification, depending on the nature of their relationship with us.
We will fulfill an individual’s request within thirty (30) days of receipt unless an exception applies. If an individual has concerns unresolved by 443ID, they may also address any grievance directly with the relevant Supervisory Authority or the ICO for UK-based individuals.
D. Contact Details for 443ID’s Data Protection Officer and EU Representative
Take 2 Identity, Inc. d/b/a 443ID (Box #86, Liberty Hill, TX 78642, USA) is the controller for personal data collected in connection with the use of the Services in the EEA, the UK and Switzerland. Our Data Protection Officer can be contacted as directed by the How to Contact Us section.
For EU personal data protection, 443ID has nominated a GDPR Representative Lionheart Squared who may be contacted at:
EU GDPR Article 27 Representative
Lionheart Squared (Europe) Ltd (FAO 443id)
2 Pembroke House
Upper Pembroke Street 28-32
Dublin, D02 EK84
Republic of Ireland
UK GDPR Article 27 Representative
Lionheart Squared Limited, (FAO 443id)
17 Glasshouse Studios
Fryern Court Road
Hampshire, SP6 1QX UK
E. About the Privacy Shield
We are committed to complying with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data transferred from the EEA, UK and Switzerland to the United States pursuant to Privacy Shield. We have certified that we adhere to the Privacy Shield Principles with respect to such personal data. If there is any conflict between this Policy and the data subject rights under the Privacy Shield principles, the Privacy Shield principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit here.
We are aware that, on July 16, 2020, the European Court of Justice invalidated the EU-US Privacy Shield as a means of ensuring adequate protection for personal data transferred to the US. We are also aware that the Swiss Data Protection Authority and Information Commissioner invalidated the Swiss-US Privacy Shield in September 2020. In reflection of these rulings, where we transfer personal data originating in the EEA, UK and/or Switzerland to the US, transfers are made under the Standard Contractual Clauses approved by the European Commission.
By continuing our commitment to the EU-US Privacy Shield and the Swiss-US Privacy Shield frameworks, we remain subject to the investigatory and enforcement authority of the United States Federal Trade Commission (FTC). Furthermore, pursuant to the Privacy Shield principles, we still acknowledge the right of individuals located in the EEA, UK and/or Switzerland to access, inspect, update or correct their personal data. Individuals located in the EEA, UK and/or Switzerland may exercise their rights by contacting us as directed by the How to Contact Us section.
Under the Privacy Shield, we may be liable for the onward transfer of personal data to third parties as described under the Personal Information We Collect section. If we receive personal data subject to our certification under the Privacy Shield and then transfer it to a third party service provider acting as an agent on our behalf, we have certain liability under the Privacy Shield if both (i) the agent processes the personal data in a manner inconsistent with the Privacy Shield and (ii) we are responsible for the event giving rise to the damage. We may be required to release personal data in response to lawful requests by public authorities, including to meet national security and law enforcement requirements.
In compliance with the Privacy Shield principles, we commit to resolving complaints about an individual’s privacy and our collection or use of an individual’s personal data transferred to the US pursuant to Privacy Shield. Individuals located in the EEA, UK and/or Switzerland with Privacy Shield inquiries or complaints may exercise their rights by contacting us as directed by the How to Contact Us section.
We have further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If an individual does not receive timely acknowledgment of their complaint, or if your complaint is not satisfactorily addressed, please visit here for more information and to file a complaint. This service is provided free of charge to you. If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 here.