End User Privacy Statement
Last Updated August 25, 2021
BlockScore Inc. D/B/A Cognito (“BlockScore”, “Cognito”, “we”, “our”, or “us”) offers an identity verification, fraud detection, and watchlist screening services globally to companies, firms and financial institutions (our “Customers” or “Customer”). You may be asked by one of our Customers to complete various checks using our service. This end user privacy statement (“Privacy Statement”) explains how your personal data (“Your Personal Information”) may be used when we carry out this service on behalf of our Customers.
Our services are intended only for individuals 18 years or older. If you are under 18, please do not use our service.
When we provide our services to our Customers, our Customers determine the purposes and means by which Your Personal Information is processed (and is considered a data controller). We act on our Customer’s instructions with respect to how and why Your Personal Information is processed. Cognito is a data processor where it is facilitating identity verification, watchlist screening, and antifraud screening services at the direction of our Customers. Our Customers direct us to collect Your Personal Information. Cognito acts as a processor when directed to collect information from you, including Your Personal Information, and Cognito receives instructions from our Customers about whom to collect personal data from and when to collect and process Your Personal Information. We use Your Personal Information to provide Cognito Services to our Customers.
You should always check the privacy policies of our Customers and direct any queries and request to exercise your rights in respect of Your Personal Information to them.
Some of the Cognito Services may be accessed directly by you, including through our websites that reference this policy (e.g. CognitoHQ.com) (collectively “Sites”).
Cognito will not ever sell Your Personal Information to any third parties. Our Customers decide how we use Your Personal Information, control their data retention policies, and may specify how long to retain Your Personal Information.
Depending on the service required by our Customers, we may process Your Personal Information on our Customers’ behalf as described in this Privacy Statement, so we encourage you to read it carefully.
When Cognito provides its services to our Customers, you will be asked to provide information about yourself to us. On behalf of our Customers, we carry out cloud-based identity verification and watchlist screening services. Our system collects information from you and about you to predict and helps to prevent fraudulent activity in real time. The collection and use of Your Personal Information are described below. We then complete these services and provide the results direct to our Customers.
Our Customers determine the scope of the request for information and what personal information about you might be used for analysis with the Cognito services. Customers configure the system to require and use certain information to verify your identity. A Customer may configure Cognito services to ask for limited information. If the requested information is insufficient to provide verification, the Cognito services may request additional information to complete the verification process.
If you are not satisfied with the result of any processing, you should direct your query to the Customer, who will be able to review it.
2. Information We May Collect
Depending on the services requested by our Customers, we may collect Your Personal Information in the following ways:
Information you provide: We collect Your Personal Information when you provide information requested by the Customer to us. If you choose not to provide the requested information, we will not be able to provide our Customer with the Cognito services. Please contact the Customer to discuss alternative identity verification and screening options, if available for your region or nationality.
To find out more about the types of personal information that may be requested from you, see below:
Information used to verify a mobile device or email: We also may provide a two-factor authentication feature to our Customers to help provide measures to ensure that the person providing information has possession of the phone number or email address associated with that identity. To provide this feature for our Customers, we may use Your Personal Information provided by our Customer or by you to send verification codes to you, such as via text messages or emails, which you can then enter to confirm your identity when you log in to use a Customer Site or create a new account.
Information we automatically collect when you visit Customer Sites. Our services use certain standard tracking technologies to automatically collect certain information about your device when you interact with and use Customer Sites. Some of this information includes, for example, your IP address and certain unique identifiers, may identify a particular computer or device and may be considered “personal data” in some jurisdictions, including the EU.
The types of information we may collect on behalf of our Customers will depend on whether you visit a Customer Site via an API interface, app using our SDK or a webpage and more details are provided below:
To find out more about the tracking technologies we use, see below.
Information we collect from third party sources. At our Customer’s request and as part of our services for Customer, we may combine the information we collect about you with information we receive from third parties. For example, we may receive information such as whether an IP address is commercial or private, whether a phone number is a landline, or whether an email domain is free. Customers may also ask us to work with providers that match information provided against third-party sources such as credit header files, mobile account records, utility records, motor vehicle records and other reputable sources. For certain countries, your mobile carrier may be asked to disclose your mobile account details for the purpose of verifying your identity, including your name, address, and device details. We may also receive information about you from third parties and/or collect information about you that is publicly available, on behalf of our Customer.
Special categories of personal data. If our Customers require you to provide us with any document that contains your photograph or if you need to verify your identity by providing a photograph or video of yourself, these images may reveal special categories of data about you, for example, information relating to your health (for example, if you wear glasses), your race or ethnicity or relating to your religious or political beliefs. Our facial recognition technology may also use biometric data, which is information that is used to identify you.
We use these special categories of personal data only on our Customer’s instructions and in accordance with any of our Customers’ privacy policies and this Privacy Statement and for no other reason.
3. How We May Use Your Personal Information to Provide Our Service to Customers
We process Your Personal Information on behalf of our Customers on their instructions. You need to check our Customers’ privacy policies to find out how and why Your Personal Information is used. We are not responsible for these policies and you should ask the Customer if you have any questions in relation to this.
Our Customers may use our cloud-based identity verification and watchlist screening service and we return information to the Customer about the likelihood that the person providing the information is who they claim to be.
Our Customers may also request us to use facial recognition technology to verify that the photo on your identity document matches the photo or selfie you submit. Facial recognition data will be destroyed by us when the information is no longer needed for verification as specified by Customer.
Cognito uses Your Personal Information to provide the Cognito services to our Customers, and to help our Customers comply with their legal obligations. For example, we process Your Personal Information through our cloud-based identity verification service to return match information to our Customers for particular events or activities on the Customer Site. We may also use Your Personal Information to help Customers validate your identity if you seek to exercise your privacy rights. In addition, when our Customers use the Cognito two-factor authentication feature, we process Your Personal Information, such as your telephone number or email address, to send a verification code to you via text message or email. This helps our Customers who use this feature to validate end users identities by ensuring possession of phone numbers or email addresses associated with identities.
If you do not complete your verification process on our Service, our Customers may request us to use Your Personal Information to send you a prompt by email [or text message] to complete the process. You may follow the link in any email to deactivate these reminders if you do not wish to receive these again.
4. How We May Use Anonymized or Aggregate Information to Maintain, Improve, and Develop our Services
We may anonymize or aggregate to maintain, improve and optimize the Cognito Services. We use anonymous or aggregate information to develop and improve our service. We believe that this does not adversely affect your rights and interests and is likely to be what you might expect.
5. Your Rights and Choices
Depending on your location and subject to applicable law, you may have the rights below with regard to Personal Information we process on Customer’s behalf.
Data Protection Rights
Where we act as a data processor on behalf of our Customers, you must direct any request to access Your Personal Information or to exercise any of your data protection rights to the Customer. We will assist our Customers in responding to your request and will act on their instructions. Our Customers may use our Service to verify your identity as part of this process.
6. Security and Retention
We use technical and organizational security measures designed to protect personal information processed as part of the Cognito Services against unauthorized access, disclosure, alteration, and destruction.
Customers control their data retention policies and may specify how long to retain Your Personal Information. When instructed by a Customer to do so, Your Personal Information will either be deleted or anonymized.
7. Updates to this Privacy Statement
We may revise this Privacy Statement from time to time in response to our Customers requirements for our Services and changing legal, technical or business developments. We will provide any updates on our Site and the revised version will be effective when it is posted. If we make any material changes to the ways in which we use or share Personal Information previously collected from you, we will post the updated version here. You can see when this Privacy Statement was last updated by checking the “last updated” or “effective” date displayed at the top of this page.
8. Contacting Cognito
Please contact Cognito with any questions or comments about this Privacy Statement or our privacy practices at:
Attn: Privacy Officer
340 S Lemon Ave., Suite 4260
Walnut, CA 91789
Cognito has appointed DataRep as its Data Protection Representative for the purposes of the GDPR in the EU/EEA and the Data Protection Act 2018 (as amended) in the UK. If we have processed or are processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data.
If our Customer on whose behalf we have processed Your Personal Information is also located the EEA or UK, you should contact our Customer about Your Personal Information instead of Cognito’s Data Protection Representative. If you still want to raise a question to Cognito, or otherwise exercise your rights in respect of Your Personal Information, you may do so by:
- sending an email to firstname.lastname@example.org; or
- contacting our Data Protection Representative via webform at https://www.datarep.com/cognito.
You may also mail your inquiry to DataRep at the following addresses:
|For EU Residents||For UK Residents|
Cork, T12 H1XY
Republic of Ireland
107-111 Fleet Street
EC4A 2AB, London
Please note when mailing inquiries, it is essential that you mark your letters for “DataRep” and not Cognito, or your inquiry may not reach DataRep. Please refer clearly to “Cognito” in your correspondence. On receiving your correspondence, Cognito is likely to request evidence of your identity to ensure Your Personal Information is not provided to anyone other than you.