JuicyScore data policy
List of Terms and Definitions
Purposes of the data collection
Data use and disclosure
Data storage and protection
- The current Data Policy (hereafter «the Policy») sets out the rules for using virtual user data processed by Juicy Labs LLC (hereafter «the Company») in the course of providing services such as operational and fraud risk identification and credit and financial risk reduction for institutions and the Client’s online services.
- The Policy defines the procedure for collecting, processing, storing, using and disclosing information about virtual users (hereafter «Users») on the Company’s web resources (e.g. www.juicyscore.com) as well as on the Client’s web resources, in the course of the Company providing its services.
- The Policy is valid from 02.03.2020.
- Client — Legal entity or individual entrepreneur, receiver of the Company’s services provided on the basis of a contract
- Web resource — Website, mobile application or another resource that can be accessed by a virtual user using the Internet
- Company (or «Juicy Labs») — Juicy Labs LLC, a legal entity registered in the Russian Federation, Moscow, Moscow, Bolshaya Gruzinskaya, 30A, building 1.
- User (virtual user) or Subject — User of the Client’s web resource (website, mobile app) who is the subject of data collection
- Personal data — Any minimal data set defined as personal data according to the Federal Law on Personal Data (152-FZ) and the legislation of the country where the services are provided
- Direct identifier — A unique data attribute related to the data subject providing a one-to-one correspondence with an individual
- Session (or JuicySession) — A unique identifier of an Internet session registered on the Client’s web resource, generated on the Company’s servers, which is at its core an improved token that does not contain any personal data
- Device — A mobile or stationary device with Internet access used by a Virtual user to enter the Client’s web resource
- The Company’s feedback form — The Company’s query form designed for any cooperation issues for corporate bodies and individuals, placed on the public web resource juicyscore.com belonging to the Company, available at https://juicyscore.com/ready-to-connect/
- The Company collects data on virtual users from the Client’s web resources guided by the principle of reasonable necessity and sufficiency. The list of data collected by the Company is open and available for download and review; it contains parameters of the Device, the software and the network connection consistent with the software settings and corresponding with the code of responsible behaviour on the Internet, user safety rules for working online and Apple and Google mobile app standards (EU GDPR, Recital 47 and Article 6(1) (f)).
- Juicy Labs LLC does not collect or process data on Virtual users visiting the Client’s web resources that may infringe their fundamental rights and freedoms. The Company does not process such information as full name, contact data including full address of registration, full address of residence, full numbers of mobile or stationary phones, full email address, information given in the ID documents or sensitive data, such as disposable income, amount of expenses, religion, etc. (EU GDPR, Recital 47).
- The Company collects information from the Client’s web resources only on the basis and in presence of a confidentiality agreement and/or a service agreement (contract), agreed and signed by the Company’s and the Client’s authorized persons.
- Categories of information collected with the SDK installed in the Client’s mobile app
  1) The SDK collects the following categories of information about the device used by a Virtual user to enter the Client’s web resource:
     - Device model, manufacturer, year of production, optional device identifier (MAC address, can be omitted based on local data legislation), parameters of the screen, microphone, video card, processor, OS, accelerometer, fonts and plugins;
     - Software installed on the Device. Operating system: its name, version, and language. Browser: its mask, version, build, graphic rendering, language by default, number of pages visited, current url, previous url, Do Not Track;
     - Network environment, including IP address, connection status, etc.;
     - List of mobile apps installed, sorted by categories: proxy, shopping, games, social networks, credit institutions;
     - Hard drive usage;
     - Speed of typing using hardware or software keyboard, copy / paste operations, etc.;
     - Geolocation with a precision of not less than ~100 meters if authorized by the Virtual user (rounding the virtual user’s initial position on the Device to three decimal places before sending the information to the Company).
  2) The SDK does NOT collect information sufficient for an unambiguous identification of a virtual user, relating to Personal data or Direct identifiers. It does NOT collect or process such data as private correspondence (SMS, e-mail), people’s faces and geotags on photos or images, or contact list.
  3) The recent SDK version for Android and iOS is always accessible in the Client’s personal cabinet.
- If the information in the fill-in field «email_login» is provided to the Company, it is obfuscated by the data processing algorithm used by the Company both on the side of the Client and during data processing by the Company (the value of the fill-in field «email_login» is shortened on average by 5 symbols, depending on the length of the source value, and by at least 2 symbols before the analytical processing, in order to avoid the possibility of restoring the source value).
- Online sessions (JuicySession) generated in connection with service provision.
  1) The sessions are generated at the moment when a User enters the Client’s web resource, on the servers belonging to the Company’s infrastructure; that is why they cannot be Direct identifiers of the Subject.
  2) The Session identifier depends on a random number generator and the time of service invocation. It is at its core equivalent to an improved random token generated for online payment and does not depend on Users or their devices.
  3) Unlike Cookies, the Sessions may not be stored on the device, but they may be available from the memory.
  4) The Sessions are not synchronized with sessions of third parties.
  5) The data on virtual users is not enhanced with data from third parties, including data on virtual users’ behavior on other websites or beyond the scope of JuicyScore activities.
- Information collected with the Feedback form on the www.juicyscore.com website.
  1) Using the Feedback form, a virtual user provides the information kept in the Form of his/her own free will, including personal data according to the legislation of the Russian Federation and the 152 Federal Law on Personal Data, as well as the legislation of the country where the User’s inquiry comes from.
  2) Information collected with the Feedback form on the Company’s website may involve Personal data including surname, first name, patronymic name, name of the organisation, phone number (mobile and / or stationary), email address or other information referring to the representative of the organisation interested in the Company’s services.
  3) By continuing to use the Feedback form, the virtual user agrees that his/her personal information provided to the Company for the purposes and the period of time determined by the Policy will be collected, processed, stored, depersonalised, deleted or subject to any other form of processing.
- Informing the web resource users. In accordance with the current legislation of the Russian Federation, the EU and other countries, the Client is obliged to inform the Users of his/her web resources about the sessions launched on these resources by the Company and about the automated data collection using the software units provided by the Company. The Users should be informed before the data collection starts. In addition to the legal requirements, the Company is committed to including a corresponding clause in the agreements and contracts between the Company and the Client, when possible.
- Adjusting the Do Not Track in the browser. Guided by the purposes of automated data collection (see Section 2.1), the Do Not Track header is disregarded when the Sessions and software units of data collection are launched on the Client’s web resource.
- Delete query (the opt-out principle). As long as the information collected and processed by the Company does not include Personal data, it can be deleted upon Users’ request only theoretically, because it is not possible to connect unambiguously the technical data collected by the Company with a User’s personal information on the Company’s site. However, the delete query is available with the feedback form on the Company’s web resource (www.juicyscore.com) in Russian and English, and the Company is committed to applying its best efforts to accommodate the incoming delete queries.
- Automated data collection on virtual users (sections 1.4 and 1.5 of the Policy)
  1) the data can be used to provide the Company’s services to the Client in order to evaluate fraud risks or other operational risks, credit or other financial risks which can result in financial, reputational or other losses for the Client and / or the Client’s customers who receive the Client’s services online;
  2) the data cannot be used for the purposes of direct marketing activities in order to attract customers for the Client’s services or products, or any other soliciting activities which do not correspond with the purposes described in 2.1.1. of the Policy;
  3) the data collected on the Client’s web resource that were not requested by the Client in order to evaluate the User’s risks are stored not longer than 3 (three) months since collected;
  4) the data collected on the Client’s web resource that were requested by the Client in order to evaluate the User’s risks are stored not longer than 2 (two) years since collected.
- The data collected with the Feedback form on the Company’s web resource is collected and processed in order to contact the representative of the organisation which may be a possible receiver of the Company’s services, to advise on the services provided by the Company, to execute a service contract or carry out any other business activities. The data are stored not longer than 5 (five) years.
- The data provided by the Clients, such as signs of financial damage or high fraud evaluated using internal procedures regarding Devices and Virtual users, registered by the Client on his/her web resources and processed by the Company in order to provide the services are stored not longer than 2 (two) years.
- Data is disclosed by sending a request from the Client’s infrastructure to the Company’s infrastructure according to the technical interaction format.
- A response to the request is presented as an API service and provided to the Client on the basis of an agreement (contract) signed by both parties.
- The response format involves, among other things, information collected on the Client’s web resources and aggregated data that was previously collected from web resources of other institutions that are the Company’s clients. The aggregated format does not allow anyone to determine unambiguously which resources the data was collected from and when.
- Disclosing data in any form other than the agreed format used to provide services to the Client is not provided for and is prohibited.
- The Company is entitled to provide extended non-personal data upon the Client’s request and using the User’s parameters for the purposes of an investigation, if the User had previously entered the Client’s web resource and his/her actions had caused damage to the Client.
- Whether the data disclosed in the course of providing the services to the Client is used or not is the sole responsibility of the Client. The Company does not bear any responsibility for this.
- The Company takes all the required legal, organisational and technical measures to protect the collected data from unauthorized, illegitimate or accidental access, and from deleting, changing, blocking, copying, providing, disseminating or any other illegitimate actions regarding the data, which involves:
  - restriction and regulation of the composition of employees who have access to the data, including Personal data collected with the feedback form on the Company’s web resource;
  - familiarization of the employees who are directly involved in data processing with the applicable data legislation, including the Personal data legislation, and the current Policy;
  - password protection of the access to the data information system;
  - implementation of access control tools for communication ports, input-output devices, removable computer storage media and external storage devices;
  - implementation of an anti-virus control;
  - implementation of firewalling;
  - information backup;
  - ensuring the recovery of information modified or deleted due to an unauthorized access to it.
- The Clients can only access the data using a request from the back-end of the Client’s systems via secure communication channels using the account issued by the Company on the basis of a confidentiality agreement and / or service agreement (contract) previously concluded and signed by both parties.
- Data collected on the Clients’ web resources registered on the territory of the Russian Federation are stored on equipment and processed with IT systems physically located on the territory of the Russian Federation.
- The implementation of the current Policy regulations is controlled by the Authorized person of the Company.
- The Company’s employees, who do not fulfil, through their own fault, their obligations to comply with the procedure of working with data according to this Policy, may be subject to disciplinary sanctions in accordance with the applicable legislation.
- Persons guilty of violating the regulations governing the processing and protection of the data collected by the Company, including Personal data, bear responsibility according to the internal regulations of the Company and the applicable legislation.