Experian Privacy and Cookies Policy for Dark Web Monitoring, Social Media Monitoring and Identity Restoration Services Provided Outside of the United States

Effective Date:  December 1, 2020

This Privacy & Cookies Policy is also available in: Danish (Dansk), Dutch (Nederlandse), European French (Européen Français), Finnish (Suomen), French Canadian (Français Canadian), German (Deutsch), Italian (Italiano), Norwegian (Norsk), Polish (Polska), Portuguese (Portugues), Spanish - Latin America (Español – America Latina), Spanish - Spain (Español - España), Swedish (Svenska), and Turkish (Türk).

This Privacy and Cookies Policy applies to all ‘personal information’ (in some countries referred to as ‘personal data’) collected from subscribers (individual – and corporate) in connection with our Dark Web Monitoring, Social Media Monitoring and/or Identity Restoration services, (“Services”) and your access to our Web Portal. It sets out what personal information we collect, use, share and secure or otherwise process about you, the reasons for this processing and the lawful basis for it in the course of providing the Services and your choices regarding use, access, correction and other rights in relation to your personal information. 

Individual subscribers 

We mean individuals applying either directly to us for our services, or to services offered by a client of ours who has arranged that the subscriber can use some or all of our services (“Client”). This might include children whose personal information is provided to us by subscribers (or by our Client), in connection with our Dark Web Monitoring Service (“Family Subscription”).

Corporate subscriber

We mean employees, partners and directors (“Staff”) of businesses outside of the United States, where the business is a subscriber applying to use our Services.

together “you” and “your” for the purpose of this Privacy & Cookies Policy. 

Not all of our Services are available to all subscribers.  You should read this Privacy and Cookies Policy carefully to understand how we process your personal information in relation to the Services you use. 

If you are subscriber to Global Identity Works

Please note that in accepting the terms of use of our Web Portal you have entered into a contract with one of our affiliated companies: ConsumerInfo.com, Inc., (a California corporation and an Experian company); or Experian Limited, (a U.K. company and an Experian company).

Although that company acts on behalf of us the processing of your personal information is carried out by us as described in this Policy.

If you are a child, or a parent/guardian of a child under a Family Subscription

Please refer to the version of this Privacy and Cookies Policy that we have developed for children in the Experian Privacy and Cookies Policy (version for children) – Dark Web Monitoring Service section below.

Who is Experian and how can you contact us?

When we refer to Experian in this Privacy and Cookies Policy we mean CSIdentity Corporation, Inc, an Experian company and also known as Experian Partner Solutions, with its principal office at 1501 South Mopac Expressway, Suite 200, Austin, TX 78746, United States (hereinafter “Experian”, “we”, “us” and “our” for the purposes of this Policy)

Experian is part of a group of companies whose parent company is listed on the London Stock Exchange (EXPN) as Experian plc.  The Experian group of companies has its corporate HQ in Dublin, Ireland, and its operational HQs in Costa Mesa, California and Nottingham, UK.  You can find out more about the Experian group on our website at www.experianplc.com.

Experian, as your Controller respects the privacy and values the confidence, of our subscribers.  The term “Controller” is used in European Union (“EU”) data privacy law meaning that we are responsible for determining how and why your personal information is processed. Data privacy laws in many other regions have a similar responsibility role and therefore we use this term ‘Controller’ in this Privacy and Cookies Policy to include the equivalent term/concept in other applicable data privacy laws. 

By using the Services, you acknowledge and agree that you have read and understood the personal information practices described in this Privacy and Cookies Policy. If you do not agree, please do not use the Services.

What information do we collect?

In order to provide the Services, we ask that you provide certain personal information from which you can be identified.  The personal information requested will differ depending upon which of our Services you are using, as set out below. In limited circumstances, this may include special category or sensitive personal information.  We may also collect or create personal information about you in the course of performing our Services, operating our Web Portal, operating our business and complying with legal obligations. The descriptions of our processing of personal information below which are relevant to you are those which relate to the Services you use. 

Access to our Web Portal

Our Web Portal is the gateway via which you can access our other Services, to the extent you are entitled to use those other Services.  If you are entitled to access the Web Portal, you will have been provided with an activation code by our relevant third party Client who has arranged for you to use our Services, or that Client will have provided alternative registration webpages to establish the entitlement to receive the relevant Services we provide.  In this initial set up process you will create an account log-in, set a password and provide your name and email address – all of which will constitute personal information about you (“Account Set Up Data”).  We will collect this Account Set Up Data directly from you or, where relevant, from our Client.  We will use this Account Set Up Data to enable you to access the Web Portal on subsequent visits.

Dark Web Monitoring Service

This Service is available to all subscribers to our Services.  In order to provide this Service to you we collect compromised personal information from a number of different internet sources upon which compromised information is shared (e.g. forums and/or social media groups for sharing compromised information) and hold it on our database (the “Database”).   

The personal information which, you (or they) may provide to us (via our Web Portal) in order for us to search for matches in our Database may include some or all of the following:

  • your name;
  • your date of birth;
  • your contact details, including postal address, telephone number and email address;
  • your log-in details and password (which may contain personal information);
  • your credit/debit/retail card number;
  • your bank account/iban details;
  • your national insurance/medical ID number;
  • your national identifier (ID) or social security number (if applicable), or other alpha-numeric identifiers which may be applicable in your jurisdiction (e.g. tax ID, travel ID or health ID numbers, or equivalents in your jurisdiction);
  • your driver’s license number; and/or
  • your passport number.

Where you have provided us with the above personal information, and we find matches in our Database, we will send you an alert (via email) to notify you of that.  

Where you are an EU/United Kingdom (“UK”) resident, please also see the section in relation to Special Category Personal Information processed by us in relation to this Service.   

Social Media Monitoring Service

Not all subscribers are eligible to receive this Service.  If you are eligible and want to use this service you will need to provide us with your relevant social media account log-in credentials (log-in details and password via a widget).  Please note that this Service will be set to “off” by default until you enter the details referred to above and select “on”.  Once activated, we will access your relevant social media account/s to monitor the content of your relevant social media profiles and alert you (via email) to privacy and/or reputational risks to you, based on the content of your profile and/or postings made by you on your profile wall (including recommended steps for you to take to address those risks, for example, removing certain wall posts or removing information from your profile). 

Privacy risks include making available your personal information which could be used by other people to impersonate you.  Reputational risks are identified by searching the written content (not photographs) of wall posts for matches against our dictionary of terms which may present you with a reputational risk.  The content of your profile and, in certain circumstances, the wall posts on your profile may constitute your personal information (for example, your name, contact details, interests, opinions and beliefs).  We will collect this personal information indirectly from you when monitoring your social media profile/wall posts to identify privacy and/or reputational risks as detailed above. The monitoring undertaken by us in order to provide this Service to you will continue until you turn it “off”, which you can do at any time. You have the option to turn monitoring “on” and “off” for each of your social networks individually. 

Where you are an EU/UK resident, please also see the section in relation to Special Category Personal Information processed by us in relation to this Service.      

Identity Restoration Service

Not all subscribers are eligible to receive this Service.  For subscribers who are eligible to receive this Service, in combination with our other Services described above, we may provide you this Identity Restoration Service.  Depending on your level of eligibility for this Service, the Identity Restoration Service: (i) could be limited to providing you with advice accessible via the Web Portal in relation to steps you can take to protect your identity and address any risks identified; or (ii) additionally may include providing you (at your request, and where your service entitlement or subscription covers this element of this Service) with assistance via a helpline, where our identity restoration advisors can: (a) advise you in relation to steps you should take; 

or (b) at your request (and where your service entitlement or subscription covers this element of the Service), take steps on your behalf to communicate with other parties about restoring the integrity of your identity.  Where you discuss restoration with one of our identity restoration advisors (via our helpline), we may collect further personal information from you which you provide to us, in order to provide this Service to you (for example, which relevant service provider(s) you use and how to contact them in order to take steps to restore your identity). 

Special Category Personal Information

We may collect Special Category Personal Information via the Dark Web Monitoring or Social Media Monitoring Services. “Special Category Personal Information” under applicable data privacy law means personal information which reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying you, data concerning your health or data concerning your sex life or sexual orientation or is otherwise a category of information for which explicit consent is required to allow us to process this information under applicable local law. 

Data Accuracy

Unless you are a child or a Staff member of a business subscriber, you are responsible for the accuracy of the information that you provide (including in relation to your child or Staff member, where applicable), and you agree that any discrepancies or inconsistencies with the information you provide may result in your (or their) identity not being validated, which may prevent access to all or some of our Services.  In addition, providing us with inaccurate information may mean that you will not receive the benefit of the Service – for example, if you wish to use the Dark Web Monitoring Service and you provide us with an inaccurate passport number for matching against the Database, we will not be able to check the correct passport number against the Database or alert you of any matches.  

How do we use your information?

We use your personal information to provide you with the Services which you are entitled to and have requested. 

Access to our Web Portal

To enable you to set a log-in to the Web Portal in order to access our other Services.

Dark Web Monitoring Service

To search our Database to determine whether any of your personal information has been compromised, and send you (or your parent/guardian or business employer, as appropriate) alerts about this where matches are found.

Social Media Monitoring Service

To search your nominated social media profile and/or wall posts to identify privacy and/or reputational risks, and send you alerts about risks we identify.

Identity Restoration Service

To provide you with advice about how to manage identity risks and, if you it forms part of your subscription, to take steps on your behalf and on your request. 

To manage your account

We also collect, store and otherwise process personal information for the following purposes related to your use of the Services

  • to confirm you are entitled to receive the Services;
  • to provide customer support to you as required;
  • to keep a record of alerts sent in relation to the Dark Web Monitoring Service and the Social Media Monitoring Service; and 
  • for compliance with legal, regulatory and other good governance obligations.

General Purposes

In addition, we may also process your personal information for the following purposes:

  • to administer our relationship with you (or your parent/guardian or business employer, where applicable) and (where necessary) to enforce our terms and conditions and for other internal business purposes (where lawful to do so under data privacy laws);
  • to defend a legal claim against us;
  • to develop our products and services for example, to refine the dictionary we use to identify reputational risks when providing the Social Media Monitoring Service to you, by identifying keywords more likely to be associated with such risks and adding them to the dictionary;
  • for statistical analysis (relating to development of our products and services);
  • for compliance with legal, regulatory and other good governance obligations; and
  • for administrative and any related purposes, or where we have a legal right or duty to use or disclose your personal information (including for crime and fraud prevention and related purposes).

Market Research

We may convert your personal information into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from that data itself.  We may then use this aggregated data to conduct market research and analysis, including to produce statistical research and reports.  We may share this statistical or aggregated data in several ways, including for the same reasons as we might share personal information, please read the relevant section on that sharing in this Privacy and Cookies Policy.

What is the Lawful Basis for processing your personal information?

The processing of your personal information is undertaken on the basis of a number of different lawful conditions. 

Necessary in our legitimate interests

The processing of personal information for the following purposes: 

  • providing access to our Web Portal; 
  • providing the Dark Web Monitoring Service  - to conduct searches; 
  • confirming you (or your parent/guardian or business employer, where applicable) are entitled to receive the Services;
  • keeping a record of alerts and the information you (or your parent/guardian or business employer, where applicable) have provided to us, for your (or their) benefit (for example, should you or they require additional Services or support from us) and also for compliance with legal, regulatory and other good governance obligations;
  • processing your personal information for the general purposes explained under that heading in the “How we use your information?” section above; 
  • conducting market research; and
  • disclosures to third parties, such as in the event of a merger (unless the disclosure is to comply with our legal obligations in which case the lawful basis for processing will be legal obligations; or your consent for the disclosure is necessary in accordance with applicable data privacy law, in which case the lawful basis for processing will be consent)

is performed on the lawful basis that it is necessary in our legitimate interests and does not prejudice your rights, freedoms or personal legitimate interests. The legitimate interests that this is necessary for include providing (and improving and developing) Services which benefit our subscribers and Clients who have procured our Services on their behalf, undertaking tasks to enable that to happen and our businesses to function and protecting our business against legal and other risks.

Necessary for compliance with a contract

The processing of personal information for the purposes of providing the Dark Web Monitoring and Social Media Monitoring Services is necessary for us to perform our contractual commitments to you and provide the Services.

Necessary in order for us to comply with our legal obligations

The processing of your personal information for the purposes of keeping a record of alerts, to protect against a legal claim against us, for compliance with legal and regulatory purposes, or where we have a legal right or duty to use or disclose your information (including for crime and fraud prevention and related purposes) is necessary to comply with our legal obligations.

Consent

In some jurisdictions, in accordance with applicable data privacy law, the processing of your personal information (including Special Category Personal Information) for some or all of the purposes described in “What information do we collect and why” and “How do we use your information?”) must be conducted on the basis of your consent (whether you are providing this on your own behalf, or that of a child). Therefore, when registering to obtain the relevant Services from us, we ask that you provide your consent to the processing of your personal information.  Where local data protection laws require consent our processing of your personal information is on the lawful basis of your consent.  However, where consent is not required, we will process your personal information because either it is necessary in or legitimate interests, is necessary to enable us to perform the contract or it is necessary for us to comply with our legal obligations.

Where you are (or your child is, as relevant) an EU/UK resident, our lawful basis for processing the following personal information is based on your explicit consent, (given by you on your own behalf and/or as parent or guardian on behalf of your child as relevant).

1. Dark Web Monitoring – General

To the extent that you provide Special Category Personal Information to us via the Dark Web Monitoring Service or it is contained on a compromised record along with this personal information, we may use it to: 

  • conduct searches to determine whether any of the personal information provided for matching appears to have been compromised, by checking for matches with personal information already held in our Database (or which we subsequently obtain), which we collect from various sources on the internet, and send you alerts about this where matches are found; 
  • provide customer support to you as required; 
  • retain the personal information for the purpose of queries 
  • keep a record of alerts and the information you have provided to us, for your benefit (for example, should you require additional Services or support from us) and also for compliance with good governance obligations (where not required to comply with legal or regulatory obligations); 
  • process for statistical analysis purposes (including conversion to statistical or aggregated form); 
  • disclose the personal information to third parties (apart from our service providers who process information on our behalf) unless the disclosure is required to comply with our legal obligations; and
  • administer our relationship with you.

2. Dark Web Monitoring – Children

The personal information of your child (including Special Category Personal Information belonging to your child - or any other category of information where explicit consent is required to allow us to process this information under applicable local law) which you (as a parent/guardian) provide to us via the Web Portal (or is contained on a compromised record along with this personal information) and which we use to: 

  • conduct searches to determine whether any of the personal information provided for matching appears to have been compromised, by checking for matches with information already held in our Database (or which we subsequently obtain), which we collect from various sources on the internet, and send you alerts about this where matches are found; 
  • provide customer support to you (as parent/guardian) as required; 
  • retain the personal information for the purpose of queries 
  • keep a record of alerts and the information you (as parent/guardian) have provided to us, for your (or your child’s) benefit (for example, should you or they require additional Services or support from us) and also for compliance with good governance obligations (where not required to comply with legal or regulatory obligations); 
  • process for statistical analysis purposes (including conversion to statistical or aggregated form)
  • disclose the personal information to third parties (apart from our service providers who process the personal information on our behalf) (unless the disclosure is required to comply with our legal obligations); and 
  • (only to the extent that the personal information constitutes Special Category Personal Information - or any other category of information where explicit consent is required to allow us to process this information under applicable local law) to administer our account with you (as parent/guardian). 

3. Social Media Monitoring Service

This Service is not provided in relation to children.

Any Special Category Personal Information (or any other category of information where explicit consent is required to allow us to process this information under applicable local law) included on your social media profile or wall posts which are monitored by us in order to provide this Service and which we use to: 

  • provide the requested services of searching your relevant social media profile and/or wall posts to identify privacy and/or reputational risks, and sending you alerts about risks identified; 
  • provide customer support to as required; 
  • retain the personal information for the purpose of queries; 
  • keep a record of alerts and the information you have provided to us, for your benefit (for example, should you require additional Services or support from us) and also for compliance with good governance obligations (where not required to comply with legal or regulatory obligations); 
  • develop this Service (for example, to refine the dictionary we use to identify reputational risks when providing the this Service to you by identifying keywords more likely to be associated with such risks which are added to the dictionary in order to provide a better service to subscribers); 
  • process for statistical analysis purposes (including conversion to statistical or aggregated form);
  • disclose the personal information to third parties (apart from our service providers who process the personal information on our behalf) (unless the disclosure is required to comply with our legal obligations); and 
  • administer our relationship with you.     

Please note that where your consent is requested as our lawful basis for processing you are entitled to refuse to give your consent or to withdraw it any time.  Withdrawing your consent does not affect the lawfulness of our processing based on your consent before it was withdrawn.  However, where your consent is necessary in order for us to process your personal information, by not providing your consent (or withdrawing it), we will not be able to process that information and, or provide the Services to you.

Corporate subscribers 

Where you are a Staff member of a business subscriber, our lawful basis for processing your personal information are  that the processing is necessary in our legitimate interests or to comply with legal obligations 

Do we disclose or share your personal information?

We will share your personal information with third parties only in the ways that are described in this Privacy and Cookies Policy or where otherwise permitted to do so by law.

Suppliers

In order for us to provide you with the Services and for the prevention and detection of fraud, we will share your personal information with third parties who perform services on our behalf, for example IT companies providing data storage, contact center providers (if you are eligible for the helpline element of our Identity Restoration Service) or other communications providers (for example who may send you email alerts if you are using the Dark Web Monitoring Service). These third parties are authorized to use your personal information only as necessary to provide such services to us.

Government bodies, law enforcement, regulators

In certain situations, we may disclose personal information in response to lawful requests by governmental and regulatory bodies, and other public authorities, including to meet regulatory, national security or law enforcement requirements (for example, in relation to investigations of crime). This may be because we are  required by law to comply with our legal obligations, or where the disclosure is necessary in our legitimate interest or those of a third party.

Lawful disclosures

We may also disclose your personal information (including as required by law), for example, to comply with a subpoena, or similar legal process, when we believe in good faith that the disclosure is necessary to protect our rights, protect your safety or the safety of others, to investigate fraud, or to respond to a government request.

Third parties

In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal information to the third parties concerned or their professional advisors. In the event of such a transaction, the personal information held by us will be among the assets transferred to the buyer.

When you close your account with us, we may continue to process your personal information, to the extent permitted by applicable law, for the purposes detailed above (disclosures in relation to suppliers, government bodies, lawful disclosures and third parties).

Experian does not disclose your personal information in a form from which you can be identified to any affiliates within the Experian group (including its parent company), unless otherwise stated elsewhere in this Policy.

Personal information processed by us on behalf of our Clients

In other cases we process your personal information (e.g. Account Set Up Data) on behalf of a Client who is responsible for determining how and why we process it, in which case we will share such personal information with that Client.

Do we send personal information abroad?

The processing of your personal information will primarily be conducted on servers located in Ireland and the United States.  However, some processing of your personal information (including by some of our third- party service providers) may be conducted on servers located in another jurisdiction, such as processing by the identity restoration advisors who are located in the Netherlands.  We take appropriate steps to protect your personal information regardless of where it is stored. These include entering into contracts with third parties. If your personal information will be transferred to a country outside the United Kingdom or European Economic we will also ensure that the EU Commissions approved standard contractual clauses or some other adequacy mechanism (such as the Privacy Shield Framework in the US) is in place to protect it. 

Where we are receiving personal information from a Client (or an Experian Affiliate) who is subject to EU/UK data privacy laws as a controller

This section applies only where:

  • our Client (or an Experian affiliate) provides you with a portal or website via which you access our Services, and provides us with your Account Set Up Data
  • our Client (or Experian affiliate) is subject to data privacy laws in the EU and/or the UK; and 
  • we receive Account Set Up Data from the Client (or an Experian affiliate) and process it in the United States in order to provide our Services. 

In the circumstances outlined, your personal information will be transferred by the Client (or Experian affiliate) to us in the United States, and we (Experian) will protect your personal information in accordance with the Privacy Shield Principles outlined below.

The United States Department of Commerce and the EU Commission have agreed on a set of data privacy principles and frequently asked questions (the “Privacy Shield Principles”) to enable United States companies, to satisfy the requirement under EU law that adequate protection be given to personal information transferred from the EU to the United States.

Experian participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Experian is committed to subjecting all personal information received in connection with the provision of identity theft protection and fraud prevention services from EU member countries (and the UK, during the UK’s transition period following its departure from the EU and any equivalent replacement framework as regards the UK after the expiry of such transition period), in reliance on the Privacy Shield Framework to the Framework’s applicable Principles.  To learn more about the Privacy Shield Framework, and our certification under the name of CSIdentity Corporation, Inc, please visit the United States Department of Commerce’s Privacy Shield List.

Experian is responsible for compliance with the Privacy Shield Principles in relation to the processing of personal information it receives in connection with the services described above, from EU (and UK) Clients, including where it subsequently transfers the personal information to a third party acting as an agent on its behalf. Experian complies with the Privacy Shield Principles for all onward transfers of personal information from the EU (and UK), including the onward transfer liability provisions.

With respect to personal information received or transferred pursuant to the Privacy Shield Framework, Experian is subject to the regulatory enforcement powers of the United States. Federal Trade Commission.  In certain situations, Experian may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our United States-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration, which is a private form of alternative dispute resolution, when other dispute resolution procedures have been exhausted.

Upon request, Experian will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information.  To request this information, please contact us at eu.data.privacy@experian.com.

In relation to how you can exercise your rights in relation to your personal information processed by us, please see the section below entitled “Your Rights – Including Access and Deletion”. 

How do we use Aggregated Data?

We may convert your personal information into statistical or aggregated form, so that you are not identifiable from it alone.  Such statistical or aggregated information may be used for statistical analysis and administration purposes, including analysis of trends, carrying out actuarial work, tailoring services, risk assessment and analysis of costs and charges in relation to our Services.

Where lawful to do so, we may also share statistical or aggregated information with third parties such as Clients, prospective Clients and/or partners, our service and other third parties.  Please note that statistical or aggregated information may be disclosed to other members of the Experian group – although the recipient of that information will not be able to identify you from that information alone.  Examples include business intelligence reports based on aggregated consumer data across regions.

How we keep your personal information secure?

We take appropriate steps to protect the personal information we process about you (for example, encrypting personal information where appropriate).

When you submit personal information to us through our Web Portal or otherwise communicate with us, you should be aware that your personal information is transmitted across the internet and that no method of transmission over the internet is 100% secure.  Although we take reasonable security measures to protect your personal information when we receive it, you also need to ensure you take appropriate steps to protect your personal information.

Marketing

Our range of identity protection products and services is constantly evolving to match the increasingly sophisticated market in which we operate.  We will not send you marketing communications in relation to any of our other products or services (or those of any reputable third parties) without your prior consent and, if you do give your consent to receive this, you can change your mind at any time by contacting us using the contact details in this Privacy Policy.  In the limited instances we send you promotional communications for services you are receiving or have received from us, you may opt-out of receiving them by following the instructions included in each communication, by contacting us.

Please note that marketing communications are not the same as information only or service communications and that consents are not usually required in order for us to communicate with you about the Services you have requested, using contact details you have provided for this purpose.

How long we keep your personal information for?

Your personal information will not be kept for longer than is necessary to fulfill the specific purposes outlined in this Privacy and Cookies Policy and to allow us to comply with our legal requirements, including, without limitation, any tax and commercial obligations, as well as respond to potential legal claims.  We retain certain personal information in connection with the Dark Web Monitoring Service for 25 years from the date of first collection to enable us to more effectively provide this service.

The criteria we use to determine data retention periods include the following:

Retention in case of queries

We may keep your personal information for a reasonable period after you have enquired about Services, in case of follow up queries from you (or your parent/guardian or business employer, where applicable).  Examples of personal information falling within this category are data from product alerts, documents received for ID verification, Account Set Up Data transaction history, correspondence, call notes and personal information submitted for monitoring.

Retention in case of claims

We may keep your personal information for the period in which you (or your parent/guardian or business employer, where applicable) might legally bring claims against us if and to the extent this is relevant.  Examples of such personal information are transactional and Account Set Up Data. 

Retention in accordance with legal and regulatory requirements

Where we are required to keep your personal information to comply with legal and/or regulatory requirements, we will store it for the length of time which we are required to in order to comply with such legal or regulatory requirements (unless we already keep it for a longer period in line with the other reasons stated in this section). Examples of such personal information is transactional (including credit card data for ID verification) and Account Set Up Data. 

Retention for legitimate interests, as permitted under applicable law

We will continue to store personal information, where necessary, to provide our Services to you (or your parent/guardian or business employer, where applicable) and the retention of such personal information is necessary for the purposes of pursuing our legitimate interests.  An example of this type of personal information is information collected in connection with the Dark Web Monitoring Service.  This is retained for 25 years from the date of first collection.  We keep this information for 25 years because it is necessary to ensure that the Dark Web Monitoring Service is fit for purpose. This is because the Dark Web Monitoring Service relies on observing and analyzing historical records in order to detect if such records have been compromised.  Compromises from many years ago can have current impacts for enduring data records.

We review and cleanse the personal information we hold annually to ensure that we only keep what is necessary in order to provide our service and assist our subscribers., You should be aware however that, although reasonable efforts will be taken, it may not always be possible to completely remove or delete all of your personal information from our databases because of back-ups and other technical reasons.  Where this is the case, we will take steps to ensure that your personal information is suppressed in order to render it unusable. 

How we use cookies?

We, and the third parties we engage to perform analytics services: 

  • automatically collect certain information when you access our website (including the Web Portal), via Cookies, Log Files, Web Beacons, and other tracking technologies (the “Tracking Technologies”);
  • We use these Tracking Technologies to administer and improve our Services and the content within them, including to track user movements around the Services, to gather usage information and statistics about how the Services are used, to permit users to log in or enroll in our services, to store user preferences, and to customize content;
  • We do not use cookies for marketing or advertising purposes; and
  • We use both session ID cookies and persistent cookies

We may combine the information we have automatically collected from you with other information we collect about you. We do this to improve services we offer you, for functionality and analytics and to develop new products and services.

The types of cookies we use and why

We use session-based cookies in order to store language and other country-specific preferences such as support contact information. We may also utilize cookies in order to track internal metrics of site usage.

A session ID cookie expires when you close your browser. A persistent cookie remains on your hard drive for an extended period of time.  Persistent cookies also enable us to track and target the interests of our users to enhance the experience on our site.

Can I remove cookies?

You can remove persistent cookies by following directions provided in your internet browser’s “help” file. You can choose to accept or decline cookies. Most internet browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. However, this may prevent you from taking full advantage of the Services.

The following are some examples of information we may collect:

  • Experian web-site pages you view
  • Emails that you open or forward
  • Links you click on
  • Forms you complete

In connection with the use of the Services, for example during the enrolment process or upon log-in to the Web Portal, information about your computer, such as the device ID and other accompanying technical information, will be accessed, stored and used by us or our service provider solely to analyze trends, track users’ movements on the Services, and to gather demographic information about the user base as a whole. If you access the Services through a mobile device, we also may collect information about your device, such as the device ID or another identifier as permitted by the manufacturer.

Unless you are a Global IdentityWorks subscriber (in which case the only cookies used are technical rather than analytical and solely for the purpose of ensuring that our Services function correctly), Experian and our clients have access to reports produced by these service providers that contain aggregated trends and statistics about usage on our proprietary platforms.  However, neither Experian nor any other third parties are able to tie any of the aggregated analytics data to your personal information. At no time will this information be provided or sold to any third party affiliates for advertising or marketing purposes. The use of cookies by our partners and the third parties we engage to perform analytics services is not covered by this Privacy and Cookies Policy.

As is true of most websites, we gather certain information automatically and store it in log files.  This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data.  We do not link this automatically collected data to other information we collect about you.

Third parties with whom we partner to provide certain features on our website also use HTML5 to collect and store information.  Various browsers may offer their own management tools for removing HTML5.

Link to other websites 

Our Web Portal and Services may contain links to other web sites of interest.  However, once you click these links to leave our site, you should be aware that we do not have any control over that other web-site and cannot be responsible for the protection and privacy of any personal information that you provide while visiting such sites. You should exercise caution and look at the privacy statement applicable to any other website you visit as this one will not apply.

Social Media Widgets 

Our Web Portal and Services include Social Media features, such as the Facebook and Twitter buttons or interactive mini-programs/Widgets. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Features to function properly. Social media Features are either hosted by a third party or hosted directly on our Web Portal. Your interactions with these features are governed by the privacy policy of the company providing it.

Your Rights – including Access and Correction

It is important that you understand your rights in relation to your personal information and how you can contact us if you have questions or concerns.  These rights include amongst others described below the right to obtain confirmation as to whether or not your personal information is processed by us as a Controller and the right to request access to your personal information.  In order for us to comply with such a request, we may require you to prove your identity to us, and the relevant requirements may vary from country to country.

In addition to the right of access (above) and subject to applicable law, you also have the right to:

  • be informed of our processing of your personal information (as is explained in this Privacy and Cookies Policy): 
  • request your personal information be updated or amended where personal information is inaccurate;
  • request the erasure, anonymization or blocking of your personal information if it is being processed unlawfully, including where personal information is being retained for a period that is unnecessary for the purposes for which it was collected or subsequently processed; 
  • request that your personal information is transferred to a third party in a commonly-used machine-readable format;
  • withdraw your consent to any processing for which you have previously given that consent (subject to contractual restrictions where those are relevant under applicable law);
  • object (or oppose, or request to cancel), in whole or in part, (as relevant under applicable law),on legitimate grounds, to the processing of your personal information; and to the processing of your personal information for direct marketing purposes or for communication surveys; and
  • claim compensation for breaches of applicable laws in certain circumstances (if that right is available to you under applicable laws).

To exercise any of your rights (as listed above), including to request the erasure/deletion of your information, please contact us through one of the methods listed below under the section entitled “How to contact us to exercise your rights”.  Please note that these rights do not always apply and the timescales for complying may vary depending on which applicable data protection laws apply to our processing of your personal information. .  If you make a request to us, we will confirm whether that right applies to the personal information we hold about you and, if so, what timescales apply to our response under the applicable law.

Alternatively, if your (or your child’s or business Staff member’s) personally identifiable information changes, or if you no longer desire our Services, you may correct, update, amend, or deactivate it by making the change on our subscriber profile page within the Web Portal (to the extent you are a subscriber) or by contacting us through one of the methods listed below

Furthermore, and in the event that you feel that we have not satisfied our obligations under data protection laws, you have the right to complain to your local data protection authority.

Where we process your personal information (e.g. Account Set Up Data) on behalf of a Client (and it is the Client who is responsible as Controller for determining how and why we process it) to exercise your rights in relation to any of your personal information processed by us on behalf of the relevant Client, your request should be sent to the Client who is providing you with access to our Services.

How to contact us to exercise your rights

EU/UK Residents (GDPR-regulated countries)

If you are a resident of an EU country (or the UK) and wish to exercise any of your rights in respect of your personal information, or if you have questions, comments, and/or complaints regarding this Privacy and Cookies Policy or how we collect, transmit, and process data please contact us by:

E-MAIL: eu.data.privacy@experian.com

MAIL: Experian, 1501 S. Mopac Exp, Suite 200, Austin, TX 78746, USA

Non-EU Residents

If you are a resident of a non-EU country and wish to exercise any of your rights in respect of your personal information, or if you have questions, comments, and/or complaints regarding this Privacy and Cookies Policy or how we collect, transmit, and process data please contact us by email or mail:         

Email: global.data.privacy@experian.com

MAIL: Experian, 1501 S. Mopac Exp., Suite 200, Austin, TX 78746, USA

Enforcement

In order to ensure that we comply with the requirements of this Privacy and Cookies Policy we will conduct audits both internally and using this party organisations. In addition, if necessary, we will cooperate with an independent third party as a means of providing you with a mechanism by which any complaints and disputes can be investigated and satisfactorily remedied.

Amendments

We reserve the right to change this Privacy and Cookies Policy.  You can determine when this Privacy and Cookies Policy was last revised by referring to the “Effective Date” at the top of this Privacy and Cookies Policy.  Any changes to our Privacy and Cookies Policy will become effective upon our posting of the revised Privacy and Cookies Policy.  Use of the Services following such changes constitutes your acknowledgement and agreement that you have read and understood the revised Privacy and Cookies Policy then in effect.  Therefore, we encourage you to review this Privacy and Cookies Policy for changes from time to time by visiting the following www.experian.com/privacy/csid-global-privacy-policy.

Experian Privacy and Cookies Policy (version for children) – Dark Web Monitoring Service

Who are you? 

We are CSIdentity Corporation, Inc, an Experian Company and also known as Experian Partner Solutions, and we provide services which help protect people’s information.  Our office address is: 1501 South Mopac Expressway, Suite 200, Austin, TX 78746, United States.

What is personal information?

Personal information is any information that can be used to identify you, such as what you look like (a photo), where you live, how old you are, your email address and your phone number.

Dark Web Monitoring service – what is it?

Some people use the internet to buy and sell things against the law.  For example people steal personal information about other people and sell it on the internet for money.  This could be information about your identity. Where someone has this information they can pretend to be you.

Our Dark Web Monitoring Service carries out searches to see if your information is available on the internet without your permission. We do this by collecting information from different places in the internet and putting it in our database. We then check the information you give us, with the information in our database to see if there is a match. If there is a match we let you/your parent/guardian know so that you and/or they can take steps to protect your information.

What kind of information do you need about me for the service? 

We request the following information about you so that we can carry out these checks:

  • • your name;
  • • your date of birth;
  • • your contact details, including postal address, telephone number and email address;
  • • national insurance/medical ID number;
  • • national identifier (ID) or social security number (if applicable), or other government or official identifiers which may be applicable to you (e.g. tax ID, travel ID or health ID numbers, or equivalents in your country); and/or
  • • passport number.

Your parent/guardian will provide this information on your behalf.  We will have an agreement with your parent/guardian to use your information.  As part of that agreement we’ve asked your parent/guardian to show you a copy of this document so that you understand how your personal information is being used and what the service does.  If you do not agree with this document or do not want the service please see the section below on What do I do if I don’t want to use the service anymore?

How are you going to use my information?

When your parent/guardian signs up to use the service on your behalf, we ask them to give us your information.  We then check your information against our database to see if your information is on the internet without your permission.  We do this using a variety of different searches.  If we find anything we let your parent/guardian, and /or you know.

We will also use your information in our relationship with you and your parent/guardian – for the day to day running of our account with your parent/guardian about the service. We may also use your information to comply with law.  Sometimes we may take your information and change it so that we can review it and learn from it for own research purposes.  Where we do this, we change the information in such a way so that we can’t identify you.

What are the legal grounds that you can use my information?

We rely on different reasons to use your information which are available under law.  Where you live in the EU or the UK, when your parent/guardian signs up on your behalf we rely on them providing consent on your behalf, for us to use your personal information (including special category personal information – or any other category of data where explicit consent is required to allow us to process this information under applicable local law) to: (i) check whether there is a match on our database and let your parent/guardian and/or you know if there is a match (via an email alert); (ii) provide customer support to your parent/guardian if needed and (only to the extent that the information is special category personal information, for example health information or race/ethnicity – or any other category of data where explicit consent is required to allow us to process this information under applicable local law – otherwise we do this based on our legitimate business reasons) deal with our relationship with them; (iii) keep a record of your information and the alerts for your parent/guardian’s or your benefit or to run our business responsibly; (iv) change it so that we can review it and learn from it for own research purposes (as mentioned above); and (v) in some limited cases, to disclose it to other people where there is good reason for this but where not strictly required to comply with law.  Where we use your information in the day to day running of our account with your parent/guardian, this will be for our legitimate business reason to do so (unless it is special category personal information – or any other category of data where explicit consent is required to allow us to process this information under applicable local law – in which case we rely upon your parent/guardian’s consent).  We may also use your information because it is necessary in order for us to comply with our legal obligations. 

Do you share my personal information with anyone else?

We may share your information in the following ways:

  • • With other companies who help us with our service, for example IT companies;
  • • With other companies who provide our Dark Web Monitoring Service as part of their range of services; 
  • • Sometimes we have to share your information with the police, or other law enforcement agencies if they need to investigate a crime; and 
  • • If we sell the company, we may disclose your personal information to the new buyer.

Do you send my personal information to another country?

Your personal information is kept on computers in Ireland and the USA. If we do send your information to another country, we take steps to protect it and your rights under data privacy law as we are required to by that law.

Is my information safe?

We take steps to look after your personal information, such as using technology tools to restrict access to the information around our business and where we send it to others, training our staff and putting processes in place to help to keep it secure.

How long will you keep my information?

Your personal information will not be kept for longer than is necessary. We may need to keep your personal information for the following reasons beyond the end of the contract and supply of services:

  • • Enable us to respond to claims;
  • • To follow up questions you might have;
  • • Where your parent/guardian or you bring a legal claim; and
  • • Where we need to use or retain it to comply with law. 

Personal information which we have collected from the dark web is kept for 25 years. We retain this information for this amount of time to provide the service to you and your parent. Data compromised many years ago can still have current day impacts so having a fuller historical set of data to search allows us to deliver our service more effectively. 

What are my rights?

You have the same rights as an adult when it comes to your personal information. These rights are:

  • • The right to be told about how your information is used (informed);
  • • The right to get a copy of your information (access);
  • • The right to have your information corrected if it is wrong (rectification); 
  • • The right to have your information deleted  (erasure/to be forgotten);
  • • The right to stopping someone using your information when they have it  (restrict processing);
  • • The right to move your information between companies  (data portability);
  • • The right to say no to someone using your information (object); and
  • • The right to say no to someone using a computer to make decisions on your information and building a picture of you (automated decision making and profiling).

You can raise your rights or your parent/guardian can do so on your behalf at any time, to do this please contact eu.data.privacy@experian.com.

You have the right to lodge a complaint at any point with the data protection authority for your country. 

What do I do if I don’t want to use the service anymore?

If you no longer want to use the service, tell your parent/guardian who can contact us or you can contact us directly at eu.data.privacy@experian.com.