LGPD Privacy Policy

CredoLab LGPD Privacy Policy December 17, 2024

‍

General information and contact details

CredoLab Pte. Ltd. ("CredoLab", "we", "us" or "our") take the protection and security of your personal data very seriously.

If you are a resident of Brazil, this LGPD Privacy Policy (“Statement”) also applies to you and appends the terms of our Privacy Policy. Please read this Statement if and when an organisation of your choice (our customer) has assigned to us your consent to access your personal data as a part of the services we provide to them.

Capitalised terms used but not defined herein, shall have the meanings ascribed to such terms in Brazilian Data Protection Law (as amended by Law No. 13,853/2019), as applicable (“LGPD”).

ThisStatement reflects our good faith understanding of the LGPD and our data practices as of the date posted (set forth above). Accordingly, we may from time-to-time update information in this Statement and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

Our customer and data supplier (you have engaged with) will have a lawful reason for collecting and processing your personal data and may have a separate relationship with you. It is separately required to provide you with information (for example through their own privacy notice)about how it collects and processes your personal data. Please read this notice if and when an organisation of your choice (our customer) has assigned to us your consent to access your personal data as a part of Anti-Fraud Services based on a separate agreement with us.

‍

If you have any questions about how we use your data, please contact our Data Protection Officer by email at privacypolicy@credolab.com.

We have offices in several locations, and our registered office address is at:

CredoLab Pte. Ltd.

111 North Bridge Road,

#08-11 Peninsula Plaza,

Singapore 179098

‍

This Statement addresses the following topics:

• Purpose for collecting data;
• How we collect data;
• What data we collect;
• Why do we believe we have the right to collect data;
• How do we use and protect your data;
• Who will we share your data with;
• Transfers outside of national territory;
• How long do we retain your data;
• Your rights under the LGPD.

Purpose for collecting data 

Your Personal Data may be collected for the purpose of helping financial and other organisations to produce real-time credit decisions based on our alternative credit score (the “Purpose”). We provide this alternative credit score only in relation to the service that you are applying for at the organisation of your choice (our customer). We use mobile and web device metadata and/or personal information (“personal information” or “PI”) to produce the alternative credit score via our proprietary technology. This includes highly sophisticated algorithms and predictive analytics applied to metadata accessed via our mobile application (CredoApply), a mobile SDK (CredoSDK), and a Web JavaScript(WebSDK). We do NOT share your alternative credit score with any third party other than the organisation of your choice (our customer).

‍

How we collect data

Your Personal Data may be collected directly from you in three ways:

• When you download our application (CredoApply); or
• When you use the mobile application of the organisation of your choice (our customer) that has embedded CredoLab’s mobile technology (CredoSDK); or
• When you use the web page of the organisation of your choice (our customer) that has embedded CredoLab’s web technology(CredoWeb).

‍

What data we collect

We may collect the following categories of Personal Data about you:

• On mobile phone, - history of SMS messages, contacts, calendars, list and storage of applications, and registered accounts which might include social accounts, and installed applications, in some cases for the provision of Anti-Fraud Services as a reseller of iovation, including the detection of TOR and VPN type of applications. The core purpose of these types of applications detection, involves a financial-transaction functionality(for example, dedicated banking, dedicated digital wallet) and obtaining broader visibility into installed applications solely for security-based purposes. Hardware type, operating system, language, keystroke patterns and similar information.
• On web device, - device hardware type, operating system, browser type, language, keystroke patterns and similar information.

This still may sound complex, so an example is often the easiest way to explain:

• You are going to receive a credit and/or other financial services from a financial organisation of your choice (our customer).
• In order to provide you with financial service, the financial organisation of your choice needs to assess your creditworthiness.
• At our customer’s request, CredoLab collects specific personal information and/or metadata from your mobile/web devices (via our products and services) (the “Personal Data”) and processes this PersonalData with CredoLab’s proprietary technology.
• We pass your alternative credit score (but in no event your Personal Data) to an organisation of your choice (our customer).
• Financial organisation of your choice (our customer) then decides how it will respond to you, e.g. provide you specific financial service (loan, credit card etc.), decline your request etc.
• CredoLab does not have visibility on, nor can we influence how financial organisation of your choice responds to you.

‍

Why do we believe we have the right to collect data

Pursuant to LGPD, there must be a lawful basis for processing personal data, such as data subject’s consent, performance of a contract with a data subject, a legal obligation or the legitimate interests.

‍

We collect your data only after we have also collected your consent either directly to us(via CredoApply) or via the organisation you are interacting with (CredoSDK, CredoWeb). We will NOT and cannot extract your data without your consent.

‍

We do NOT request for your data from our customers (organisations that you have engaged with) without your consent and do NOT collect or process it without your consent. We/organisation that you have engaged with will also ask you to click on a button that says “proceed with credit analysis”, or similar, before commencing a credit scoring assessment on your mobile phone/web device.

‍

You can be assured that we protect the information we collect. By using our products or services, you agree to the collection, use, and sharing of your data in accordance with this Statement. You may change and revoke your ‘access to data’ permissions at any time by using your phone/device settings.

‍

How do we use and protect your data

We use your data to assess your creditworthiness for a service of your choice (loan, credit card etc.) with the organisation of your choice (our customer). Organisation of your choice may use CredoLab’s assessment as part of their decision process whether or not to grant you a loan or other financial service.

We also use your data to:

• obtain an assessment of your creditworthiness including but not limited to an assessment of the probability of default of your obligations in the framework of contracts for the provision of financial services;
• assess your interest in receiving financial services through algorithms and mathematical modelling.

We handle all personal data and sensitive personal data securely, including transmitting it using modern cryptography (for example, over HTTPS). Although our mobile SDK may use some sensitive data, we use that data only to assess the application for a loan or a credit card with the organisation of your choice and not for advertising purposes.

‍

Who will we share your data with

As explained above, the data collected by our technology is NOT directly sent to the organisation of your choice (our customer). We neither use the anonymous metadata for advertising purposes, nor sell your personal and/or sensitive user data. We may however provide the results of the processing of such metadata to the organisation of your choice, that receives some limited pseudonymised information about you including the result of your credit scoring assessment.

‍

I.e., we share the result of your credit assessment with the organisation you are applying for a financial service. The result of your credit assessment that we share, depends solely on your potential willingness to disclose your information in order to get the services you have requested the organisation of your choice. We also share your potential willingness to communicate directly with the organisation of your choice, if requested by the organisation. We doNOT share the raw data collected from you with any person including the organisation.

‍

We may also share your data in the following ways: when required by competent authority or necessary to comply with a valid legal process; when required to protect and defend the rights or property of CredoLab, including the security of our products and services; when necessary to protect the personal safety, property or other rights of the public, CredoLab or its customers or employees; or in connection with a sale of all or part of our business. If we are involved in a merger, acquisition or asset sale, we will abide by this Statement, and any affected users will be informed if we transfer any personal data to a third party or if personal data becomes subject to a different privacy notice as a result.

‍

Transfers outside of national territory

Your data maybe transferred to, and processed in, countries other than your national territory. These countries may have data protection laws that are different to the laws of your country.

‍

Our group companies, data suppliers, customers and third-party service providers operate around the world. This means that when we collect your data we may process it in any of these countries. However, we have taken appropriate safeguards to require that your data will remain protected in accordance with this Statement.These include implementing the standard contractual clauses for transfers of data between our group applicable data protection laws.

‍

We have implemented similar appropriate safeguards with our data suppliers, customers and third-party service providers and partners and further details can be provided upon request.

‍

How long do we retain your data

We retain the data we collect from you for the length of time necessary to fulfil the specific purpose or purposes for which it has been collected (for example, to provide our customers with a service you have requested or for our customers to comply with applicable legal requirements, such as anti-money laundering). We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.

‍

Once the respective purpose ceases to apply, we will either delete or anonymise the personal data or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your data and isolate it from any further processing until deletion is possible.

‍

To implement and improve the functionality of CredoLab’s technology and to update the credit scorecards developed for our clients, we will keep your data for up to 3 (three) years unless you or organisation of your choice (our customer) request us to delete your data at an earlier date.

‍

If you have questions about or need further information concerning how long we keep your data for, please contact us using the contact details provided below.

‍

Your rights under the LGPD

Due to how CredoLab process data, your personal data is pseudonymised, therefore we are unable to fulfil your rights directly as it is not possible for CredoLab to identify you as an individual.

‍

To exercise any of the right outlined below, please consult with the organisation you have been interacting with. They will then be able to provide CredoLab with information to assist in exercising your rights.

‍

As an individual, you have rights under the LGPD regarding the use of your data, these are:

• The right to withdraw consent – you can withdraw consent at any time.  
• The right to erasure – you can request that CredoLab remove your data from our systems.
• The right to restrict processing – you can request that CredoLab only process your data for the purposes you specify.
• The right to data portability – you can request that the data you have provided to CredoLab be ported to another organisation.
• The right to access your data – You have a right to know what data CredoLab hold on you and for what purpose we are processing your data. 
• The right to rectification – you have the right to ask us to rectify any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• The right to object to processing – you have the right to object to processing if we are able to process your information because the processing is in our legitimate interests.

‍

You are not required to pay any charge for exercising your rights. We will respond to you within one calendar month. If CredoLab is unable to comply with your request, we will provide you with an explanation.

‍

We review this privacy notice on an annual basis, or sooner if changes to regulation require it or we change the way we process personal data.