Secure your business from login to chargeback
Stop fraud, break down data silos, and lower friction with Sift.
- Achieve up to 285% ROI
- Increase user acceptance rates up to 99%
- Drop time spent on manual review up to 80%
Updated: June 8, 2023
Previous Service Privacy Notice available here link to Service Privacy Notice
Sift Science, Inc. (“Sift”, “we” or “us”) respects your privacy and wants you to be informed about what we do. Sift provides a suite of digital trust and safety products and services (the “Sift Services”) designed to help online businesses (our “Customers”) detect and prevent fraud, security threats, and other illegal or malicious behavior on their digital properties, such as their websites and mobile applications (“Customer Sites”).
This Service Privacy Notice (this “Notice”) explains who we are and how we collect, share, and use personal information about you when: (i) you use the Sift Services as an authorized end user under our Customer’s (your employer’s) account (“Authorized User”); or (ii) you interact with any of the Customer Sites that use the Sift Services as a digital end user or we otherwise process your information on behalf of our Customers for fraud detection and prevention and/or other related purposes (“End User”). We also include information about how you can exercise your privacy rights. “You” or “your” may be an End User and/or Authorized User depending on the context.
Please note that this Notice does not describe our collection and use of personal information when visitors access our website. For information about how we collect and use information via our website (www.sift.com and its subdomains), please see our Website Privacy Notice.
Additionally, if you are an Authorized User and a resident of California, Colorado or Virginia, please also review our Supplemental U.S. State Law Privacy Notice.
We recommend that you read this Notice in full to ensure that you are fully informed. However, if you would like to access a particular section of this Notice, then you can click on the relevant link below to jump to that section.
Sift is a Software-as-a-Service (SaaS) company based in San Francisco, California. We help our Customers detect and address fraud and other illegal or malicious behavior on their Customer Sites and in other contexts using our proprietary real-time machine learning technology.
In doing so, we need to collect and process information about our Customers’ End Users. Our cloud-based machine learning platform uses this information to predict and prevent fraudulent and other illegal or malicious activity in real time.
We offer four core products and related support and knowledge sharing services: Payment Protection (reduces fraudulent payments), Account Defense (reduces fake account creation and prevents bad actors from accessing trust-worthy accounts), Content Integrity (protects Customer Sites from malicious content) and Dispute Management (helps Customers manage chargebacks). You can find out more about these offerings here. find out more about Sift's core product offerings
We then process the Customer Data through our cloud-based machine learning platform to return a relative fraud score which is a numerical indicator of the likelihood of fraud or illegal activity for a particular event on the Customer Site (e.g., a purchase transaction, the posting of content, creation of a profile) and supporting information about potential illegal acts or security threats. For our Dispute Management product, we process the Customer Data to create a win rate which (similar to the fraud score) is a numerical indicator of the likelihood of winning a particular chargeback. In addition to the score and win rate, we provide our Customers with supporting evidence, aggregated reporting, insights and records.
The data we provide to Customers, including supporting fraud scores and supporting evidence and insights, are used by Customers to assist them in identifying and preventing fraudulent activity on their Customer Sites and managing chargeback disputes. Any of this information may also be used by certain Customers to support their legal or regulatory reporting obligations and risk management procedures (e.g., in relation to their anti-money laundering or know your customer (KYC) requirements). It is up to our Customers to decide what action to take or not to take using the information we provide. For example, depending on the rules set by our Customers, transactions with certain scores may be presented with further authentication challenges, flagged for the Customer’s review, or blocked. Typically, however, the transaction or activity will proceed with no issues. More information about what to do if a transaction is blocked is provided in the “Automated Decision-Making” section below. Customers also provide us with ongoing feedback on the accuracy of the scores by reviewing the activity on their Customer Sites, which in turn improves our proprietary modeling and algorithms.
We also may provide security notification and verification features (including two-factor authentication) as part of our Account Defense product. To provide these features, we use certain Customer Data provided by our Customers to notify End Users of login attempts and account activity, and to send verification codes to End Users (such as via text messages or emails), which they can enter on the Customer Sites to confirm their identity when they login to use a Customer Site or create a new account.
Information provided by our Customers: Our Customers decide the type of Customer Data they wish to send to Sift for analysis within the Sift Services. Our solutions and support teams work closely with Customers to assess the utility of the specific Customer Data they send to us. For example, Sift guides Customers as to whether a particular data type (e.g., billing method) may be relevant in assessing the particular activity (e.g., likelihood of stolen payment credentials). While it will depend on the specific product offering and Customer relationship, the Customer Data that Customers typically send to us through our integrations include:
Information we automatically collect when you visit Customer Sites: As further explained below, we use certain standard tracking technologies to automatically collect certain information about your device when you interact with and use Customer Sites. Some of this information (including, for example, your IP address and certain unique identifiers), may identify a particular computer or device and may be "personal data" in some jurisdictions, including the EU. Depending on whether you visit a Customer Site via an app or a webpage, the information we collect includes:
Information we collect from third party sources: We may receive some of the information above from our Customer's service providers or partners (such as, their payment processors, customer support providers or KYC providers), as directed by our Customer. We also combine or enhance the information we collect about you with limited information we receive from third parties. For example, we receive information such as whether an IP address is commercial or private, whether a phone number is a landline, whether an email domain is free, or the issuing bank associated with a transaction. We also work with a small number of providers that match information from social media with End Users' email addresses provided to us, or provide us with a human-readable, mapped location based on a physical address or latitude/longitude.
Sift only uses Customer Data to provide, maintain, improve, and develop the Sift Services and to comply with its legal obligations.
For example, we process Customer Data through our cloud-based machine learning platform to return fraud scores to our Customers for particular events or activities on the Customer Site and/or to return win rates for particular chargeback disputes. We may also use Customer Data to optimize and improve the Sift Services (for example, to train our proprietary models and algorithms so that we can more effectively detect fraudulent behaviors) and to validate the identity of End Users seeking to exercise their privacy rights. In addition, when our Customers use the Sift security notification and two-factor authentication features, we process Customer Data, such as their End Users' telephone number or email address, to notify End Users of login attempts and account activity and send a verification code to End Users via text message or email. This allows our Customers who use these features to identify suspicious logins and validate their End Users' identities when they log into the Customer Sites or create a new account.
We base our processing of your personal information on: (i) our legitimate interests in operating the Sift Services, including to better detecting and preventing fraud, security threats, and other illegal or malicious behavior on Customer Sites; and (ii) our (and our Customers) legitimate interest in combating fraud, maintaining safe online experiences for our Customers and their End Users and reducing the costs associated with invalid or fraudulent chargebacks. In some cases, we may also need to process Customer Data to comply with our legal obligations.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, including any legitimate interests relied upon, please contact us as provided under the How to contact us section at the end of this Notice.
We use standard tracking technologies to automatically collect certain information (as described in the Information We Collect About End Users section) from your device and/or browser when you visit or interact with Customer Sites.
We use the following tracking technologies:
When an End User views or uses a Customer Site, Sift servers are notified, and we are able to collect information from the browser or application as described above.
Automated decision-making means that a decision is made automatically on the basis of a computer determination (using software algorithms), without human review or intervention. The services we provide to our Customers may result in an automated decision being made by our Customers about an action you have made on a Customer Site. For example, in certain limited circumstances, the Customer may use the analysis we provide them to automatically pause the completion of an activity or transaction based on rules the Customer has set. Similarly, the Customer may use the analysis we provide them to challenge a particular chargeback. In such instances, you may be required to take further steps (e.g., two factor authentication), you may potentially be unable to complete a transaction, or your chargeback may be disputed by the Customer. Please contact the relevant Customer directly for more information.
Information you provide to us when you use the Sift Services: You (or your organization's administrator) may provide certain personal information to us through the Sift Services – for example, when you register for the Sift Services, when you consult with our customer support or participate in our online community, send us an email or communicate with us in any way in connection with the Sift Services.
The personal information we collect may include:
If you ever communicate directly with us or within our community, we may maintain a record of those communications and responses.
Usage Data may include:
We collect and process personal information for the purposes and on the legal bases identified below. For these purposes, we combine data we collect from different contexts (for example, from your use of two products within the Sift Services). We use this information to:
We may share and disclose information about End Users and Authorized Users in the following circumstances:
Your personal information may be transferred to, and processed by Sift in, countries other than the country in which you are resident, including the United States, Ukraine and other countries around the world where Sift, its affiliates, service providers or partners operate facilities. These countries may have data protection laws that are different to the laws of your country and may not provide for the same level of protection as your jurisdiction. However, regardless of where your data is processed, we take steps to ensure that your personal information will be processed in accordance with this Notice and the requirements of applicable law.
If you are resident in the EEA, UK or Switzerland, we will protect your personal information when it is transferred outside of your jurisdiction by: (i) processing it in a territory that provides an adequate level of protection for personal information based on the receiving country's data protection laws; and/or (ii) implementing appropriate safeguards to protect your personal information, such as requiring the recipient to comply with the Standard Contractual Clauses, or another lawful and approved transfer mechanism.
Depending on your location and subject to applicable law, you may have the following rights with regard to personal information we control about you:
If you are a resident of the European Economic Area (“EEA”), United Kingdom, and Switzerland, you may access, review, modify, and request deletion of any personal information that we process about you, as required by law. You can send an email to email@example.com to exercise these rights.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws, and treat each according to the requirements of the applicable jurisdiction. To protect your privacy and security, we may need to take reasonable steps to verify your identity before responding to your request. Specifically, we (or our third party service provider acting on our behalf) may need to collect a copy of your photo ID and any other information necessary to confirm your identity. Such information will be securely processed in accordance with this Notice and only used for the purpose of verifying your identity.
In addition, if you are a resident of the European Economic Area EEA, United Kingdom, and Switzerland, and we can properly verify your identity, you can object to the processing of your personal information, ask us to restrict the processing of your personal information or request portability of your personal information. To exercise these rights, email firstname.lastname@example.org.
If you are a resident of the EEA, United Kingdom, or Switzerland, and we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. To withdraw your consent to any processing, email email@example.com.
If you are an End User located in the EEA, UK or Switzerland, you have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA and UK are available here link to EEA authoritiesand Switzerland are link to Switzerland authoritieshere.
When we handle personal information (as defined under the California Consumer Privacy Act (“CCPA”), or personal data as defined under the Colorado Privacy Act (“ColoPA”) and the Virginia Consumer Data Protection Act (“VCDPA”) in providing the Sift Services to our Customers, we do so as a service provider under the CCPA and a processor under the ColoPA and VCDPA to and/or on behalf of our Customers (who are “businesses” under the CCPA and “controllers” under the ColoPA and VCDPA), to assist them in protecting against security threats or detecting illegal, criminal, malicious or fraudulent activity. When requested, we reasonably assist our Customers in responding to consumer requests under these U.S. state privacy laws. Please direct any requests regarding your U.S. state privacy law rights to the businesses you believe may have collected (or transferred to Sift) your information, so that those businesses can properly instruct us whether and how to assist them in responding.
You may at any time ask us to stop sending marketing communications to you, including by clicking "Unsubscribe" in any e-mail communications we send you. If you have any questions in relation to the "Unsubscribe" process, please feel free to get in touch via the contact details set out below. If you choose to no longer receive marketing information, we may still communicate with you regarding such things as your security updates, product functionality, responses to service requests, or other transactional, non-marketing/administrative related purposes.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. To protect your privacy and security, we may need to take reasonable steps to verify your identity before responding to your request.
We use technical and organizational security measures designed to protect personal information processed as part of the Sift Services against unauthorized access, disclosure, alteration, and destruction.
We retain your personal information where we have an ongoing legitimate business need to do so and for a period of time consistent with the original purpose as described in this Notice. We determine the appropriate retention period for personal information on the basis of the amount, nature and sensitivity of your personal information processed, the potential risk of harm from unauthorized use or disclosure of your personal information and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation).
After expiration of the applicable retention periods, we will either delete or anonymize your personal information or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
We may revise this Notice from time to time in response to changing legal, technical or business developments, and the revised version will be effective when it is posted. If we make any material changes to the ways in which we use or share personal information previously collected from you, we will prominently post the updated version here and in our discretion notify you and/or the Customer by email or by other reasonable means. You can see when this Notice was last updated by checking the “last updated” or “effective” date displayed at the top of this Notice.
Please contact Sift with any questions or comments about this Notice or our privacy practices at:
Sift Science, Inc.
Attn: Privacy Officer
525 Market Street, Sixth Floor
San Francisco, CA 94105
If you are a resident in the EEA, UK, or Switzerland, Sift Science, Inc. is the controller of the personal information (i.e., personal data under European data protection legislation) collected through the Sift Services.
You may contact our Data Protection Officer by emailing firstname.lastname@example.org or using the mailing address listed in the Contact Details section above. Our EU representative (for EEA, UK or Swiss data subjects) is:
Sift Science Ireland Limited
by email: email@example.com
by mail: Sift Science Ireland Limited c/o Sift Science, Inc. 525 Market Street, Sixth Floor, San Francisco, CA 94105
Stop fraud, break down data silos, and lower friction with Sift.