Privacy policy
v2.0
January 15, 2026
Product Privacy Notice
We provide authentication, fraud-prevention, and device-intelligence services (the “Services”) that operate on behalf of our business customers (“Customer Controllers”). When we deliver the Services to our Customer Controllers, we act as a data processor under the European Union General Data Protection Regulation, the United Kingdom Data Protection Act (2018) and other applicable privacy regulations, and we process personal data under instructions from each Customer Controller.
Categories of Personal Data We Process
We process personal data when it is shared with or submitted to us by our Customer Controllers, who act as data controllers as they interact with their data subjects (their customers).
We process only the personal data necessary to deliver the Services. The categories of personal data and examples of such data categories include:
Session Event Information, such as records capturing the details of a specific usage event, e.g., short message service (SMS), data session, or voice call; phone numbers of the message sender and recipient; timestamps associated with network or message; timestamp when the message was submitted to the network; a unique identifier for a transaction or event record; or the status of an event delivery or session.
Subscriber Data, which refers to the unique identifiers associated with a mobile subscriber and to identifying data such as the international mobile subscriber identity (IMSI) and mobile station international subscriber directory number (MSISDN); data associated with the subscriber identity module (SIM) card, used for multi-IMSI roaming; the subscriber's phone number in international format; timestamps related to the subscription activation; and other data associated with the subscriber's account.
Device Data such as a device SIM card, electronic SIM (eSIM) card and associated integrated circuit card identification number (ICCID) and international mobile equipment identity (IMEI); unique identifiers that identify the device hardware; or the description of the device and its purpose.
Customer Data, which is any data identifying the customer or business entity that owns the device and subscription, such as unique identifiers for the account; name of the customer; or identifiers associated with device(s) within the customer’s account.
Network Data including information such as the mobile network operator (MNO); the network elements involved in the session; mobile country code; identifiers for a mobile operator and other information related to circuit switched services or networks, e.g., 2G, 3G or LTE.
Location Data such as the geographical and network-based location; location area code; country and network codes of the last known cell tower; and an indication of precise or estimated location data for the device.
Service Profile such as the block/unblock configurations; roaming policies; subscriber billing plan; billing currency and service restrictions applied to a subscriber.
IP Address which includes the IP address(es) assigned to a session, subscriber or device; IP address version (IPv4 or IPv6) or IP address/SIM association.
Record Metadata such as system-generated information; identifiers related to a transaction record or indications of data attached to such records.
The purposes for which we process data on behalf of our Customer Controllers are provisioning of authentication services, fraud prevention, security analytics, and as otherwise instructed by Customer Controllers, subject to the lawful basis they determine as appropriate and valid. We do not use personal data for purposes other than to carry out our data processor obligations, and do not otherwise sell or share personal data.
De-identified Data
SLC may process aggregated or anonymized data (“Deidentified Data”) to evaluate, improve and develop our products and services.
Subprocessors
We engage vetted subprocessors to support operational, hosting, analytics, and technical needs. A current list of our subprocessors is available {{here}}.
International Transfers
SLC is headquartered in the United States. We may transfer personal data to the United States or to other jurisdictions outside an individual’s country of residence. We employ strong protective measures along with standard contractual clauses (SCC) for the personal data that is transferred from the EU or UK.
Security Controls
SLC employs a range of technical and organizational measures to protect the Customer Data entrusted to us. Our information security program is designed to protect against unauthorized access to, or loss, misuse or alteration of, such data, and includes encryption in transit and at rest; continuous monitoring and logging; a secure software development lifecycle; and ongoing penetration testing and vulnerability scanning.
While we take these and many other precautions to protect Customer Data, no technology, software or security protocol can be guaranteed to be 100% secure.
Data Subject Rights Support
We assist our Customer Controllers with any requests to carry out individual privacy rights, including the right to access, delete, correct, port, and restrict data. Because we act only on our controllers’ instructions, we cannot respond directly to rights requests for data that we process as a data processor. Once the controller with whom you do business instructs us, we will support them and carry out the required actions under the EU GDPR, UK GDPR and other applicable privacy regulations.
Updates
SLC reserves the right to change or update this Privacy Notice at any time by posting a notice of such updates on our site. We encourage you to visit our privacy page from time to time and to read the Privacy Notice to learn of our current privacy practices and protections.
Contact
For questions relating to this Product Privacy Notice or our role as a data processor, contact: privacy@SLC.digital
