End User Privacy Statement
Last Updated June 1, 2022
BlockScore LLC D/B/A Cognito (“Cognito”, “we”, “our”, or “us”) offers identity verification, fraud detection, and watchlist screening services (the “IDV Services” or “Services”) globally to companies, firms and financial institutions (“Customers” or “Customer”).
You may be asked by one of our Customers to complete various checks using our service. This end user privacy statement (“Privacy Statement”) explains how your personal data (“Your Personal Information”) may be used when we carry out this service on behalf of our Customers. Cognito also acts as a sub-processor for our parent company, Plaid Inc. (“Plaid”) when Plaid provides IDV Services to its clients. For clarity, when we refer to Customer or Customers in this Privacy Statement, we are also referring to the clients of Plaid that use IDV Services.
The IDV Services are intended only for individuals 18 years or older. If you are under 18, please do not use our Services.
When we provide IDV Services to our Customers, our Customers determine the purposes and means by which Your Personal Information is processed (and our Customers are considered a data controller). We act on our Customers' instructions with respect to how and why Your Personal Information is processed. Cognito is a data processor or sub-processor when it facilitates identity verification, fraud detection, and watchlist screening services at the direction of our Customers. Our Customers direct us to collect Your Personal Information. Cognito acts as a processor or sub-processor when directed to collect information from you, including Your Personal Information, and Cognito receives instructions from our Customers about whom to collect personal data from and when to collect and process Your Personal Information. We use Your Personal Information to provide IDV Services to our Customers. We also transfer and/or provide access to download the information we collect from you, including Your Personal Information, to Customers at their instruction and request.
You should always check the privacy policies of our Customers and direct any queries and request to exercise your rights in respect of Your Personal Information to them.
Cognito will not ever sell Your Personal Information to any third parties. Our Customers decide how we use Your Personal Information, control their data retention policies, and may specify how long to retain Your Personal Information and whether and when we share the information we collect, including Your Personal Information, with our Customer.
Depending on the service required by our Customers, we may process Your Personal Information on our Customers' behalf as described in this Privacy Statement, so we encourage you to read it carefully.
When Cognito provides our Services to Customers, you will be asked to provide information about yourself to us. On behalf of our Customers, we carry out cloud-based identity verification, fraud detection, and watchlist screening services. Our system collects information from you and about you to predict and helps to prevent fraudulent activity in real time. The collection and use of Your Personal Information are described below. We then complete our IDV Services and provide the results directly to our Customers. At Customer's request, we provide a copy of the information you share, including Your Personal Information, for Customer's use and as part of the IDV Services.
Our Customers determine the scope of the request for information and what personal information about you might be used for analysis with the IDV Services. Customers configure the system to require and use certain information to verify your identity. A Customer may configure the IDV Services to ask for limited information. If the requested information is insufficient to provide verification, at Customer’s instruction the IDV Services may request additional information to complete the verification process.
If you are not satisfied with the result of any processing, you should direct your query to the Customer, who will be able to review it.
2. Information We May Collect
Depending on the Services requested by our Customers, we may collect Your Personal Information in the following ways:
Information you provide: We collect Your Personal Information when you provide information requested by the Customer to us. If you choose not to provide the requested information, we will not be able to provide our Customer with the IDV Services. Please contact the Customer to discuss alternative identity verification and screening options, if available for your region or nationality.
Some of the potential information about you that may be requested on behalf of our Customers includes contact details, including your name, email address, postal address, phone number, date of birth, and/or government ID or ID numbers; and/or photo and video information, including pictures, sometimes called selfies, to assess whether a person matches their photo ID and appears to be a live person.
Information used to verify a mobile device or email: We also may provide a two-factor authentication feature to our Customers to help provide measures to ensure that the person providing information has possession of the phone number or email address associated with that identity. To provide this feature for our Customers, we may use Your Personal Information provided by our Customer or by you to send verification codes to you, such as via text messages or emails, which you can then enter to confirm your identity when you log in to use a Customer Site or create a new account.
Information we automatically collect when you visit Customer Sites. Our Services use certain standard tracking technologies to automatically collect certain information about your device when you interact with and use Customer Sites, and how often a device is used to interact with Customer Sites and our IDV Services. Some of this information includes, for example, your IP address and certain unique identifiers, may identify a particular computer or device and may be considered “personal data” in some jurisdictions, including the EU.
The types of information we may collect on behalf of our Customers will depend on whether you visit a Customer Site via an API interface, app using our SDK or a webpage. Learn more here:
To find out more about the tracking technologies we use, learn more here:
Information we collect from third party sources. At our Customer's request and as part of our Services for Customer, we may combine the information we collect about you with information we receive from third parties. For example, we may receive information such as whether an IP address is commercial or private, whether a phone number is a landline, or whether an email domain is free. Customers may also ask us to work with providers that match information provided against third-party sources such as credit header files, mobile account records, utility records, motor vehicle records and other reputable sources. For certain countries, your mobile carrier may be asked to disclose your mobile account details for the purpose of verifying your identity, including your name, address, and device details. We may also receive information about you from third parties and/or collect information about you that is publicly available, on behalf of our Customer.
Special categories of personal data. If our Customers require you to provide us with any document that contains your photograph or if you need to verify your identity by providing a photograph or video of yourself, these images may reveal special categories of data about you, for example, information relating to your health (for example, if you wear glasses), your race or ethnicity or relating to your religious or political beliefs. Our facial recognition technology may also use biometric data, which is information that is used to identify you.
We use these special categories of personal data only on our Customer's instructions and in accordance with any of our Customers' privacy policies and this Privacy Statement and for no other reason.
Special Biometric Data Notice for Illinois and Texas Residents
For residents of Illinois or Texas, if our Customers require you to provide us with any document that contains your photograph or if you need to verify your identity by providing a photograph or video of yourself, the data derived from your face that we and our service providers collect and process on behalf of our Customers to provide the IDV Services may be considered biometric data in some jurisdictions. Your data will be stored as long as requested by the Customer, but no longer than three years, unless otherwise required by law.
3. How We May Use Your Personal Information to Provide Our Service to Customers
We process Your Personal Information on behalf of our Customers on their instructions. You need to check our Customers’ privacy policies to find out how and why Your Personal Information is used. We are not responsible for these policies and you should ask the Customer if you have any questions in relation to this.
Our Customers may use our cloud-based identity verification, fraud detection, and watchlist screening service and we return information to the Customer about the likelihood that the person providing the information is who they claim to be. We also transfer to Customer and/or provide access for Customers to download the information we collect from you, including Your Personal Information, at our Customer's instruction and request.
Our Customers may also request us to use facial recognition technology to verify that the photo on your identity document matches the photo or selfie you submit. Facial recognition data will be destroyed by us or our sub-processors, as may be the case, when the information is no longer needed for verification, as specified by Customer, unless another timeframe for deletion is specified in this Privacy Statement.
Cognito uses Your Personal Information to provide the IDV Services to our Customers, and to help our Customers comply with their legal obligations. We may also use device information or tracking technologies to identify and prevent fraud in our Services. For example, we process Your Personal Information through our cloud-based identity verification service to return match information to our Customers for particular events or activities on the Customer Site. We may also use Your Personal Information to help Customers validate your identity if you seek to exercise your privacy rights. In addition, when our Customers use two-factor authentication, we process Your Personal Information, such as your telephone number or email address, to send a verification code to you via text message or email. This helps our Customers who use this feature to validate end users identities by ensuring possession of phone numbers or email addresses associated with identities.
If you do not complete your verification process on our Service, our Customers may request us to use Your Personal Information to send you a prompt by email or text message to complete the process. You may follow the link in any email to deactivate these reminders if you do not wish to receive these again.
4. How We May Use Anonymized or Aggregate Information to Maintain, Improve, and Develop our Services
We may anonymize, de-identify, or aggregate to maintain, improve and optimize the IDV Services. We use anonymous, de-identified, or aggregate information to develop and improve our service. We believe that this does not adversely affect your rights and interests and is likely to be what you might expect.
5. Your Rights and Choices
Depending on your location and subject to applicable law, you may have the rights regarding Personal Information we process on Customer's behalf.
Data Protection Rights
Where we act as a data processor or sub-processor on behalf of our Customers, you must direct any request to access Your Personal Information or to exercise any of your data protection rights to the Customer. We will assist our Customers in responding to your request and will act on their instructions. Our Customers may use our service to verify your identity as part of this process.
6. Security and Retention
We use technical and organizational security measures designed to protect personal information processed as part of the IDV Services against unauthorized access, disclosure, alteration, and destruction.
Customers control their data retention policies and may specify how long to retain Your Personal Information. When instructed by a Customer to do so, Your Personal Information will either be deleted or anonymized.
7. Updates to this Privacy Statement
We may revise this Privacy Statement from time to time in response to our Customers requirements for our Services and changing legal, technical or business developments. We will provide any updates on our Site and the revised version will be effective when it is posted. If we make any material changes to the ways in which we use or share Personal Information previously collected from you, we will post the updated version here. You can see when this Privacy Statement was last updated by checking the “last updated” or “effective” date displayed at the top of this page.
8. Contacting Cognito
Please contact Cognito with any questions or comments about this Privacy Statement or our privacy practices at:
Attn: Privacy Officer
340 S Lemon Ave., Suite 4260
Walnut, CA 91789
For residents of the European Union and United Kingdom
Cognito has appointed DataRep as its Data Protection Representative for the purposes of the GDPR in the EU/EEA and the Data Protection Act 2018 (as amended) in the UK. If you are an EU/EEA or UK resident and we have processed or are processing your Personal Information, you may be entitled to exercise your rights under the GDPR. To learn more about whom to contact to exercise your rights under the GDPR, learn more here: