Privacy and Security


On this page:

About GDPR

The General Data Protection Regulation (GDPR) applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Under GDPR, organisations collecting personal data must identify the specific grounds on which they are collecting the data, and must consider several rights afforded to the data subject. The ICO has an excellent guide to GDPR, and your company’s data protection officer will also be a good person to talk to.


This guide briefly touches on some of the rights and principles of GDPR and how they relate to Ravelin’s service. In short, Ravelin provides a fraud prevention service and consequently:

  • As a client, it is in your legitimate interest to use Ravelin for the processing of personal data
  • There are exemptions which apply to some of the data subject rights

A fully detailed discussion will take place between you and Ravelin when establishing a Data Protection Agreement (DPA) as part of your contract. Some introductory information is provided below, however bear in mind that the contents of this GDPR guide do not constitute legal advice and are provided for general information purposes only. If you require specific legal advice you should contact your company’s legal counsel.

Data Controllers and Data Processors

In the context of GDPR, Ravelin is the data processor responsible for processing personal data on behalf of Ravelin’s clients, who are the data controllers. However, depending on the solution in question, Ravelin’s GDPR position might change.


Ravelin’s GDPR position for Connect remains the same throughout the entire processing period. Ravelin is the data processor and the client is the data controller.

Image of Connect

Payment Fraud

Ravelin’s GDPR position for payment fraud changes during the processing period.

Image of Detect

Stage 1

When the data subject signs up with the client, Ravelin is a processor and the client is the controller. At this point Ravelin only holds the data that the data subject has shared with the client, who then shares that with Ravelin.

Stage 2

Once the data subject places an order with the client, Ravelin runs the data provided by the client through a set of machine learning algorithms to provide a probabilistic score of the likelihood of the data subject being fraudulent. While running the shared data through our own technological environment (Ravelin databases), Ravelin becomes the data controller in common with the client.

Data Controllers (in common)

Ravelin and the client are data controllers in their own right (i.e. data controllers in common, and not joint controllers) in respect of the processing of the shared customer personal data, on the basis that they each determine on their own (i.e. alone) the purposes and means of the Processing of such shared customer personal data when it is processed within their respective technology environments.

Image of Detect

Personal Data Collected by Ravelin

Ravelin collects data in the following categories:

  • Identity Data
  • Contact Data
  • Financial Data
  • Transaction Data
  • Technical Data
  • Profile Data

Further detail on the data is in section 6 of the Ravelin privacy policy. We do not collect any special categories of personal data, criminal offence data or data relating to children.

Lawful Basis for Processing Personal Data

For processing of personal data to be lawful, both the data controller and the data processor need to identify specific grounds to justify the processing. This is covered in Article 6 and known as the ‘lawful basis’ for processing. To comply with the accountability principle in Article 5 (2), you must be able to demonstrate that a lawful basis applies.

Ravelin’s lawful basis for the processing is because it is in the legitimate interest of the controller to whom we supply fraud prevention services. This is covered in Recital 47 which cites fraud prevention:

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.

As the data controller, you need to define your lawful basis for processing personal data, which may differ from this.

Automated Decision Making and Profiling

Article 22 of GDPR affords data subjects the right not to be subject to automated decision making and profiling unless necessary to enter or fulfil a contract, authorised by law, or undertaken with the subject’s consent.

Ravelin uses a variety of automated monitoring techniques to analyse patterns, detect anomalies, and identify links between different accounts. Techniques such as machine learning, graph networks and rules are combined with manual reviews carried out by analysts. This combination of methods is used to evaluate the risk of fraud and provide feedback to clients with recommendations. In the context of fraud prevention, this automated decision making is permitted without the End User’s consent in Recital 71:

… decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes

Right to Object, Right to Restrict Processing, Right to Erasure

GDPR offers data subjects many other rights, including:

  • The right to object to the processing of personal data, requiring the controller to stop the activity, covered in Article 21 of GDPR
  • The right to restrict processing, covered in Article 18
  • The right to erasure or ‘right to be forgotten’ covered in Article 17

For each of the rights above there is an exemption when the data is processed:

for the establishment, exercise or defence of legal claims

Recital 47’s overriding legitimate interest of fraud prevention can also be taken into account. With respect to data retention, Recital 65 also confirms that retention is lawful where it is necessary to perform a task carried out in the public interest. In the case of Ravelin, personal data is retained in order to protect the public from fraud.

Historical Data

As established in Recital 47, the lawful basis of processing data to prevent fraud constitutes a legitimate interest of the controller. Historical data falls under this scope. Ravelin works with clients to collect historical data with the explicit goal of providing better fraud prevention. The data sharing must be covered in the data controller’s terms and conditions - see what you’ll need to do below.

End User Requests

As stated in section 15 of our privacy policy, Ravelin will evaluate any requests received from users and either respond directly or refer back to the data controller. If a user wishes to exercise any of their legal rights they can contact our Data Protection Officer at

What You’ll Need to Do

Typically, as part of the process of preparing to go live, after finalising the Data Protection Agreement you’ll need to perform a data protection impact assessment (if applicable) and update your privacy policy and any related documents in order to cover the processing of data by Ravelin.

It is essential that as the data controller you reflect in your terms and conditions that users’ data is shared with Ravelin for the purpose of fraud prevention. Ravelin can provide you with details of the information which needs to be included in your terms.