Datalake Privacy Notice

Last Updated: December 15th, 2020

Constella Intelligence, Inc. (“Constella”, “we”, or “us”) continuously collects exposed identity information found in open sources on the surface, social, deep, and dark web, and places that data into one or more of our proprietary Constella IDLake databases (collectively, the “Datalake”).  We offer access to the Datalake as a part of the products and services we provide to clients (collectively, the “Services”) to help investigators to, among other things, combat fraud, money laundering, counter terrorism financing, insider threats and other cyber crimes, and to protect consumers from identity theft and account takeover, as further described in this Datalake Privacy Notice (this “Privacy Notice”).

This Privacy Notice applies to Constella’s collection, use, sharing, and processing of data collected from available open sources on the Internet for use in the Datalake. For the avoidance of doubt, our Datalake may or may not include your Personal Data. This Privacy Notice only applies to the extent that your Personal Data is actually collected by Constella from the Internet as described in this Privacy Notice and included in our Datalake. For information on how we collect, share, use, and protect your Personal Data when you visit or use our online service, including Constella websites, Constella products and services offered at /, and any other online services offered by Constella and its affiliates, please refer to our Website Privacy Policy.

This Privacy Notice supplements (and does not supersede) our Website Privacy Policy; however, in the event of any conflict, this Privacy Notice shall prevail with respect to the subject matter governed by this Privacy Notice. Capitalized terms that are not defined below have the definitions given them in our Website Privacy Policy.

  I. Categories of Personal Data We Collect

In the process of collecting data for the Datalake, we may collect any exposed data about you (including Personal Data) that can be found in open sources on the surface, social, deep, and dark web.

In most cases, the categories of Personal Data we collect through the Internet may include the following exposed identity information:

  • First and last name
  • Username (associated with third party online accounts)
  • Email
  • Telephone

In limited cases, the categories of Personal Data we collect through the Internet may also include:

  • Date of birth
  • Physical address
  • Unique personal identifiers, e.g. social security number, tax ID, driver’s license number, passport number, other national identification number
  • Professional or employment-related information, e.g. company name, company website, professional identifier numbers, usernames, and passwords
  • Credit card number, bank account number, insurance account number

We do not review each element of the data we collect for the Datalake, nor do we have the ability to separate out specific data elements from any specific source or breach corpus that we find on open sources on the Internet.  As such, while data that we collect for the Datalake may contain your Personal Data, we have no control over what data is included in each source or breach corpus.

 

  II. How We Use Your Personal Data

We use and process data (including Personal Data) that we collect from available open sources on the Internet as described in this Privacy Notice for the following purposes:

  • To offer and enable clients to use the Services, which are designed to, among other things, protect against or deter fraudulent, illegal or harmful actions and to assist our clients with maintaining the safety, security and integrity of their products and information relating to their customers (which may include you). Please refer to the subsection titled “Our Use of the Data for the Datalake” below for details.
  • To improve and develop the Services, including testing, research, analysis and product development.
  • To comply with our legal or contractual obligations, resolve disputes, and enforce our Terms of Use.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • For any other purpose permitted by applicable data privacy laws, such as the California Consumer Privacy Act (the “CCPA”).  

We will not use the Personal Data we collected for materially different, unrelated, or incompatible purposes.   

Our Use of the Data for the Datalake

As noted in the list above, we use the data (including Personal Data) collected from the Internet to create, improve, and supplement the Datalake and to identify correlations between data records in order to deter fraudulent, illegal or harmful actions, and to protect the safety, security and integrity of your data, our clients, and the internet community generally. Specifically, the Services use such data for the following purposes (see Constella Acceptable Use Policy (the “AUP”), available here (/aup)):

  • Fraud/Criminal Investigations: Performing investigations into or related to countering fraud, anti-money laundering (AML), counter-terrorism finance (CTF), or criminal activity.
  • Know Your Customer (KYC)/Customer Due Diligence: Performing KYC or other forms of identity verification, due diligence, and validation, but not for Fair Credit Reporting Act (FCRA) purposes.
  • Identity Theft Protection/Account Takeover (ATO)/Executive Monitoring (EM)/Domain Monitoring (DM): Providing protection services to end customers or employees.
  • Cyber Security Analysis/Incident Response (IR): Investigating security events and incidents.

Note that we require our clients of the Services to only use the Services pursuant to the AUP. Specifically, our AUP prohibits all uses and activities involving the Services that are illegal, that infringe the rights of others, that interfere with or diminish the use of the Services by others, or that otherwise adversely affect the Services or Constella. For more information, please review the AUP in full.

 

  III. How We Share Your Personal Data

Categories of Third Parties with Whom We Share Personal Data

  • Clients: To the extent that a client purchases access to Services that require access to elements of the Datalake, such access will be provided for the purpose of detecting or deterring fraudulent, illegal or harmful actions and maintaining the safety, security and integrity of their products and information relating to their individual customers (which may include you). Given the fact that the Datalake may or may not contain your Personal Data, it is possible that a client may receive access to that Personal Data during the course of accessing the Services.
    • In most cases, our clients share specific types of Personal Data about you with us in the first place, and our clients are responsible for obtaining your consent for such sharing. The Services process such data with the goal of determining whether there is a correlation with the data records we have in the Datalake. To the extent that Personal Data is contained in the Datalake results, we only share Personal Data for this purpose according to the specific criteria of the data search or requests as instructed by our clients. For clarity, we do not compile your Personal Data to create a profile.
    • In rare cases, we grant access to our Datalake to a very limited and select group of customers, consisting of, for example, law enforcement agencies, government organizations, fraud investigation firms, and banks, for them to draw connections and associations between bits of data in various parts of our Datalake for the sole purpose of detecting fraudulent, illegal or harmful actions and determining the identity of bad actors.
  • Service Providers
    • These are third parties that host the Services on our behalf to enable our provision of the Services, such as AWS. Our hosting service providers store and host the Datalake, which is encrypted by us.
  • Acquirers
    • The Datalake (which may include your Personal Data) and the Services may also be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part).

Disclosures of Personal Data for a Business Purpose

We disclose your Personal Data to service providers and other parties for the following business purposes:

 

  • Auditing related to a current interaction and concurrent transactions, including, but not limited to, auditing compliance with this specification and other standards.
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity.
  • Debugging to identify and repair errors that impair existing intended functionality.
  • Short-term, transient use of Personal Data that is not used by another party to build a consumer profile or otherwise alter your consumer experience outside the current interaction.
  • Performing services on our behalf, including providing hosting services on our behalf.
  • Undertaking internal research for technological development and demonstration.
  • Undertaking activities to verify or maintain the quality or safety of a service or device that we own, manufacture (or that was manufactured for us) or control.

 

  IV. Data Security and Retention

We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. For example, the Services that permit access to the Datalake use industry standard Secure Sockets Layer (SSL) technology to allow for the encryption of Personal Data in our control. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account with any online services.

To the extent that the Datalake contains your Personal Data, we will retain that Personal Data for at least ten (10) years.  After the initial ten (10) year period has expired, Constella will review that Personal Data on an annual basis to determine whether it remains relevant to or necessary for the provision of Services.  If Constella determines that the Personal Data is no longer relevant to or necessary for the provision of the Services, the Personal Data will be deleted.

In some cases we may retain Personal Data for longer periods if doing so is necessary to comply with our legal obligations, resolve disputes, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.

  V. California Resident Rights

If you are a California resident, you have the rights set forth in this section. Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights.

If there are any conflicts between this section and any other provision of this Privacy Notice and you are a California resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at privacy@constellaintelligence.com.

For the sake of clarity, the rights set forth in this Section V do not cover data that may be collected through your use of the Services generally.  Please refer to our Website Privacy Policy for more information on your rights with respect to data that may be collected through your use of the Services generally.

Exercising Your Rights

Please follow the instructions and requirements described below and on our websites when submitting your requests. Requests that fail to comply with any of these instructions and requirements may result in delayed or no response.

To exercise the rights described below as a California resident, you must send us a request (1) that provides sufficient information (including, without limitation, email verification) to allow us to verify that (i) you are the person about whom we have collected Personal Data, (ii) you, as the requester, are the same person as the data subject whose information you’re requesting (or such person’s parent/guardian), (2) that describes your request in sufficient detail to allow us to understand, evaluate and respond to it, (3) that declares, under the penalty of perjury, that you’re exercising your rights under the CCPA as a California resident solely for lawful purposes, and (4) in a way that does not and would not unduly burden or otherwise abuse our data request system, our Datalake, and/or our Services. Each request that meets all of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will use commercially reasonable efforts to determine whether a request may be for harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable purposes, and we reserve the right not to respond to such request. We will only use Personal Data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.

We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

You may submit a Valid Request using the following methods:

You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.

Access

You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response to a Valid Request, we will provide you with the following information:

  • The categories of Personal Data that you requested and that we can reasonably determine, via a review of the Datalake, that we have collected about you.
  • The categories of sources that we can reasonably determine, via a review of the Datalake, from which that Personal Data was collected.
  • The business or commercial purpose for collecting or selling your Personal Data.
  • The categories of third parties with whom we have shared your Personal Data.
  • The specific pieces of Personal Data that you explicitly requested and that we can reasonably determine, via a review of the Datalake, that we have collected about you.

If we have disclosed your Personal Data to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient, unless we’re restricted from doing so by law or court order. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data sold to each category of third party recipient, unless we’re restricted from doing so by law or court order.

You acknowledge that in some cases, we may not know whether your Personal Data is contained in the Datalake.   By way of example only, if a password happens to be contained in the Datalake, we have no way to know whether that password, absent any other information clearly identifying you as the source of the password, is your Personal Data (or possibly the Personal Data of someone else who uses the same password).  With that in mind, you understand that while we will use reasonable efforts to review the Datalake to respond to a Valid Request, we may not be able to determine whether we have actually collected any particular Personal Data about you.

Deletion

You have the right to request that we delete the Personal Data that we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Services or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request, even if it otherwise constitutes a Valid Request.

You acknowledge that we are constantly collecting exposed identity information found in open sources on the surface, social, deep, and dark web, and placing that information into the Datalake.  With that in mind, in the event that we delete your Personal Data in response to a Valid Request, you acknowledge that nothing will prevent the possible collection of that Personal Data at some future time, if that Personal Data happens to be contained in other open sources on the surface, social, deep, and dark web.  You have the right to make additional Valid Requests to delete Personal Data at any time.

 

Personal Data Sales Opt-Out and Opt-In

In this section, we use the term ‘sell’ as it is defined in the CCPA. We sell your Personal Data solely to the extent that: (i) we make the Datalake available to our clients via their use of the Services; (ii) we make the Services available to clients for a fee; and (iii) the Datalake contains Personal Data about you at the time that the client is accessing the Services that utilize the Datalake.  The categories of Personal Data that may be sold will vary based on the content of the Datalake at any given time.  You can submit a data access request for information regarding the categories of Personal Data sold to each category of third party recipient. Please refer to Section “Access” above for more details.

You have the right to opt out of sales of your Personal Data.  Please note that such an opt-out request also needs to be a Valid Request (as described above). You can opt-out by submitting a Valid Request using the following methods:

  • You can complete the online form found here: Do Not Sell My Personal Information https://www.constellaintelligence.com/contact-us/
  • Email us at privacy@constellaintelligence.com

You acknowledge that we are constantly collecting exposed identity information found in open sources on the surface, social, deep, and dark web, and placing that information into the Datalake.  With that in mind, in the event that you opt out of sales of your Personal Data pursuant to a Valid Request, you acknowledge that nothing will prevent the possible collection and sale of that Personal Data as part of the Datalake at some future time, if that Personal Data happens to be contained in other open sources on the surface, social, deep, and dark web.  You have the right to make additional Valid Requests to opt out of sales of your Personal Data at any time.

We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA

We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our Services as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of Personal Data that we receive from you.

 

  VI. Other State Law Privacy Rights

Please refer to the “Other State Law Privacy Rights” section in our Website Privacy Policy for more details.

If you have any questions about this section or whether any of the following rights apply to you, please contact us at privacy@constellaintelligence.com.

 

  VII. European Union Data Subject Rights

If you are a resident of the European Union (“EU”), United Kingdom, Liechtenstein, Norway or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data. Please refer to the “European Union Data Subject Rights” section in our Website Privacy Policy for more details. The following applies to our collection, use, sharing, and processing of data (including personally identifiable information) collected from the Internet for use in the Datalake.

Purposes for the processing

The purpose of Constella’s Datalake is to support the Services by collecting data from available open sources on the Internet at a high pace, and extracting relevant information from that data. This includes information about individuals, companies, organizations, places, etc. The data are stored in a centrally located and highly secure location.

Constella processes the data contained in the Datalake in order to create correlations between data records for certain legitimate business purposes, which may include (but are not limited to) the following (see Constella Acceptable Use Policy):

  • Fraud/Criminal Investigations: Performing investigations into or related to countering fraud, anti-money laundering (AML), counter-terrorism finance (CTF), or criminal activity.
  • Know Your Customer (KYC)/Customer Due Diligence: Performing KYC or other forms of identity verification, due diligence, and validation, but not for FCRA purposes.
  • Identity Theft Protection/Account Takeover (ATO)/Executive Monitoring (EM)/Domain Monitoring (DM): Providing protection services to end customers or employees.
  • Cyber Security Analysis/Incident Response (IR): Investigating security events and incidents.

When we process Personal Data that may be contained in the Datalake for these legitimate interests, we make sure to consider any potential impact on potential data subjects and their rights under data protection laws, such as the GDPR.

Lawful basis for the processing

In line with the purposes pursued by Constella, the legitimate basis for the processing of this information is the legitimate interest it has in analysing the information in the Datalake to help prevent fraud and other unlawful acts, and to ensure the integrity and security of the information (not only of its clients).

Do we disclose any information to third parties?

Except as stated under Section III (How We Share Your Personal Data) above, we do not otherwise disclose or transfer your Personal Information to any other third parties not specified in this Privacy Notice. We may also release your information when said release is appropriate to comply with the law, enforce our policies or the Terms of Use, protect our rights, property, or safety, or protect the rights, property, or safety of third parties.

Except as stated under Section III (How We Share Your Personal Data) above, Constella may only disclose your Personal Data without your consent if the disclosure of such information is reasonably necessary to:   

  • Satisfy any applicable law, regulation, legal process or valid governmental request; or
  • Detect, prevent, or otherwise address fraud, security or technical issues.

 

Retention periods

We will retain your Personal Data for as long as necessary in accordance with the purpose(s) for which it was collected and in accordance with applicable law. The criteria used to determine our retention periods include:

  • the length of time during which it remains advisable to store certain data in the Datalake;  
  • whether there is a legal obligation to which we are subject;
  • whether retention is advisable in light of the legal position to which we are subject (such as that relating to applicable limitations or statutes, pending litigation or regulatory investigations).

 

How can you exercise your data protection rights?

If you would like to review, correct, update, suppress, delete or otherwise limit our use of your Personal Data that has been previously provided to us, or if you would like to request an electronic copy of your Personal Data for purposes of transmitting it to another company (to the extent you have a right to data portability under applicable law), you may make a request by contacting us using the information provided in the contact section of the website. We will respond to your request in a manner consistent with applicable law.

For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable and consistent with applicable law.

You acknowledge that we are constantly collecting exposed identity information found in open sources on the surface, social, deep, and dark web, and placing that information into the Datalake.  With that in mind, in the event that we delete your Personal Data in response to a Valid Request, you acknowledge that nothing will prevent the possible collection of that Personal Data at some future time, if that Personal Data happens to be contained in other open sources on the surface, social, deep, and dark web.  You have the right to make additional Valid Requests to delete Personal Data at any time.

You can exercise your rights by sending a request to the contact address above or to the following email address: privacy@constellaintelligence.com.  You must include detailed information and documentation proving your identity in order to manage your request satisfactorily. We will process your request and give you an answer within the time limits set by current legislation.

  VIII. Changes to this Privacy Notice

We’re constantly trying to improve the Datalake and the Services, so we may need to change this Privacy Notice from time to time, but we will alert you to any such changes by placing a notice on our website and/or by some other means. Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address to receive updates), those legal notices will still govern your rights with respect to the Personal Data included in the Datalake (if any), and you are still responsible for reading and understanding them.  Use of information we collect is subject to the Privacy Notice in effect at the time such information is collected.

  IX. Contact Information:

If you have any questions or comments about this Privacy Notice, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

If you are located in the European Union, you may use the following information to contact our Data Protection Officer and our European Union-Based Member Representative:

  • Our branch office in the European Union: Sucursal en España (“Constella”) located at C/Acanto 22, 13th floor, 28045, Madrid (Spain)

Data Protection Officer: privacy@constellaintelligence.com