This Policy applies to you if you are a consumer who:
- has interacted directly with FICO about a FICO product or service;
- is a myFICO customer;
- has registered to participate in industry discussions and/or receive marketing and industry materials through myFICO or myFICO Forums; or
- has registered to participate in industry discussions and/or receive marketing and industry materials at FICO Analytic Cloud in the FICO Community or the FICO Marketplace.
We are committed to fairly and accurately processing and protecting personal information when we control the purposes and means of processing that information. This Policy describes our data privacy practices and the rights you have to (i) opt out of receiving information you have consented to receiving as a registrant to our services (see Section 6); (ii) access, correct, or delete your personal data under our control; (iii) challenge or dispute our processing of your personal data; (iv) limit our disclosure of your personal data to third parties; and (v) file a complaint with us or a regulator. You will not receive discriminatory treatment from us for exercising your privacy rights under this Policy.
When you use a FICO website to obtain products or services, we do not permit a third party, without your express consent, to collect personal information from the FICO website about you or your online activities beyond what is necessary for that party to perform business activities on our behalf.
1. Categories of Personal Data
A. Personal Data that FICO Collects, Processes, Stores, and Discloses
We collect and process personal data for our own business purposes that may include:
- Identifiers such as a real name, alias, signature, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
- Physical and personal characteristics or description; biometric information, including audio (voice print), electronic visual (facial scan), thermal, olfactory, finger print, DNA, or similar information; geolocation data; education; professional and employment-related information.
- Commercial information, including bank account number, credit card number, debit card number, records of personal property, credit data from credit bureaus, and demographic data from data brokers to build and populate FICO models that control our business software.
- Consumer browsing and shopping activity, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; Internet or other electronic network activity information, including browsing history, search history; and information regarding a consumer's interaction with an Internet website, application, or advertisement.
B. Business Purposes For the Collection, Processing, and Use of Personal Data
We collect personal information at this website in order to:
- Register you at our website for an account or an interaction with us;
- Provide certain functionality at the website, and monitor the performance of the functionalities and services offered on the website;
- Process your inquiries and requests, provide you with requested information or services, and anticipate your future needs;
- Verify your identity when you visit the website to protect you from fraud, unauthorized access, and identity theft; and
- Analyze and research improvements to the website, and to our products and services.
We may draw inferences from the information identified in this section to create a profile about consumers reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. These inferences allow us to improve our products and services and tailor our online information for the benefit of our customers.
2. Sources of Personal Data
A. Consumer Provided Information
We collect personal data from applications for employment, other applications or questionnaires when you contact us, and other forms you submit to us or our clients, such as your contact information (name, home address, email, and telephone number) and your date of birth, Social Security number, social insurance number, passport or other identification number, nationality, job title, your company's name and industry sector, your company's location (country, state and zip code). We also collect personal data from your transactions and interactions with us, such as your professional interests, or information you may provide via your interactions with our online forums, blogs, or participation in our online communities.
B. Credit Bureaus and Other Data Sources
We collect personal data from credit bureaus if it is necessary for the delivery of the services we provide you, and we may access public sources of personal data, such as census data and real estate records, and private sources of personal data, such as business bureau, industry analyst, or market research data.
C. Cookies and Web Analytics
In addition, we use web-based tools when you visit FICO websites, such as "cookies" to track your online activities, including your registration, submissions, and information requests, in accordance with applicable law. Cookies are small text files placed by a website server on your computer or other device you are using to access the website. We may collect information about the pages you have viewed, which is used to monitor and assess the website and improve its performance. Other cookies track your online activities on this website, including the IP address from which you accessed the website, and we may link that information with personal data you have provided us through online registration, to help us remember your settings. We may also use your IP address to help diagnose problems with our server and to administer the website. The length of time we may keep a cookie on your device will depend on the nature of the cookie and the reason we have set it.
D. Video Surveillance
We may conduct video surveillance of our workplace locations to identify safety and security concerns, detect theft or misconduct, and deter or prevent harassment and workplace violence.
3. Storage and Retention of Personal Data
Your personal information will be held only as long as you are a FICO customer, or the customer of a business for which FICO is a vendor, and thereafter only if we or the business has a legitimate business interest in the personal data. We may use personal information in a depersonalized (anonymized or pseudonymised) or aggregated format for the purpose of reviewing and improving our own account acquisition and management processes, analyzing the effectiveness of our solutions, and creating, validating or updating our products and services.
4. Disclosure of Personal Data
A. Service Providers (vendors; contractors; distributors)
We disclose personal information to our service providers who provide technical, operational, or administrative support, but only if the personal information is reasonably necessary and proportionate to provide the services. We will only disclose personal information to service providers who process it pursuant to our instructions and with our oversight. Disclosure to service providers may occur for these purposes:
- Auditing related to current customer interactions and concurrent transactions, including counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Maintaining and repairing our digital infrastructure for efficiency and data security, including the company's computer hardware, web servers for cloud hosting our web servers; detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Undertaking activities to verify or maintain the quality or safety of our software or a service we engage in, and to improve, upgrade, or enhance the software or service; debugging to identify and repair errors that impair existing intended functionality; performing internal research for technological development and demonstration.
- Maintaining and servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of FICO or our service providers.
- Processing employees' personal data for the purposes of: (i) recruitment, relocation, and performance of an Employee's contract of employment; (ii) health and safety at work; (iii) exercise and enjoyment of rights and benefits related to employment, including compensation, medical benefits, stock plan services, and providing other support services; and (iv) the termination of the employment relationship.
- Performing certain corporate functions, such as legal compliance with federal, state, or local laws; exercising and defending legal claims; keeping accounting and tax records; company audits; sales and distribution of our products and services.
B. Third Parties
We will not sell consumers' personal information to third parties for their own marketing, advertising, or other purposes. We have not sold consumers' personal information to such third parties in the preceding 12 months.
C. Affiliates and Subsidiaries
We may disclose personal information, in electronic or other form, among FICO affiliates and subsidiaries for the purpose of implementing, administering, and managing your business relationship with FICO, to provide the product or service you requested, to contact you in connection with product or service offerings, or for other legitimate business purposes.
D. Cooperation With Regulators and Law Enforcement
We may disclose personal information if necessary or appropriate to government agencies, advisors, and other third parties, in order to comply with applicable laws, or protect the rights or property of FICO and its affiliated companies, or its customers. We may disclose personal information to comply with civil, criminal, or regulatory inquiries, investigations, subpoenas, or summons by federal, state, or local authorities. We may disclose personal information in cooperation with law enforcement agencies concerning conduct or activity that we reasonably and in good faith believe may violate federal, state, or local law.
E. Corporate Mergers and Acquisitions
If another company acquires or merges with FICO, or plans to acquire or merge with FICO, our company, business, or our assets, we will share personal information with that company, including at the negotiation stage.
5. FICO Business Solutions That Process Personal Data
A. Business Solutions. We sell, license, host, and distribute software solutions, such as predictive models and analytics, which are built with depersonalized (anonymized or pseudonymised) data. Our clients use the solutions for their business purposes. Some solutions are operational: these solutions assist a company in its resource planning, financial projections, and record-keeping, for example. Other solutions facilitate the processing of consumers' personal data. Those solutions are designed to be used for:
- New Customer Acquisition — to predict which consumers are likely to buy certain products or services; marketing solutions process personal data, which may include the age, gender, marital status, and buying patterns of financially and demographically similar consumers, to determine whether a company's products and services match other consumers' product preferences and their inclination and ability to purchase the products and services.
- Credit and Insurance Eligibility — to predict which consumers and current customers are good candidates for financial, insurance, or retail services; credit risk solutions may process personal data, as permitted by law, from (i) an applicant's credit application, (ii) an applicant's past credit history (including loan, telecommunication, and rental payments), (iii) an applicant's cash flow, and (iv) social media, to assess an applicant's credit or insurance risk.
- Financial Fraud Detection and Prevention — to verify the identity of an applicant for credit, and to prevent fraudulent financial transactions; some financial fraud solutions process personal data from a consumer's application and the consumer's past credit activity to verify the identity of the consumer requesting credit; other financial fraud solutions process personal data about a current customer's past shopping and purchasing behavior, to protect the customer from unauthorized access to the customer's accounts.
- Healthcare Fraud Detection — to identify and prevent fraudulent or improper healthcare transactions; healthcare fraud solutions process personal data about individual health care claimants from the claimant's healthcare provider's claims records and the claim records of other health care providers, to identify fraudulent behaviors by the health care claimant.
- Customer Management — to determine which customers would benefit from enhanced or additional services; customer management solutions may process personal data about a customer's payment history, past purchases, and customer service interactions to match customer expectations with available services.
- Debt Management — to determine whether debt counseling, debt settlement, debt collection, litigation, or other activity is appropriate for a credit grantor or debt buyer; debt collection solutions may process personal data from the data subject, credit bureaus, and other debt collectors, to assess the size and age of the consumer's debt, the consumer's past payment history, and the consumer's current financial situation to find an appropriate response to a consumer's credit delinquency.
B. Automated Decisions, Including Profiling. FICO predictive models can be used to make automated decisions, including profiling. In building and updating these models, we review the data sets used to address any prejudicial elements, and review the correlations indicated by the model to address any non-empirical or non-intuitive results. When we host the models, we audit the performance of our algorithms that drive these models, and regularly review the accuracy and relevance of the automated decision-making, including profiling, that results from the use of the models. We have strict procedures and measures designed to prevent errors, inaccuracies, or discrimination on the basis of special category data. The outcome of such measures is fed back into the system design.
Some FICO models utilize explainable artificial intelligence (AI) in model development and model operation. One component of AI, called machine learning, adapts through progressive learning algorithms to let the data do the programming. Machine learning finds structure and regularities in data so that the algorithms acquire the ability to classify data and predict outcomes. Machine learning algorithms are built with relevant variables called "features", and the process of extracting features is called "feature engineering". This technique of deriving features, which can be automated, is a way to inject expert knowledge into the process of building and deploying accurate machine learning models. Explainable AI inspects relationships among features that drive model outputs and the decisions based on these models. We observe the model output of all expert derived features, and the relationships predicted by the models, to prevent bias, ensure palatability, prevent overfitting, and avoid spurious correlation learned through historical data.
6. Opting Out of Receiving Information You Have Consented to Receiving as a Registrant of myFICO, myFICO Forums, FICO Community, or FICO Marketplace
A. Update or Opt Out. If you have registered to participate in industry discussions and/or receive marketing and industry materials, as a myFICO customer, a registrant at myFICO Forums, or a registrant at FICO Analytic Cloud in the FICO Community or the FICO Marketplace, you may update your preferences, or revoke your consent and unsubscribe at any time by clicking the unsubscribe link in the footer of all FICO email messages, or by contacting us at the FICO Trust Center.
B. Email Messages. Our email messages may contain web beacons and other features that tell us you received and were able to open the message. We do not honor electronic do-not-track signals sent by a consumer's browser when you visit FICO's or myFICO's websites or other mechanisms that would give you an ability to exercise choice regarding the collection of personal information about your online activities over time and across third party websites.
C. No Discrimination. The status of a FICO or myFICO customer will not be affected if the customer declines to sign up to receive myFICO emails or declines to register as a myFICO Forum user. Also, the status of a myFICO customer will not be affected if the customer signs up to receive myFICO emails or registers as a myFICO Forums user, but declines to give consent, or gives and later revokes consent, to receive myFICO emails.
7. Consumers' Rights in the United States
A. Right to Request Deletion of Your Personal Information
You have a right to request that we delete any personal information about you that we have collected from you. Upon receiving a verifiable request, we will delete your personal information from our records and direct any service providers we have used to process your personal information to delete the same from their records. However, we will decline to delete your personal information if maintaining it is necessary in order for us to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between us and you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
- Debug to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent;
- Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
- Comply with a legal obligation; or
- Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
B. Right to Access Your Personal Information
You have the right to ask us to disclose the categories and specific pieces of personal information, including information reasonably capable of being associated with you or your household that we have collected about you within the previous 12 months and still retain. We will also disclose, if applicable:
- The categories of sources from which the personal information was collected
- The business or commercial purpose for collecting the information
- The categories of service providers with whom we shared the information
When you request access, we will not disclose the following personal information to you, but we will explain to you the basis for our denial:
- Information lawfully made available from federal, state, or local government records;
- Information if the disclosure of it creates a conflict with federal or state law;
- Information that is deidentified or aggregate consumer information;
- A consumer report about you we obtain from a credit bureau;
- Information if the disclosure of it creates a substantial, articulable, and unreasonable risk to the security of that personal information, your account with us, or the security of our business's systems or networks; or
- Your Social Security number, driver's license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.
For purposes of this Policy, we will not collect personal information that we would not otherwise collect in the ordinary course of our business, retain personal information for longer than we would otherwise retain such information in the ordinary course of our business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
C. Exercising Your Rights of Deletion and Access
- If you are a FICO or myFICO customer, you may exercise (i) your right to request deletion of your personal information collected or maintained by us, or (ii) your right to access the information we have collected, used, disclosed, or sold, by contacting us at the FICO Trust Center or calling us toll free at 888-807-4932. For your protection when you request deletion or access, we will expect you to verify your identity by accessing your password-protected account with FICO. You may exercise your right to request access to your personal information at any time, but not more often than twice in a 12-month period.
- We will use a two-step process for online requests to delete where you must first submit the request to delete and, second, separately confirm that you want your personal information deleted. We will respond in writing through your account. In our response to your request to delete, we will specify the manner in which the personal information has been deleted. We will maintain a record of your request.
- If you do not have an account with FICO or myFICO, but you have interacted with FICO online or offline, you may exercise your right to request access to your personal information by contacting us at the FICO Trust Center or calling us toll free at 888-807-4932. We will provide the information you request by mail or electronically at your option, in a portable and readily useable format that allows you to transmit this information to another entity without hindrance. For your protection when you request deletion or access, we will expect you to verify your identity, which may depend on the nature of the personal information requested.
- Upon receiving an access request or a request to delete, we will confirm receipt of the request within 10 days and provide information about how we will process the request. We will describe our verification process and when you should expect a response. We will respond to requests for access and requests to delete within 45 days, which begins on the day we receive your request. We may take up to an additional 45 days to respond to the consumer's request, for a maximum total of 90 days from the day the request is received, if we provide you with notice explaining the reason that the business will take more than 45 days to respond to the request.
- If we receive from you a request for access or a request to delete your personal information that we collect or maintain in our business capacity as a service provider on behalf of another business, we will deny your request, but we will notify you to submit the request directly to that business, and we will provide you with contact information for that business, if feasible.
- You may designate an authorized agent to make an access request or a request to delete on your behalf, but we require that (i) you provide the authorized agent written permission to do so; and (ii) the agent verifies her own identity directly with us. A power of attorney will suffice.
8. The General Data Protection Regulation (GDPR)
This section applies to individuals in the European Union and to individuals in other countries whose data privacy laws are similar to GDPR. In those jurisdictions, special conditions apply, and individuals have certain privacy rights:
Special Categories of Personal Data.
We will not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and we will not process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, without your explicit consent, or in accordance with the law.
Transfer of Personal Data to Another Country.
If we transfer your personal data to another country for processing, we will comply with the requirements of the General Data Protection Regulation, or the laws of the country from which the personal data is transferred, specifically: (1) FICO is certified under the Privacy Shield; and (2) FICO uses the standard data protection clauses, approved by the European Commission.
Right of Access and Rectification.
You have the right to be informed of the purpose, means, and recipients of the processing of your personal data. You may access your personal data in our possession to amend or correct any errors, and you may request the source of the personal data and the transferees of the personal data. We will attempt to notify each third party who has received the personal data of the corrected information. You may object to our processing of your personal data, but we may decline if the personal data is necessary to complete the delivery of a FICO solution you have requested, or if we have a legitimate interest in the processing.
Right to Erasure.
You have the right to have your personal data erased from our systems if it is being processed unlawfully, or is no longer necessary in relation to the purposes for which it was collected or processed. At your request, if we made your personal data public (with your consent), we will take reasonable steps to inform controllers that you requested erasure of any links to, or copy of, that information.
Right to Data Portability.
You have the right to receive back the personal data you provided us, if we processed the information by automated means. You will receive the personal data in a structured, commonly used and machine-readable format. We will assist you in the transmission of the personal data to another company if it is reasonably technically feasible.
Right to Object to Automated Decision-Making.
If your personal data is used to make a decision based solely on automated processing, including profiling, and that decision produces legal or significant effects concerning you, you have the right to object. We reserve the right to make such decision if the use of your personal data is necessary for entering into, or performance of, a contract between us. In that event, we will protect your rights and freedoms and legitimate interests, including the right to speak to a human to express your point of view and contest our decision.
Right to File a Complaint.
You have the right to file a complaint with us and with a supervisory authority. Contact us at the FICO Trust Center.
9. The EU-U.S. Privacy Shield Framework, including the United Kingdom, and the Swiss-U.S. Privacy Shield Framework
FICO's certification means we have committed to the principles of the Privacy Shield:
We will notify you about the purposes for which we collect and use personal data about you. This Policy explains the types of third parties to which we disclose the personal data; the choices and means you have for limiting our use and disclosure; and how you can contact us with any inquiries or complaints.
We will not disclose your personal data to a third party for a purpose incompatible with the purpose for which it was originally collected, or subsequently authorized by you, without your consent. For sensitive information ("special categories of personal data"), we will get your explicit (opt in) consent if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by you. You may withdraw your consent at any time by contacting us as described in this Policy.
If we transfer personal data to a third party that is acting as an agent, we will (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with the organization's obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
We will take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation.
We will collect and retain personal data that is relevant to the purposes of processing, and not in a way incompatible with the purposes for which it has been collected or subsequently authorized by you. We will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
You will have access to personal data about yourself that we hold, and you may correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the privacy risks in question, or where the rights of persons other than you would be violated. For security reasons, we will take steps to authenticate your identity before providing you with access to personal data.
Recourse, Enforcement and Liability.
We will maintain a mechanism to provide that your complaints or disputes are investigated and resolved, and damages awarded where applicable law so provides. We will remedy problems arising out of our failure to comply with the Privacy Shield Principles. If you believe we have violated our obligations to you under the Privacy Shield Principles, you should first raise the claimed violation directly with us, and we will respond within 45 days of receiving a complaint. If we are unable to resolve your complaint, you should next raise the issue through your Data Protection Authority to the U.S. Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue, at no cost to you. Then, if such violation still remains fully or partially unremedied, you may contact JAMS, which is an international dispute resolution provider, at no cost to you. JAMS may be reached by email at firstname.lastname@example.org, phone 800.352.5267, or mail to JAMS, 620 8th Avenue, 34th Floor, New York, New York 10018. If you are contacting JAMS to lodge a complaint, you must include the following information: the name of the company, the alleged privacy violation, your contact information, and whether you would like the particulars of your complaint shared with the company. For information about JAMS or the operation of JAMS' dispute resolution process, contact Patrick Mullarkey, JAMS Global Practice Development Manager, email@example.com, 212.607.2771. The JAMS dispute resolution process shall be conducted in English. For complaints and disputes over human resources data, we have agreed to cooperate with Data Protection Authorities. You may, under certain conditions, invoke binding arbitration.
10. Personal Data Security and Confidentiality
FICO has industry standard physical safeguards, such as secure areas in buildings; electronic safeguards, such as passwords and encryption; and procedural safeguards, such as customer authentication procedures designed to prevent ID theft. We restrict access to your personal data to only those employees who need to know that information to provide products or services to you. We carefully select and monitor outside service providers, such as mail vendors, who have access to personal data, and we require them to keep it safe and secure. We do not allow them to use or share personal data for any purpose other than the job they are hired to do. We train our employees on these security procedures, and we conduct regular audits designed to check on compliance with the procedures.
11. Contacting FICO and myFICO
If you have a question about FICO's or myFICO's privacy policies or practices, or want to submit a complaint, you may contact FICO's Privacy Team at the FICO Trust Center. Members of FICO's Privacy Team include:
Vickie Miller, Data Protection Officer
3661 Valley Centre Drive, Suite 500
San Diego, CA 92130 USA
Email Address: firstname.lastname@example.org
Simon Elsom, Vice President Legal
Cottons Centre 5th Floor
London SE1 2 QP
Email Address: email@example.com
If we change this Policy, we will post the changes here. This Policy is effective as of February 10, 2020.