1. Introduction
FraudLayer ("we", "our", "us") is operated by KONNECTE LTD, a company registered in England and Wales with its registered office at 124 City Road, London EC1V 2NX, United Kingdom.
This Privacy Policy explains how we collect, use, store, and share personal data when you use our fraud prevention platform — including our web application, REST API, and integrations with e-commerce platforms such as Shopify and WooCommerce.
We are committed to protecting your privacy and processing personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
2. Data Controller
The data controller for data processed through the FraudLayer platform is:
Where you are a merchant using FraudLayer to process your customers' order data, you act as an independent data controller for that end-customer data, and we act as a data processor on your behalf.
3. What Data We Collect
3.1 End Customer Data (via Merchant API Calls)
When merchants submit orders to the FraudLayer API for fraud assessment, we process and store the following data in anonymised, one-way hashed form (SHA-256). We do never store raw personal identifiers such as email addresses, phone numbers, or full names in our network:
- SHA-256 hashed email addresses
- SHA-256 hashed phone numbers
- SHA-256 hashed shipping and billing addresses
- Device fingerprints (derived from browser signals: user agent, screen resolution, language, timezone) — stored as anonymised hashes
- IP addresses and associated geolocation metadata (country, region, city)
- Order metadata: total amount, currency, item categories, timestamp
- Payment method type (e.g., card, PayPal) — card numbers are never transmitted to or stored by us
3.2 Merchant Account Data
- Business or brand name
- Account email address
- Platform type (Shopify, WooCommerce, custom API)
- Subscription and billing information (managed securely via Stripe — we do not store payment card data)
- API keys (stored as hashed values; plaintext is shown only once at creation)
3.3 Technical & Usage Data
- API request logs (timestamp, endpoint, response code) — retained for 30 days for debugging and rate limiting
- Session authentication cookies
- Browser type and operating system (for the dashboard web app)
4. How We Use Your Data
We use the data we collect for the following purposes:
Real-time fraud risk scoring
Analysing order signals to compute a trust score and risk classification (Low / Medium / High / Critical) for each submitted order.
Cross-merchant network intelligence
Aggregating anonymised, hashed signals across our merchant network to identify fraud patterns. No raw personal data is ever shared between merchants — only normalised signals.
Chargeback and alert management
Generating fraud alerts and chargeback-prevention recommendations based on risk patterns detected in your order stream.
Account and billing management
Processing your subscription, sending invoices, and managing your merchant account.
Service communications
Sending transactional emails such as account confirmations, password resets, and important service updates.
Service improvement
Improving our fraud detection models and platform features using aggregated, anonymised data.
5. Legal Basis for Processing
We rely on the following legal bases under UK GDPR / EU GDPR:
Legitimate interests (Art. 6(1)(f))
Processing hashed order signals to detect fraud and protect merchants and end customers from financial crime.
Performance of a contract (Art. 6(1)(b))
Processing merchant account data to provide the FraudLayer service under our Terms of Service.
Compliance with a legal obligation (Art. 6(1)(c))
Retaining certain records as required by applicable law (e.g., financial and tax regulations).
Consent (Art. 6(1)(a))
Where we rely on consent (e.g., optional marketing emails), you may withdraw it at any time.
6. Data Sharing
We do not sell personal data. We share data only in the following circumstances:
Merchant network (anonymised signals only)
Hashed, normalised fraud signals contribute to our shared intelligence network. No raw personal data, email addresses, names, or identifiable information is ever shared between merchants.
Stripe Inc.
Payment processing for subscriptions. Stripe acts as an independent data controller for payment data. See stripe.com/privacy.
Resend Inc.
Transactional email delivery (account confirmations, billing receipts, alerts).
Neon Inc.
Managed PostgreSQL database hosting. Data is encrypted at rest and in transit.
Upstash Inc.
Redis-based caching for real-time fraud scoring. Cached data is short-lived and anonymised.
Legal authorities
Where required by law, court order, or to protect the rights and safety of our users or the public.
7. International Data Transfers
Some of our sub-processors (Stripe, Resend, Neon, Upstash) operate in the United States. Where data is transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission, or reliance on adequacy decisions where applicable.
8. Data Retention
We retain data only as long as necessary:
| Data type | Retention period |
|---|---|
| Order assessments & risk scores | Duration of subscription + 90 days |
| Hashed fraud signals (network) | Up to 3 years for network integrity |
| Merchant account data | Until account deletion + 30 days |
| API request logs | 30 days |
| Billing records | 7 years (legal/tax requirement) |
| Authentication session data | 30 days of inactivity |
9. Data Security
Security is fundamental to how FraudLayer is designed. Our key measures include:
- SHA-256 one-way hashing of all personal identifiers before storage — we cannot reverse-engineer raw data from what we store
- TLS 1.3 encryption for all data in transit between your systems and our API
- AES-256 encryption at rest for our database
- Role-based access controls and audit logging for all admin actions
- API keys stored as hashed values; plaintext is shown only once at creation
- Regular security reviews and dependency updates
10. Your Rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:
Right of access
Request a copy of data we hold about you.
Right to rectification
Correct inaccurate or incomplete data.
Right to erasure
Request deletion of your data where there is no overriding legal basis for retention.
Right to data portability
Receive your data in a structured, machine-readable format.
Right to restrict processing
Limit how we use your data in certain circumstances.
Right to object
Object to processing based on legitimate interests.
To exercise any of these rights, contact us at info@konnecte.com. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
12. Children's Privacy
FraudLayer is a business-to-business (B2B) service intended for use by registered companies and individuals aged 18 or over. We do not knowingly collect data from children. If you believe a minor has provided us with personal data, please contact us at info@konnecte.com and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 30 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last revised. Your continued use of FraudLayer after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For any privacy-related questions, requests, or complaints, please contact our data protection team:
Have a privacy question?
Our team is happy to help with any questions about your data.
Contact our privacy team