In this privacy policy, we explain how we collect and use your personal data. This privacy policy applies to all personal data that Ricochet Dynamics processes if you are our customer, use our websites, or contact us. We process your personal data primarily to make you aware that your credentials are being used fraudulently, offer you guidance, and answer your questions. If we process your personal data, you have a couple of privacy rights. In this privacy policy, which is divided into different paragraphs, we provide more information about which personal data we process and what your rights are. Please click on the relevant paragraph below for more information.

 

1. Who we are

 

We are Ricochet Dynamics B.V., a Dutch company with its office at Graauwedijk 13, 9625 PA in Overschild, the Netherlands. 

 

Ricochet Dynamics B.V. is part of the QAH Holdings B.V.. For more information, please see our website under “About”. Ricochet Dynamics is responsible for the collection and use of your personal data described in this privacy policy. 

 

We offer a free service to victims of online fraud where their credentials have been used during so called credential stuffing attacks. Credential stuffing attacks are where cyber criminals use previously stolen credentials (email address/password combinations) in an attempt to login to various websites. Ricochet Dynamics is working with partner businesses from all industries in an attempt to fight online fraud one incident at a time.

 

Ricochet Dynamics is both the data controller and processor responsible for processing your personal data when incidents are detected. We have an arrangement in place that sets out our respective responsibilities for complying with the applicable privacy legislation. In short, we have agreed that you can contact either the Privacy Office of Ricochet Dynamics (please see “Your rights” below) if you wish to exercise your rights, or if you have a complaint about the processing of your personal data. 

 

2. The types of personal data we process

 

2.1. General 

 

We may collect and process the following categories of personal data: 

 

(A) Your contact details 

If your email address has been identified by one of our partners businesses as part of an incident it will be shared with us and used to inform you that it has fraudulently been used. 

 

(B) Our communication with you

When you send us an e-mail or through social media, we register your messages. If you call us, your questions or complaints will be registered in our database. We may also record telephone calls for training purposes or to prevent or combat fraud. We register your communication preferences, for example your preferred language (if supported) or if you wish to subscribe to or unsubscribe to our service. 

 

(C) Information we collect when you use our websites 

1. When you visit our website, we may register your IP address, browser type, operating system, referring website, web-browsing behaviour. We use different methods to collect this information, including our own cookies and third-party cookies. For more information, please read our cookie policy.

2. We may keep records of whether you open our e-mails, as well as the links you click on in e-mails. 

3. With your consent, we may receive your location data. 

 

(D) Information about social media

Depending on your social network settings, we may receive information from your social network provider. For example, if you sign in to our services using a social network account, we may collect your social network profile, including your contact details, interests, and contacts. We also receive visitor statistics from Facebook in connection with our Facebook page. Although Ricochet Dynamics and Facebook are jointly responsible for those visitor statistics, Facebook Ireland Limited is your primary point of contact and handles requests to exercise your rights and any complaints you may have. Where necessary, we assist Facebook in responding to your requests or complaints. For more information on the personal data that we receive from social network providers and how to change your settings, please check the websites and privacy policies of the social network providers. 

 

(E) Information you choose to share with us

We process information that you choose to share with us, for example when you share your email preferences or your preferences on our website, leave a comment on our Facebook page, fill out a customer survey, or register for a campaign or event. 

 

2.2. Special categories of personal data 

 

Some categories of personal data, such as data revealing racial or ethnic origin or health-related data, are deemed to be “special categories of personal data” under the applicable privacy laws. We do not process special categories of personal data unless you choose to expose it to us through email correspondence or by leaving comments on our Facebook page. 

 

2.3. Cookies and similar technologies 

 

When you use our website, we collect information using cookies and similar technologies. For more information, please read our cookie policy. 

 

2.4. Specific services, apps, events, contests or campaigns 

 

For specific services, apps, events, contests or campaigns, we may collect other types of data than described in this privacy policy. We will inform you about this when you register for the service, event, contest, or campaign, or when you download the app.

 

3. How we collect your data

 

3.1. We collect the aforementioned categories of personal data in the following ways: 

 

(A) We collect the personal data you provide to us

When you leave a message for us on social media, contact our customer service, subscribe to receive our e-mails, or register for one of our events, contests or campaigns. 

 

(B) We receive your email address from our partner companies if identified as part of an incident

We receive your data from our partners to alert you that your email and password have been detected as part of a credential stuffing attack where formally collected credentials (email address / password combinations) are actively being used. For example, your credentials could have been leaked during the LinkedIn hack that happened in 2012 where 163 million credentials were stolen and offered for sale in 2016 on the dark web. 

 

(C) If you use social networks, we may also receive information from your social network provider

For more information, please see 2 “The types of personal data we process” above. 

 

4. For which purposes we use your data

 

4.1. The main purposes for which we use your personal data are: 

​

(A) To provide our services to you

1. To warn you that your credentials have been leaked and offer you guidance on how to protect your personal email account as well as all your online accounts we must in many cases process the information described above at 2.1 (A) to (E). For example, to inform you that your credentials are actively being used, we would need your contact details. In addition, we need to know your preferences to give you the best support. 

2. Unsubscribe:

• E-mails: You may unsubscribe (OPT-OUT) from our services by replying back to an email that was sent to you by us within 30 days and adding the word OPT-OUT to the subject. We have also included an unsubscribe link in the email that includes the necessary information. Do not make any further changes to the subject. A confirmation email will be sent back to you.

 

(B) For statistical research

1. General: We research general trends in the use of our services, websites, social media, as well as trends in the behaviour and preferences of our customers and users. We use our research results to develop better services, provide better customer service, and improve the designs and contents of our website. 

2. Categories of data: To perform our research based on numbers, not on individuals, we may use the categories of personal data described at 2.1 (A) to (E), where your personal data (email address) was used, data we receive from social network providers, and that data that we collect about the use of our digital media. We only use “aggregated data” for our research. The results of this data cannot be traced back directly to you, as all directly identifiable elements (e.g. names and e-mail addresses) are not included. We take appropriate measures to ensure that only a limited group of employees have access to the analyses. 

3. Examples: You can request a report on your details which will generate an email in your preferred language containing your recorded preferences and an overview of all the incidents where your credentials have been used, and on a monthly, quarterly and yearly basis we will share trending reports on incidents that have been reported on a geographical and industrial level to our partners.

4. Legal basis and right to object: We process your personal data for our legitimate interests described above (please see sub (1.) “General”). You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data for statistical research (please see 8 “Your rights” below). 

 

(C) To communicate with you

We use your contact details to communicate with you about our services, to answer your questions, or to address your complaints. 

 

(D) To conduct our business operations or to comply with statutory obligations

We collect, use, and retain your personal data to conduct our business operations, such as for record keeping purposes, to prevent or combat fraud, or to settle disputes. In the case of fraud, we may include your personal data in our internal control and warning systems. In addition, we process your personal data to comply with our legal and tax obligations. 

 

4.2. Specific services, apps, events, contests, or campaigns 

 

For specific services, apps, events, contests, or campaigns, we may use your personal data for purposes other than those described in this privacy policy. We will only include you if you have actively requested to be included. 

 

4.3. Legal basis 

 

We may only process your personal data if we have a legal basis for doing so. In many cases, we need your personal data to inform you of an incident with your credentials, or to answer your questions (see 4.1 (A) and (D)). In those cases, the legal basis for processing your data is “necessary for the performance of a contract”. 

 

If you have consented to a processing (which consent you may withdraw at any time, please see 8 “Your rights” below), we process your data based on that consent. 

 

In certain cases, we may use your personal data if we or third parties have a legitimate interest in doing so. We always weigh all interests carefully: your interests, the interests of others, and Ricochet Dynamics’s interests. Based on the latter legal basis, we process your data for, for instance, security, or statistical research (see 4.1 (B) and (D) above for more information). 

 

We may have a legal obligation to process your data, for example to satisfy GDPR formalities. 

 

5. Granting access or sharing data with third parties

 

5.1. General 

 

We may share your personal data with third parties in the following cases: 

 

(A) For support or additional services

To provide our services, we use support or additional services of third parties, such as IT suppliers, and social media providers. All such third parties are required to adequately safeguard your personal data and only process them in accordance with our instructions. 

 

Within the Ricochet Dynamics, our business operations are carried out using centralised databases and systems. Those central databases and systems may be hosted or managed by one group company for other group companies. In addition, for efficiency purposes, certain operational functions may be performed by one group company for other group companies. This means that our group companies may have access to your personal data for these purposes. Our group companies may only process your personal data as required for the relevant business function and in accordance with this privacy policy. 

 

(B) Payment services

To process payments for your purchases, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. These payment service providers have their own privacy policies that apply to the way they use your personal data. 

 

5.2. Specific services, events, contests, or campaigns 

 

For specific services, events, contests, or campaigns, we may share your data with third parties other than those described in this privacy policy, for example, when we organise a campaign or event in collaboration with a partner. We will inform you about this when you register for the service, event, contest, or campaign. 

 

5.4. Third-party websites 

 

Our website contains links to third-party websites. If you follow those links, you will leave our website. This privacy policy does not apply to the websites of third parties. For more information on how these third parties handle your personal data, please check their privacy and/or cookie policies (if available).

 

6. Security and retention

 

6.1. Security

 

Ricochet Dynamics takes appropriate technical and organisational measures to protect your personal data against loss or unlawful use. 

 

6.2. Retention

 

We do not retain your personal data any longer than is necessary. How long your personal data is retained, depends on the purposes for which your personal data are processed and the applicable statutory retention periods.

 

7. International transfer of your data

 

7.1. Ricochet Dynamics may transfer your personal data to countries other than your country of residence. This is done for the purposes of our group companies, partners, or service providers provide their services from other countries. The laws of the countries to which we transfer your personal data may not always offer the same level of protection of your personal data. 

 

7.2. If your personal data need not be transferred to provide our services to you, Ricochet Dynamics will ensure that adequate safeguards are in place to comply with the requirements for the international transfer of personal data under the applicable privacy laws. For transfers of personal data to countries outside the European Economic Area, Ricochet Dynamics may use European Commission approved Standard Contractual Clauses as safeguards. 

 

8. Your rights

 

8.1. You may contact our Privacy Office (please see 8.4 below) to exercise any of the rights you are granted under applicable data protection laws, which includes (A) the right to access your data, (B) to rectify them, (C) to erase them, (D) to restrict the processing of your data, (E) the right to data portability, and (F) the right to object to processing. 

 

(A) Right to access

You may ask us whether or not we process any of your personal data and, if so, receive access to that data in the form of a copy. 

 

(B) Right to rectification

You have the right to have your data rectified in case of inaccuracy or incompleteness. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement. 

 

(C) Right to erasure

You have the right to have your personal data erased, which means the deletion of your data by us. Erasure of your personal data only finds place in certain cases, prescribed by law and listed under article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data are no longer necessary in relation to the initial purposes for which they were processed, as well as situations where they were processed unlawfully. Due to the way we maintain certain services, it may take some time before backup copies are erased. 

 

(D) Right to restriction of processing

You have the right to obtain the restriction of the processing of your personal data, which means that we suspend the processing of your data for a certain period of time. Circumstances which may give rise to this right include situations where the accuracy of your personal data was contested but some time is needed for us to verify their (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted. 

 

(E) Right to data portability

Your right to data portability entails that you may request us to provide you with your personal data in a structured, commonly used and machine-readable format, and to have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller. 

 

(F) Right to object

You have the right to object to the processing of your personal data, which means you may request us to no longer process your personal data. This only applies in case the “legitimate interests” ground (including profiling) constitutes the legal basis for processing (see 4.3 “Legal basis” above). At any time and free of charge you can object to direct marketing purposes in case your personal data are processed for such purposes, which includes profiling purposes to the extent that it is related to such direct marketing. In case you exercise this right, we will no longer process your personal data for such purposes. 

 

8.2. You may withdraw your consent at any time 

 

You may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent. For example, you may withdraw consent by clicking the unsubscribe link in the email or adjusting your communication preferences in your account (if available).

 

Next to that, you may contact the Privacy Office of Ricochet Dynamics. For more information on how you can withdraw your consent for cookies and similar technologies we use when you visit our website, please check our cookie policy. 

 

8.3. Denial or restriction of rights 

 

There may be situations where we are entitled to deny or restrict your rights as described in 8.2 above. In any case, we will carefully assess whether such an exemption applies, and inform you accordingly. We may, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals, or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply in case the personal data was not provided by you or if we process the data not on the basis of your consent or for the performance of a contract. 

 

8.4. How to contact us

 

When you would like to exercise your rights, all you have to do is send your request to the Privacy Office of Ricochet Dynamics:

 

Ricochet Dynamics

P.O. Box 75

9930 AB Delfzijl

The Netherlands

E-mail: privacyoffice@ricochetdynamics.com

 

8.5. You may contact us if you have any questions, comments or complaints about this privacy policy. In the event of unsolved problems, you have the right to file a complaint with the competent supervisory authority. In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in The Hague is responsible for monitoring compliance with privacy regulations.

 

9. How this privacy policy is updated

​

9.1. This privacy policy took effect on 25 October 2023 and replaced our previous privacy policy of 11 March 2020. This privacy policy is amended from time to time. We will notify you of any changes before they take effect.