Privacy Policy

Last Updated: June 24, 2025

CCPA Compliant
GDPR Compliant
ISO/IEC 27701

Arbitra.org, a SaaS platform providing independent identity verification (IDV) benchmarking and testing, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our website, benchmarking reports, synthetic datasets, and client solution testing. We comply with the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Illinois Biometric Information Privacy Act (BIPA), Florida Information Protection Act (FIPA), New York's NYDFS and SHIELD Act, Texas Data Privacy and Security Act (TDPSA), ISO/IEC 27701, NIST 800-63-3, and vendor terms (e.g., Jumio, Persona, Mitek).

Information We Collect

Synthetic Data

Our benchmarking and testing services primarily use synthetic datasets (e.g., 500 simulated California driver's licenses) containing no real personally identifiable information (PII) or biometric data. These datasets simulate state-of-the-art fraud vectors (e.g., deepfakes, digital forgeries) for research and client testing.

Real User Profiles

For limited client solution testing, we may collect real user profiles (e.g., names, photos) with explicit, documented consent, in compliance with CCPA, GDPR, BIPA, and TDPSA.

Public Data

Benchmarking reports rely on publicly available data (e.g., G2, Gartner, NIST, vendor websites) with no PII.

Website Usage Data

Non-personal data (e.g., IP addresses, browser type) is collected via cookies for analytics, as described in our Cookie Policy.

Contact Information

If you contact us (e.g., via forms), we collect only the information you provide (e.g., name, email) in order to respond.

How We Use Information

Benchmarking

Public data and synthetic datasets are used to generate IDV reports, compliant with AAMVA and ISO/IEC 30107/19795-2 standards.

Client Solution Testing

Synthetic datasets and consented real user profiles are used to test client IDV solutions against fraud vectors (e.g., deepfakes, face swaps), with client permission and vendor consent (e.g., Jumio, Persona) to avoid terms violations.

Website Improvement

Non-personal data is used to enhance user experience.

Communication

Contact information is used to respond to inquiries or send newsletter updates (with opt-in consent).

Data Sharing and Disclosure

No Unauthorized Sharing

Synthetic data and public data are not shared as PII. Real user profiles are shared only with client and vendor consent, under strict agreements.

Service Providers

Non-personal data may be shared with trusted providers (e.g., analytics, hosting) under confidentiality agreements, compliant with CCPA, GDPR, and NYDFS.

Legal Requirements

Data may be disclosed if required by law or to protect our rights, per FIPA, SHIELD Act, or other regulations.

Data Security

We use end-to-end encryption, access controls, and regular audits (aligned with ISO/IEC 27701 and NIST 800-63-3) to protect synthetic datasets, real user profiles, and website data. Synthetic datasets include watermarks to trace misuse. No system is entirely secure, and users assume associated risks.

Your Privacy Rights

CCPA/GDPR/BIPA/TDPSA Rights

California, EU, Illinois, and Texas residents may request access, deletion, or opt-out of personal data (if collected). Real user profiles are managed with explicit consent.

How to Exercise Rights

Contact legal@arbitra.org. We respond within 45 days (CCPA), 30 days (GDPR/FIPA), or as required.

Vendor Compliance

Client testing respects vendor terms (e.g., Jumio, Persona, Mitek) by obtaining consents and anonymizing results unless authorized.

Cookies and Tracking

See our Cookie Policy for details on cookies used for website functionality and analytics.

International Data Transfers

For future expansion (e.g., Brazil), we comply with GDPR for cross-border transfers, using synthetic data to minimize risks.

Third-Party Links

Links to third-party sites (e.g., G2, Gartner) are provided for convenience. We are not responsible for their practices.

Changes to This Policy

Updates will be posted here with a revised "Last Updated" date. Continued use constitutes acceptance.

Contact Us

Email: legal@arbitra.org
Address: Arbitra, [Insert Address], California, USA