Arbitra

Privacy Policy

Effective Date: September 8th, 2025

CCPA Compliant
California Law
ISO/IEC 27701

Arbitra is a SaaS platform providing independent benchmarking and testing of identity verification (IDV) solutions. Although headquartered in Mexico, Arbitra serves primarily U.S.-based users and complies with U.S. laws including the CCPA, CPRA, BIPA, FIPA, TDPSA, and SHIELD Act. This Privacy Policy outlines our practices regarding data collection, use, retention, and protection.

We are also aligned with leading technical standards such as ISO/IEC 27701 and NIST 800-63-3.

What We Collect

We may collect the following types of data, depending on your interactions with our platform:

Synthetic Data

Computer-generated IDs and biometric simulations used for benchmarking. Some profiles may be hybrid, combining real-world attributes (such as document templates or sample demographic distributions) with artificial elements. These profiles are never linked to real persons and are designed solely for testing.

Real User Profiles

Only with explicit, written, timestamped consent. May include images, documents, or identifiers voluntarily provided for testing purposes.

Public Data

From vendor websites, government databases, and review platforms.

Contact Info

Provided voluntarily (e.g., through forms).

Website Analytics

Non-personal usage data (e.g., IP address, browser type).

How We Use Data

  • To generate benchmarking reports
  • To test IDV solutions (with proper consent and safeguards)
  • To improve user experience and site functionality
  • To respond to user requests and maintain compliance

Your Privacy Rights

Depending on your state of residence, you may have the right to:

  • Request access, correction, or deletion of your personal data
  • Opt out of profiling or data sharing
  • Withdraw consent at any time (for real user profiles)

To exercise your rights, please email privacy@arbitra.org. We respond within 45 days for CCPA requests, and 30 days for others.

Data Sharing and Third-Party Processors

  • We do not sell your personal data
  • Synthetic data is not linked to any real identities
  • Real data shared only with consent and NDA-bound processors
  • Users may request a list of third-party processors
  • When required by law or to protect our legal rights

Data Security and Breach Notification

  • End-to-end encryption of data in transit and at rest
  • Role-based access control and secure authentication
  • Internal audit trails and security incident protocols
  • Annual privacy reviews and system audits aligned with ISO 27701 and NIST 800-63-3
  • Breach notifications are made within 72 hours or as required by applicable U.S. state law

Data Retention and Minimization

  • Synthetic data may be stored indefinitely for research purposes
  • Real user data is deleted post-testing or upon user request
  • Consent forms are stored securely and retained for at least 3 years for compliance
  • We collect only the minimum data needed to fulfill our services

Legal Basis for Processing

  • Consent: For real user profiles and email contact
  • Contract: For client testing agreements
  • Legitimate Interest: For internal benchmarking and fraud detection testing

Cross-Border Data Transfers

All data is processed in compliance with U.S. state privacy laws. Data transfers between Mexico and the U.S. are encrypted and governed by written contracts that ensure equivalent protections.

Age Restriction and Verification

Our services are intended for users 18 and older. Real user testing includes age attestation and contract validation to ensure compliance. We do not knowingly collect or process data from minors.

Cookies and Automated Decision-Making

We use cookies for performance monitoring and site optimization. See our Cookie Policy at https://www.arbitra.org/sub-pages/cookies for details on cookie categories, opt-out mechanisms, and your preferences.

No automated decision-making is used in producing legal outcomes or eligibility assessments.

Biometric Information Privacy (Illinois Residents)

For residents of Illinois, we comply with the Illinois Biometric Information Privacy Act (BIPA). This includes:

Definition:

Biometric information may include facial geometry, fingerprints, voiceprints, or other biometric identifiers used during IDV testing.

Consent:

Written, informed consent is required before any biometric data is collected. Consent includes the purpose, length of retention, and rights under BIPA.

Retention:

Biometric data is retained only for the duration of the test, not exceeding 30 days, and is permanently deleted thereafter.

Disclosure Restrictions:

We do not sell, lease, trade, or otherwise profit from biometric data.

Data Sharing:

Biometric data is not disclosed to third parties without user consent unless required by law.

Dispute Resolution

Disputes will be resolved by binding arbitration in California, unless otherwise required by applicable law. Users retain their rights under applicable U.S. privacy laws.

Updates to This Policy

We may update this policy periodically. Material changes will be communicated by revising the 'Effective Date' at the top. Continued use of our services indicates acceptance of any updates.

Contact Us

If you have questions or would like to exercise your privacy rights:

Email: contact@arbitra.org