Japanese fraud and risk scoring service that collects browser fingerprints and behavioural signals to compute a transaction risk score for ecommerce and payment flows.
Qualva is a Japanese fraud and risk management service used by ecommerce, payments and account creation flows. It collects device and behavioural signals from the browser and computes a transaction level risk score that the operator can use to allow, challenge or block an operation.
The SDK reads canvas and font metrics, screen and platform attributes, plugins, language, and mouse and keyboard timings, and writes a first-party device cookie (qlv_device) plus a session token (qlv_session). The scoring API receives the IP, user agent, transaction context and the operator session identifier.
Browser fingerprinting reads information from the visitor device. Article 5(3) ePrivacy applies, so consent is required before the SDK fingerprint signals are collected. The risk score may amount to automated decision making with significant effects under Article 22 GDPR if a payment is blocked, requiring meaningful information and a right to human review.
Japan has benefited from a partial GDPR adequacy decision since 2019, but only for data subject to the Japanese supplementary rules. Confirm with Qualva K.K. which scope applies, sign Standard Contractual Clauses where adequacy does not cover the dataset, and document the Transfer Impact Assessment.
Gate the SDK behind your CMP, document the fingerprinting in the cookie register, complete a DPIA, build a human review path for blocked transactions, sign the DPA and SCCs, and provide a privacy notice that explains the logic of the risk score in plain language.
Websites using Qualva must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Qualva combines automated decision making (fraud risk score), browser fingerprinting, behavioural data and a transfer to Japan. Document the categories, retention, the meaningful information about the logic and the safeguards under Article 22 GDPR.
Sample consent text
We use Qualva to detect fraudulent activity. With your consent, the Qualva SDK collects device and behavioural signals on this page and transmits them to servers in Japan to compute a risk score.
Third-party domains contacted
qualva.com, api.qualva.com, cdn.qualva.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| qlv_device | first_party | 1 year | Long lived device identifier used to recognise the same browser across sessions for fraud risk scoring. |
| qlv_session | first_party | Session | Session identifier used to link the events of a single visit to the risk score request. |
| qlv_probe | third_party | Session | Probe cookie used by the Qualva SDK to detect proxies and inconsistent network configurations. |
The Qualva SDK writes qlv_device (long lived device identifier) and qlv_session (session). Some integrations use a third party probe cookie to detect proxies.
Yes. Browser fingerprinting and the SDK cookies trigger Article 5(3) ePrivacy. Consent must be obtained before the SDK loads the device signals.
Consent (Art. 6(1)(a) GDPR) for the front end fingerprinting and cookies. Legitimate interest (Art. 6(1)(f)) for fraud prevention scoring of completed transactions, weighed in a Legitimate Interest Assessment.
Yes, to Japan. Japan has had a partial adequacy decision since 2019. Confirm the scope of adequacy with Qualva K.K. and sign SCCs for any data outside that scope.
Yes. The combination of automated decision making, fingerprinting, behavioural data and a transfer to Japan is a textbook DPIA trigger under Article 35 GDPR.
Gate the SDK behind the CMP, document the fingerprinting, sign the DPA and SCCs, configure retention to the minimum, build a human review path for blocked transactions and explain the logic of the score in a plain language privacy notice.
EU friendly alternatives include Sift, Riskified, Forter, Ravelin (UK), SEON (Hungary) and Fraugster. Each has its own posture on fingerprinting and data residency.
List qlv_device and qlv_session with name, purpose, retention and processor (Qualva K.K., Japan). Mention the Japan transfer and the SCCs. Disclose the use of the score under Article 22 in your privacy notice.