Managed fraud prevention and chargeback guarantee service from Apruvd LLC (United States) that combines machine learning, device fingerprinting and manual review to approve or decline e-commerce transactions.
Apruvd is a managed fraud prevention service that screens e-commerce transactions and provides a chargeback guarantee. The merchant calls the Apruvd API at checkout; Apruvd combines machine learning, device fingerprinting and a manual review team to decide whether to approve, decline or hold the order.
Apruvd processes the buyer's name, billing and shipping address, email, phone, IP, device fingerprint, order value, basket content, BIN range and payment method metadata. It cross-references this against its risk graph of historical fraud patterns and known networks of fraudsters.
Fraud prevention can rely on contract (Article 6(1)(b) GDPR) or legitimate interest (Article 6(1)(f)) provided the processing is strictly proportionate. The fingerprinting script may still trigger Article 5(3) ePrivacy if it stores or reads information on the device for purposes beyond what is strictly necessary for the requested service. Automated decisions producing legal effects fall under Article 22, with a right to human intervention.
Consent is generally not required because fraud screening is necessary to perform the contract and protect both parties. However, the fingerprinting and risk signal collection must be disclosed in the privacy notice, with an explanation of the logic and the right to contest an automated decision. Marketing reuse of fraud data would require consent.
Apruvd processes data primarily in the United States. Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. Document the transfer impact assessment, especially since fraud signals can be combined and shared across merchants in the network.
Sign the DPA, run a DPIA, describe Apruvd as a processor in your privacy notice, explain the automated decision logic in plain language, expose a contact point for human review under Article 22, restrict the data fields sent to the strict minimum, define retention for risk scores and align with PCI DSS scoping for any payment data shared.
Websites using Apruvd must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because fraud screening involves systematic evaluation of personal aspects (Article 35(3)(a) GDPR) and may lead to automated decisions with legal or significant effects (Article 22). Document the logic, the human review fallback, retention of risk signals and data subject rights.
Sample consent text
To protect both you and our store from payment fraud we use Apruvd (Apruvd LLC, United States) to analyse the transaction, including device, IP and order data. Apruvd may approve, decline or send the order for manual review. You can request human intervention and explanation under Article 22 GDPR.
Third-party domains contacted
apruvd.com, js.apruvd.com, api.apruvd.com, fingerprint.apruvd.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| apruvd_did | http | 1 year | Stores a pseudonymous device identifier computed from the fingerprinting script to recognise the device across orders. |
| apruvd_session | http | Session | Stores the session ID used during the fraud scoring API call at checkout. |
| apruvd_risk | http | 30 days | Caches the latest risk score for the device to avoid redundant API calls during the same browsing window. |
Apruvd sets a small set of strictly necessary cookies for the checkout fraud check: apruvd_did (device ID derived from fingerprinting), apruvd_session (session ID) and apruvd_risk (cached risk score). No advertising cookie is set.
Not for the fraud scoring itself when it is strictly necessary to complete the payment under Article 6(1)(b) GDPR. The fingerprinting and cookies do, however, need to be disclosed in the privacy notice. Reuse for marketing would require consent.
Article 6(1)(b) GDPR (contract performance) and Article 6(1)(f) (legitimate interest in fraud prevention). Article 22 GDPR applies whenever the score automatically rejects an order, and the merchant must offer a human review channel.
Yes. Apruvd LLC is based in the United States. Transfers are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework as described in the Apruvd DPA. A transfer impact assessment is recommended.
Yes. Automated decision-making, large-scale evaluation of personal aspects and cross-merchant risk graphs all trigger Article 35 GDPR. The DPIA must cover the logic, model bias controls, retention of signals and Article 22 safeguards.
Sign the DPA, run a DPIA, send only the data fields required for scoring, disclose Apruvd in the privacy notice, set up a human review process for declined orders, configure retention, restrict admin access and align PCI DSS controls for shared payment data.
Other fraud and chargeback services include Signifyd, Riskified, Forter, Kount, Sift, Stripe Radar, Adyen RevenueProtect, NoFraud and ClearSale. EU-based options or those with EU residency reduce transfer complexity.
List Apruvd as a processor under the security and fraud prevention category, describe the strictly necessary cookies it sets, the data sent to its API, the retention of risk scores, link to its privacy policy and refresh the entry whenever the integration changes.