How MoSecure collects, uses, and protects data processed by our fraud intelligence service.
Effective Date — January 2025 · Jakarta, Indonesia
MoSecure provides a mobile anti-fraud solution that integrates seamlessly into banking applications. Our fraud intelligence service collects device and session signals to help banks detect and prevent fraud in real time. This privacy policy explains what data the MoSecure service processes and how that data is handled.
Our core privacy principle: MoSecure is designed as a privacy-safe enhancement layer. We never access, process, or store financial transaction data — no amounts, no recipients, no account numbers. Our fraud intelligence service assesses the device environment and session context, not the user's banking activity.
The MoSecure fraud intelligence service collects device and session signals necessary for fraud risk assessment. These fall into the following general categories:
| Data Category | Purpose | Contains PII |
|---|---|---|
| Device Environment Signals | Assess the integrity and security state of the mobile device | No |
| Application Environment | Detect the presence of potentially harmful applications on the device | No |
| Session Context | Analyze session behavior and timing for anomalous patterns | No |
| Behavioral Metrics | Verify user identity through anonymized interaction patterns | No |
| Network Context | Assess the connection environment for signs of interception or manipulation | No |
| Device Binding | Track device identity and changes over time (anonymized) | No |
| Transaction Events | Timestamp and session ID at transfer execution (triggered by bank's system) | No |
All signals are processed to generate aggregated risk scores. The specific detection methods and signal combinations used by MoSecure are proprietary and not disclosed in this document.
MoSecure is architecturally designed to never access or process the following:
Never collected: Transaction amounts, recipient details, account numbers, balance information, login credentials, personal identification documents, contact lists, SMS content, call content, photos, browsing history, or any data from the app's user interface.
Our transaction monitoring service receives only a timestamp and session ID from the bank. This architectural decision ensures MoSecure cannot reconstruct any financial activity, even in the event of a data breach.
Data collected by MoSecure is used exclusively for fraud detection and prevention:
Device and session signals are processed in real time to generate risk scores. These scores are returned to the bank's fraud engine within milliseconds, enabling the bank to make informed approve, flag, or block decisions.
Active threats detected during a session are flagged as part of the risk payload delivered to the bank.
Anonymized data is analyzed over time to establish baseline patterns for each device, enabling detection of anomalies that may indicate unauthorized access.
Aggregated, anonymized signal data is used to improve our detection models. Individual session data is never used for model training without aggregation and anonymization.
All data processed by MoSecure is encrypted in transit (TLS 1.3) and at rest (AES-256). Our infrastructure is hosted in the local region.
Access to raw signal data is restricted to authorized security engineers under strict access controls and audit logging. We conduct regular penetration testing and security audits.
MoSecure shares risk scores and threat verdicts only with the integrating company — the entity whose mobile application contains our fraud intelligence service. We do not sell, license, or share data with third parties for advertising, marketing, or any purpose unrelated to fraud prevention.
We may disclose data if required by law, regulation, or valid legal process. In such cases, we will notify the affected bank partner unless legally prohibited from doing so.
Real-time session data (risk scores, threat flags) is retained for 1–2 years to support fraud investigation and dispute resolution. After this period, data is either deleted or irreversibly anonymized for aggregate analytics.
Anonymized behavioral baselines are retained for the lifetime of the device binding and deleted when inactive for 12 months.
Because MoSecure operates as a data processor on behalf of the integrating bank (the data controller), end-user data requests — including access, correction, deletion, and portability — should be directed to your bank. We support banks in fulfilling these requests promptly.
If you wish to contact MoSecure directly regarding your data, please reach out to our Data Protection Officer at dpo@mosecure.id.
MoSecure's fraud intelligence service and data practices are designed to comply with applicable regulations, including Indonesia's Personal Data Protection Law (UU PDP), GDPR (for partners with EU-based users), OJK regulations on information technology risk management for banks, and PCI-DSS requirements where applicable.