Trust
General Data Protection Policy
Last Updated: April 6, 2022
A. Overview
This policy applies to Amobee, Inc. and Amobee EMEA Limited (referred to by the first-person plural in this policy).
We provide our advertisers and their agencies, our website and app publishers and other ad inventory providers and our data vendors (our “Business Partners”) with technologies that enable the serving and display of relevant advertisements to individuals who access a publisher’s website, mobile app, or other online content. Our technology also helps our partners collect and manage the data generated by such advertisements as well as data that our Business Partners may already have and data that they collect regarding visitors to their digital properties, including websites and mobile applications.
Our advertising technology collects and uses data to help make online advertising more relevant and for ad delivery and reporting purposes. By delivering more relevant advertisements, we play an important role in keeping the Internet free, dynamic and vibrant. That’s because advertisers will pay more when their ads are tailored to an audience’s interests and publishers of websites and apps get more money when their audiences receive tailored advertisements instead of generic ones. That helps publishers continue to provide great content at a great price—often free.
This disclosure explains the various ways individuals may interact with us and our advertising technology and the ways in which individuals may exercise control over the use of information collected by us.
B. GDPR
The GDPR is European Union (“EU”) legislation which protects the rights of “data subjects” with respect to their “personal data,” as such terms are defined in the GDPR. The GDPR governs the handling and transfer of personal data originating throughout the European Economic Area (“EEA”). For clarity, the term “EEA” includes the United Kingdom even after its withdrawal from the European Union. The GDPR provides the following rights:
- the right to be told how we use your personal data and obtain access to your personal data;
- the right to have your personal data rectified or erased or place restrictions on processing your personal data;
- the right to object to the processing of your personal data, e.g., for direct marketing or ad targeting purposes;
- the right to have any personal data you provided to us on an automated basis returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”);
- where the processing of your personal data is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions;
- the right to object to any decisions based on the automated processing of your personal data, including profiling; and
- the right to lodge a complaint with the supervisory authority responsible for data protection matters (e.g. in the UK, the Information Commissioner’s Office, or “ICO”).
The disclosure in section B is provided for us to be compliant under GDPR and is specifically directed to data subjects in the EEA.
B.1. Compliance
Below are some of the many actions we have taken to be compliant with GDPR.
- We have conducted a data privacy impact assessment to document our data flows and evaluate our technology and practices.
- We have established our lawful basis for processing data.
- We have appointed a data privacy officer.
- We have made changes to bring our technology and practices into compliance, including offering self-service portals for EEA data subjects to make erasure and access requests and revising our data retention policies.
- We have made changes to our contracts and entered into data processing agreements or other agreements where appropriate with our clients and vendors.
- We have trained our personnel on new requirements.
- We have updated our disclosures and data security policies.
B.2. What Personal Data is Collected and How It is Collected
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, our technology collects data about the websites and apps that you interact with and the advertisements that we show you. This data may include information about the device and its IP address; the browser or application used; which and how many, business partner web pages have been viewed by a browser or application; search terms entered on business partner websites; referring and exit pages; the date and time an advertisement was viewed; imprecise geolocation data; browser or device-specific identifiers (such as mobile device advertising identifiers or your browser’s user agent string); and other similar information. Amobee does not “actively scan device characteristics” as defined in the IAB Trust and Consent Framework 2.0. The data may be collected when: we or a Business Partner purchases online advertisements on a website that you visit or an app that you use; a Business Partner places one of our web pixels on a website that you visit; or you interact with an app from which we collect data. We also license data from third-party vendors and those vendors represent that the data transfer to us is compliant with GDPR. Our advertising technology also allows Business Partners to target users by submitting lists of pseudonymized data to us.
Our advertising technology also offers data management services to business partners via our data management platform (“DMP”). Our DMP enables our Business Partners to collect, store and analyze data about their audiences. The data in the DMP is the foregoing data, as well as any data uploaded by the Business Partners for their own use. We associate end user data with pseudonymous identifiers known as an Amobee ID. We use ID syncing to associate Amobee IDs with identifiers and data from Business Partners and other industry participants in an effort to display relevant advertisements on a wider range of websites, apps and content. We may also collect market research survey responses in some cases.
If you are a visitor to our own website, our technology collects your IP address, the pages on our website that you view, your web browser, location data, mobile device-specific identifiers, your internet service provider, the time/date of the visit and your device operating system. If you choose to directly contact us or fill out a contact form for the purpose of receiving more information about our products and services, we will collect the information you provide, such as your first and last name, physical address, telephone number or e-mail address.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, we collect personal data you provide, such as your e-mail addresses, telephone number and billing details.
B.3. How Personal Data is Used
If you are an end user located in the EEA who receives online advertising from one or more of our clients via our ad platform, we use your personal data to identify the audience most likely to respond to a particular ad, to serve those ads and to analyze trends. We may also share this information with our affiliates and Business Partners in accordance with our Privacy Guidelines. We do not use “special categories” of your data for these purposes, as that term is defined by the GDPR.
If you are a visitor to our own website, we use your personal data to administer, improve and customize our website, to help us understand and analyze how the website is being used and to evaluate aggregate website usage. We use your contact information (if provided) to provide you with information about our products and services.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, we use your personal data for ordinary business purposes, such as to maintain customer and supplier accounts, billing, password management and to service other customer needs.
B.4. Who the Personal Data is Shared With
We may share personal data with Google Cloud and Amazon Web Services who provide cloud computing services for us. We use Hubspot and Google Analytics to collect information about visitors to our corporate website. These third parties are prohibited from using the information we provide for purposes other than performing services for us or as contractually agreed.
We may also share personal data with our Amobee-branded affiliates and Business Partners (including third-party DSPs and DMPs used by our Business Partners) to carry out advertising campaigns and analysis. Similarly, we may enhance the personal data collected via our advertising technology with personal data collected from Business Partners.
We may be required to disclose personal data to third parties when we reasonably believe we are obligated to do so by law (including to meet national security or law enforcement requirements) and to investigate, prevent, or take action regarding suspected or actual prohibited activities, including but not limited to, fraud and situations involving potential threats to the physical safety of any person.
Finally, we may transfer personal data to a successor entity in connection with a corporate merger, consolidation, sale of assets, bankruptcy, or other corporate change.
B.5. How Long Personal Data is Retained
If you are an end user located in the EEA who receives online advertising from one or more of our clients via our ad platform, then we will retain personal data associated with your Amobee ID for up to 13 months. We retain certain other data related to web traffic and Twitter tweets, where the data is not associated with any user (i.e., it is not personal data), for up to 18 months.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, then we will retain your personal data for the duration of our business relationship and afterwards for as long as is necessary and relevant for our legitimate business purposes, in accordance with our data retention policy or as otherwise permitted under applicable laws and regulation.
Where we no longer need your personal data, we will dispose of it in a secure manner (without further notice to you).
B.6. Basis for Processing
We have implemented the IAB Europe Transparency and Consent Framework (the “TCF”) in our ad platform. If you are an end user located in the EEA who receives online advertising from one or more of our clients via our ad platform, we will honor consent signals in the bid request for each ad impression. This means we will rely on consent for the basis for processing (if consent is granted) or we will not process your personal data (if consent is denied or if the consent signal is malformed or missing) in connection with that ad impression. If the ICO later determines that TCF is insufficient to represent consent under GDPR, we may rely on legitimate interest as the basis for processing. The legitimate interest is direct marketing in order to deliver more relevant advertising while supporting the production of ad-supported content on the Internet, as provided under Recital 47 following the guidance of the Article 29 Working Party stated in “Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679.” Due to technical limitations in the consent mechanism, the consent mechanism may not provide a complete description of our legal basis for processing. Therefore, this policy controls in the event of conflict between this and any description in the consent mechanism.
If you are a visitor to our own website, we may rely on legitimate interest as the basis for processing under GDPR. The legitimate interest to administer, improve and customize our website, to help us understand and analyze how the website is being used and to evaluate aggregate website usage, under the same legal authorities and guidance as stated above. If you fill out a contact form, we rely on consent as the basis for processing.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, then we will rely on the performance of a contract as the basis for processing your personal data under GDPR.
We are subject to the Privacy and Electronic Communications Regulations (“PECR”) in addition to GDPR. PECR requires consent before setting or reading cookies in the user’s browser. Therefore, if you are located in the EEA, we will only set or read cookies in your browser when we reasonably believe we have consent to do so.
B.7. Profiling
The automated ad-decisioning performed by us and other companies may be regarded as a type of profiling. The profiling is based on websites previously visited by you, previous ads served to you and any clicks or actions you made on those ads, demographic and other information about you, location information and contextual information (e.g., which website the ad is to be served on). Our evaluations of these profiles concluded that none of them are considered “high risk” to the fundamental human rights of EEA data subjects.
B.8. Security and Integrity
We have implemented reasonable security measures to protect the information in our care, both during transmission and once we receive it. This includes, but is not limited to, physical security and the use of encryption. No method of transmission over the Internet, or method of electronic storage, is entirely secure, however. Therefore, while we strive to use commercially reasonable means to protect information, we cannot guarantee its absolute security.
We process information in a way that is compatible with, and relevant to, the purpose for which it was collected. To the extent necessary for those purposes, we take reasonable steps to ensure that any information in our care is accurate, complete, current and reliable for its intended use.
B.9. Data Subject Request
If you simply wish to stop receiving tailored advertisements on your browser or mobile device, the easiest option is to use our Consumer Opt Out. This is available to everyone.
Alternatively, if you are an EEA data subject who receives online advertising from one or more of our clients via our ad platform, you can do the following.
- If you wish to exercise your rights to erasure, to restrict processing, to object or to not be subject to automated decision-making including profiling, please click here and we will delete all personal data we have about you. If you believe we hold incorrect data about you, please exercise the same right to have our data about you deleted and we will delete that incorrect data.
- If you wish to exercise your rights to access your personal data or to data portability, please click here and we will send you a copy of the personal data we have about you.
If you have a contract with us and wish to do any of the foregoing, please send your request to your Amobee representative.
B.10. Data Protection Officer and Representative
Our data protection officer is ePrivacy GmbH, Große Bleichen 21, 20354 Hamburg.
The EU representative of Amobee, Inc. and Amobee EMEA Limited for purposes of Article 27 of the GDPR is ePrivacy Holding GmbH, Große Bleichen 21, 20354 Hamburg.
The CEO of Amobee, Inc. and Amobee EMEA Limited is Nick Brien, 100 Redwood Shores Parkway, 3rd Floor, Redwood City, CA 94065.
B.11. Complaints
In compliance with GDPR, we commit to resolve complaints about your privacy and our collection or use of your personal information. EEA data subjects with inquiries or complaints regarding this privacy policy should first contact us via: amobeeprivacy@amobee.com.
You may also file a complaint with the ICO, our supervisory authority.
B.12. Data Processing Agreement
An example of the data processing agreement between our clients and us is here.
C. Cross-Border Data Transfers
Amobee processes data in the United States and the EEA, and personal data is sometimes transferred from the EEA to a place where data protection laws may not provide as much protection as those afforded EEA data subjects.
C.1. Standard Contractual Clauses
Amobee transfers personal data of EEA and/or UK data subjects to destinations outside the EEA and/or UK via applicable data protection laws and/or the approved Standard Contractual Clauses (“SCCs”).
C.2. What Personal Data is Collected and How It is Collected
If you are an end user located in the EEA or Switzerland who receives online advertising from one or more of our clients via our ad platform, our technology collects data about the websites and apps that you interact with and the advertisements that we show you. This data may include information about the device and its IP address; the browser or application used; which and how many, business partner web pages have been viewed by a browser or application; search terms entered on business partner websites; referring and exit pages; the date and time an advertisement was viewed; imprecise geolocation data; browser or device-specific identifiers (such as mobile device advertising identifiers or your browser’s user agent string); and other similar information. We do not “actively scan device characteristics” as defined in the IAB Trust and Consent Framework 2.0. The data may be collected when: we or a Business Partner purchases online advertisements on a website that you visit or an app that you use; a Business Partner places one of our web pixels on a website that you visit; or you interact with an app from which we collect data. We also license data from third-party vendors and those vendors represent that the data transfer to us is compliant with GDPR. Our advertising technology also allows Business Partners to target users by submitting lists of pseudonymized data to us.
Our advertising technology also offers data management services to business partners via our data management platform (“DMP”). Our DMP enables our Business Partners to collect, store and analyze data about their audiences. The data in the DMP is the foregoing data, as well as any data uploaded by the Business Partners for their own use. We associate end user data with pseudonymous identifiers known as an Amobee ID. We use ID syncing to associate Amobee IDs with identifiers and data from Business Partners and other industry participants in an effort to display relevant advertisements on a wider range of websites, apps and content. We may also collect market research survey responses in some cases.
If you are a visitor to our own website, our technology collects your IP address, the pages on our website that you view, your web browser, location data, mobile device-specific identifiers, your internet service provider, the time/date of the visit and your device operating system. If you choose to directly contact us or fill out a contact form for the purpose of receiving more information about our products and services, we will collect the information you provide, such as your first and last name, physical address, telephone number or e-mail address.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, we collect personal data you provide, such as your e-mail addresses, telephone number and billing details.
C.3. How Personal Data is Used
If you are an end user located in the EEA or Switzerland who receives online advertising from one or more of our clients via our ad platform, we use your personal data to identify the audience most likely to respond to a particular ad, to serve those ads and to analyze trends. We may also share this information with our affiliates and Business Partners in accordance with our Privacy Guidelines. We do not use “special categories” of your data for these purposes, as that term is defined by the GDPR.
If you are a visitor to our own website, we use your personal data to administer, improve and customize our website, to help us understand and analyze how the website is being used and to evaluate aggregate website usage. We use your contact information (if provided) to provide you with information about our products and services.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, we use your personal data for ordinary business purposes, such as to maintain customer and supplier accounts, billing, password management and to service other customer needs.
C.4. Company Contact
See “Complaints” below under C.7.
C.5. Who the Personal Data is Shared With
We may share personal data with Google Cloud and Amazon Web Services who provide cloud computing services for us. We use Hubspot and Google Analytics to collect information about visitors to our corporate website. These third parties are prohibited from using the information we provide for purposes other than performing services for us or as contractually agreed.
We may also share personal data with our Amobee-branded affiliates and Business Partners (including third-party DSPs and DMPs used by our Business Partners) to carry out advertising campaigns and analysis. Similarly, we may enhance the personal data collected via our advertising technology with personal data collected from Business Partners.
We may be required to disclose personal data to third parties when we reasonably believe we are obligated to do so by law (including to meet national security or law enforcement requirements) and to investigate, prevent, or take action regarding suspected or actual prohibited activities, including but not limited to, fraud and situations involving potential threats to the physical safety of any person.
Finally, we may transfer personal data to a successor entity in connection with a corporate merger, consolidation, sale of assets, bankruptcy, or other corporate change.
C.6. Data Subject Request
If you simply wish to stop receiving tailored advertisements on your browser or mobile device, the easiest option is to use our Consumer Opt Out. This is available to everyone.
Alternatively, if you are an EEA or Swiss data subject who receives online advertising from one or more of our clients via our ad platform, you can do the following.
- You have the right to delete, correct or amend information where it is inaccurate, or has been processed in violation of applicable data protection laws and/or the approved Standard Contractual Clauses. Please click here and we will delete all personal data we have about you. If you believe we hold inaccurate data about you or data which has been processed in violation of applicable data protection laws and/or the approved Standard Contractual Clauses, please exercise the same right to have our data about you deleted and we will delete that inaccurate or improperly processed data.
- You have the right to access personal information about you that we hold, except where the burden or expense of providing access would be disproportionate to the risks to your privacy or where the rights of persons other than you would be violated. Please click here and we will send you a copy of the personal data about you that we hold.
If you have a contract with us and wish to do any of the foregoing, please send your request to your Amobee representative.
C.7. Complaints
In compliance with data protection laws, we commit to resolve complaints about your privacy and our collection or use of your personal information. EEA and Swiss data subjects with inquiries or complaints regarding this privacy policy should first send their inquiry or complaint to us via: amobeeprivacy@amobee.com.
If your complaint cannot be resolved through the above channels you may reach out to the data protection authorities located in your jurisdiction.
D. Changes to this GDPR and Cross-Border Data Transfer Policy
Visit this page periodically to stay aware of any changes to this policy, which we may update from time to time. If we modify this policy, we will make the revised policy available at the URL of this page and indicate the date of the latest revision.