End User Website Privacy Notice
Who are we?
Addition Plus (the “Organisation”, “we”, “us” and “our”) based at 6-8 Long Lane, London, EC1A 9HF (tel: 0207 490 7713; email firstname.lastname@example.org) provides expertise to our clients (“Clients”) on media and advertising campaigns to advertise their products or services online. To run our digital advertising campaigns, we use our in-house technology platform (the “Platform”).
We respect your privacy and are committed to protecting your personal data, being transparent about how we collect and use the data, and meeting our data protection obligations.
For the purposes of what we do and our interactions with you, we are a ‘processor’ of your personal data, and we are appointed as a processor by our Client. Our Client is the ‘controller’, who is ultimately responsible for your personal data and deciding how it is used.
What do we do?
We use our Platform to help our Clients place online display advertising on websites (“Websites”) that are typically owned by publishers or online service providers (“Website Owners”). Tailoring which advertisements are displayed is known as “targeted advertising”.
Targeted online advertising is more likely to: (a) make the advertising you see more relevant and useful to you; (b) make the advertising more effective for our Clients; and (c) allow the Website Owner to sell the advertising space for a higher price and increase the flow of funding from advertisements that it receives.
In order to try to ‘target’ the most appropriate advert to the most appropriate audience, we typically employ “Contextual Targeting”. This is where we show advertisements on a specific Website, because we believe it will be relevant to the type of audience that may be visiting the Website. For example, we might show an advertisement for skiwear on a winter sports website.
This type of targeting does not specifically target you or your device and all visitors to the Website could receive the same advertisement.
On occasion, a Client will have collected information from you that is passed to us for processing. We may then employ “Behavioural Targeting” where we show advertisements on a specific Website on the basis that we understand your device has been used by someone to show interest in a particular type of product or service. For example, we might recognise that your device has previously been used to visit the winter sports section of our Client’s website and we could then place an advertisement for the same Client’s skiwear if you visit an unrelated Website (e.g. Hotmail.com or eBay).
This type of targeting may use unique device identifiers such as cookies placed on your device (further information about identifiers is provided below). Anyone using your device could receive the same advertisement.
When you (or any other user) visit a Website, whilst the Website is loading we receive a notification that the Website wishes to sell advertising space to display to you (or the relevant user). We would then look at the contents of any cookies on your browser. If your browser is set to not collect cookies or if the cookie is set as an anonymous number, we cannot associate it with any other information or recognise any historic behaviour, so any targeted advertising we place would use Contextual Targeting. If we receive a cookie that allows us to identify you, then any targeted advertising we place may use Behavioural Targeting.
What information do we collect?
We process limited data when employing targeted advertising for our Clients. Our Clients provide this information to us and they have collected it from you. This information includes:
- online identifiers such as cookie ID, web beacons, mobile device identifier and IP addresses;
- geo-location information; and
- our Client may also provide us with other unique identifier information such as a customer ID number, which will relate back to information on their systems, but does not identify you to us.
This information is connected to the identity of your device (not necessarily you). This information is considered personal data under the General Data Protection Regulation (also known as the “GDPR”) and therefore we protect and use it in a way that complies with data protection laws.
We do not know your name, address, phone number, email address or other contact information. We do not knowingly collect any “Special Categories” of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
We do not knowingly use or collect data to target advertising to children under the age of 13.
In some cases, we may collect personal data about you from third parties or publicly available sources, such as associated information about weather conditions or device location.
We may also create, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate data relating to the advertisements we have placed on behalf of our Clients.
How do we collect personal data?
We do not have any direct interaction with you or your device and do not collect any personal data directly from you.
How do we use your personal information?
- How does this relate to my privacy and personal data?
We may use your personal data provided by our Client (such as cookies, web beacons and device IDs) to serve Behavioural Targeting online adverts to you, as a potential customer of our Client.
The data provided from our Client falls within the technical legal definition of personal data because, if combined with other data from a third party, it could technically be possible to identify a specific individual user (and therefore should be treated the same as other personal data).
However, we are only able to use such data to recognise your device in order to serve a targeted advertisement to it; we cannot specifically identify any individual using the device (you) directly from this data alone and we do not combine this data with any additional data that would enable us to know who you are.
- Bidding for advertising space
Within the advertising ecosystem there are a large number of Website Owners selling space for advertisements and advertisers (such as our Clients) wishing to buy that space to advertise online. To facilitate this marketplace, Website Owners can either sell directly to advertisers (such as our Clients) or use intermediaries to facilitate the sale (such as us).
We use cookie IDs to match the Website Owners with our Clients and help our Clients to decide which adverts you are likely to be interested in. We then bid to the Website Owner on behalf of our Client for that advertising space and if our bid is successful, our Client will get the advertising space.
- Displaying and measuring the success of the advertisements
In order to serve targeted display advertisements to you and to measure the effectiveness of advertisements, we may disclose your IP address or other device identifier to other third parties in the advertising network.
To the extent we pass personal data to third parties, we put in place contractual cover and security measures as required by GDPR.
- Fraud prevention
We take various measures to minimise fraud within the advertising network and to drive transparency.
Why do we process personal data?
We act as a processor of your personal data as we follow the instructions of our Client in relation to how your personal data may be used.
We are an advertising intermediary and do not have a direct relationship with you or other users. Our Client is responsible for your personal data and we expect that they will only pass us your personal data if they have a legitimate interest in processing this data or have obtained your full, unambiguous and informed consent. The collection by our Clients of your personal data is outside the scope of this Privacy Notice and the Client will be operating under their own privacy notice or policy.
We may use your personal data to inform our Client about advertisements which were served using Behavioural Targeting and to report on the success or other aspects of the service we provide to our Client. This is necessary for our legitimate interests and the legitimate interests of our Client (in order to keep our records updated and to study how our Clients use our services so we can further develop them, and to enable us and our Client to grow our respective businesses).
Where we are relying on legitimate interests as a reason for processing data, we have considered whether those interests are overridden by your rights and freedoms and have concluded that they are not, as we cannot identify a specific individual by using this information alone.
Who has access to data?
We limit access to your personal data to those of our personnel and third parties who have a genuine business need to know it.
We share your data with demand-side platforms who allow us to buy space on websites to place our Client’s advertisements and we will also share your data with publishers where we contract with them directly.
Many of the Website Owners are based outside of the EU or host their servers outside of the EU (e.g. in the USA) which may require us to transfer your personal data (such as cookie ID) outside of the European Union.
Where we are transferring your data outside of the EU, we rely on one of the European Commission’s adequacy decisions (for example, relying on a Privacy Shield certification where the transfer contains a US entity) or we will use reasonable efforts to put in place appropriate safeguards to cover transfers of your personal data including, for example, signing standard contractual clauses/data protection clauses adopted by the European Commission. Please click here for a link to the standard contractual/data protection clauses and click here for more information about the Privacy Shield for US companies.
How do we protect data?
We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.
For example, access to data is limited to personnel who have a genuine business need to use it. Only personnel with access to the Platform can see any data; this access is frequently reviewed by the Controller to ensure that it is suitable and that those using the Platform are adequately trained in data protection.
We also have procedures in place to deal with any data security breach. Where legally required to do so, we will inform you and any applicable regulator of any data security breaches. However, the nature of the personal data that we process means that it is unlikely we will be able to identify and contact you directly.
For how long do we keep data?
We will hold your personal data for as long as necessary to fulfil the purposes for which it was transferred to us, including satisfying any legal, accounting or reporting requirements. Cookies will last for a maximum of 120 days. In practice, we may delete cookies sooner as they are only used for specific advertising campaigns. As such, a cookie will typically be valid for 14 days.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the organisation to change incorrect or incomplete data;
- require the organisation to delete or stop processing your data, in certain circumstances, for example where the data is no longer necessary for the purposes of processing;
- withdraw your consent to our using your data;
- ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation’s legitimate grounds for processing data; and
- right to data portability, in certain circumstances.
However, given the nature of the personal data that we may process about you, it is unlikely that we would be able to link you as an individual to a device that we have data about. You are more likely to be able to control, restrict or amend your personal data by opting out of advertising or by contacting the Client.
If you would still like to exercise any of these rights, please contact us using the details below. This may mean that you will have to provide us with further personal data about yourself so that we can identify the device connected with you.
How to opt out of Behaviourally Targeted advertising
Please note that stopping advertising which uses Behavioural Targeting will not mean you will cease to see any advertising at all. When you visit a website, an advert may still be placed by us on behalf of our Client which may use Contextual Targeting or be untargeted.
Can I delete my data?
Under data protection laws (such as the GDPR), you may have the right to ask us to suspend the processing of your personal data. However, as explained above, we are unlikely to be able to identify you from the device-specific personal data we may process about you. You would therefore need to provide further personal data to allow us to identify you as the individual using a specific device, so we recommend you take the opt-out steps set out above first.
Changes to this Notice
We reserve the right to update this Privacy Notice at any time, and we will post a new version of this Privacy Notice on our website when we make any substantial updates.
Addition Plus contact information
To get in touch with us with regard to privacy and your personal data or in connection with the advertising services we manage for our Clients, you may contact us by email on email@example.com
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The GDPR also gives you the right to lodge a complaint with a data protection supervisory authority, in particular in the European Union state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
The wording in this document reflects the requirements of the General Data Protection Regulation (GDPR), which will come into effect in the UK on 25 May 2018.
Addition Plus adheres to the principles of the EDAA IAB Europe OBA Framework.