Tapad Privacy Notice - EU & EEA

Updated: Oct 1, 2019, effective on Oct 1, 2019

 

At a Glance – Summary of the Privacy Notice

Full details of the Privacy Notice follow this summary table. To further guide your understanding of this Privacy Notice, please review the list of definitions referencing capitalized terms throughout this notice, at the end of this page.

Who we are Tapad, Inc., doing business in the European Union (“EU”) and European Economic Area (“EEA”) as Tapad UK Ltd. Tapad UK Limited (ICO registration number ZA091566) (“Tapad”), is a global leader with digital products such as The Device Graph™ (the “Graph” or “Tapad Graph"). The Tapad Graph provides a transparent, privacy-safe approach to globally connect to consumers through their devices and related Identifiers such as phones, tablets and desktop computers.
What we do Tapad collects and uses information as described further in this Privacy Notice in connection with the Graph services we provide to Clients and Partners. The Graph is an association of likely connections between device Identifiers across platforms including websites, or mobile applications. This data is used by our clients for more tailored advertising, marketing, measurement, analytics, and research. We do not collect or create any information that directly identifies a natural person.
Tapad’s Role In the creation of the EU Device Graph, Tapad determines the purpose and means of the processing of data that is collected and stored by Tapad. Tapad therefore is usually considered a data Controller. In some instances, Tapad may act as a data Processor but does not use data collected in this context to enrich Tapad’s Graph.
What we collect We collect information as users browse the internet through their devices such as computers, phones, or tablets. We only collect information that is necessary to provide our Services. The information we collect includes the following:
  • Unique device Identifiers: Unique device Identifiers (or “unique IDs”) allow Tapad to distinguish one browser or device from another, as each device has its own ID. The unique IDs that we collect are Cookies, Mobile Ad IDs which are associated with app usage such as IDFAs for iOS, and Android Ad IDs for Android, or other device IDs associated with devices connected to the internet.
  • Timestamps which indicate the time the device was recognised
  • User Agent Strings that specify information such as type of browser, device and Operating System information
  • IP addresses and general location data that can be extrapolated from an IP address, but no more specific than a postal code level
What we do not collect We do not collect and store the following information:
  • Names
  • Addressess
  • Precise Location Data
  • Web address (also known as URLs) or app IDs of a web page or a mobile application where a user is browsing
  • Phone numbers
  • Login data with associated passwords
  • Special category data such as race, sexual orientation, political affiliations, biometrics, etc.
We do not collect any information that directly identifies a natural person.
Where This Privacy Notice relates to processing in EU and EEA. For information about processing activities in North America and Asia Pacific, please see our US & Global privacy notice available here.
Why (purpose) We use our technologies to create likely connections between device Identifiers across platforms including websites, or mobile applications. This data is used by our clients for more tailored advertising, marketing, measurement, analytics, and research.
Your Rights & Options You may opt out of the Tapad Graph at any time by clicking our Opt-Out link displayed on this page.
  • You may also opt out of Tapad and other companies’ data collection practices via the Network Advertising Initiative (“NAI”) opt-out page here, or European Digital Advertising Alliance’s (“EDAA”) opt-out page here.
Opting out of Tapad through any of the mechanisms described above will have the same effect. For data access requests or data deletion requests, you may email us at privacy@tapad.com. Please note that we will need your Cookie and/or Mobile Ad IDs in order to identify your devices in our systems.
  • Access requests: provides you access to the data we have that may be linked to your devices
  • Erasure or deletion requests: allows you to request deletion of any data we may hold relating to your device(s)

FULL PRIVACY NOTICE

To further guide your understanding of this Privacy Notice, please review the list of definitions referencing capitalised terms throughout this notice, at the end of this page.

This Privacy Notice describes how Tapad collects and uses information in connection with the services (the “Services”) we provide to our Partners and our Clients in the EU. Our Services create likely connections between device Identifiers across platforms including websites, or mobile applications. This data is used by our clients for more tailored advertising, marketing, measurement, analytics, and research.

Tapad is a member in good standing of the industry association the Network Advertising Initiative and adheres to the NAI Code of Conduct, which is designed to ensure compliance with responsible data collection and use practices. We also participate in the European Digital Advertising Alliance and self-regulatory programmes and adhere to the Interactive Advertising Bureau Europe (“IAB EU”) Online Behavioural Advertising (“OBA”) framework. Tapad also participates in the IAB EU Transparency & Consent Framework (“TCF”) and complies with its Specifications and Policies. Tapad’s identification number within the framework is Vendor ID 89.

Should you have any questions or concerns regarding our use or collection of information, please send an email to privacy@tapad.com.

Our Privacy principles

At Tapad, we abide by the seven key principles as set forth under the GDPR: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality (security); and Accountability.

The following general principles guide us in our data collection, usage, protection and product development throughout our product life cycle, and help guide this privacy notice:

  1. Notice and Transparency: We explain the information we’re collecting and why.
  2. Offer Meaningful Choice: Consumers can easily opt out of the Tapad Graph powered by Tapad.
  3. Data Minimisation: We minimise the amount of data that we collect, process and store, and do not collect information that is directly identifiable to an individual person.
  4. Data Protection: We follow reasonable practices to ensure all user data is secured, and operates in accordance with the requirements of the International Organization for Standardization (“ISO”) standard ISO/IEC 27001:2013.

Each of the four sections described above are explained in more detail below.

1. Notice and Transparency

In order to establish connections between devices and provide the Services and Tapad Graph to Clients and Partners, we collect and store the information as described below from devices. Tapad collects and uses information through Third Party websites and mobile applications, and in connection with the Services that we provide to Partners and Clients such as advertisers, agencies, marketers, and technology firms. Tapad observes these signals generated from internet activity received from devices connected to the internet, and uses various processing logic to establish likely connections and groups together unique Identifiers that are likely associated. The associated Identifiers may include those IDs associated with mobile applications on both smartphones and tablets, and web browsers across various devices.

We collect information as users browse the internet, and we use common tools such as Cookies, SDKs and web server logs.

The signals that we use in our Services (creating likely connections between device identifiers) are as follows:

  • Unique device Identifiers: These can come in multiple forms such as a browser Cookie, Mobile Ad IDs which are associated with app usage such as IDFAs for iOS, and Android Ad IDs for Android, or other device IDs associated with devices connected to the internet. Tapad uses these unique IDs to distinguish one browser or device from another.
  • Timestamps: Indicate the time the device was recognised.
  • User Agent Strings: A string of information about the context of the user requesting content, typically including type of browser, device type, operating system, model or version number, and screen size.
  • IP addresses: Internet Protocol address and generalised data that can be extrapolated from an IP address (e.g. we may be able to determine a general user location but not more defined than a postal code level)

We collect information in the following ways:

  • In a web browser, we may use Pixels to collect information. When these web pages are accessed, Pixels generate a notice of the visit. When used with Cookies, Pixels can track activity on a site by a particular browser and provide relevant online advertising. If Tapad, or a Partner, collects information about a device in a mobile application, we may also use Pixels or an SDK.
  • We may also exchange data in a batch file, which is a way of receiving a set of data from our Partners.

We do not use or permit our Clients or Partners to send us:

  • Precise Location Data, such as your exact location at any given time
  • Any information that may be directly identifying or re-identified by us with a natural person such as name, address, clear text email address, username, government ID information, GPS data, cell site data or phone number
  • User or household level demographic information

Tapad itself does not create any statistically-derived Identifiers, or engage in practice called “fingerprinting”. We do not reinstate Cookies once they have been opted out by you, or conduct history sniffing. We do not use local storage on servers.

Collected information is used by Tapad only to:

  • Evaluate the probability and nature of connections between devices (a key attribute of the Tapad Graph)
  • Cluster probabilistic associated devices and Pseudonymised IDs
  • Understand high level device attributes such as the make, model, country, or city the device is being used
  • Share this aggregate information with Third Parties

We also use Google and Amazon cloud-based storage and processing systems. Google and Amazon are bound by our written instructions as to how to process Tapad data, do not read or modify any Tapad data, nor Client or Partner data, except as otherwise directed by us, and therefore are classified as processors of Tapad’s in the EU.

Tapad also receives matching IDs from Partners and Clients for the purpose of matching existing customers or otherwise known IDs to IDs in Tapad’s Graph. Matching IDs may represent device IDs, underlying Cookie IDs, customer IDs, or other types of data meaningful to the Partner or Client, and is recognised only as another pseudonym in Tapad’s systems.

Tapad requires that Partners and Clients obscure and protect all Matching IDs before sending them to Tapad, such that the underlying data is either meaningless to Tapad, or is encrypted such that Tapad has no ability to access the underlying data. Matching IDs may be used for the purpose of Tapad Graph and for Tapad’s Services.

Some data in the Tapad Graph (the User Agent Strings and IP data) is translated with assistance from Partners. This information is used for understanding some metadata, such as translating IP addresses to country or city code (in no event would IP address be narrowed to an area more specific than postal code), or to understand that the User Agent String is a specific device or model type to a general manufacturer.

To comply with Articles 8 and 9 of the EU’s General Data Protection Regulation (“GDPR”), we require that our Partners put the necessary filters in place to ensure that they do not transmit this type of data to Tapad nor do they create or associate data to Tapad data that could be used to target children under the age of sixteen (16).

Tapad does not use any special category data such as information reflecting a data subject’s financial information, race, sexual orientation, political affiliations, genetic or biometrics, philosophical beliefs, or trade union membership.

Legal Basis for processing

To process personal data lawfully Tapad has to follow two separate requirements stemming from two different legal acts in European legislation:

a) To store and gain access to information stored on a device of a user (so called cookies) consent must be obtained. For this “cookie consent”, Tapad relies on the website providers (publishers) and obliges them contractually to pass on only legally obtained data. As noted previously, Tapad also participates in the IAB EU’s TCF framework which allows for disclosures at the point of collection. Through this process, Tapad fulfills its obligations stemming from the ePrivacy Directive.

b) For further processing and creation of the Device Graph based on various data (including the above Cookie data), Tapad uses legitimate interest as a legal basis for processing. Similar to the process described above, Tapad performs diligence regarding transparency disclosures as well. Through this, Tapad fulfills its obligation based on GDPR, as the processing goes beyond the original placement of the Cookie.

Categories of recipients and usage

As described in this Privacy Notice, we share the data that we maintain in the Tapad Graph with our Clients and our Partners.

Categories of our Clients and Partners are:

  • Advertisers
  • Advertising agencies
  • Marketers
  • Technology platforms
  • Market research firms
  • Telecommunications companies

The Tapad Graph may be used by our Partners and Clients to:

  • Provide targeted advertising to users
  • Provide measurement insights, and provide reporting back to Clients and Partners, including statistical reporting in connection with the activity on a website, optimisation of location of ad placement, ad performance, reach and frequency metrics
  • Market research and analytics, such as user journey mapping
  • Understand device information such as type of device, OS, age of device, country or region of the device extrapolated information from IP address, general usage on WiFi or cellular network
  • Marketing and advertising analytics
  • Website or app Personalisation

Countries of transfer

Our Clients, Partners and service providers are located across the EU and the EEA. Where our clients are located in North America, Asia Pacific, Latin America, Tapad covers all its data transfers of data in the EU/EEA to non-EU/EEA countries with EU Standard Contractual Clauses, and if needed or requested with a Data Transfer Agreement.

2. Offer Meaningful Choice

If you would like to opt out of Tapad Services, we allow you to do so as described in this section.

Mobile applications and web browsers operate with different Identifiers even though they may be on the same device. This is similar to how different web browsers on your computer have independent Identifiers. Because mobile apps and web browsers have different Identifiers, you may need to opt out of each environment separately.

When you opt out via one ID that is contained in the Tapad Graph, if we have other device Identifiers associated with that ID in the Tapad Graph, we will automatically remove and opt out all other related Identifiers which Tapad deems to be associated to that ID. If we have not probabilistically associated your other Identifiers in the Tapad Graph, then we cannot opt these other Identifiers out. Therefore, to ensure thorough opt-out choices are honored, the opt-out process must be performed on each device and browser from which you choose to be opted out. For example, if you want to opt out on your computer browser as well as your mobile device browser, and we do not have the two as associated browsers, you will need to click on the link in the table above in both your computer browser as well as your mobile device browser.

If you are interested in opting out on your computer or mobile web browser, please visit the “Web Browser Opt-out” section below, or opt out by clicking the link displayed on this page. If you are interested in opting out on your mobile device, please visit the “Mobile Application Opt-out” section below. All of our Clients and Partners are obligated to promptly discard IDs that have been opted out of Tapad data processing upon receipt of refreshed Tapad data.

Web Browser Opt-out

If you would like Tapad to stop collecting device data for the Tapad Graph and our associated Services, please see the opt-out button at the top right of this page.

You may also opt out of Tapad and other companies’ data collection practices via the NAI’s opt-out page here, or EDAA’s opt-out page here.

We make the best effort to provide a persistent opt-out for all web based environments.

PLEASE NOTE: In the web browser environment, do not just delete Cookies from your browser. The Tapad web browser opt-out works by replacing your unique Cookie ID with a generic opted-out value. Thus, if you attempt to opt out by clearing Cookies, or deleting your devices’ content cache, Tapad will not be able to recognise your device as opted out, and if you subsequently visit one of Tapad’s website Partners, you may then create a new Tapad Cookie, which may then be included in the Tapad Graph.

The above opt-out will only be enabled if you are accessing it from a JavaScript-enabled browser and Third-Party Cookies are enabled. These two technologies are required for us to provide a persistent opt-out.

Mobile Application Opt-out

As mentioned previously, if your mobile ID is associated with the web browser opt-out described above, it will automatically be included in the opt-out. However, if it is not included, then the steps below will apply.

If you would like Tapad to stop collecting device data for the Tapad Graph and our associated Services, for your mobile applications, please download the Digital Advertising Alliance’s AppChoices tool for your mobile Operating System and opt out through the application.

Manage Your Device Settings

In addition, you may also manage your privacy preferences on your mobile device by adjusting your advertising preferences within your device settings. For example:

  • To adjust your advertising preferences in iOS, visit Settings > Privacy > Advertising > Limit Ad Tracking or Settings > Privacy > Advertising > Reset advertising ID
  • To adjust your advertising preferences in Android, visit Settings > Google > Ads > Opt out of Ads Personalisation

3. Data Minimisation

We only collect data needed to provide our Services as described under the “Notice and Transparency” section of this Privacy Notice. Furthermore, we actively discard data that we may otherwise receive that is not used for building the Graph, as described.

We do not retain device-level data for any longer than necessary to build the Graph, at a maximum of 90 days. However, we will retain data as described in this notice as long as necessary for measuring advertising and marketing campaigns, but in no event longer than fourteen (14) months (even in backup systems). We contractually require all of our Partners to do the same, and further, we require all Clients and Partners to only use the latest Tapad Graph build, which includes recent opt-outs. We keep opt-out information for longer than this period so that we can continue to honor opt-out requests. Aggregate reports generated from this information may also be kept longer.

We actively reevaluate our data retention policies on a regular basis to ensure that we only store data as needed to continue to deliver our product to our Clients.

4. Protect Data

Tapad takes significant steps to protect the security of the information that we collect. To that end, we have designed and deployed hardware, software, and networking solutions to reasonably secure and protect access to our systems and data. Tapad’s Information Security Management System (“ISMS”) operates in accordance with, and is certified to the requirements of ISO/IEC 27001:2013.

However, no data security measures can be guaranteed to be completely effective. Consequently, we cannot ensure or warrant the security of any Tapad Graph data or other information. In particular, we cannot guarantee that the Tapad Graph data or other information will not be disclosed, altered, or accessed in accidental circumstances or by unauthorised or unlawful acts of others.

Legal and Other Disclosures

We may share Personal Data when we believe such action is appropriate to comply with the law (e.g., legal process or a statutory authorisation); to enforce or apply our customer agreements; to initiate, render, bill, and collect for Services; to protect our rights or property, or to protect users of those Services from fraudulent, abusive, or unlawful use of, or subscription to, such Services; or if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of communications or justifies disclosure of information without delay.

Tapad Website Data

In addition to the data we collect for the Services we provide, we also collect information you explicitly provide to the Tapad Sites (www.tapad.com) with your consent. In this instance, in addition to collecting data for the purposes listed above, we may also collect user registration information from Tapad sites (www.tapad.com), such as when you sign up for our email newsletter. Data would also be collected when a consultation or meeting is requested or when available Marketing material is downloaded from our site.

This might include our business Clients’ or prospects’ names, email addresses, company information, title, countries, phone numbers, and information on which Services they are interested in. We do not sell or rent data collected from our websites, but we may provide it to Third-Party service providers such as Customer Relationship Management (“CRM”) platforms as necessary to conduct our business operations. In addition to the data collected for our marketing purposes, we also receive and store Personal Data that would be covered under our Services from these website visits so that we can improve our Tapad Services and to analyze our own Client base.

Your Rights

Tapad offers the rights to access and erasure to the information of the users whose data we collect and process.

If you want to execute your right to erasure or access your specific information we may hold, you may request erasure or access by emailing privacy@tapad.com. You may also object to your data being processed by opting out, as described earlier in this notice. Please note that because we cannot identify requesters based on names or email addresses, requesters will need to present any relevant online Identifiers such as Cookie ID or Mobile Ad IDs to Tapad. Whenever you opt out of the processing conducted by Tapad, all personal data relating to you and maintained by Tapad will be deleted safely by Tapad within 30 days, except as otherwise noted in this Privacy Notice.

Additionally, requesters will be asked to return an executed Certification Form that Tapad will provide at the time of the request that is meant to verify the identity of the requester by way of their own admission and under penalty of perjury, as required by relevant laws.

Contact details

Tapad, Inc. Headquarters
551 Fifth Avenue, 9th Floor, New York, NY 10176

Tapad UK Limited
90 High Holborn
Holborn, London WC1V 6LJ
United Kingdom

You can also contact our Privacy Team or our Data Protection Officer (DPO) directly by emailing privacy@tapad.com.

Change of Control

If we undergo a sale, merger, transfer, exchange or other disposition (whether of assets, stock or otherwise) of all or a portion of our business, information we have collected or otherwise acquired may be one of the assets transferred.

Definitions

  • “Clients” refer to companies that purchase our product, the Tapad Graph. Our Clients include companies that buy advertising, advertising technology companies, companies that engage in marketing, advertising and marketing agencies, market research firms, and market analytics firms.
  • “Cookie” is a small piece of data that is stored on your computer by a web browser during internet usage that can then, for example, be used to uniquely identify your browser
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
  • “Customer Relationship Management” (CRM) are platforms that help manage a company’s interaction with users of their Services and/or websites
  • “Data Subject” is an identified or identifiable natural person
  • “Identifier” or “ID” is a sequence of characters used or assigned to identify or refer to a device
  • “Mobile Ad ID” is a set of digits that is assigned to a mobile device by the manufacturers of mobile devices. These are specifically for advertising and marketing purposes (different from a hardware ID) that may be reset. For iOS systems made by Apple, this is an IDFA, and for Android systems this is AAID.
  • “Obfuscation” is the action of making something obscure, unclear, or unintelligible
  • “Operating System” or “OS” is software that controls the operation of a computer or device and directs the processing of programs (as by assigning storage space in memory and controlling input and output functions)
  • “Partner” is an entity that which Tapad has a contractual business relationship
  • “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an Identifier such as a name, an identification number, location data, an online Identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  • “Personalisation” is the act of designing or tailoring a user’s online experiences to meet individual preferences
  • “Precise Location Data”, as defined by the NAI, is information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of a person or device, such as GPS level latitude-longitude coordinates or location based Wi-Fi triangulation. Generally, the use of two or fewer decimal places in latitude-longitude data is equivalent to knowing the location to the area of a circle with a radius greater than 500 meters
  • “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller
  • “Pixel” is a piece of code which is used by a website or Third Party to send data to their servers and/or store data on a computer
  • “Pseudonymisation” is a data management and de-identification procedure by which information fields within a data record are replaced by one or more artificial Identifiers, or Pseudonyms
  • “SDKs” is an acronym for Software Development Kits. An SDK is a set of code that is embedded directly in Partner mobile applications
  • “The Tapad Graph” or “the Graph” is Tapad’s proprietary technology used to establish connections between your Pseudonymised Identifiers
  • “Third Party” or “Third-party” is an entity other than Tapad or the consumer
  • “User Agent String” is a string of information about the context of the user requesting content, typically including type of browser, device, Operating System, and other information

Privacy Notice Changes

Tapad may modify this Privacy Notice at any time at its sole discretion. Use of information collected by Tapad now is subject to the Privacy Notice in effect at the time such information is used. Changes to the Privacy Notice shall be announced by posting the updated Privacy Notice on the Tapad Site. Changes to this Notice will be reflected in the “Last Updated” date above.

What’s New:

  1. Amended October 1, 2019 to update to current practices which include product offerings, privacy principles, data collection practices, region-specific information, marketing practices and inclusion of At a Glance table and definitions.
  2. Amended June 20, 2018 to clarify language throughout.
  3. Amended April 16, 2018 to update industry membership information.
  4. Amended March 7, 2018 to comply with the requirements set by GDPR for privacy policies and reflect that Tapad may receive statistical IDs from Partners and delivered to Clients as part of the Tapad Graph reporting.
  5. Amended April 8, 2017 to reflect that Tapad may collect and use Obfuscated phone number in Pakistan for The Tapad Graph management, analytics, and ad targeting.
  6. Amended November 22, 2016 to reflect that Tapad may collect and use Obfuscated phone number in Malaysia for The Tapad Graph management, analytics, and ad targeting.
  7. Amended October 26, 2016, to better explain how users may opt out in mobile applications.
  8. Amended June 6, 2016, to reflect that in Tapad may collect and use Obfuscated user Identifiers such as email address (or phone number in Thailand only) for The Tapad Graph management, analytics, and ad targeting.
  9. Amended April 7, 2016 to inform consumers that Tapad adheres to the Digital Advertising Alliance of Canada’s Self-Regulatory Principles for Online Behavioural Advertising.
  10. Amended October 13, 2015 to add information and links for European consumers.
  11. Amended November 17, 2014 to describe how we use Precise Location Data and non-sensitive health information and how we share information regarding users’ inferred interests.
  12. Amended May 14, 2014 to reflect re-branding of Evidon to Ghostery.
  13. Amended April 10, 2014 to clarify that some customers who receive data from us may be unable to honor opt-out requests immediately.
  14. Amended March 31, 2014 to remove reference to the TRUSTe Ad Preferences Manager.