Privacy Policy

Updated: Jun 20, 2018, effective on Jun 20, 2018

This privacy policy (“Privacy Policy”) describes how Tapad, Inc. and its European Headquarters, Tapad UK Limited (ICO registration number ZA091566). (“Tapad”) collects and uses information for its own website and in connection with the services (the “Services”) we provide to partners, including clients such as advertisers or publishers. Tapad is a member in good standing of the Network Advertising Initiative (NAI) and adheres to the NAI Code of Conduct. Click here to learn more about the NAI. In the United States, we also participate in the Digital Advertising Alliance (DAA) and self-regulatory programs and adhere to the DAA Principles for Online Behavioral Advertising. Click here to learn more about the DAA. In Europe, we participate in the European Digital Advertising Alliance (EDAA) and self-regulatory programs and adhere to the IAB Europe Online Behavioral Advertising (OBA) framework. Click here to learn more about the EDAA and your online choices in Europe. Should you have any questions or concerns regarding our use or collection of information, please send an email to privacy@tapad.com. You may also learn more by visiting our Glossary of Terms.

What We Do

Through its proprietary Device Graph™ and device unifying technology, Tapad establishes connections between a user’s devices. The result is a holistic view for marketers across multiple, related devices: smartphones, computers, tablets and connected TVs.

Our Principles

  1. Provide Notice. We explain what information we’re collecting and why.
  2. Offer Meaningful Choice. Consumers have access to tools to easily opt-out of our Device Graph and behavioral advertising by Tapad.
  3. Protect Data. We follow reasonable practices to ensure all user data is secured.
  4. No Children. Tapad does not create or use audience segments targeted at children under the age of thirteen.

1. Provide Notice

In order to establish connections between devices, to provide insights and reporting to partners, and to provide more relevant ads to users, we collect and store select information about devices directly from the device. We may also receive additional information about the device or the individual from partners with an existing relationship with the individual, from our clients, from media providers or from other third parties that we might purchase media from. For example, we may receive inferred demographic data, user-declared demographic data, obfuscated phone number (in Pakistan, Thailand, and Malaysia only), obfuscated user login data, or in some instances statistically-derived identifiers.

The technologies we use to collect information include browser cookies, pixels, application software development kits (SDKs), or server-to-server connections with our partners.

  • A cookie is information that is stored on your computer that can uniquely identify your browser.
  • A pixel is a piece of code which is used by a website or third party to assign online activities to a computer or browser. The use of a pixel allows websites and us to record, for example, that a user has visited a particular web page or clicked on a particular ad.
  • We may collect information (as specified in the section below “What may be collected by Tapad”) about select user behavior (e.g., when a user opens an application or interacts with that application) in an application on behalf of that partner. In this case, we may use an application SDK or a server-to-server connection with our partners to collect that information. An application SDK is a library of code that is embedded directly in partner applications. We may also use a server-to-server connection to exchange the same data when an SDK integration is not feasible or practical for the partner. While Tapad uses these technologies to track select activities within an application, including whether or not the user is accessing certain pages or features or is responding to marketing messages, Tapad does not track the emails a user sends or the individuals a user communicates with, or any sensitive financial or health related data.
  • We may also collect information (as specified in the section below “What may be collected by Tapad”) when we receive ad requests from our partners. In this case, we may use an application SDK or a server-to-server connection with our partners to collect that information.

We use these technologies across platforms including websites, mobile applications, email and TV applications so that we can provide the best cross-platform targeting technology possible. Examples of how we deploy these technologies include: (1) when we deliver ads and (2) when we integrate with our partners’ websites and applications to provide cross-device analytics.

We do not use “zombie cookies” or “history sniffing.” We do not use local storage and Flash cookies for any other purpose other than to maintain a persistent opt-out.

What may be collected by Tapad for Device Graph™ management, analytics, and ad targeting:

  • Time stamp
  • User agent string that specifies browser and OS information
  • IP address
  • Unique pseudonymized device identifier, stored in a browser cookie, which can easily be reset or opted-out of as the user desires
  • Other pseudonymized device identifiers mobile ad IDs, for example, IDFA for iOS and Android Ad ID for Android, which can easily be reset as the user desires.
  • URLs or app IDs of a web page or application where an ad may be placed or where a Tapad pixel fires. In the EU, the web page URL is fully deleted and not stored by Tapad.
  • Anonymous data that can be extrapolated from an IP address. For example, we may be able to determine a user’s general location and therefore infer demographic information.
  • Obfuscated user identifier, such as email address (or phone number in Pakistan, Thailand, Bangladesh, and Malaysia only)
  • Unique statistical IDs our partners calculate from information about a mobile device, browser or operating system they collect using non-cookie technologies. For example, a tablet and laptop with similar characteristics such as IP address, user agent, font settings, screen resolution, and plug-ins may be assumed to belong to the same person. Multiple users may share a statistical ID, or one user may have multiple statistical IDs within a Device Graph™

What is not collected by Tapad for Device Graph™ management, analytics, and ad targeting:

  • Name
  • Address
  • Phone number (except in Pakistan, Thailand, Bangladesh, and Malaysia)
  • Password
  • Sensitive personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and information about sex life.

We do not use or permit our customers to use precise location data, such as your exact location at any given time, to connect devices in our Device Graph, to infer user interests for online behavioral advertising (which we define to mean advertising to consumers based on activities across websites or apps over time), or to deliver advertisements to you at a precise location (which we define to mean an area with a radius of less than one half mile), without your express consent to Tapad.

Collected information is used to:

  • Evaluate the probability and nature of connections between devices (a key attribute of our Device Graph)
  • Infer eligibility of device for interest and demographic-based segments
  • Provide targeted advertising to users based on the information collected by Tapad unless the user has opted out
  • Provide insights, facilitate ad delivery, and provide reporting back to customers (such as advertisers and publishers) and partners, including statistical reporting in connection with the activity on a website, optimization of location of ad placement, ad performance, reach and frequency metrics, billing, and logging ads served on a particular day to a particular website
  • Provide Device Graph information and inferences about user interests to customers and partners that allow them to target advertising, personalize content, analyze behaviors and engage in other similar services
  • Share aggregate information with third parties
  • Provide cross-screen reporting and analytics for digital media campaigns
  • Seed data for look-alike modeling for audiences

Creation of profiles through the building of audiences by automatic means but without having a legal effect on the user.

In addition, such information may be used by Tapad for internal analysis in order to perform and improve the Services and associated technologies, and to operate and improve the Tapad site (www.tapad.com).

Tapad also receives “Matching IDs” from partners and clients for the purpose of helping our partners and clients understand which of their existing customers or otherwise known IDs match specific IDs in Tapad’s Device Graph. Matching IDs may represent underlying cookie IDs, customer IDs, statistical IDs, email addresses, phone numbers (in Pakistan, Thailand, Bangladesh, and Malaysia only), or other types of data to the partner or client, but Tapad never receives this information in a form that is identifiable to Tapad. Tapad requires that partners and clients obscure and protect all Matching IDs before sending them to Tapad, such that the underlying data is either meaningless to Tapad, as is the case with a 3rd party cookie ID where Tapad has no matching table, or is encrypted such that Tapad has no ability to access the underlying data. Matching IDs may be used for the purpose of analytics and ad targeting, Device Graph management, or to enrich Tapad’s data or services.

We supplement our user segment data and device graph with information from other data partners. The information these data partners provide typically consists of demographic and inferred interest data. Tapad does not collect or use any data, including inferred interest data, that we consider sensitive, such as precise information reflecting a user’s past, present or potential future health or medical condition or treatment, including genetic, genomic and family medical history; certain aspects of a user’s personal life or financial situation; or use of, or interest in, gambling, alcoholic beverages, or “adult” products or services. Tapad partners with Blue Kai, eXelate and other companies to receive information about non-sensitive health and wellness categories. You can view representative lists of such categories available from Blue Kai by clicking here and from eXelate by clicking here.

Legal Basis for processing

To process personal data lawfully Tapad has to follow two separate requirements stemming from two different legal acts in European legislation:

a) To store and gain access to information stored on a device of a user (so called cookies) consent must be obtained. For this “cookie consent”, Tapad relies on the website providers (publishers) and obliges them contractually to pass on only legally obtained data. Through this process, Tapad fulfills its obligation stemming from the ePrivacy Directive.


b) For further processing and creation of the device graph based on various data (including the above cookie data) Tapad uses legitimate interest as a legal basis for processing. Through this Tapad fulfills its obligation based on GDPR, as the processing goes beyond the original placement of the cookie. The legitimate interest in Tapad's processing is the tailoring of promotional communications to Internet users, which is an integral part of the eco-system by which freely available internet content is funded through advertising revenue.

Categories of recipients and countries of transfer

We do share the data that we maintain in our Device Graph with our clients and our partner platforms. Moreover, we transfer data to our service provider who are acting as a data processor for us. Our clients, platform partners and service providers are located in US, Canada, Japan, Malaysia, Singapore, Pakistan, Bangladesh, Turkey (imminently), EU and EEA (Sweden, Norway, Germany, UK, Ireland, Belgium, Netherlands).

All our data transfers are safeguarded by European Standard Contractual Clauses and Data Processing Agreements where this is required by European Data Protection Law.

2. Offer Meaningful Choice

Mobile applications and web browsers operate with different identifiers even though they may be on the same device. This is similar to how different web browsers on your computer have independent identifiers. Because mobile apps and web browser have different identifiers, you will need to opt-out of each environment separately. At this time, we do not respond to browser ‘do not track’ signals, as we await the work of interested stakeholders and others to develop standards for how such signals should be interpreted and to evaluate how they work in practice.

If you are interested in opting out on your computer or mobile web browser, please visit the “Web Browser Opt-out” section below. If you are interested in opting out on your mobile app, please visit the “Mobile Application Opt-out” section below. When you opt out, there may be a limited delay in some of our customers’ ability to update their information and honor your choice.

Web Browser Opt-out

If you would like for Tapad to stop collecting device data for our Device Graph and for targeted advertising in your web browser, please see the opt-out button to the right.

You may also opt out from the Network Advertising Alliance’s opt-out page here or the Digital Advertising Alliance’s Opt-out page here. If you reside in Europe, you may also opt out from the European Digital Advertising Alliance’s opt-out page here, which is available in 27 languages.

We make the best effort to provide a persistent opt-out for online display and, independently, for mobile web. This opt-out must be performed on each device and browser that you want to be opted out on. For example, if you want to opt-out on your computer browser as well as your mobile device browser, you will need to click on the link above in both your computer browser as well as your mobile device browser.

PLEASE NOTE: In the web browser environment, do not just delete cookies from your browser. The Tapad web browser opt-out works by replacing your unique cookie ID with a generic opted-out value. This happens both on the cookie in your browser as well as on our server side. Thus, if you attempt to opt-out by clearing cookies, or deleting your device’s content cache, Tapad will not be able to recognize your device as having opted-out, and if you subsequently visit one of Tapad’s website partners, you may then get a new Tapad cookie.

The above opt-out will only be enabled if you are accessing it from a Javascript-enabled browser and 3rd party cookies are enabled. These two technologies are required for us to provide a persistent opt-out. Other technologies, such as HTML5 local storage, may also be used in order to make opt-out as persistent as possible.

Mobile Application Opt-out

If you would like Tapad to stop collecting device data for our Device Graph and for targeted advertising in your mobile applications, please download the DAA’s AppChoices tool for your mobile operating system and opt-out through the application.

You may also opt out in mobile apps by adjusting your advertising preferences on your mobile device. For example, to adjust your advertising preferences in iOS, visit Settings > Privacy > Advertising > Limit Ad Tracking. To adjust your advertising preferences in Android, visit Settings > Google > Ads > Opt out of interest-based ads.

Please keep in mind that if you opt-out, you will still receive ads though they will not be tailored to your interests. To opt-out from other companies that provide online behavioral advertising services, you can opt-out at the following online advertising industry website: The Digital Advertising Alliance Website, www.aboutads.info or the European Digital Advertising Alliance Website, www.youronlinechoices.eu.

3. Protect Data

Tapad takes significant steps to protect the security of the information that we collect. To that end, we have designed and deployed hardware, software and networking solutions in an effort to reasonably secure and protect access to our systems and data.

Please be aware, however, that no data security measures can be guaranteed to be completely effective. Consequently, we cannot ensure or warrant the security of any Device Graph data or other information. In particular, we cannot guarantee that Device Graph data or other information will not be disclosed, altered, or accessed in accidental circumstances or by unauthorized or unlawful acts of others.

We do not deliver ads based on individual level data that is more than fourteen (14) months old. We retain the information that is reasonably linkable to a device and collected for ad targeting and/or ad delivery and reporting only as long as is legitimately necessary for running advertising campaigns and in no event longer than fourteen (14) months. We keep opt-out information for longer than this period so that we can continue to honor opt-out requests. Aggregate reports generated from this information may also be kept longer.

4. No Children

Tapad does not create or use audience segments targeted at children under the age of thirteen (13).

Personal information you explicitly provide to the Tapad Sites (www.tapad.com):

In addition to collecting data for the purposes listed above, we may also collect user registration information from Tapad Sites (www.tapad.com). Some of Tapad’s services request voluntary user registration or sign-up that, when given, could be classified as Personally Identifiable Information (PII), such as our email newsletter. This might include our business customers’ or prospects’ names, postal addresses, email addresses, and phone numbers. We do not sell or rent data collected from our websites, but we may provide it to third-party service providers as necessary to conduct our business operations and for the performance of our Services with our customers. We also receive and store non-personally identifiable information from these website visits so that we can better target our own ads for Tapad Services and to analyze our own customer base.

Personal information we collect on behalf of advertisers:

In addition to collecting data for the purposes listed above, we may also collect user registration information on behalf of our advertisers. Users may choose to manually and voluntarily enter information that could be classified as PII as part of their interaction with an advertisement or landing page, and we may collect this PII on behalf of those advertisers. Because we are collecting this information on behalf of an advertiser, we may transfer this information to them. We do not sell or rent this information to any third parties for their own use.

Legal and Other Disclosures

We may share personal information when we believe such action is appropriate to comply with the law (e.g., legal process or a statutory authorization); to enforce or apply our customer agreements; to initiate, render, bill, and collect for Services; to protect our rights or property, or to protect users of those services from fraudulent, abusive, or unlawful use of, or subscription to, such services; or if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of communications or justifies disclosure of information without delay.

Data Subject Rights

Tapad takes privacy rights very seriously, and we therefore offer the rights to access, erasure and information to the users whose data we collect and process.

The right to information is served by this privacy policy which contains all relevant information that the user needs to know on Tapad’s data processing.

Where the user wants to execute his or her right to access, he or she can request access to the information processed by Tapad about him or her via the e-mail address: privacy@tapad.com.

The user also has the right to obtain the erasure of the personal data concerning him or her from Tapad. This right is met by the opt-out solutions offered by Tapad. Whenever a user opts-out of the processing conducted by Tapad, all personal data relating to the user and maintained by Tapad will be deleted safely within one week.

The user also has the right to lodge a complaint with a supervisory authority.

Contact details

Tapad, Inc.

60 Madison Ave, 3rd Floor, New York, NY 10010

or

Tapad UK Limited

40 Bernard Street, Bloomsbury, London, WC1N 1LE

You can also contact our Data Protection Officer: privacy@tapad.com

Change of Control

If we undergo a sale, merger, transfer, exchange or other disposition (whether of assets, stock or otherwise) of all or a portion of our business, information we have collected or otherwise acquired may be one of the assets transferred.

Privacy Policy Changes

Tapad may modify this Privacy Policy at any time at its sole discretion. Use of information collected by Tapad now is subject to the Privacy Policy in effect at the time such information is used. Changes to the Privacy Policy shall be announced by posting the updated Privacy Policy on the Tapad Site. Changes to this Policy will be reflected in the “Last Updated” date above.

What’s New:

  1. Amended June 20, 2018 to clarify language throughout.
  2. Amended April 16, 2018 to update industry membership information.
  3. Amended March 7, 2018 to comply with requirements set by GDPR for privacy policies and reflect that Tapad may receive statistical IDs from partners and delivered to clients as part of the Device Graph™ reporting.
  4. Amended April 8, 2017 to reflect that Tapad may collect and use obfuscated phone number in Pakistan for Device Graph™ management, analytics, and ad targeting.
  5. Amended November 22, 2016 to reflect that Tapad may collect and use obfuscated phone number in Malaysia for Device Graph™ management, analytics, and ad targeting.
  6. Amended October 26, 2016, to better explain how users may opt out in mobile applications
  7. Amended June 6, 2016, to reflect that in Tapad may collect and use obfuscated user identifiers such as email address (or phone number in Thailand only) for Device Graph™ management, analytics, and ad targeting
  8. Amended April 7, 2016 to inform consumers that Tapad adheres to the Digital Advertising Alliance of Canada’s Self-Regulatory Principles for Online Behavioural Advertising
  9. Amended October 13, 2015 to add information and links for European consumers
  10. Amended November 17, 2014 to describe how we use precise location data and non-sensitive health information and how we share information regarding users’ inferred interests
  11. Amended May 14, 2014 to reflect re-branding of Evidon to Ghostery
  12. Amended April 10, 2014 to clarify that some customers who receive data from us may be unable to honor opt-out requests immediately
  13. Amended March 31, 2014 to remove reference to the TRUSTe Ad Preferences Manager