GDPR and adloox

ADLOOX provides ad verification services, which enables Advertisers to
control the efficiency of online targeted marketing campaigns. ADLOOX software
checks whether the advertisements have really been broadcasted on the
broadcasters’ websites, in what country the advertisements have been
broadcasted and whether they have been displayed in front of a real web user
and not activated by a bot. ADLOOX is data processor of its clients the
Advertisers, which are data controllers within the meaning of the GDPR
(together with the broadcasting websites).

Operating the ADLOOX platform implies the upload of a script embedded
with the ad impression broadcasted on a website. The script starts running when
the advertisement is displayed on the web browser of the web user. This script
may collect the following information:

URL of the broadcasting website;
Timestamp;
IP address of the web user;
IDFA;
Remote address;
Impression ID
User agent (web browser, OS, device, to be completed)

ADLOOX software can generate a fingerprint from the collected data, such
fingerprint being hereafter used to produce aggregated efficiency statistics on
advertising campaign and communicate them to the Advertiser. The IP address and
other personal data linked with a web user are immediately encrypted upon
collection and remain so until they are either anonymized or erased in
compliance with the rules mentioned below. 

Broadcasting websites which display the advertisements are liable for
consent collection. Advertiser has a legitimate interest to use the ADLOOX
software in order to check the efficiency of targeted marketing campaigns
accepted during these consent collection operations. If the data subjects did
not consent, ADLOOX software will automatically and entirely anonymize any and
all personal data collected.

Personal data are processed for the sole purpose of producing aggregated
statistics, which exclude personal data, and which are hashed and anonymized before any storage in our servers
following a robust process preventing any and all identification
of web users. ADLOOX shall not keep personal data (such as the IP address or
IDFA) and shall only provide its clients Advertisers with statistical data
relating to the country in which the ad impressions have been broadcasted, the
overall frequency and other statistical data relating to the broadcasting of
Advertisers’ campaigns (which may be access on the Advertiser’s ADLOOX
dashboards).

ADLOOX collection and processing servers are exclusively located on
French territory and are subject to appropriate technical and organizational
measures to ensure the security and the control of data access.

In short:

Processing
purpose: personal data (IP address, IDFA, user agent) are only
collected for the purpose to generate aggregated data on the efficiency of
Advertisers’ advertising campaigns;
We anonymise completely the IP information when it arrive into our servers, we don't store it. This process is being made when we retrieve the data with a strong encryption (bcrypt + salt key).

Legal
basis: ADLOOX collects and process data as indicated in its
binding contract with the client Advertiser, provided the web user has given
its express consent to receive targeted advertising to the broadcasting website
(the processing for efficiency measuring being an accessory processing within
the legitimate interest of the Advertiser carrying on the targeted
advertising), encrypts them and anonymizes them irreversibly;

Data
recipients: collected personal data shall not be sent to any
third party recipient. Only aggregated statistics, free of any personal data,
are provided to the client Advertiser;
 
Data
controller: each client Advertiser of ADLOOX;

ADLOOX’s
data protection officer: Romain Bellion;

As a consequence, personal data are
neither processed nor subject to automated decision-making nor transferred
outside of France in any other way whatsoever. They are only hosted on ADLOOX
servers for the time period required to anonymize them and to generate the
statistical data, such time period not to excess one day.

The client Advertiser shall be liable
to provide the appropriate information to publish on the broadcasting website,
including but not limited to the rights for web users to (i) withdraw their
consent, when applicable, and to (ii) oppose the collection of their personal
data, and to ensure exercise of such rights under any circumstances.

ADLOOX uses OVH to collect and store (in France) the data.

Please note that ADLOOX shall not operate profiling processing or
targeted advertising processing, Advertisers and broadcasting websites are the
only ones liable for implementing compliance of such processing with applicable
laws and regulations.