EPSILON PRIVACY POLICY FOR SERVICES


Last Modified: 23 June 2020

Epsilon, formerly known as Conversant, is a digital advertising company. We are part of the Publicis Groupe, headquartered in France but with operations around the world. Our services help online businesses find customers and keep the internet free. We encourage you to read the whole notice but if you wish to jump to a certain subject, please use the table below.

 

-        Privacy commitment and scope of this Privacy Policy

-        What does Epsilon do?

-        IAB Europe and the Transparency & Consent Framework

-        Device access

-        What Personal Data do we process?

-        Pseudonymous Personal Data

-        Direct Identifiable Personal Data

-        How Personal Data is used and lawful basis

-        Social media

-        Who do we share Personal Data with?

-        How long do we keep Personal Data?

-        Your rights

-        International transfers

-        Security

-        Self-regulation

-        Contact us

-        Changes to this Privacy Policy

-        Definitions used in this Privacy Policy

 

Privacy commitment and scope of this Privacy Policy

This Privacy Policy (“Privacy Policy”) describes how Personal Data is collected and used by Epsilon when providing our Services. We care about your privacy and we want you to understand how we process Personal Data and what choices you have with regards to it. We have taken steps to provide you with this information as clear and easy as possible, but if you have any questions you can always contact us (see Contact us).

We believe that data protection is essential to the growth and prosperity of the Internet and that a personalised experience online can provide significant benefits to users if done properly. In accordance with these believes, Epsilon creates results for advertisers in revolutionary ways without compromising users’ privacy or data protection. 

By getting familiar with this Privacy Policy, you have taken the first step in understanding how advertising businesses such as ours help contribute to the Internet’s ability to remain a diverse ecosystem of free content, as well as provide a better digital browsing experience.

What does Epsilon do?

While you visit digital properties, such as websites and mobile applications, there are almost always third parties working behind the scenes to help provide you with a great digital experience. These companies provide services such as analytics, advertising and fraud prevention for retailers, publishers, and other organisations. Epsilon is one of these companies and we help provide the advertising that keeps your favourite blogs free, your favourite stores in business, and your advertising experience more relevant.

Epsilon provides its clients with digital advertising and personalised content across the Internet. To make some of these things possible, and to make smarter decisions, we need to use information that is considered Personal Data.

We also use our technology to provide life-saving messages, geotargeted to individuals in affected areas, during tornadoes and AMBER Alerts. To learn more about these internationally recognised programs established by Epsilon through an organisation called the Federation for Internet Alerts, click here.

IAB Europe and the Transparency & Consent Framework

The Interactive Advertising Bureau in Europe (“IAB EU”) launched its Transparency and Consent Framework (“TCF”) in April 2018. The TCF is an industry tool that supports companies within the digital advertising ecosystem to manage their compliance obligations under the GDPR and the ePrivacy Directive, and it provides a standardised way to provide notice and choice across the Internet. You can read more about the TCF here.

Epsilon participates in the IAB EU’s TCF and complies with its specifications and policies. Epsilon’s identification number as vendor within the TCF is 24. Epsilon also operates a Consent Management Platform (CMP) connected to the IAB EU’s TCF with identification number 23.

Device access

We will only use Cookies or otherwise access your device if you have provided us with consent to do so, as required by the ePrivacy Directive. You may have provided us with consent through a CMP on our website, on one of our clients or partners digital properties or elsewhere across the Internet. You can review and change your choices at any time by clicking on “Review Consent Preferences” in the footer of our website, or by changing your choices in another CMP. However, certain essential Cookies do not require your consent. This includes Cookies that are essential to comply with the GDPR’s security principle as well as Cookies that help ensure that content of a page loads quickly and effectively by distributing the workload across numerous computers.

What Personal Data do we process?

Pseudonymous Personal Data

Epsilon uses Tags and Cookies to collect Pseudonymous Personal Data about the browser or device you are using, including Log Data and information about your browsing behaviour, such as what digital properties that you have visited and online transactions that you have made. This type of Pseudonymous Personal Data is processed whenever you visit digital properties and open emails where our Tags are implemented, including digital properties belonging to our clients and partners such as high street retailers.

We are a part of the digital advertising ecosystem and involved in activities such as Real-Time-Bidding (“RTB”). RTB is a set of technologies and practices used in programmatic advertising that enables advertisers to compete for available digital advertising space and place online adverts on digital properties by automated means. RTB allows for certain information to be sent to participants of the digital advertising ecosystem in Bid Requests. Bid Requests normally contain information that constitutes Personal Data, such a Log Data. This information is used by participants to evaluate the bid opportunity and respond with a bid price to serve an advert on the digital property. We only process Pseudonymised Personal Data that we receive in Bid Requests.

We also perform Cookie syncs with advertising exchanges and other partners, such as Eyeota, which means that we receive and share Cookie IDs with each other. This enables us to recognise information about the user and determine whether we want to respond to a Bid Request or not.

All location data we process is limited to non-precise location data (as defined by IAB EU’s TCF). 

Direct Identifiable Personal Data

Some of our clients provide Direct Identifiable Personal Data such as name, address, email address and associated transactional information, to our Affiliates and processors, with whom we have a contractual relationship.

Our Affiliates also receive Direct Identifiable Personal Data from our partners, such as CACI. CACI provides them with name, address and profiled attributes. The source of the name and address information provided by CACI is the edited Electoral Register. CACI is not an Affiliate of ours and we have no control over its data practices. You can read more about how CACI collects and processes your Personal Data here.

The Directly Identifiable Personal Data our Affiliates receive from our clients and third parties is referred to as data obtained offline or offline data sources in the IAB EU’s TCF, and in this Privacy Policy as “Offline Data”. Our Affiliates pseudonymises the Offline Data received from our clients and partners and provide Epsilon only with Pseudonymous Personal Data. They are under strict limitations to only use the data to enable us to provide the Services and we engage a third party auditor to confirm that we do not receive any Directly Identifiable Personal Data.

How Personal Data is used and lawful basis

Purpose

Description

Lawful basis

Select basis advertising

Using information about the content you are viewing, the application you are using, your approximate location and your device type to select the advertisement that is being shown to you.

Consent

Create a personalised advertising profile

 

Using information that we have collected about you to create a personalised advertising profile of you and your presumed interests.

Consent

Select personalised ads

Using information from your personalised advertising profile to show you personalise advertisements that we believe to be relevant to you.

Consent

Create a personalised content profile

Using information that we have collected about you to create a personalised content profile of you and your presumed interests.

Consent

Select personalised content

Using information from your personalised content profile to show you personalised content that we believe to be relevant to you.

Consent

Measure advertising performance

 

Measuring the performance and effectiveness of advertisements that you have seen or interacted with.

Consent

Apply market research to generate audience insights

Using market research to learn more about the audiences who visit digital properties and view advertisements.

Consent

Develop and improve our products and services

Using information to improve existing systems and software and to develop new products.

Consent

Ensure security, prevent fraud, and debug

Using information collected and processed to monitor for and prevent fraudulent activity as well as ensuring systems and processes work properly and securely.

Legitimate Interest

Technically deliver ads or content

Receiving and sending information about and to your device such as device type and capabilities that allows you to see and interact with advertising and content delivered, e.g. to deliver the right size advertisement creative or video file in a format supported by the device.

Legitimate Interest

 

In support of one or more of the purposes set out above we may use Personal Data that we hold to determine whether different devices are likely to belong to you or your household and to try and distinguish your device from other devices based on information it automatically sends, such as IP address or browser type. This helps us develop a predictive profile of your interests across these different devices, including making sure we do not show you the same advert too often.

Offline Data we receive from our clients and third parties via our Affiliates will be processed based on legitimate interest for receiving and storing purposes. We will only combine Offline Data related to you with other Pseudonymous Personal Data that we hold and process it for the above purposes, if you have given us your prior consent. Offline Data can be combined with your online activity in support of one or more purposes set out above.

Epsilon’s legitimate interests for the purposes of (i) receiving and storing Offline Data; (ii) ensuring security, prevent fraud and debug; and (iii) for technically deliver ads or content include providing our Services and ensuring that our clients are only paying for advertising that is viewed by a natural person (e.g. not a bot). Further information can be provided upon request.

Social media

We sometimes engage social media platforms to display direct marketing to you on their platform. We use “list-based” and “look-a-like” tools to do this. Using list-based tools involves the uploading of Personal Data to the social media platform in question (such as a list of email addresses). The platform then matches the uploaded Personal Data with its own user base. Any user that matches the uploaded list is added into a group that will be sent the selected marketing message. Look-a-like tools offer the ability to build other audiences based on the characteristics of an original audience that was created using a list-based tool. These audiences generally comprise of users that have not previously engaged, but who look like the list-based audience (i.e., they are users with similar interests, behaviours or characteristics). When creating this sort of audience, the social media platform uses Personal Data it has about other users of its platform to find users who match the interests and behaviours of users that are current customers. Examples include Facebook Custom Audiences or LinkedIn Contact Targeting. We will not undertake this processing unless you have provided us with consent for the purposes set out above, and we have contractual controls in place to ensure that the social media platform can only use the Personal Data we share to enable the provision of the Services. We are not responsible for the data practices of social media platforms and recommend you read their own privacy policies.

Who do we share Personal Data with?

We share your Personal Data:

-        With our processors (e.g. our Affiliates for pseudonymisation purposes),

-        With our clients as necessary to provide our Services (only Pseudonymous Data is shared,

-        With participants of the advertising ecosystem such as advertisers, publishers, advertising exchanges, data management platforms, demand side platforms and supply side platforms, to be able to participate in RTB activities,

-        With social media platforms as described above,

-        Third parties in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stocks (including in connection with any bankruptcy or similar proceedings); and

-        As we believe necessary and appropriate: (a) under applicable law; (b) to comply with legal processes and obligations; (c) to respond to requests from public and governmental authorities including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

How long do we keep Personal Data?

We retain all Personal Data in accordance with our data retention policy which abides by applicable law.  The retention period depends on the type of data. For example, we retain non-transactional Pseudonymous Personal Data we collect or receive online or through Bid Requests for no more than eighteen (18) months.

Your rights

In situations when we rely on consent to process your Personal Data you have the right to withdraw your consent at any time. You can do that via the “Review Consent Preferences” in the footer of our website or via any CMP connected to the IAB EU’s TCF. A CMP will usually pop up on an EU website you haven't visited before that partners with advertising companies to provide you with personalised advertising and a better digital experience.

You may also visit the  European Digital Advertising Alliance opt-out page here. To learn how to opt out of receiving relevant advertisements on mobile applications, please visit this page.  

We understand that you may be interested to know what Personal Data we hold about you and which advertising interest segments we believe to be connected to you (access). You can view this information and even delete it if you choose to do so by clicking here.

If you wish to exercise any other rights you might under GDPR (including rectification, portability and restriction), please contact us using the contact details provided below (see Contact Us).

International transfers

In order to provide our Services, we transfer Personal Data to, and Process Personal Data in, countries outside the European Union (EU), the European Economic Area (EEA) and the United Kingdom. More specifically our servers are located in the Netherlands and the United States, and our processors operate around the world including the United States and India.

We have taken appropriate and suitable safeguards to ensure that your Personal Data will remain protected when transferred outside EU/EEA and the UK. This includes implementing Standard Contractual Clauses for transfers of Personal Data adopted by the European Commission. Further information about our international transfers as well as the safeguards in place can be provided upon request.

Security

We have implemented appropriate technical and organisational security measures to protect the Personal Data in our care, both during transmission and once we receive it. This includes physical and technical security measures to protect our Personal Data from accidental or unlawful destruction, loss, or alteration, and from unauthorised disclosure or access. Although please note that no method of transmitting information over the Internet or storing information is completely secure.

Self-regulation

Our industry has a rigorous voluntary self-regulatory regime, and we are active members of industry groups such as the Network Advertising Initiative (NAI), Interactive Advertising Bureau (IAB), Interactive Advertising Bureau Europe (IAB EU), Interactive Advertising Bureau UK (IAB UK), Digital Advertising Alliance (DAA), European Digital Advertising Alliance (EDAA) and Digital Advertising Alliance of Canada (DAAC). These groups promulgate codes of conduct and principles that impose requirements on participating members such as transparency and choice around the use of Personal Data for interest-based advertising, and some even require regular audits of member privacy practices. Such codes and principles include the NAI Codes of Conduct, the DAA Self-Regulatory Principles, the EDAA Self-Regulatory Principles, and the DAAC Self-Regulatory Principles, which we all support.

Contact us

Conversant Europe Ltd is the controller of the Personal Data that we process as described in this Privacy Policy. If you have any question about the processing please contact us using this contact form. You can also send a letter to Conversant Europe Ltd 1st Floor 2 Television Centre, 101 Wood Lane, London, United Kingdom, W12 7FR.

Our Data Protection Officer is tasked with informing and advising us on the obligations that apply to us under GDPR and other privacy related laws, as well as monitoring our compliance with the same.  If you need to contact our Data Protection Officer, please email us here. However, we respectfully ask that you only contact our Data Protection Officer regarding urgent matters relating to data protection.

As an EU resident, you have the right to report a concern to your country’s Data Protection Authority.  However, we respectfully request that you contact us first so that we can assist you.

Changes to this Privacy Policy

We may occasionally make changes to this Privacy Policy. If we do, we will take appropriate measures to inform you, consistent with the significance of the changes we make, and update the “Last Modified” date above.

Definitions used in this Privacy Policy

The technical nature of our Services means we need to keep referring to complex concepts.  Capitalised words have the following meanings:

Affiliates” means any corporation which controls, is controlled by, or is under common control with Epsilon.

Epsilon” means Conversant Europe Ltd registered in England and Wales with company number 03807256, whose registered address 1st Floor 2 Television Centre, 101 Wood Lane, London, United Kingdom, W12 7FR. Epsilon is formerly known as Conversant.

Cookies” are small text files that are downloaded and stored onto your device (e.g. a computer or smartphone). Cookies allow us to recognise your device and store information about your preferences or past actions. In this Privacy Policy the definition of “Cookies” includes similar technologies that can write or read information on your device such as “Local Shared Objects” (sometimes called Flash Cookies), pixels and web-beacons. For more details on the Cookies we set for our Services, see our Cookie Policy.

Device IDs” are unique identifiers associated with your device. These identifiers are assigned by your device’s operating system, such as Apple’s iOS and Google’s Play Services for Android. Device IDs can be reset in your device settings. 

Directly Identifiable Personal Data” is Personal Data that directly identifies an individual. This type of Persona Data includes information such as full name, home address, telephone number, and email address.

ePrivacy Directive” means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector as amended.

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Log Data includes (i) information that is sent to us by digital properties that have our Tags implemented, such as browser type, browser time, time of access, screen resolution, IP address, referring site URL, current site URL, and search strings; and (ii) information sent to us by advertising exchanges via "Bid Requests", which may include the information in (i) above and other information such as IP addresses, Device IDs, Cookie IDs, non-precise location data, demographic data and other information including audience segmentation. Log Data normally constitutes Personal Data.

Personal Data” means any information relating to an identified or identifiable natural person. Information such as name, identification number, location data and an online identifier is considered Personal Data.

Pseudonymous Personal Data” is Personal Data that cannot be attributed to a specific individual without the use of additional information, for example 'John Smith' converted to “#12345”. Online identifiers such as Cookie IDs and Device IDs are usually considered Pseudonymous Personal Data.

Services” means the digital adverting services that we provide to our clients, including delivering personalised advertising campaigns as well as analytics and reporting on the same.

“Tags” are tiny snippets of code inserted into a digital property that is used to collect data related to a visit. In this Privacy Policy, the definition of “Tags” includes the use of an SDK (Software Development Kit) to enable the same functionality in mobile applications.