Privacy Statement Yep Ads B.V.

These privacy rules (“Privacy Statement”) relate to the processing of personal data by Yep Ads B.V. and/or its affiliated companies (“companies”, “we”, “us”).  Personal data means any information relating to an identified or identifiable natural person (“data subject”).  Processing of personal data means means any operation or set of operations which is performed on (sets of) personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In this Privacy Statement we explain which personal data we process and for what purposes and means.

We process personal data as set forth in this Privacy Statement so that we can provide digital media services to advertisers and publishers across a range of channels in connection with distributing and/or promoting and/or displaying advertisements (meaning text-based, graphical, interactive, rich media and video, or other digital advertisements, including, without limitation, banners, buttons, towers, skyscrapers, pop-ups, pop-unders and video advertisements) for data subjects visiting web and/or mobile and/or other digital sites used by the publishers, as determined by the advertisers; and also the delivery of performance marketing software that allows media buyers and affiliate networks to track, manage, analyze and optimize media campaigns by providing data analytics (“services”).

We adhere to the requirements of the applicable privacy legislation in our processing, such as the Regulation (EU) 2016/679 of the European parliament and of the council of 27 april 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). That means among other things that:

  • we clearly state our role as data processor and the purposes and means for which we process personal data on behalf of our customers;
  • we limit our collection of personal data to only the personal data that is necessary for legitimate purposes as well as the applicable retention periods;
  • we take appropriate security measures to protect all personal data and demand the same of parties that sub-process personal data on behalf of our customers;
  • we respect the rights of data subjects to offer, correct or delete their personal data upon request, but always in consultation with the relevant customer as the data controller.

Processing of personal data

We act solely as data processor on behalf of our customers as the data controller, meaning our customers determine the purposes and means of the data processing and are ultimately responsible for compliance with all applicable laws and regulations for the protection of the personal data. Said data processing is necessary to provide our services in accordance with the obligations towards our customers, which obligations serve as the required legal basis pursuant to Article 6 GDPR.  Pursuant to Article 30 GDPR, as data processor we have a record of processing activities in place. This record is part of our information security policy and, like other important privacy documents, we ensure the record of processing activities to be regularly evaluated and updated where necessary.

Without prejudice to the existing contractual arrangements with our customers, we will treat all personal data in strict confidence and inform employees and sub-processors involved in the processing of our personal data about the confidential nature of personal data. We ensure that these employees and sub-processors sign an adequate confidentiality agreement and – where applicable – data processing agreement.

In some cases we may collect personal data directly from data subjects when they (register to) use our services, post on our blog, contact our support team, and visit our website. In doing so, we may use the personal data we have collected from them for purposes related to our services – including but not limited – to:

  • verify data subjects’ identity;
  • administer our services;
  • notify data subjects of new or changed services offered in relation to our services;
  • carry out marketing or training relating to our services;
  • assist with the resolution of technical support issues or other issues relating to our services;
  • comply with laws and regulations in applicable jurisdictions;
  • address dispute resolution and anti-fraud issues;
  • communicate with data subjects.

 

The types of personal data and categories of data subjects processed are as follows:

  • types of personal data:
    user IP-address;
    user device ID;
    HTTP referer (an optional HTTP header field that identifies the address of the webpage which is linked to the resources being requested;
    user-agent string identifying the user’s browser and device type;
    unique identifier for bid request.
  • categories of data subjects:
    visitors on the internet;
    customers of publisher/affiliate partners.

 

Legal basis

The processing of the personal data is necessary to provide our services in accordance with the contractual obligations towards our customers, which obligations serve as the required legal basis pursuant to Article 6 GDPR. We also conduct statistical research with personal data. In those events we have a legal interest in conducting research in order to improve our services.

Retention periods

We will store personal data in compliance with the legally required minimum and/or maximum retention obligations as laid down in the applicable legislation. For example, we retain personal data that forms part of the statutory basic administration for a period of five to seven years after the termination of the relevant commercial agreement. In all other cases we will keep the personal data for a maximum period of one year after the end of the relevant commercial agreement.

Involvement of and sharing with third parties

As data processor we can engage other companies as sub-processors to perform an aspect or part of our services to our customers and users; this could be a platform we use for our services. As far as these third parties need access to personal data to support our services, we have contracted the appropriate technical, contractual and organisational measures to ensure these third parties use or process the personal data solely for the intended purposes and conform the instructions from our customers as the data controller, to satifiy our obligations under the applicable data protection laws.

Furthermore, we will not provide personal data to other parties without permission of data subjects, unless this is legally required or permitted. For example, it is possible that investigative authorities request personal data from us in the context of fraud investigations. In that case, the companies are legally obliged to provide this personal data.

With respect to certain aspects of our services to our customers, we transfer certain personal data to our preferred tracking partner based in the USA. We are fully aware of the ruling of the Court of Justice of the EU of 16 July 2020 also known as Schrems II (C-3111/18) with implications for the transfer of personal data. In compliance with the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0, adopted on 18 June 2021), we have carefully assessed and verified if there is anything in the law and/or practices in force of the USA as a third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools we are relying on, in the context of our specific transfers.

In this assessment we have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards. As regards the impact of such laws and practices on compliance with the applicable data protctions laws and standard contractual clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame.

This assessment has resulted in the decision to proceed with these transfer without implementing supplementary measures as we consider and are able to demonstrate and document that we have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover our transferred personal data and data importer.  We also commit ourselves to re-evaluate at appropriate intervals the level of protection afforded to the personal data we transfer to third countries and to monitor if there have been or there will be any developments that may affect it.

Do you have questions about the processing, including any cross-border transfers, of your personal data? Please contact us using the contact details in this Privacy Statement.

Security

We have implemented the following security measures to protect personal data:

  • our system is accessible from the companies’ network and via a secure VPN connection;
  • we use secure connections (HTTPS) to ensure the safety of data transfers;
  • we take organizational access measures;
  • we take physical access measures;
  • we have placed a reversed proxy for dealing with DDoS attacks.

Rights of the data subjects

Based on Chapter III of the GDPR, the data subjects have certain rights with regard to their personal data. The data controller is legally responsible for handling any requests with regard to these rights. When we receive a request from any data subject, and where we act as the data processor on behalf of our customers as the data controller, we shall first inform the applicable customer to verify if and to what extent we are authorised to take any of the below mentioned measures on behalf of the data controller, or if the data controller wishes to handle the request themselves.

A data subject can contact us in writing for:

Access to personal data. The data subject can ask us whether we process its personal data. If that is the case, we will explain which personal data we process, how we process it, for which purpose and on what legal basis. One can also request a copy of its personal data we process.

Correction of personal data. If a data subject feels that the personal data we process is incorrect or incomplete, he or she can request us to supplement or edit the personal data.

Deletion of personal data. A data subject can request us to delete its personal data we process. We will delete the personal data without unreasonable delay after receiving such a request, if: the personal data is no longer needed for the applicable purpose(s); the data subject no longer give us permission to process it, if permission was the base for processing it; the personal data was processed by us as part of direct marketing; the data subject objects against the processing of it and there is no reason (anymore) why we should still be permitted to process the personal data; there is a legal reason to delete the personal data.

Limitation to processing personal data. In some cases the data subject might want a limitation to the processing of its personal data. In that case, one can request us to limit the personal data we process. We will comply with such a request if (after investigation) it turns out to be possible, for example if one doesn’t want all of its personal data deleted, but other personal data is no longer necessary for the original purpose.

Portability of personal data (data portability). The data subject can request a copy of its personal data we process.

If a data subject believes that we do not handle the personal data properly, he or she can submit a complaint to us. In the event the parties cannot resolve it and our response to the complaint does not lead to an acceptable result, the data subject has the right to submit a complaint about us to the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”). More information about this regulatory body and the submission of complaints can be found at www.autoriteitpersoonsgegevens.nl.

To exercise these above mentioned rights, the data subject can contact us via the contact details at the bottom of this Privacy Statement. We will send a written response within 4 weeks.

Third party websites

This Privacy Statement does not apply to third-party websites that are linked to our website through links. We cannot guarantee that these third parties will handle personal data in a reliable or secure manner. We recommend that visitors read the applicable privacy notice before using such third-party website.

Change of Privacy Statement

We reserve the right to make changes to this Privacy Statement. It is recommended that visitors regularly consult this Privacy Statement so that they are aware of these changes.

Cookie policy

We use cookies on our websites and in our apps. Any visitor can deactivate cookies for all sites in its browser.

What are cookies? Cookies are small, simple text files and are sent to the visitor’s computer, tablet or mobile phone when visiting a website. Cookies increase the user friendliness when visiting our websites or using our apps.

Why do we use cookies? We use cookies to anonymously monitor the number of visitors on the site, which pages are visited and what kind of information requests are made. The cookies that we use, do not contain name or address data; just data concerning the use are stored (pages visited, technical details and IP address). This data is used to analyse the use and visit, so we can optimise our websites and apps, and can be of even better service to the visitor in the future. Naturally, we will handle this information carefully.

What happens when cookies are turned off? If cookies are turned off, we have less insight in the use of our website and can not optimise it to be of even better service to visitors in the future.

Turning off cookies. If a visitor would rather not use cookies, he or she can turn them off at any moment or remove them from the browser. Instructions for changing the settings of a browser can be found under ‘Help’ in the toolbar of most browsers.

To grant visitors of websites more choice in how their personal data is used by Google Analytics, they can also download the Google Analytics Opt-out Browser Add-on.

This Privacy Statement was last updated on February 15,  2022.

 

General contact information

Yep Ads B.V.
Weteringschans 109
1017 SB AMSTERDAM
Tel. +31 (0)20 240 2530.

Contact details Data Protection Officer

Mr. Philippe van Wijnen
Email: [email protected].