Privacy Policy for ConceptX, IAB (TCF)

    Introduction - Welcome to ConceptX!

  1. We are a digital ad ecosystem provider committed to maximizing ad revenues for digital publishers. Our technology solutions include SSP aggregator solutions, prebid wrapper solutions, contextual audience builders, and yield optimization.

This Privacy Policy outlines how we collect, process, and protect personal data from users of our products and the users of the digital publishers utilizing our services.

The Privacy Policy is designed to comply with relevant data protection regulations, incl. the GDPR, and to provide transparency and clarity for users regarding ConceptX’s data processing practices.
    By using our products and services, you acknowledge that you have read and understood this Privacy Policy.
    Further information on data processing can be found in the IAB Transparency & Consent Framework Policies: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/.
  2. Data Controller/Processor

  3. For the purposes of applicable data protection laws, regulations and secondary legislation relating to the processing of personal data, the data controller is first and foremost the digital publisher presenting the ad.

ConceptX adheres to the highest standards in the industry and takes on the responsibility as a Joint Data Controller with our partners.
  4. Legal Basis for Data Processing

  5. We will only collect and use personal and non-personal data when the law allows us to and we will generally apply a data processing approach based on data minimization, where we collect as little personal data as possible. 

The data is only processed where it is necessary for our legitimate interests (or those of a third party) and the user’s interests and fundamental rights do not override those interests. We comply with a legal obligation, and we make sure to ask for the user’s consent in advance or require our partners to obtain such consent for any purpose where it is required.
  6. We may collect various types of information as specified below to enhance our services and ensure optimal performance.
    1. The data that may be collected can generally be classified within the following categories:
      1. Personal Data: Includes data that are personally identifiable information, such as IP addresses and device identifiers. It does not include data where identity has been removed (anonymous data).
      2. Non-personal Data: Includes anonymized data and aggregated information, such as probabilistic data, that can’t identify a specific individual. For example, we may aggregate the usage data to segment the percentage of users accessing a specific website feature.
      3. User-Provided Data: Information voluntarily provided by users, such as through forms or account registration.
      4. Device Characteristics: Details about the user’s device, incl. hardware, operating system, browser settings, and network identifiers.
      5. Browsing and Interaction Data: Information about user interaction with websites and ads, such as pages visited, clicks, and engagement metrics.
      6. Non-Precise Locations Data: Details about non-precise location data, such as city and region.
    2. The specific data that may be collected can be described as:
      1. IP addresses: Defined as unique numerical labels assigned to devices connected to the internet. IP addresses can be used to identify the location and network characteristics of devices.
      2. Probabilistic identifiers: Defined as data points or attributes used to probabilistically identify or distinguish users, devices, or interactions based on statistical algorithms or patterns.
      3. Device characteristics: Refer to attributes and specifications of devices used by users, incl. hardware configurations, operating systems, browser settings, and network identifiers.
      4. Non-precise location data: Refer to location information that is not highly accurate or specific, such as city or region level.
      5. Privacy choices: Refer to the user’s preferences, consents, or opt-out requests regarding the collection, processing, and use of their personal data for advertising and marketing purposes.
      6. Device identifiers: Refer to unique identifiers assigned to individual devices, such as advertising IDs, mobile device IDs, or other persistent identifiers.
      7. Browsing and interaction data: Refer to information about users’ online activities, behaviors, and interaction with websites, apps and digital content.

    Legitimate Interest Assessment

  7. Legitimate Interest is defined as data processing which is based on the vendor’s legitimate interest in providing relevant ads, balanced against the user’s rights and freedoms. For example, under IAB TCF the Purpose of “Use limited data to select advertising” refers to using data that is limited in scope for selecting and delivering advertisements to users without extensive profiling or personal data processing (ref. https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/).
  8. When ConceptX relies on legitimate interest as the legal basis for data processing, we have conducted a Legitimate Interest Assessment, where we (i) identify legitimate interest and its use, (ii) ensure that the processing is necessary for the purpose of delivering relevant services and operations, (iii) assess whether the legitimate interest is overridden by the rights and freedoms of data subjects, considering for example the use of non-personal data.
    1. The following Purposes defined by the IAB TCF are used by ConceptX under the legal basis of Legitimate Interest:
      1. Special Purpose: “Ensuring security, prevent and detect fraud, fix errors.”
        1. Legitimate Interest Justification: ConceptX relies on legitimate interests as a lawful basis for processing personal data to ensure the security of our systems, prevent and detect fraudulent activities in our network of partners, and address technical errors or issues.
      2. Special Purpose: “Deliver and present advertising and content.”
        1. Legitimate Interest Justification: ConceptX relies on legitimate interests as a lawful basis for processing personal data to deliver and present advertising to users, provided that such processing is proportionate and respects users’ rights and interests.
      3. Purpose: “Select basic ads.”
        1. Legitimate Interest Justification: ConceptX only processes non-personal data and uses it for ad selection. This purpose involves the selection of advertisements that are not personalized based on the user’s interests or preferences. These ads may be contextually relevant to the content of the Publisher’s website, which the user is visiting. The non-personal data, which includes website URL and timestamp, is generally speaking the bare necessity in order to carry out the ordinary service and operations of the digital publisher as well as vendors without violating the rights and freedoms of the data subjects.
      4. Purpose: “Develop and improve products.”
        1. Legitimate Interest Justification: ConceptX only makes use of general, non-personalized data for product development and improvement purposes, such as enhancing the functionality and user experience of websites and applications. The non-personal data, which includes website URL and timestamp, is generally speaking the bare necessity in order to carry out the ordinary service and operations of the digital publisher as well as vendors without violating the rights and freedoms of the data subjects.
  9. Data Retention Period

  10. The data collected is deleted immediately after each user session and not stored by ConceptX.
  11. The data collected by vendors and third parties connected through ConceptX services and operations may have a different period of data retention. We have provided information about each vendor and third party connected to ConceptX in our Vendor List, incl. information regarding their individual privacy policies.
  12. Usage of Collected Data

  13. We use the collected data to:
    1. Fulfil our contractual obligations to the partners.
    2. Optimize ad performance and maximize revenue for digital publishers.
    3. Deliver personalized and relevant advertising content.
    4. Analyze and improve our technology solutions and services.
    5. Ensure security and prevent fraud.
    6. Comply with legal and regulatory requirements.
  14. Data Collection Methods

  15. We use different methods to collect data, which are described below.
    1. Direct Interactions: Users providing information through forms or account registration.
    2. Automated Technologies: Cookies, tracking pixels, identifier tokens and other similar technologies.
    3. Third-Party Sources: Data from partners and service providers connected to publishers or advertisers delivering the ad, and only when applicable consent has been given to the relevant third-party sources directly by the user.
  16. Use of Cookies and Similar Technologies

  17. We don’t use cookies and similar technologies to:
    1. Track user interaction and preferences.
    2. Enhance user experience by personalizing content.
    3. Analyze website traffic and performance.
  18. Cookies are small text files that are placed on a user’s device by websites or mobile apps that the user visits. Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies can be categorized as “persistent” or “session” cookies:
    1. Persistent Cookies: A persistent cookie is stored on a user’s device in between browser sessions which allows the preferences or actions of a user to be remembered across the website – or in some cases across different websites.
    2. Session Cookies: A session cookie allows the website or services to link your actions during a browser session. Unlike persistent cookies, session cookies are deleted from your device when you log off from the website or service and then close your browser.
      1. More information about cookies and what cookies have been set can be found by visiting www.aboutcookies.org or www.allaboutcookies.org. On these websites you can also manage and delete the cookies. To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
  19. Data Storage Disclosure & Place of Storage

  20. At ConceptX, we are committed to protecting the privacy and security of the personal data we process through our technology platform and services, incl. our SSP aggregator solution, prebid wrapper solution, and contextual audience builder.
  21. We will not store your personal data for longer than is necessary to fulfill the respective purpose for which it was collected, unless there is a legal basis for processing it beyond that. We will then delete your data. The respective retention periods depend on the underlying purpose and the type of personal data, and we strive to immediately delete any data collected.

We, as the controller, process your data ourselves exclusively within the European Union (“EU”). However, your data will be processed by the recipients described in the Vendor List who are operating both within and outside the EU and the European Economic Area (hereinafter “EEA”). Please note: If your data is transferred from your home country to another country, the laws protecting your data may differ from those in your country (and may only provide a lower level of protection). For example, in particular, countries outside the EEA have different conditions under which law enforcement authorities can access your data than within the EEA. If we transfer your data to a country outside the EEA, we will take appropriate measures to ensure an adequate level of data protection, for example by concluding so-called standard contractual clauses (ref. Article 46 of the GDPR) or by obtaining your explicit consent (ref. Article 49 (1) sentence 1 lit. a of the GDPR).

You have the right to receive a copy of the specific agreed arrangements to ensure the appropriate level of data protection. Please use the information in the “Contact” section for this purpose.
  22. We may share data with:
    1. Service Providers: Partners who assist in delivering our services. This also includes exchanging information with other companies and organisations for the purposes of fraud protection.
    2. Advertisers and Partners: Entities involved in the digital ad ecosystem. This also includes exchanging information with other companies and organisations for the purposes of fraud protection.
    3. Legal Authorities: When required by law or to protect our own and the users’ legal rights, or in order to enforce or apply our terms and conditions, terms of use and/or any other legal agreements; or to protect our rights, property, safety, our customers or others.
    4. Other third parties: We may disclose a user’s personal data to a third party in the event that ConceptX sells or buys any business or assets, in which case ConceptX is required to disclose users’ personal data to the prospective seller or buyer.
  23. Data Security

  24. We implement robust security measures to protect personal data against unauthorized access, alteration and disclosure. This covers a variety of technical and organizational security measures that are described in the following:
    1. Technical security measures:
      1. Implementing robust technical security measures is crucial for protecting personal data against various risks, incl. accidental or unlawful destruction, loss, alteration, unauthorized disclosure, abuse, or other forms of unauthorized processing. 

By implementing a combination of technical security measures, ConceptX can enhance the protection of personal data and mitigate the risks associated with unauthorized access, disclosure, or misuse.
      2. Technical security measures that are implemented by ConceptX:
        1. Encryption: We encrypt personal data both in transit and at rest to prevent unauthorized access even if the data is intercepted or stolen. This includes using encryption algorithms, such as HTTPS, to secure data stored on servers, databases, and devices, as well as encrypting data transmitted over networks.
        2. Access Controls: We implement access controls to ensure that only authorized personnel have access to data. This involves role-based access control, where access rights are assigned based on job roles, and implementing strong authentication methods such as multi-factor authentication.
        3. Data Masking and Anonymization: Masking or anonymizing personal data when it is not necessary for processing can reduce the risk of unauthorized disclosure. This involves replacing sensitive data with fictitious or scrambled values while preserving its usability for legitimate purposes. This process makes it impossible for external parties to read and decode the data.
        4. Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): We deploy firewalls to help monitor and filter network traffic, detecting and blocking unauthorized access attempts or malicious activities targeting personal data.
        5. Endpoint Security: We secure endpoints such as computers, laptops, smartphones, and tablets with endpoint security solutions to prevent malware infections, unauthorized access, and data breaches. This includes passwords and multi-factor login, antivirus software and endpoint detection.
        6. Secure Configuration and Patch Management: Regularly update and patch software and systems to address known vulnerabilities that could be exploited by attackers. Additionally, configure systems securely according to industry best practices and disable unnecessary services or features that could pose security risks.
        7. Audit Trails and Logging: We have implemented logging mechanisms to record and monitor access to personal data, system activities, and security events. Audit trails can help identify unauthorized access or suspicious activities, enabling timely responses and investigations.
        8. Data Backup and Recovery: We make backups of scripts, to make sure we can easily recover data if data is lost on the scripts. We don’t store backups of personal data, but solely rely on real-time business functionalities and features embedded in the scripts.
        9. Security Awareness Training: We provide comprehensive security awareness training to employees to educate them about data protection policies, best practices, and potential security threats. Employees are trained to recognize phishing attempts, social engineering tactics, and other common attack vectors targeting personal data.
    2. Organizational security measures:
      1. Organizational security measures play a crucial role in protecting personal data alongside technical measures. These measures focus on establishing policies, procedures, and governance structures to ensure that personal data is handled securely and in compliance with applicable laws and regulations. 

By implementing these organizational security measures, ConceptX can create a culture of data protection and establish robust mechanisms for safeguarding personal data against unauthorized access, disclosure, or misuse.
      2. Organizational security measures that are implemented by ConceptX:
        1. Data Protection Policies and Procedures: We develop and enforce comprehensive data protection policies and procedures that outline how personal data should be handled, processed, stored, and transmitted within the organization.
        2. Data Classification: We classify personal data based on its sensitivity and the level of protection required.
        3. Privacy by Design and Default: We incorporate privacy principles into the design and development of systems, products, and services from the outset. We ensure that privacy considerations are integrated into the entire lifecycle of personal data processing, including system architecture, data flows, and user interfaces.
        4. Role-Based Access Control (RBAC): We have implemented RBAC mechanisms to restrict access to personal data based on employees’ roles and responsibilities within the organization. Only authorized personnel have access to personal data necessary for performing their job functions.
        5. Data Minimization: We have adopted a principle of data minimization, which involves limiting the collection, storage, and processing of personal data to what is necessary for the intended purpose. We generally apply real-time business features and functionalities which allow us to never store any personal data. Furthermore, we regularly review and purge unnecessary or outdated processes for handling personal data to reduce the risk of unauthorized disclosure or misuse.
        6. Employee Training and Awareness: We provide regular training and awareness programs to educate employees about data protection policies, procedures, and best practices. Our employees are aware of their responsibilities for protecting personal data and trained to recognize and report security incidents or breaches.
        7. Vendor Management: We have contractual agreements with all of our vendors that include data protection clauses and require them to comply with applicable data protection regulations. In addition to this we have implemented processes and software for vendor management, to assess and monitor the third-party vendors and service providers that have access to personal data.
        8. Incident Response Plan: As part of our framework of internal procedures we have developed an incident response plan that outlines procedures for detecting, assessing, and responding to security incidents involving personal data.
        9. Security Governance and Oversight: We have established a governance structure with clear accountability for data protection and security within the organization. This includes the designation of a Data Protection Officer who oversees compliance with data protection laws and regulations.
        10. Regular Audits and Assessments: We conduct regular audits, risk assessments, and compliance reviews to evaluate the effectiveness of security controls and identify areas for improvement.
  25. User Rights

  26. Users have the following rights regarding their personal data:
    1. Access and Rectification: Request access to or correction of their data.
    2. Deletion: Request deletion of their data under certain conditions.
    3. Objection: Object to the processing of their data for specific purposes.
    4. Data Portability: Request a copy of their data for specific purposes and in a structured format.
  27. Please use the information in the “Contact” section for this purpose.
  28. International Transfers

  29. ConceptX transfers data between the countries listed below. Where personal data is transferred outside of the EEA, we ensure that appropriate safeguards are in place to protect the data.
    1. Denmark
    2. Norway
    3. Sweden
    4. Finland
    5. Latvia
    6. United Kingdom
    7. Germany
    8. United States
  30. Complaints

  31. At ConceptX, we take user privacy seriously and are committed to addressing any concerns you may have regarding the processing of your personal data. We value your feedback and strive to continuously improve our privacy practices.
  32. If you believe that your privacy rights have been violated or you have a concern about how we handle your personal data, you can submit a complaint to us using the details described in the section below concerning Contact Details.
  33. Please provide detailed information about your complaint, incl. your contact details, the nature of your concern, and any relevant supporting documents.
  34. Our ordinary process for handling complaints follows a few basic steps. First of all, we acknowledge the receipt of your complaint in due course. Then our DPO will investigate your complaint thoroughly. This may involve reviewing relevant data processing activities, consulting with internal teams, and assessing our compliance with applicable data protection laws. Once the investigation has been finalized, we aim to provide a substantive response to your complaint within 30 days. If we require more time to investigate, we will inform you of the delay and provide an estimated response time. We will take appropriate action to address your complaint, which may include correcting any issues, providing additional information, or implementing measures to prevent future occurrences.
  35. If you are not satisfied with our response, you have the right to escalate your complaint to a supervisory authority. For residents of the European Union, you can contact your local data protection authority. In Denmark, the Danish Data Protection Agency is called “Datatilsynet” and their contact information can be found on www.datatilsynet.dk.
  36. Complaints

  37. If you have any questions or concerns about this Privacy Policy or your personal data, please contact our Data Protection Officer: Frederik Knudsen, Email: frederik@conceptx.com, Phone: +4560714188.
  38. For ordinary mail, write to us at our registered company address: ConceptX, Toldbodgade 18, st., 1253 Copenhagen, Denmark. Att: Data Protection Officer.
  39. Changes to This Privacy Policy

  40. We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date. We encourage users to review this policy periodically to stay informed about how we are protecting their data.

Effective Date: July 2024