Acceptance of our Policy will be made when you register on our platform to enjoy our services, even if for free. Such acceptance will take place when you affirmatively agree to the use of your data for each of the purposes described here. This will indicate that you are aware of and in full agreement with how we will use your information and data.
If you do not agree with this Policy, please do not continue your registration procedure and do not use our services. However, please let us know your disagreement so that we can improve it.
Personal data you provide to us
We collect Personal Data provided by you, such as your contact details (email, phone, CPF and device IDs) when you fill out forms from our network sites. If you provide us with feedback or contact us by email, we will collect your name and email address, as well as any other content included in the email, to send you a reply. We also collect other types of data that you voluntarily provide to us, such as operating system, language, browsing time, among other information, if you contact us about support for the platform.
1.2 Personal data collected through technology
To make our Site and Services more useful to you, our servers (which may be hosted by a third party service provider) collect some of your Personal Data, and system information such as browser, operating system, IP address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session), domain name and / or an indication of the date / time of your visit.
1.3 Personal data collected through cookies
"Cookies" are identifiers that we transfer to your browser or device that allow us to recognize your browser or device and tell us how and when pages and resources on our Services are visited and how many people.
As an online platform, GDB will be able to operate together with other companies in a wide range of activities, including to provide localization functionality, advertisers, sponsors and business partners, online and offline, in addition to dissemination tools and performance analysis. Accordingly, we reserve the right to share your information, including location, registration and interest data, with the companies listed below, whenever possible, in an anonymous manner, aiming to preserve your privacy as much as possible. We do not rent, sell or transfer your personal data to anyone except the partner companies listed below. We may come to share your personal data with the following companies:
We employ other companies to perform work on our behalf and we need to share your personal data with them to provide products and services to you. For example, we use data hosting services to store our database. Our Partners are only authorized to use personal data for the specific purposes they were contracted for, therefore, they will not use your personal data for other purposes, in addition to the provision of services provided for in the contract.
Os dados armazenados pelo GDB podem vir a ser utilizados para fins de estatísticas (analytics), com a finalidade do GDB compreender quem são as pessoas que visitam seus sites e que são consumidores dos seus produtos e serviços. Estes dados são pseudomizáveis e não buscam identificar ou tornar identificável os titulares dos dados pessoais, mas tão somente compreender melhor como é o acesso deles nas plataformas GDB, a fim de melhorar a prestação de serviços e customizar produtos mais direcionados aos interesses dos usuários.
The data stored by GDB may be used for statistical purposes (analytics), with the purpose of GDB understanding who are the people who visit its websites and who are consumers of its products and services. These data are pseudomizeable and do not seek to identify or make identifiable the holders of personal data, but only to better understand how they access the GDB platforms, in order to improve the provision of services and customize products more targeted to the interests of users.
To safeguard and protect GDB rights
We reserve the right to access, read, preserve and disclose any data that we believe is necessary to comply with a legal obligation or court order; enforce or enforce our agreements; or protect the rights, property or safety of GDB, our employees, our users or others.
O GDB coleta e transfere dados pessoais coletados no Brasil para países localizados na União Europeia, América Latina e EUA. Essa transferência ocorre para Parceiros do GDB que atuam no processamento de dados pessoais, e essas transferências envolvem apenas empresas Parceiras do GDB que demonstraram estar em processo de conformidade ou em conformidade com a GDPR e com as leis setoriais brasileiras de proteção de dados.
O GDB possui sua sede no Brasil e os dados que coletamos são regidos pela lei brasileira. Ao acessar ou usar os Serviços do GDB ou fornecer dados pessoais para nós, você concorda com o processamento e a transferência de tais dados para o Brasil e para outros países, acima mencionados.
GDB collects and transfers personal data collected in Brazil to countries located in the European Union, Latin America and the USA. This transfer takes place for GDB Partners who work in the processing of personal data, and these transfers involve only GDB Partner companies that have demonstrated to be in compliance process or in compliance with GDPR and with Brazilian sectoral data protection laws.
GDB has its headquarters in Brazil and the data we collect is governed by Brazilian law. By accessing or using the GDB Services or providing personal data to us, you consent to the processing and transfer of such data to Brazil and other countries, mentioned above.
- I – Right of access;
- II – Right of rectification;
- III – Right of exclusion;
- IV – Right to restrict processing;
- V – Right to object to processing;
- VI – Right to explain the logic behind the collection of your data;
- VII – Right to data portability ;.
- VIII – Right to withdraw your consent.
If you have any questions about these issues and how you can exercise these rights, feel free to contact us at firstname.lastname@example.org
We will keep your personal data only for as long as is necessary to fulfill the purposes for which we collect it, including for the purpose of complying with any legal, contractual, accountability or request from competent authorities. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of personal data, the potential risk of damage from unauthorized use or disclosure of your personal data, the purpose of processing your data and whether we can achieve these purposes through other means, and the applicable legal requirements.
Your account is protected with a password for your privacy and security. If you access your account through a third party website or service, you may have additional or different login protections through that website or service. You must prevent and prevent unauthorized access by third parties to your account and personal data by properly selecting and protecting your password and / or other connection mechanism and limiting access to your computer or device and browser, logging out after you have completed access to your account.
In order to guarantee your privacy and the protection of your personal data, we develop products and services based on the concept of privacy by design, that is, we design products and services that promote the protection of your data and in which you can manage your information directly. In addition to this concept, we have adopted encryption practices, SSL certificates, multifactor authentication (MFA), management of access keys and access groups. We strive to protect the privacy of your account and other personal data that we keep in your records, however, unauthorized account entry or use, hardware or software failure and other factors can compromise the security of your personal data at any time. so please help us to maintain a safe environment for everyone. In addition to adopting good security practices in relation to your account and your data, if you identify or become aware of something that compromises the security of your data, please contact us
First of all, what is the GDPR?
The General Data Protection Regulation (GDPR) is the new European Union regulation on the protection of personal data, aimed at modernizing, unifying and harmonizing of a whole set of data protection rules that were in effect in the European Union since 1995. It will come into force on May 25, 2018 and it will become the most comprehensive data protection legislation in the world, making its innumerous provisions on the collection, processing and storage of personal data, international data transfer, and data subjects rights applied worldwide.
The GDPR focuses on allowing Data Subjects to have more control over their digital data by means of transparency and legal basis for data processing, such as consent. For the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). In other words, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Therefore, what types of personal data, for example, does the GDPR protect?
- Basic identity information such as name, address and ID numbers;
- Web data such as location, IP address, cookie data and RFID tags;
- E-mail, login data, consumer data; and
- Interests, profiling data, behavior data, aggregated data.
The GDPR is an European Regulation, despite its global reach. However, we at GDB are committed to serve our clients and site or app owners wherever they operate. So, considering that, we will explain for you our plans for GDPR below, in a brief overview of information.
One of the main points that has generated doubts in several companies around the world is the fact that the provisions of the GDPR have extraterritorial effects, that is, their obligations and their penalties may be effective not only in companies that have headquarters or representation in the EU, but also in companies which are based outside the EU. And this may happen in the following situations:
- (i) companies with subsidiaries or representation in the EU;
- (ii) companies, even without a physical represetation in the EU, but:
- a. the offering of goods or services in the european market;
- b. collect data from individuals who are located in the EU, regardless of nationality;
- c. the monitoring of individuals behaviour as far as their behaviour takes place within the EU, specially through the Internet, regardless of nationality, or
- d. to outsource data processing to companies located in the EU.
Therefore, if your company transfers data to the European Union, or collects natural personal data at the time of collection and / or processing in the European Union while offering services to the EU, or performs profiling of these people, then your company is subject to effects of GDPR.
Aware of this, GDB has been conducting a Data Protection Impact Assessment (DPIA), a methodology used by GDPR to evaluate the impact of corporate operations on data protection, which aims to observe and establish all internal procedures that may be related the privacy and protection of personal data of its customers and partners in order to tailor all of its internal policies and guidelines, as well as align its organizational practices and contracts so that the entire company can comply with data protection standards provided for in the GDPR. Below there are some changes that we have either already implemented dor we are in process of implementation.
Under GDPR, there is a difference to be made between what the regulations call a Controller vs. a Processor. According to GDPR, “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, in other words, a Controller owns the data and decides where and how to process it.
In other hand, for GDPR, “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
So, in our relationship with advertisers and data providers, sometimes we are a Data Controller and in some time we act as a Data Processor, because of this, we are both, Controller and Processor.
According to the European Parliament Controllers are “(…) the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc.” So it is up to you, the data owner and controller, to collect the appropriate consent from natural persons as well as have a simple channel for them to revoke their consent, correct or delete their data.
As an example: users who revoke their consent for the Controller to store and process their data are expected to contact the Controller to initiate their request, even if the data lives on servers that belong to a third-party. The main rights that a Controller has to provide to its users are:
- Consent: A user must provide unambiguous consent before the Controller can track his or her personal data. This consent must include a notice of all the types of data that will be collected, what it will or may be used for, and which partners are involved in this process. That means a partner will need to include GDB in your terms and conditions;
- Transparent information: The Controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means;
- Right to delete: Natural persons must have a right to have his or her data deleted from both Controller and Processor systems, usually referred to as the “right to be forgotten”; and
- Right to rectify: Natural persons must have the right to have their data corrected or modified from your systems.
As a Processor, we at GDB have a great deal of obligations and it is our intention to be fully compliant with the law to ensure that all of your user data is properly collected and processed. To assure that we comply with GDPR:
- We only process personal data according to the restrictions set in place by our contract and terms, and we do not mine or use the data for any purpose not specifically set in those documents and agreed to by you;
- We do not engage any sub processors or provide your data to third-parties without at least a general agreement in our contract;
- Once our contract is over, all data will be returned or deleted upon request within a timeframe of no longer than 90 calendar days;
- We are open to compliance audits by any and all clients and data providers;
- Even though our servers are located outside of the EU, they are fully GDPR-compliant;
- With the exception of IP addresses and cookies which need to be stored in plain text, all other personal information is stored encrypted using the SHA-256 algorithm; and
We keep a record of all jobs run against your data and how it was processed and used in our systems.
All of these items are already in effect across all of our products including the Data Management Platform and Onboarding Solution.
Yes. Although we think our current operation is secure, we will be taking a few specific actions regarding how we collect, process and activate data of individuals. These changes are:
- The Pixels and SDK will block all incoming EU traffic unless the website or app owner confirms through a custom parameter that consent has been properly collected;
- We have set up the inbox email@example.com as the sole place to receive any and all questions or requests connected to GDPR;
- All partner and client contracts are being reviewed by our legal team, and we will be sending an addendum to include special GDPR protections and agreements;
- We will regularly audit websites that have European traffic that are dropping our pixel. If we find GDPR violations, we will let our partner know and block all requests until the problem is fixed.
It does, and in a big way. Right now, we use our pixel to collect not only campaign impressions and clicks but also behavioral and personal data for the audiences being impacted. This feature allows your first-party data to grow in a massive way and your available targeting capabilities with it.
Under GDPR, this feature won’t be available for most users since asking for consent won’t be possible when the tracking pixel is embedded in the creative and not in the actual website. So there will be a few changes made to campaign tracking (when the user is located within the EU) as well:
- We will only be tracking behavioral and personal data for users that have already given consent in one of your websites;
- All other users exposed to the campaign will be considered anonymous and personal data won’t be collected at all; and
- We will continue to track impressions, clicks and conversions for all ads, but unless consent has been previously given by the user we won’t associate them with a user profile.
We at GDB are performing our best efforts to achieve compliance as soon as possible. But we are aware that compliance is not a fact, but a process. Therefore, we continue doing our best to protect your privacy and your rights. If you have any questions about the topic feel free to contact us through in the following email: firstname.lastname@example.org