Advertising Privacy Policy
View our Website Privacy Policy instead
Our Digital Advertising Privacy Policy’s Purpose
(Last Updated 14 May 2020)
Our aim is to provide clear, transparent information to consumers, clients and business partners about how we process personal data as part our digital advertising services.
This Advertising Privacy Policy may be updated from time to time and should be checked regularly.
(To view our Privacy Policy for this website, which describes how we process our client, publisher and business partner data, click here)
What does it cover?
Our policy covers
- Applicability
- What we do and why we need data
- How do we obtain personal data
- How we use the data
- Sharing data with third parties
- Data subject’s rights
- Data from children
- Date Retention – How long we keep personal data for
- Data protection and security
- Use of cookies and online identifiers
- How to opt out of cookies
- How to complain or ask a question
Applicability
This policy provides an overview of how we process personal data to provide digital advertising services across our Group (see individual contact details for specific countries where we operate). It also provides details that relate to EU data protection laws – the GDPR (General Data Protection Regulation) – including relating to the rights of EU data subjects. For individual local privacy policies for Poland and Brazil please select from our locations above.
What we do and why we need data
Optimise provides digital advertising services and technology to a large number of well-known Brands (banks, retailers, travel agents, etc.) and online Publishers. We operate in two main areas; Digital Advertising and Customer Reward Fulfilment.
Our Digital Advertising services include:
Affiliate Marketing – this is where Advertisers pay Publishers an advertising fee only if the online users that they refer to Advertiser sites go on to purchase a product, apply for a policy or some other concrete outcome.
Display and Interest-Based Advertising – this is where Advertisers pay publishers to raise awareness of their brand by displaying their online Adverts to consumers. This can often involve showing relevant adverts to specific audiences based on their past browsing interests (e.g. those interested in soccer, holidays or any other specific category). Browsing interests are determined using pseudonymous data – i.e. unique data that is treated and processed to ensure it will not identify a specific person. This data is collected using cookies and online identifiers.
Our technology allows Advertisers to measure their digital advertising campaigns and pay Publishers according to results, such as how many people viewed an advert or how many clicks or sales were generated from an advert.
Our Customer Rewards Fulfilment product is used by companies to send vouchers and other rewards to their customers. Much of this happens online (although some of it by post) and our technology allows us to capture customer details, send them vouchers and rewards and then measure whether or not the reward was claimed. Our technology also allows us to measure if a user bought a product or subscribed to a service, which means our Advertisers can incentivise and reward new customers for specific outcomes.
To fulfil our services we sometimes need to process our clients’ customers’ personal data including names, email addresses, postcodes and sometimes bank details. We also need to process online identifiers, such as cookies and IP addresses to measure outcomes. These online identifiers are typically numeric strings and classified as pseudonymous data (a sub category of personal data under some data protection regulations, including the GDPR) which although allow an individual’s interaction with adverts and online content to be measured their actual identity and personal details (i.e. their name, address etc.) remains unknown.
In most situations Optimise is operating as a **“Data Processor” **whereby we only process personal data according to the instructions of the **“Data Controller”*(i.e. our Advertising Clients and online Publisher Partners).
When and if we process data purely for our own purposes we operate as a Data Controller.
Whether acting as a Data Controller or a Data Processor we always take our responsibilities seriously ensuring that we follow the law, meet our obligations to the Data Subject and process personal data in a secure and responsible manner.
Please see further information in the sections below including greater technical detail and how to get in touch is you have a question or complaint.
How we obtain personal data?
We obtain different types of personal data depending on the client and the service we are providing.
In summary, we receive personal data by one of the following means:
- People input their details on our clients’ websites and online forms which is then submitted into our secure systems in order that we can process it according to our clients’ instructions.
- It is sent to us by our clients/partners in order that we can process it according to their instructions.
- Via online identifiers (cookie numeric references etc.) which are recorded in our systems when people clicking on our clients’ advertising campaign banners and links, which have been displayed on publisher web sites (such as shopping comparison, cashback and blog websites).
- Via online identifiers (e.g. cookie numeric references etc.) which are recorded in our systems when people visit our clients’/partners’ websites using our technology.
How we use personal data
Typically, when we use personal data we do so on the instruction of our clients who have to ensure that they are legally allowed to share the data with us. If we process personal data for our own purposes, then we will always make sure we have the legal basis to do so. Typically, the legal basis to process personal data will be stated in customer terms and conditions or in privacy policies or people will have provided their consent by ticking an online consent box, for example.
Under EU law (GDPR), when personal data belonging to an EU citizen is processed the Data Controller will use one of a number of legal bases to do so, including;
Contract (e.g. where a customer contract is in place which allows processing to happen)
Consent (i.e. where a customer or data subject has provided their consent, for example, by opting in)
Legitimate Interest (where the Data Controller has a reasonable ground and interest that does not conflict with the rights of the consumer / data subject).
In summary we process personal data to:
- Send communications to our clients’ customers including by email and through the post. For this we collect names, email address and postal addresses.
- Fulfil Rewards, Vouchers and Payments to our clients’ customers. For this this we collect names, email address and sometimes postal addresses and bank details.
- Verify claims for cashback or other forms of incentive made by our clients’ customers. For this we process names, email address, postal addresses along with “proof of purchase” data such as purchase or policy references which is needed to check that claims are genuine.
- Measure and report on the performance of our clients’ and publishers’ online advertising campaigns. For this we process online identifiers including cookie references, IP addresses and device IDs.
- Measure and report on what products have been purchased through the online advertising campaigns that we manage for our clients. For this we process product purchase details such as what was purchased and how much it cost.
- Capture leads on behalf of our clients through our network of publisher partners. Typically, this involves users submitting their details on online forms to express an interest in a product or service. The data submitted is passed on to our clients who get in touch with the user.
- Serve relevant, interest-based adverts to consumers. For this we process online identifiers including cookies references, IP addresses and device IDs as well as information about user browsing content and subject matter.
- Serve relevant adverts based on location. For this we process an IP address.
- To detect suspicious or fraudulent activity through our clients’ advertising campaigns and also to protect our systems against malicious attacks (DDOS attacks). For this we process online identifiers such as IP addresses.
Sharing personal data with third parties
Personal data, including online identifiers such as cookie IDs and browsing behaviours data that we have collected via our digital advertising technology, will only be shared with third parties if we have a legal right to do so.
We generally rely on our publishers and advertisers to determine any applicable legal basis for capturing data when using our digital advertising services, which might include obtaining consent from users on their websites. The legal basis may also be based on a contractual arrangement or because the Data Controller has a Legitimate Interest to process the data based on their particular business circumstances including their relationship with the consumer and the nature of the data and processing activity.
When we process personal data such as names, email addresses or any other customer data on behalf of our clients and publishers (Data Controllers) we will only share this with third parties if we are instructed to do so by the Data Controller. If we receive personal data directly from an individual we will seek permission or ensure we have an appropriate legal right before sharing it with a third party.
Optimise technology is hosted with AWS (Amazon Web Services). Whilst technically AWS are a data processor, we do not allow them to access our company data. We only use their services for their online hosting and storage processes knowing that they provide world class security and privacy infrastructure.
We also partner with other third-party technology suppliers for some of our advertising campaigns including:
| Supplier | Processing Purpose |
|---|---|
| Amazon Web Services https://aws.amazon.com/ | Hosting of Optimise server infrastructure and storage of data |
| Leadbyte www.leadbyte.co.uk | Storing and transmission of lead data submitted by online users on some advertising campaigns. |
| Response Tap https://www.responsetap.com/ | Telephone call-length duration measurement for “call” advertising campaigns. |
Our third-party suppliers (who may be required to process personal data in order for us to provide or Digital Advertising and Rewards Fulfilment services) list can be found here - https://optimisemedia.com/third-parties/
In addition we also process and share data with our Advertiser clients (these are the Data Controllers / brands that users click through to from online adverts and links). Some of our Advertising clients appoint third-party suppliers such as Advertising and Media Agencies to provide additional services. Optimise may share the data that we process with these parties if instructed to do so by our Advertising clients (who will be acting as Data Controllers). Agencies include (and are not limited to):
GroupM (and its group of companies including Msix, Mediacom and Mindshare)
Whenever data is shared we ensure that we use appropriate security and privacy controls such as hashing and encryption. We also make sure that we only share with third-parties who have appropriate security controls.
Data subject’s “rights”
Many national data protection laws provide data subjects (the individuals that the personal data relates to) with a set of specific rights. Where European and UK laws are concerned these include the right to be informed, to access and to object to processing of personal data. EU citizens can exercise these rights under a Subject Access Request. You can see the full list of rights under EU laws here. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)
To exercise any of these rights you should contact the relevant Data Controller – usually the business that you have provided your personal data to. If you get in touch with Optimise we will need to verify your identity and may also need to gain permission from our Data Controller (e.g. our client) before we can help. We will assist with all requests but may charge an administration fee, which we would make you aware of in advance.
Contact information for other countries can be found on the relevant local websites. See here https://www.optimisemedia.com/contact/.
To get in touch with our UK based Data Protection Officer please contact DPOUK@optimisemedia.com
Data from children
We do not knowingly collect personal data from children (under 13). If you have reason to believe that we have please get in touch and we will delete it.
Data Retention – How long we keep personal data for
We only use the personal data that is required for the specific processing purpose. For example, if we do not specifically require your name and address then we will not collect and process those items.
Once we know that we no longer require the data for the specific purpose that it was collected for (and where our Data Controllers or data protection laws require us to do so) we will then delete or anonymise it.
Our data retention policies and processes vary based on the specific client and processing scenarios as well as the processing location, but typically include:
- Cashback user enquiry data such as names, addresses and purchase references are deleted 15 months after the query has been resolved.
- Email and personal address data collected from users that register as part of our Reward and Voucher fulfilment service is retained for different periods of time to reflect how it is processed;
- Personal registration data submitted by users is deleted 12-15 months if no reward was sent to a user. If a reward was sent to a user we keep the data in secure archive storage for 7 years for taxation audit purposes but remove from our marketing systems after 27 months.
- Enquiries that we receive or about our Rewards and Vouchers fulfilment services are deleted after 24 months.
- IP addresses and device IDs – for our Affiliate Marketing advertising campaigns are encrypted and pseudonymised as soon as we receive them.
- Optimise cookies are typically deleted from user devices after 30-60 days
- Unique online identifiers (e.g. cookie IDs) which we process for measuring advertising campaigns are deleted from our systems after 6 months. (See technical information relating to cookies below).
Data Protection and Security
We implement reasonable security measures to protect the information in our care, both during transmission and once we receive it. This includes, but is not limited to, the use of firewalls and encryption. It should be noted that no method of transmission over the Internet, or method of electronic storage is 100% secure. Therefore, while we strive to use appropriate means to protect your information, we cannot guarantee its absolute security.
Our business also uses appropriate data protection processes and policies to ensure that our products are developed with privacy in mind and that our staff are informed of our procedures and obligations to act responsibly.
Use of cookies and online identifiers
Just as cookies and similar online identifier technologies play a crucial part in making websites function correctly (shopping, logging in to banks etc.) they are also very important to digital advertising. Without them there is no effective means to show users adverts that are relevant to their interests. It would also often be impossible for businesses to measure the effectiveness of advertising campaigns and the budgets that are spent on them.
You can read more about cookies here: www.allaboutcookies.org
Optimise use a number of cookies and online identifiers to ensure our advertising campaigns and business services function properly and can be measured on devices (computers, mobiles, tablets etc.) including:
Session cookies which expire and are deleted when you close your browser. They include pseudonymous or completely anonymous references which allow us to understand whether a user made a purchase straight after clicking on one of our advertiser’s links.
Persistent cookies which are set to remain on your computer for a set period of time. They use pseudonymous or completely anonymous references and allow us to understand if a user came back to make a purchase having previously clicked on one of our advertisers’ links. They also allow us to join data together over a period of time (6 months) to understand which advertising campaigns have contributed to or led to subsequent outcomes (e.g. clicks and sales). These cookies generally last between 30-60 days.
IP addresses are used to help us match outcomes (clicks and sales, for example) to specific advertising campaigns. We also use IP addresses for fraud detection purposes. Optimise encrypt and hash (scramble the digits) these IDs and pseudonymous references as a measure to minimise the personal data we hold.
Device IDs, (which are set by your device manufacturer) and include IFA, are GoogleAID, Windows AdvertisingID used understand whether a user clicked on an advert or made a purchase on our mobile app advertising campaigns. These pseudonymous IDs are hashed on import and deleted after 6 months. Opt out is possible in the device settings
Interest-based cookies, which collect browsing data from the Advertiser and Publisher websites which use our Display and Interest-Based Advertising services. The data allows interest-based adverts to be displayed to users. We do not use interest-based cookies on campaigns unless we have permission from our partners and any appropriate consents from the online users. Most of our affiliate marketing campaigns (see above) do not use interest-based cookies and will only do so if this has been agreed and appropriate measures are in place (including getting consent, if applicable).
Cookie Tables (detailed technical information regarding our individual cookies)
The tables below detail the cookies that are used in connection with the Optimise services outlined in this Advertising Privacy Policy. For practicality we have arranged our cookie information to reflect the service that we provide (Affiliate Marketing, Customer Rewards Fulfilment and Display and Interest-Based Advertising)
Optimise Affiliate Marketing and Customer Rewards Fulfilment Cookies
The following cookies are set by Optimise when a Publisher’s website customer or user clicks on an advert or link relating to one of our clients (brands). The cookies are used for measuring the outcomes (e.g. whether a click or sale was generated for our client) of Affiliate and Customer Rewards Fulfilment campaigns and providing aggregated campaign reports and insights.
| Cookie Name | Purpose | Cookie (technical name) | Cookie Domain | Type | Cookie Contents | Privacy Measures |
|---|---|---|---|---|---|---|
| Optimise Attribution | To provide a means to attribute an outcome (e.g. sale or quote) generated from advertising campaigns to a specific Affiliate. | OMG-{MID} | track.omguk.com track.omgpl.com track.in.omgpm.comtrack.affiliserve.com | 1st party | Anonymous references:AID, UID, UID2, UID3, UID4, UID5, DateTime, VCountMapPseudonymousreferences:SSKey | Pseudonymous references:Deleted with cookie after 30-60 days.Deleted from systems after 6 months (or 1-2 years if required for validation purposes).Cookie opt outs are stated below |
| OMGSession | Provides affiliate campaign measurement data for individual user sessions. | OMGSession | track.omguk.com track.omgpl.com track.in.omgpm.comtrack.affiliserve.com | 1st party | Pseudonymous reference:SessionID | Pseudonymous references:Deleted with cookie after 30-60 days.Deleted from systems after 6 monthsCookie opt outs are stated below |
| OMGID | Enables measurement and analytics data of performance marketing campaigns across the Optimise Advertiser and Publisher network | OMGID | track.omguk.com track.omgpl.com track.in.omgpm.comtrack.affiliserve.com | 1st party | Pseudonymous reference:UUserID | Pseudonymous references:Deleted with cookie after 30-60 days.Deleted from systems after 6 months.Cookie opt outs are stated below |
| Optimise Channel | To provide a means to store the last referring channel | OMG-Channel-{MID} | track.omguk.com track.omgpl.com track.in.omgpm.comtrack.affiliserve.com | 1st party | Channel Identifier | Pseudonymous references:Deleted with cookie after 60 days.Deleted from systems after 6 months.Cookie opt outs are stated below |
| Advertiser Attribution Cookie (optional) | Read by the Optimise conversion tag to provide a backup means to attribute a sale to a specific Affiliate. | OMG-{MID} | Advertiser Domain | 1st party | Pseudonymous reference:SSKEY | Pseudonymous references:Deleted with cookie after 30-60 days.Deleted from systems after 6 months (or 1-2 years if required for validation purposes).Cookie opt outs are stated below |
Third Party Cookies and Opt outs
Our technology integrates with a number of the third-party solution providers used by the clients (advertisers) we work with in order to measure the effectiveness of their online campaigns. Optimise does not share data with these companies although by clicking on our Advertisers links their cookies may be placed on users’ devices and provide our advertisers with data to help them measure their advertising campaigns.
If you would like more information about the cookies and data used by these suppliers, as well as information on how to opt-out, please see their individual privacy policies listed below
| Name | Privacy and Opt Out(to find out more about opting out of these cookies click the links below) |
|---|---|
| Google DoubleClick | https://www.google.com/policies/technologies/ads/ |
| Microsoft | http://choice.live.com/advertisementchoice/ |
| Conversant (MediaPlex) | https://optout.conversantmedia.com/ |
| Google Analytics | https://www.google.com/intl/en/policies/privacy/ |
| Atlas | https://atlassolutions.com/privacy-policy/about-our-ads/ |
| Ensighten | https://www.ensighten.com/privacy-policy/ |
| Google Tag Manager | https://www.google.com/intl/en/policies/privacy/ |
| Signal Bright Tag | https://www.signal.co/privacy-policy/ |
| Tealium | https://tealium.com/cookie-policy/ |
| Adobe analytics | https://www.adobe.com/uk/privacy/opt-out.html |
| Appsflyer | https://www.appsflyer.com/optout |
| Tune | https://optoutmobile.com/ |
| Apsalar | https://apsalar.com/privacy-policy/ |
| Adjust | https://www.adjust.com/opt-out/ |
| Kochava | https://www.kochava.com/support/privacy/ |
How to opt-out of Optimise cookies
The Advertisers and Publishers that use Optimise cookies should provide consumers with the ability to opt out. Some of them will use their own technical systems or third-party consent tools/widgets to do this.
It is possible to opt out using the links below.
To opt out of Optimise Affiliate Marketing and Customer Rewards Fulfillment Cookies.
To opt-out Click Here.
To opt-in Click Here.
Please be aware that by opting out of cookies this will create a cookie in your browser that identifies that that you have opted out. If you delete that cookie from your browser you will need to opt-out again. In many cases the opt-out cookie will only be set on this browser on the device and browser that you opted out from. If you use another browser or computer you may well need to opt-out again.
You can also control how cookies operate on your device by modifying your browser settings. You will need to ensure that you are running an up to date browser.
For Internet Explorer, go to Tools > Internet Options > General > Delete… and follow the instructions.
For Firefox click the Menu button > Library > History> Clear your recent history… and follow the instructions.
For Chrome, at the top right click > Settings > Advanced > Privacy and Security > Clear browsing data… and follow the instructions.
For Edge, at the top right click the … icon > Settings > Choose what to clear and follow the instructions.
For Safari, Select Preferences from the Safari menu or hold down the Command key and the comma key at the same time (Command+,).
Go to the Privacy tab and click the Remove All Website Data button and follow the instructions.
More detailed information is provided here www.aboutcookies.org/Default.aspx?page=2
Opting out of Mobile Devices
Mobile web – use the instructions above to clear cookies in a browser on your mobile device and to control how cookies operate in browsers on mobile devices.
Mobile apps – Mobile applications do not use cookies, instead you can reset your device’s Advertiser ID:
iOS – Go to Settings > General > About > Advertising and tap Reset Advertising Identifier
Android – Complete the following steps
Tap the menu icon to display the apps list.
From the available apps list, locate and tap the Google Settings icon (or search for Google Services in your device’s main setting app
Tap the Ads option from the Google Settings interface.
Once the Ads window comes up, tap Reset advertising ID.
To find out more about Google Android Advertiser IDs, please visit this link: https://privacy.google.com/?hl=en. To find out more about Apple Advertiser IDs, visit this following link: https://www.apple.com/uk/privacy/.
How to complain or ask a question
To get in touch with our Data Protection Officer please contact DPOUK@optimisemedia.com
We will assist with all requests but may charge an administration fee, which we will notify you of in advance.