Privacy policy.

Targeted Advertising Campaigns

The core of our business is helping our clients to target their online advertising and marketing campaigns to people likely to be interested in them. In doing that we use personal data from a few different sources in a few different ways, and we work with a few different technology providers. We provide more details about what we mean by technology providers below.

The techniques that we use which involve personal data will typically rely on tracking cookies, or on similar technologies like tracking pixels or mobile device advertising IDs, to build a profile of people’s likely interests and characteristics based on browsing history.

The way this works is that each device, or browser within a device, (e.g. a computer, a phone or a tablet) are assigned a series of identifiers which allow the device, to be recognised when you visit different websites. Over time, it is possible to build up a picture of the kind of person who might be using that device based on things like the pages they visit, the time of day when they visit and how long they spend there.

It is important to understand that this does not mean that we actually know who you are. We don’t know your name, or your address, or your email, or your phone number, or anything else that would enable us to identify you in the offline world. We only have an idea based on the picture we have built about you and only when you are using the device. Our clients might know who you are from other sources, but they don’t tell us. If Google DV360, Twitter or LinkedIn are involved, then they might also know who you are if you have an account with them, but they don’t share that personal data with us.

As far as we are concerned, when you are using your device, based on the picture that we have built about you, we will know you as (for example) “Device ID 123456, usually located in the Greater Manchester area, probably a woman, probably aged 45-51, appears to be interested in rugby, cars and foreign travel”.

If one of our clients ask us to run an advertising campaign which (for example) is aimed at people interested in cars near Manchester, we will put together an ‘audience’ of people who we believe would be interested in that advertising campaign. The ‘audience’ will be made up of device IDs where the picture that we have built matches with our client’s requirements (as can be seen above). Depending on our client’s advertising campaign we will in some instances purchase device IDs from third parties data providers in addition to those pictures we have built ourselves. Where we purchase device IDs for an advertising campaign from a third party we will only see the device ID, and not the picture that has been built about the person using that device. The third party will determine whether the person using that device would be interested in the advertising campaign. We then access the audience via technology providers where we then run and serve the advertisement accordingly on behalf of our client.

We might combine the approach above with other targeting techniques not involving personal data, such as “contextual” targeting (i.e. buying ads on pages with specific kinds of content) or advertising only on specific websites.

The net effect of all this on you is that, when you browse the Internet or use ad-supported apps on your tablet or phone, you are more likely to see advertisement A rather than advertisement B.

We explain more about how we collect personal data, and the different ways we use it, below.

Retargeting

“Retargeting” is the practice of using tracking cookies (or similar technologies) to show you adverts for businesses whose sites you have visited.

Typically we use retargeting where our client is running a wider campaign which directs people to a specific “landing page” on its website. We can then (with your agreement) use a cookie set by one of our technology partners to “mark” you as someone who has visited that landing page, which we can then use to cause adverts for the client to be displayed to you when you visit other sites.

Automated bidding on advertising space

Automated bidding is a type of online advertisement where the buying and selling of advertisements is done in real time through an automated auction process. This happens during the time that you are waiting for a webpage to load in your browser so that once a webpage is loaded the advertisement of the ‘auction winner’ is displayed on that webpage.

When you type in the address for a webpage which works with one of our technology providers we will use the picture we have built about you (as detailed above) to ‘bid’ on serving an advertisement to you on that webpage on behalf of our clients.

Geo-targeting

We access location data held by our third party data provider to make sure that the advertising campaigns are run only in the locations where they are relevant. For example, a car dealership may only service Reading and the surrounding areas. We use the location data to make sure that the advertising campaigns are only served in this area. This also means that you will only see advertisements that are relevant to you.

Social media advertising

We place adverts with social media platforms to be displayed on their platforms. These adverts are typically targeted using the platforms’ own audience data, which we don’t ever see; instead, we simply specify the criteria for targeting (for example, people in the Greater Manchester area with an interest in cars).

Reporting on adverts served, views, click etc

We analyse and report to our clients on how many adverts were served, how many times they were viewed and how many people clicked on the advertisements.

The reports are based on factors such as geographical locations, particular websites where advertisements were placed, time and days of the week. We use third party service providers who assist with our analysis and reporting which is done in an aggregate form, so that we cannot identify people.

Fraud prevention and brand safety

We and our technology partners process personal data in order to meet industry standards of “brand safety” (preventing a brand’s ads from appearing in inappropriate places) and fraud prevention (preventing the artificial inflation of the number of hits on an advert in order to obtain additional payment).

We’re Gold Standard Certified by the IAB UK. Supporting the change that drives improvement in the industry, we’re committed to LEAN ad standards. We work with independent bodies such as TAG and are certified in their Brand Safety Program in which we are Independently audited by a 3rd party verification specialist BPA. In addition, we follow the UK Good Practice Principles outlined by the Digital Trading Standards Group.

We rely on the legal basis of consent in order to process your personal data. The only exception to this is when we use non identifiable metrics for reporting in which case we rely on the legal basis of legitimate interest. Any time we use legitimate interest as our legal basis for processing we carry out a balancing test to ensure that our rights and interests do not outweigh your rights under the law.

When relying on consent, while we do not have a direct relationship with you, we will process personal data where you have given consent to one of our clients to collect your personal data on their website, website publishers, or one of our third party data providers. We carry out checks on how they ask for that consent to make sure they are doing so in line with current industry standards. We provide more details below about what we mean by these different groups.

All parties processing your personal data under the legal basis of consent should provide you with a facility to withdraw that consent. If they do not or cannot, then you can always contact us using the information above and we should be able to help. As detailed above, because we do not hold any personal data that can identify you in the offline world we will need your cooperation in establishing your cookie ID or device ID.

Opting Out

You have the right to opt out of targeted advertising at any time. You may do so by contacting us as described above or if you prefer, you can also achieve the same practical effect by deleting cookies from your device and resetting your mobile device advertising ID by managing your browser’s cookie preferences. it will then be impossible to re-associate your device with the browsing data we have associated.

Please note that if you use more than one device or browser type you may need to repeat this process. Further to this resetting your browser or device means that will you appear to be a “new” device. As such you may continue to receive adverts in the future if you do not continue to manage your preferences. For further details on how to manage your preferences please see aboutcookies.org or www.allaboutcookies.org. If you wish to opt out of our technology partners use of your data please here for more detail: Lotame -https://www.lotame.com/privacy/privacy-manager/ Trade Desk - https://www.adsrvr.org/

Data collected by us from our clients’ websites

Sometimes we will collect data directly from our clients’ websites, using a cookie set by our technology providers. We provide more details about the technology providers we use below.

We will use the personal data for the duration of our client’s campaign. The personal data is stored by our technology providers and will be stored for the lifespan of the cookie. The retention period for the personal data will be dependent on the retention period set by the technology provider. If you would like further information about how long your personal data is kept you can contact our technology providers or our data protection team (see details above).

Data provided to us by website publishers we work with directly

When we talk about website publishers, we mean the owners and operators of the websites you visit, and who sell advertising space to us on behalf of our clients.

For some of our campaigns we work directly with website publishers to ensure we have accurate information for our advertising campaigns. Where a website publisher has asked you to verify specific details about yourself so that they can engage with you offsite, such as that you work in finance or within a certain age bracket we will use this personal data to assist us with building our picture about you as detailed above. We will only receive this personal data about you where you have provided consent to the website publisher.

We will use the personal data for the duration of our client’s campaign. The personal data is stored by our technology providers and will be stored for the lifespan of the cookie or similar technologies such as Device ID’s etc. . The retention period for the personal data will be dependent on the retention period set by the technology provider. If you would like further information about how long the personal data is kept you can contact our technology providers or our data protection team (see details above).

Audience data from third party data providers

Our third party data providers will have built their own pictures about you in the same way we have described above. We use pre-created audiences (i.e. lists of device IDs inferred to be used by people with specific characteristics) from certain third party data providers made available by our technology providers.

Where we use audience data from third party data providers we do not receive an actual copy of that data, or see the “raw data”. It is instead added to the audience data we have created using the platform we have with our technology providers.

We will only use this personal data from third party data providers at the time in which an advertisement is served to you by us. We do not store it for any future use.

Location data

We can access location data from our third party technology providers.

When using mobile devices our third party data provider will, if you have enabled that setting on your device, collect your location when you are using a mobile application that they partner with. The location data that is collected will related to your latitude and longitude coordinates, to six point coordinates (e.g. 23.2332290) whilst you are in the mobile application for an advertising campaign whilst you are in the mobile application.

In addition to location data collected from mobile devices our technology providers collect details of your location is also collected IP address, device location, GPS location, Wi-Fi location or Bluetooth details to enable them to serve ads accordingly. The links below provide further details about how they our technology providers collect, store and use your personal data.

Your location data will be collected and used at the time of determining whether to serve a particular ad to you and stored after this point.

Cross Device Matching

Sometimes our technology providers will carry out cross-device or cross-environment tracking. As it is likely that people own multiple devices this enables the technology providers to link the devices back to you, this will create a collection of known identifiers about you that can be associated across your different devices, which is called an ‘ID graph’. We will access the ‘ID graph’ through our technology providers to serve you advertisements across different devices, control how many advertisements you see overall from us to ensure the frequency is capped and to see how successful a particular advertisement is for reporting purposes.

We do not receive copies of personal data relating to cross device matching.

Our technology providers offer functions and capabilities such as advertisement serving, data storage, third party data sets (as detailed above), cookie settings and geo-location data.

The technology providers who provide us with these data management platforms are:

• The Trade Desk
  You can find details of how The Trade Desk use your personal data on their privacy notice here: https://www.thetradedesk.com/general/privacy

• Stackadapt
  You can find details of how Stackadapt use your personal data on their privacy notice here: https://www.stackadapt.com/privacy-policy

• Lotame
  You can find details of how Lotame use your personal data on their privacy notice here: https://www.lotame.com/about-lotame/privacy/

• Google
  You can find details of how Google use your personal data on their privacy notice here: https://policies.google.com/privacy

• Teads:
  You can find details of how Teads use your personal data on their privacy notice here: https://www.teads.com/privacy-policy/

• Octane 11
  You can find details of how Octane 11 use your personal data on their privacy notice here: https://www.octane11.com/privacy-policy/

• Bombora
  You can find details of how Bombora use your personal data on their privacy notice here: https://bombora.com/privacy/

• Twitter
  We buy advertising on Twitter’s platform on behalf of our clients. You can find Twitter’s privacy notice here: https://twitter.com/en/privacy

• LinkedIn
  We buy advertising on LinkedIn’s platform on behalf of our clients. You can find LinkedIn’s privacy notice here: https://www.linkedin.com/legal/privacy-policy

• DoubleVerify
  We use DoubleVerify to help with reporting on ad performance, and for brand safety and fraud prevention and detection. You can find DoubleVerify’s privacy notice here: https://www.doubleverify.com/privacy/

• Oracle
  We use an Oracle product called Moat to help with reporting on ad performance, and for brand safety and fraud prevention and detection. You can find Oracle’s privacy notice here: https://www.oracle.com/legal/privacy/

In order to provide our services we share your data with the technology providers as listed above, our clients and the sub-processors that we use in order to provide the environments in which we process data for business purposes. When sharing data, we complete our own due diligence ensure that any partner, provider of processor offers you an equivalent level of protection under the law.

If you would like further information regarding your data, how it has been shared and with whom please contact our data protection and privacy office on the details set out above.

Due to the global nature of some of our technology providers there maybe circumstances where we transfer information outside of the UK or the EEA. If we do so, then your personal data will only be transferred on one of the following conditions:

• Where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (e.g. Data Transfer Assessments and Standard Contract Clauses adopted by the European Commission and/or the UK IDTA and UK Addendum as adopted by the UK Government);

• A European Commission or UK Government decision provides that the country or territory to which the transfer is made ensures an adequate level of protection; or

• There exists another situation where the transfer is permitted under applicable law (for example, where we have your explicit consent).

Said mechanisms ensure that your personal data is protected to the same standard as it would be within the UK or the EEA.

If you would like further details about how the technology providers transfer your personal data please click on the links above or contact our data protection team (see above for contact details).

The safety and security of your data is important to us. As an ISO27001 certified organisation, we are committed to applying and continuously improving appropriate technical and organisational security measures to meet our legal, contractual, and regulatory obligations. We support and adhere to industry standards such as IAB Gold Standard and are TAG BSC Certified with independent audit verification. More information about our cybersecurity program, including proof of ISO27001 certification, is available on request.

As set out above we use personal data in order to make decisions around whether or not to surface an advert to you or whether or not to bid on opportunities to serve ads to you. The ways in which we use data or algorithms may be considered automated decision making processes. Equally the data that we process in terms of creating a picture of your online habits may be considered as creating a profile of you. Please note that the processing activities that we undertake do not effect your legal rights in any way. You have the right to object to such processing and if you wish to do so please contact us.

Please note that as we do not store data that enables us to directly identify you, you may need to provide us with additional information to enable us to support your rights under the legislation.

We collect and process personal data as part of our business to business relationships when we act on behalf of organizations, such as our advertising clients, in order to provide those services agreed as under our contract of service.

Such processing activities include;

• Taking steps to enter into, maintain and managing our contract of service with you

• Managing any disputes or complaints in relation to the services we provide

• Processing in furtherance of our commercial activities such as to maintain and manage our business operations

• Management reporting and internal process requirements

• To develop and improve our products and services

• To communicate with you regarding additional product offerings and to facilitate making campaign and events

• To communicate with you regarding any queries you raise via the website.

• We may also process your personal information for the establishment, exercise, or defence of legal claims or if we proceed with a claim against you or

• In order to give effect to your rights under data protection legislation or any other legal obligations that we are subject to.

Whenever we process personal data we must have a legal basis in order to do so. In the majority of cases we will rely on

• The legal basis of contract

• Legitimate interest, that interest being in order to run our business in an efficient and effective manner,

• To fulfil our legal or regulatory obligations or

• In some cases, with your consent.

When we rely on the lawful basis of legitimate interest we conduct a balancing exercise to ensure that our interests are proportionate and do not override your rights and interests as a data subject. In some instances, you have the right to object to this kind so use. If you wish to object lease contact our data protection team using the details set out above.

Please note that if consent is our legal basis for processing you will be provided further information prior to the collection of your data. You also have the right to withdraw your consent at any time. If you wish to do so please contact us directly.

We collect your personal data as part of our business relationship when you are acting on behalf of your organisation. We collect your data from a number of different sources including:

• Directly from you in person, by telephone, email, surveys or via our website;

• From publicly available sources such as internet search engines and social media sites;

• From call recording when you interact with us

• From our website, including the use of cookie and web analytics. Please see our cookies policy for further information

• From third parties in connection with any acquisition or merger of a business by us.

We will only send you marking information regarding:

• Our own products and services

• Industry related insights and news

You have the right to stop the use of your personal data for direct marking activity. Please contact us is you no longer wish to receive marking communications. If you do choose to stop receiving marketing communications from us, we will ensure that you do not receive such material going forward unless you specifically request it in the future.

Please note even although you have opted out of receiving marketing communication from us, we will still continue to send you any necessary information regarding any business contractual relationship you continue to have with us or communications we are required to issue in order to fulfil or legal and regulatory obligations.

There may be circumstances where we share your personal data with other parties. Such examples include:

• Our third party service providers such as IT suppliers, auditors, marketing agencies, documents management providers and tax advisors;

• Regulators who govern how we operate such as the ICO and the Advertising Standard Authority;

• Third parties in connection with any sale, transfer or disposal of our business.

• Other entities within the Next 15 group for the purposes of administrating technical and admin support.

• We may also disclose your personal information to other third parties where disclosure if required by law or by a regulator with authority over us on the grounds of substantial public interest.

There may be circumstances where we transfer information to our service providers/ data processors outside of the UK or the EEA. If we do so, then your personal data will only be transferred on one of the following conditions:

• Where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (e.g. Data Transfer Assessments and Standard Contract Clauses adopted by the European Commission and/or the UK IDTA and UK Addendum as adopted by the UK Government);

• A European Commission or UK Government decision provides that the country or territory to which the transfer is made ensures an adequate level of protection; or

• There exists another situation where the transfer is permitted under applicable law (for example, where we have your explicit consent).

Said mechanism ensure that your personal data is protected to the same standard as it would be within the UK or the EEA.

If you would like further details about how the technology providers transfer your personal data please click on the links above or contact our data protection team (see above for contact details).

The safety and security of your data is important to us. As an ISO27001 certified organisation, we are committed to applying and continuously improving appropriate technical and organisational security measures to meet our legal, contractual, and regulatory obligations. We support and adhere to industry standards such as IAB Gold Standard and TAG BSC Certified with independent audit verification. More information about our cybersecurity program, including proof of ISO27001 certification, is available on request.

Your data will not be subject to any automated decision making or profiling activity.

We are required to provide individuals with clear and precise transparency information regarding who we are and what we do with your data. This Privacy Notice along with other transparency information gives effect to this right

Individuals have the right to access and receive copies of their personal data alongside other supplementary information as required. If you wish to affect this right please contact our data protection team on the details provided above

Individuals have the right to ensure that the information that we hold about them is accurate. If you believe that the personal information that we hold about you is inaccurate or incomplete, then please contact us to request that we amend or update our records

You have the right to request that all data pertaining to you be erased from our systems. Please note that there are certain circumstances where this request may not be possible. If we are unable to comply, we will issue you with meaningful information regarding why this is the case

There may be circumstances where we will restrict the processing of your data. For example, if we are investigating a claim that your personal information is no longer accurate or you object to the processing taking place

You have the right to request that your information be compiled into a common, machine-readable format and either provided directly to you or sent by us to a third-party you nominate. If this is not possible, we will issue you with information setting out why this cannot be done

You have the right to object to us processing your data or a category of data that we hold about you. If we are unable to comply with your request, we will issue you with meaningful information regarding why this is the case

You have the right to request human intervention relation to any process involving automated decision making or profiling where that processing results in legal or similarly significant effects