As at the date of this list, Publift’s joint controller, processor and sub-processor partners include:
Publift’s Ad Network Partners
Partner | GDPR role (joint controller; processor; controller) | Services include | Regions of processing include | Personal data includes | Time data may be processed for (retention and deletion)? | Nature and purpose of the processing include | Obligations to keep data secure | Data breach notification requirements and handling of regulatory requests | Handling of data subject requests and rights | Data transferred outside of EU? If so, what mechanisms and protections are in place? | Privacy Notice |
---|---|---|---|---|---|---|---|---|---|---|---|
AppMonet (dba “Adapt MX”) | Separate controllers | Programmatic advertising services | US | Device data Bid request data Including: anonymous data and technical information including but not limited to cookies and beacon data, metadata, usage data, geo-location data, and streaming data, with regard to the devices and systems used to access the Publift’s content and Publift’s advertising and the activities, preferences and attributes of the users of the Publift’s content and the Publift’s advertising content. |
90 days. | To provide, manage, maintain, and improve its services (including disclosure of impression-level information to other relevant parties).To provide and improve its services and provide related support, understand how a user interacts with the content and sites, preventing fraud, and customize a user’s experience. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Index Exchange | Processor of publisher data; controller of Index Exchange data | Programmatic advertising services | EEA Asia North America |
Device data Bid request data Including: ad response data, bid request data, bid response data, data regarding the advertising campaign of a client, location data based upon an IP address, cookie data, device IDs, any hashed identity tokens and data provided by Index Exchange, Demand Side Platforms, or clients. |
Up to 5 years. | Process personal data to provide platform services when it is permitted by law and supported by a valid legal justification. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Magnite (Formerly Rubicon) | Controller | Programmatic advertising services | EEA North America UK Australia Asia South America |
Device data Bid request data Including: • usage information • log information • device information • location information • internet service provider • deidentified information (encrypted or hashed email addresses) • derived information. |
As long as is necessary for the purpose(s) for which it was originally collected, or for other legitimate business purposes.Some data typically stored for up to 90 days before it is anonymized and aggregated. | Collect to enable clients to offer and buy advertising opportunities; to operate and improve technology; to compile statistics and conduct research and development; to prepare reports of visitor activity; to enable standard advertising controls; to analyze and report on ad performance, campaign reporting, and campaign forecasting; to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.To deliver end users targeted advertising; to create profiles of end users for targeted advertising; to create audience segments. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
OpenX | Controller | Programmatic advertising services | EEA North America |
Device data Bid request data Including: unique online identifiers, online and offline activity and interests, geolocation information, browser, device and service information, ad reporting and delivery information. |
For a maximum of 90 days from the last date it was received. | To facilitate non-interest based advertising;to facilitate interest-based advertising;to understand activities and preferences; to measure ad performance; to build and improve products, features and models. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | See here |
Teads | Controller | Programmatic advertising services | EEA Africa Asia Australia UK North America South America |
Device data Bid request data Including: cookie ID; mobile advertising ID; IP address; approx post code; page URL; date and time interacted with ad; browser information; device information; network type or carrier information. |
Cookie ID is stored in the browser for 365 days after its creation. Records of activities linked to the cookie ID are stored in the database for 4 months. Other information such as mobile advertising ID, IP address; approximate postcode; page URL; interactions; date and time; browser information; device information; network type: 4 months. |
Collect, use, analyze and process partner data: (i) to perform an agreement; (ii) as part of its business operations, to operate, manage, test, maintain and enhance the technology, service, platform and other products, programs and/or service, including as part of its re/targeting capabilities, to serve interest based ads to users, to combine the partner data with other sourced data; and to share the partner data with its buyers partners. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Criteo | Co-data controller | Programmatic advertising services | EEA | Device data Bid request data Including: non-identifying data to improve the Criteo Technology and other Criteo products, programs, and/or services. This non-identifying data may include on-site user behavior and user/page content data, URLs, statistics, or internal search queries. |
Technical data collected for up to 13 months from the date of collection, and expires 13 months after they are last updated. Opt-out cookie expires after five years. |
Display personalised advertising Display contextual advertising Sales matching/attribution Fraud prevention/fight against fraud/IVT Data model training Billing Reporting Incident resolution |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Equativ (fka Smart AdServer) | Processor Controller of Personal Data Processed through certain cookies and processing of Data Subject’s IP address for the purpose of ensuring security, preventing fraud and debugging. |
Programmatic advertising services | EEA North America |
Device data Bid request data Including: • IP address; • Server ID; • Browser ID, OS ID, screen size; • ISP ID, postal code, phone prefix, country, region, city, DMA zone ID; • Timestamp, longitude, latitude, connection type; • Keywords associated with user; • Timestamp of last visit. |
Duration of the Agreement | To perform Smart Ad Server’s Services to Publift (including providing, operating, managing, maintaining Smart Adserver’s Platform); • To perform contextual and/or interest-based advertising; • To perform optimization in respect to a campaign, including to limit the number of times a Data Subject sees a particular ad; • To show ads related to the content of the concerned web page; • To report aggregated statistics. |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Sharethrough (formerly District M) | Controller | Programmatic advertising services | EEA North America Asia |
Device data Bid request data Including: cookie identifiers, third party online identifiers, mobile device identifiers, browser and device information, IP addresses. |
In accordance with each Party’s data retention policy, and only for the time period necessary to deliver each Party’s Services pursuant to the Terms of Service. | For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
ConnectAd | ConnectAd is processor; Publift is controller | Programmatic advertising services | EEA | Device data Including: IP (for the time of processing) and cookie ID |
30 days, extended on each user contact with a proper TCF consent. | Following the IAB TCF Framework (nature and purpose depend on the consent and purpose granted). | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Kueez Entertainment Ltd | Separate controllers | Programmatic advertising services | EU UK US |
Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps) Geo-location information (non-precise) |
Personal data will be retained (a) as necessary for the parties to achieve the purpose of the agreement; and (b) subject to each party's retention policy. |
To administer the ad campaigns (including for retargeting and behavioral advertising purposes), for the protection against fraudulent activity, for analytics and reporting purposes, and as needed to provide and improve the services. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Opti Digital | Data processor | Curation of ad inventory Aggregation and enrichment of ads Utilisation of proprietary ad templates to display ads in various sizes and media types |
EU US |
• First-party or third-party IDs (not retained - sent to SSP and other partners)
• IP address: deleted after 30 days • Browser: anonymised after 30 days • UserAgent: deleted after 30 days • Device: anonymized after 30 days • Country: anonymised after 30 days • Visited URL (publisher domain): deleted after 30 days • Previous URL (referral domain): deleted after 30 days |
See “Personal Data includes” column | Collection, analysis, transfer to advertisers and other partners, storage, backup, deletion | In accordance with GDPR | In accordance with GDPR | In accordance with GDPR | In accordance with GDPR | N/A, given processor role. |
Sonobi | Independent controller | Programmatic advertising services | EU UK US |
Identity data, i.e. online identifiers (e.g. IDFA, IP address) User agent Ad and content click/view information Segment data such as interests |
Up to 60 days from the last date that Sonobi received any data in relation to an end user. | To provide the services as permitted under the agreement | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Adagio | Independent controller | Programmatic advertising services | EU US |
IP address, Device ID, and Unique ID (either generated by Adagio or by a Bidder). | The data will be retained for as long as required for the Processing Purposes, and will be deleted immediately after. | Retrieval of end-user IP address and end-user specific user IDs (created by either Adagio, Publisher,Publisher’s Suppliers and/or Adagio’s Suppliers) from end-user device and/or Publisher. Transfer of said personal data to consumer device and/or Adagio’s Suppliers (for consumers in EEA/UK, only if consent has been provided through Publisher). Creation of fully anonymised aggregates for reporting and optimization purposes. No personal data is stored by Adagio beyond the time required to execute the tasks described above. (collectively, the “Processing Purposes”) |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Primis | Independent controller | Programmatic advertising services | US EU |
Any direct or indirect identifying information, including without limitation: IP addresses, IFV, IFA, GAID and/or MAID or other similar identifiers (e.g., IDFA/ AAID or any device IDs), privacy string, cookie data or other unique identifiers and information about end-users’ devices, geolocation, inferred interests. | Personal Data will be retained by each party for as long as necessary to fulfil the purposes of processing. | Serving targeted advertising and associated ad reporting / measurement, ad optimisation and other related services. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
OneTag | Independent controller | Advertising services | EU/UK US |
• Privacy choice • Privacy and interaction data • Non precise location data • Device identifiers • Device characteristics • IP addresses primarily in pseudonymised form (i.e. IP addresses with the last octet replaced with a zero) |
OneTag shall retain end user data for a period of a year and a half from the date of collection, at the end of which OneTag shall delete such data. | •Store and/or access information on a device [1] •Use limited data to select advertising [2] •Create profiles for personalised advertising [3] •Use profiles to select personalised advertising [4] •Measure advertising performance [7] •Understand audiences through statistics or combinations of data from different sources [9] •Develop and improve services [10] The numbering corresponds to the IAB TCF framework. |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Ogury | Independent controller | Contextual and identifier-based advertising | EU/UK US |
Device and OS related information (Device model and manufacturer, screen’s dimensions, OS version, Virtual Machine name and version, android standby bucket) Details of the Property and web browser in which the Ogury technologies are incorporated (asset key, App name and version or mobile web address and ad unit) Context information (Device Internet connection type, User agent, language and country codes, local time, time-zone) The version number of the Ogury technologies used by the Digital Property What each Ogury ad is about. The format of each Ogury ad (e.g., text, image, or video). Where the Ogury advertisement is displayed within a Digital Property or elsewhere. End-User interaction with the advertisement (for example, clicks and how long it was displayed for). End-User interaction with websites after clicking on an Ogury advertisement. A Device’s unique Advertising ID, such as Google AAID or Apple IDFA. Cookie IDs Device IP Address |
Up to 13 months. | Provision of digital advertising services | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
Xandr | Co-Controller and Processor (depending on the processing activities) | Targeted advertising and related forecasting and reporting | EU/UK US AUS |
Identifiers: Unique identifiers, other identifiers, hashed email address, IP Address, data that could be used for device fingerprinting, latitude and longitude; Demographic information: location, age range, gender, other Client-specified demographics (tied to an identifier); Behavioral data: frequency of identifiers visiting and viewing Sites and viewing and taking actions with respect to Ad Units; and Interest-Based Data: probabilistic inferences regarding a Data Subject's interests and preferences. |
It is usually aggregated or deleted within 33 days (or 93 days for select members), after which time it is aggregated or deleted. | Targeted advertising and related forecasting and reporting | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws, including SCCs. | See here |
Kargo | Independent Controller | Ad targeting, ad serving and data analytics | US EU/UK |
Usage data Tracking data Aggregate data |
Up to 18 months | Advertising purposes | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |