Privacy Policy

1. Introduction and background
2. Privacy practices of Smaato advertising services
3. Cookies, pixel labels, and SDK
4. Consumer control and opt-out options
5. Privacy practices of Smaato website
6. Data access and retention
7. Data security
8. Third-party websites and apps
9. Users outside the US
10.California Do Not Track
11. General Data Protection Regulation (GDPR)
12. Our membership and affiliation
13. Changes to this Privacy Policy
14. Contact us
BidMatrix provides this Privacy Policy to explain how we collect, use and share information.
This Privacy Policy (the "Policy") covers BidMatrix's treatment of two types of information:

- We receive from customers regarding the use of our Software Development Kit (" SDK "), other collection interfaces (collectively referred to as the "API"), BidMatrix Demand Platform (" SDX ") or BidMatrix Publisher Platform (" SPX ") (collectively referred to as "BidMatrix Ad Services") of the third party Mobile Application (the "Application") of the End user (the "End User"), and
- We received the information through the company website in the bid matrix. About us. HTML or any other web site where this Policy is published, as well as information we obtain through other Company services and portals available to our customers and business partners (the "BidMatrix Web site"). We describe the information received through the BidMatrix website in section 5 below, "Privacy Practices at BidMatrix Website"

We encourage consumers to understand how information (including information we collect) can be used to market to them and how to exercise their choices to allow or limit such marketing. We describe the ways in which consumers exercise this opt-in or opt-out marketing in section 4 below, entitled "Consumer Control and opt-out options"

BidMatrix provides mobile advertising technology services that facilitate transactions between demand-side platforms, advertisers, application developers, publishers of mobile websites and/or applications, advertising exchanges (collectively "clients") and service providers (collectively "Partners"). We do this by offering BidMatrix advertising services and other tools to our clients. Clients use BidMatrix advertising services and other tools to serve ads to end users, and we in turn provide services to help clients (and their own clients) serve ads that end users are interested in. We explain what SDKS and apis are in section 3 below, "Cookies, Pixel Tags, and SDKS," which also explains how cookies and similar technologies (which we also use to serve BidMatrix ads) work.

Through the bidmatrix advertising service, we may collect information about end users (within the scope of the client passing this information to bidmatrix), including:

- It can infer the IP address of the geographical location and the system configuration information, such as the information of the end-user operating system;
- Rough geographical location information;
- Accurate geographical location, such as the longitude and latitude data of the end user;
- Cookie ID, mobile ad identifier, such as IOS idfas and Google ad ID (collectively referred to as "mobile ID");
- Age;
- Gender;
- Device type and other device information (for example, whether the end user uses a smartphone or tablet, and related information);
- Network supplier;
- Mobile browsers (such as Firefox, Safari and chrome); and
- Other unique identifiers that may be associated with the end-user device, including identifiers provided by the client or its service provider.

We call all the above information "service information".

We use the Service Information to provide a variety of services to our Clients related to advertising and marketing, including services we may describe elsewhere on BidMatrix Websites. This includes use of the Service Information for purposes such as to:

- Provide customer, technical, and operational support for the BidMatrix Ad Services, detect and protect against errors, fraud, or other criminal activity, and resolve disputes and enforce our terms and conditions and other rights we may have. This may also include analyzing, customizing, and improving the features of the BidMatrix Ad Services; Provide information and analytics to Clients about the advertising inventory provided through the BidMatrix Ad Services;
- We, or our Clients, may deploy online cookies to track End Users across mobile websites and/or apps, or to associate End Users and these cookies with Mobile IDs. You can learn more about cookies and similar technologies, such as web beacons and SDKs, in Section 3 below, titled “Cookies, Pixel Tags, and SDKs.”

We share service information with clients and partners to provide BidMatrix advertising services. For example, we share service information with:

- Customers and their marketing and service providers, so that they can serve targeted advertising to end users on mobile websites and/or applications;
- Partners that facilitate BidMatrix's AD service capabilities (for example, traffic and AD quality verification vendors and data centers).

Even if clients no longer access our SDK, we can continue to use and share the service information described in this policy.

The processes we describe above often involve cookies or similar technologies that may be relevant to other information about the end user, such as the end user's interests, demographics, or transactions. This is often referred to as "interest-based advertising" and individuals interested in controlling or learning about such advertising are encouraged to visit section 4 below, "Consumer Control and Opt-out options," or to visit the Digital Advertising Alliance (DAA) website at www.aboutads. Information.
We can also share service information with third parties:
- Pursuant to a request or authorization by an End User or Client;
- If the disclosure is provided to: (a) comply in good faith with applicable laws, rules, regulations, governmental and quasi-governmental requests, court orders, or subpoenas, including for purposes of national security and law enforcement; (b) enforce our terms and conditions or other agreements; or (c) protect our, or any other person’s or entity’s, interests, rights, property, or safety, or in connection with an investigation of suspected or actual unlawful activity;
- Where the information is aggregated or de-identified; and
- As part of a business purchase, sale, merger, consolidation, investment, change in control, transfer of all or substantially all of our assets, reorganization or liquidation, bankruptcy, or in connection with steps taken in anticipation of such an event (e.g. due diligence).

A cookie is a small data file that contains a string of characters, such as a unique browser identifier. Cookies are stored on your computer or other devices and serve as a unique marker to identify your browser. When you visit the bidmatrix website, our server may deploy cookies on your browser. Our customers and partners can also do this on the bidmatrix website, our customers' and partners' websites, and elsewhere. Bidmatrix can use both session cookies and persistent cookies. Unlike session cookies, persistent cookies persist after you close your browser and may be used by your browser when it subsequently visits any given website. Using persistent cookies, website operators (or third parties working with them) can "remember" what you have done on the website before, and personalize the website for you or the advertisements you see. This technology may also provide website operators or third parties (or us, when you visit the bidmatrix website) with information about your IP address, browser type, web pages you visited before or after visiting a website, web pages you visited, and the date and time you visited.

A pixel tag (also commonly known as a web beacon or clear GIF) is an invisible 1 x 1 pixel that is placed on certain web pages. When you access a web page with a pixel tag, the pixel tag may generate a generic notice of the visit, and permit us, or our Clients or Partners, to set or read cookies. Pixel tags are used in combination with cookies to track the activity on a website by a particular browser on a particular device. If you disable cookies, pixel tags simply detect a given website visit.

For example, we can use cookies individually or with our customers and partners to "remember" you, track trends, and gather information about how you use our customers' or partners' websites or interact with advertising. We, as well as our customers and partners, use cookies to serve you relevant content and replace irrelevant ads with ads that better match your interests. If you wish to opt-out of interest-based mobile advertising, please see section 4 below, entitled "Consumer Controls and Opt-out Options" Please note that disabling cookies may prevent you from accessing certain features and products of the BidMatrix site, as well as features and products of other sites you visit.

We or our customers or partners may use or use mobile SDKS (including our own SDKS, which are described in more detail in this policy) to collect information such as mobile ID, And information relating to how mobile devices and their users interact with our BidMatrix advertising services and the people who use our BidMatrix advertising services. SDKS are computer code that application developers can include in their applications to display ads, collect data, and implement related services. Sometimes we get our data through other (usually simpler) interfaces that provide us with similar data, often referred to as apis. For example, we can use these technologies to analyze or measure certain ads through apps and browsers based on information relevant to your mobile device. If you would like to opt out of advertising that has been tailored to you in this way on mobile devices, please follow the instructions in section 4 below, "Consumer Controls and Opt-out options.

In most cases, consumers can control whether they are willing to receive relevant advertising and marketing emails from our customers. To change the cookie bidmatrix settings on your device through the bidmatrix website, please visit our cookie policy.

You can opt out of many of the publishers, platforms and service providers we work with that support online interest-based advertising from cookies or similar technologies by visiting the Digital Advertising Alliance’s consumer education and opt-out page at http://www.aboutads.info (or the European Interactive Digital Advertising Alliance’s opt-out page at http://www.youronlinechoices.eu if you are located in the European Union).
Some of our publisher Clients have their own opt-out mechanisms that are linked from their websites or their online-posted privacy policies. You should review the privacy policies of those companies for these opt-out links if you no longer wish to receive targeted advertising from a certain company, or multiple companies.
You can also click below to opt out of having the BidMatrix Ad services used to select ads for your browser based on your online web browsing behavior. When you opt out, an opt out cookie (from smaato.net) will be stored in your web browser. Our platform will know the choice you have made when it sees your opt out cookie, and will apply your choice to all companies using BidMatrix Ad services for online interest-based advertising from cookies.

Please note: This type of opt out is cookie-based, which means that if you block cookies, upgrade your browser or delete your cookies, you will need to opt out again. Also, in order for your opt out choice to be effective, you must ensure that your browser is set to accept third-party cookies such as the BidMatrix opt out cookie. Some browsers block third-party cookies by default, and you may need to change your browser settings to accept third-party cookies before opting out. If you use a different device or browser, or erase cookies from your browser, you will need to renew your opt out choice.
Even if you opt out, BidMatrix may continue to collect data for other purposes, and when you visit the websites of publisher clients that use our platform, you will still receive ads for BidMatrix advertising services, but such ads will not be personalized to you.

By accessing the Settings on your Apple or Android mobile device, you can choose not to have your mobile ID used for certain types of interest-based mobile ads (also known as "cross-app ads"), including ads executed by BidMatrix, as shown below:
Apple devices: If you have an Apple device, you can opt out of most cross-app ads by upgrading to iOS 6.0 or later and enabling "Restricted AD Tracking."
- iOS 7 and Higher: Go to Settings → Privacy → Advertising, and toggle “Limit Ad Tracking” to ‘ON.’
- iOS 6: Go to Settings → General → About → Advertising, and toggle “Limit Ad Tracking” to ‘ON.’
- Android Devices: If you have an Android device, you can opt out of most cross-app advertising by going to Google Settings → Ads, and selecting the option to opt out of interest-based ads.

Please note that these platforms control how these settings work, so the above instructions may change, and the precise language may be different on certain (particularly, on older) devices. Likewise, if your device uses other platforms not described above, please check the settings for those devices.

Advertisers may also provide ways for you to opt out from, or limit their collection of, certain information from and about you. Please refer to the privacy policies for retailers, apps, and mobile websites to learn more about their privacy practices.

You may opt out from receiving promotional emails from us, such as emails to inform you about events and new services, by following the “unsubscribe” instructions in any promotional email you receive, or by contacting us at [email protected]. Please note, however, that we may still send you non-promotional emails relating to your relationship with us.

The BidMatrix website provides information about BidMatrix and our products and services. Through the BidMatrix website, we collect information that you voluntarily disclose to us, and we may automatically obtain the information collected.

We collect information that you voluntarily disclose to us, such as your name, mailing address, email address, phone number, credit card number and other billing information, when registering for an account, expressing interest in obtaining additional information about BidMatrix or our products and services, or contacting us through the BidMatrix website. You may also provide us with certain information about your business or other individuals.

When you visit the BidMatrix Websites, we may use cookies and pixel tags that we associate with unique identifiers to keep track of visitor interactions and personalize your experience on the BidMatrix Websites. For more information, please see Section 3 above, titled “Cookies, Pixel Tags, and SDKs.”

We may also use third-party services, such as Google Analytics, that gather information such as your IP address, browser type, the web page from which you came to the BidMatrixWebsites, and the times of your visit. In addition, as you browse the BidMatrixWebsites, advertising cookies may be placed on your computer so that we can “remember” your interests. Our display advertising partners may then help us retarget ads to you on other sites based on your interactions with the BidMatrix Websites. To opt out of such interest-based mobile advertising, please see Section 4 above, titled “Consumer Control and Opt-Out Options.” Opting out in this way will not prevent you from receiving ads; rather, the ads you see will be less customized to you.

In addition to the uses described elsewhere in this Policy, we use the information we collect through the BidMatrix Websites (alone or in combination) to provide, market, improve, and operate the BidMatrix Websites, BidMatrix Ad Services, and any other products or services we have or may develop. This includes use of the information to:
- Fulfill your requests;
- Send information about our products and services, including marketing communications;
- Respond to your questions, concerns, or customer service inquiries;
- Create aggregated or de-identified information;
- Comply with applicable laws, prevent fraud, mitigate risk, and perform similar purposes;
- Understand usage trends and preferences;
- Analyze, improve, and provide products and services;
- Customize the content and advertising you see on the BidMatrix Websites, across the Internet, and elsewhere; and/or
- Perform other purposes at your request.

We may share the information we collect through the BidMatrix Websites in the following situations:

- With your consent, including through this Policy;
- With our affiliates;
- With third parties that help us to operate our business and provide our services, such as entities that provide us with technical, customer, billing, administrative, event planning, marketing, or operational services;
- As part of a business purchase, sale, merger, consolidation, investment, change in control, transfer of all or substantially all of our assets, reorganization or liquidation, bankruptcy, or in connection with steps taken in anticipation of such an event (e.g. due diligence);
- When required by law or in response to lawful process, such as a subpoena, or to cooperate in good faith with a request from a government or law enforcement agency or official, including for purposes of national security and law enforcement;
- If we believe sharing the information may prevent physical, financial or other harm, injury, or loss; or
- If we believe sharing the information is necessary to protect our, or any other person’s or entity’s, interests, rights, property, or safety, or in connection with an investigation of suspected or actual unlawful activity.

With respect to aggregated or de-identified information, we may share such information without restriction.

For the purpose of designing our website in line with your needs, evaluating it from a business management perspective, controlling it and continuously optimizing our pages, we use services described in more detail below on the basis of Art. 6 Para. 1 lit. a) and f) GDPR. All of the mentioned processing operations result in a transfer of data to the servers of the providers of tracking or targeting technologies commissioned by us. Some of these servers are located in the USA. The data transfer is based on so-called standard contractual clauses of the EU Commission or under the EU-US Privacy Shield.

If you do not agree with the storage and evaluation of your data, you can object to the storage and processing of your data in the consent banner on our website. In this case, a so-called opt-out cookie will be stored in your browser, which means that the services used will not process any session data. However, you may then no longer be able to use all the functions on our websites.

You can also prevent the storage of cookies by adjusting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of our websites to their full extent.

We use the reCaptcha service of Google LLC (“Google”), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to protect us from spam and misuse.

We use this processing on the basis of Art. 6 para. 1 lit. f) GDPR.

This service serves to distinguish whether an entry was made by a human being or abusively by automated, machine processing. To determine this, Google places a cookie in your browser when you use the reCaptcha service and collects and processes the following data:

- Referrer URL (address of the page on which the captcha is used)
- Browser, browser size and resolution, browser plug-ins, date, language setting
- Mouse- or Touch-Events within the reCaptcha box
- Assignment to a Google account (if you are currently logged in to Google when using the reCaptcha service, this will be recognized and assigned)

Your input behaviour (e.g. answering the reCAPTCHA question, input speed into the form fields, order of selection of input fields by the user) is processed to improve pattern recognition on Google.

Google also reads the cookies from other Google services such as Gmail, Search and Analytics. All of the above data is sent to Google in encrypted form. Google’s subsequent evaluation decides in which form the captcha is displayed on the page – in the form of a checkbox or by text input. A readout or saving of personal data from the input fields of the respective form does not take place. Further information about Google’s privacy policy can be found at https://www.google.com/policies/privacy/ .

BidMatrix uses Google Universal Analytics, a web analytics tool from Google. Google is certified under the Privacy Shield Agreement (https://www.privacyshield.gov) and we have a privacy agreement with Google.

Google uses Cookies. The information generated by the Cookies on the use of the BidMatrix website by the users are usually transmitted to a Google server in the USA and stored there. However, BidMatrix has activated the IP anonymisation, so that your IP address will be shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before this happens. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of BidMatrix, Google will use this information to evaluate your use of the website, to compile reports on the website activities and to provide further services to us in connection with the use of the website and the Internet. The IP address transmitted by your browser within the framework of Google Analytics is not combined with other data from Google.

We use this processing on the basis of Art. 6 Par. 1 lit. f) GDPR for range measurement and evaluation (so-called statistics). In this case there is no further processing of your data for marketing or retargeting purposes. This serves the business optimisation of our processes. If you have given your consent (Art. 6 para. 1 lit. a) GDPR), we will also process your data for marketing purposes.

You can find more information on terms of use and data protection at https://www.google.com/analytics/terms or https://marketingplatform.google.com/about/.

We would like to point out that on this website Google Analytics has been extended by the code "gat._anonymizeIp();" in order to ensure anonymous processing of IP addresses (so-called IP masking).

If you do not agree with the processing of your data by Google Analytics, you can object here: https://tools.google.com/dlpage/gaoptout?hl=de

Generally speaking, we retain the information collected from the BidMatrix Websites and BidMatrix Ad Services for as long as necessary to achieve our objectives as detailed in this Policy, and to comply with our legal obligations, resolve disputes, and enforce our agreements.

If you are a resident of the European Economic Area (EEA), Switzerland, or the United Kingdom (UK), you may obtain a copy of the information we have about you, and correct or amend such information, by contacting us at privacy(at)smaato.com. You may read more about this and other rights in Section 11 below.

We have administrative, technical, and physical safeguards in place in our physical facilities and in our computer systems, databases, and communications networks that are designed to protect the information from loss, misuse, or alteration. No method of electronic transmission or storage is 100% secure. Therefore, we cannot guarantee absolute security of your information.

To assist with data security, you understand that YOU ARE RESPONSIBLE FOR MAINTAINING THE SECRECY OF ANY ACCOUNT CREDENTIALS THAT CAN BE USED TO ACCESS ANY ACCOUNT WITH SMAATO. ANY ACTIONS TAKEN USING YOUR ACCOUNT CREDENTIALS ARE YOUR SOLE RESPONSIBILITY.

This Policy only applies to the BidMatrix Websites and the BidMatrix Ad Services. We are not responsible for the privacy practices or disclosures of websites, developers, or apps that access or use the BidMatrix Websites or BidMatrix Ad Services. Likewise, when you access the BidMatrix Websites, you may be directed to other websites that are also beyond our control. We encourage you to read the applicable privacy policies and terms and conditions of such third parties and websites, and the industry tools that we have referenced in this Policy.

The BidMatrix Websites and BidMatrix Ad Services are provided, supported, and hosted in the United States, and their operation is governed by United States law. If you are using the BidMatrix Websites or BidMatrixAd Services from outside the United States, be aware that your Information may be transferred to, stored, and processed in the United States and other countries where our facilities are located. The data protection and other laws of the United States might not be as comprehensive as those in your country. By using the BidMatrix Websites or BidMatrix Ad Services, you consent to your information being transferred to our facilities and to the facilities of those third parties with whom we share your information as described in this Policy.

Please see Section 11 below, titled “The EU General Data Protection Regulation (GDPR)” for additional information we provide for the benefit of residents of the EEA, Switzerland, and the UK.

We do not currently recognize or respond to browser-initiated Do-Not-Track signals, as there is currently no industry-wide consensus as to uniform Do-Not-Track standards, implementations, or solutions. Please review Section 4 above, titled “Consumer Control and Opt-Out Options,” for information about your marketing choices.

As of May 25, 2018, a new data privacy law known as the EU General Data Protection Regulation (the “GDPR”) will be in effect through the EEA, Switzerland, and the UK. The GDPR requires BidMatrix and those using our services to provide users with certain information about the processing of their “Personal Data.” “Personal Data” is a term used under the GDPR that means, generally, data that identifies or can identify a particular unique user or device – for instance, names, addresses, Mobile IDs, and precise location data.

To comply with the GDPR, we provide the below representations and information, which are specific to persons located in the EEA, Switzerland, or the UK and to the processing of personal data in the context of the activities of BidMatrix, Inc., Barcastraße 5, 22087 Hamburg, Germany.

The GDPR requires us to tell you about the legal ground we are relying on to process any Personal Data about you. The legal grounds for us processing your Personal Data for the purposes set out in Sections 1 and 2 above (and Section 5 as to the BidMatrix Websites) will typically be because:

- You provided your consent. In order to store and gain access to information stored on your device, we rely on your consent. For this “cookie consent” (which applies not only to “cookies” but also to Mobile IDs), we rely on mobile app developers and oblige them contractually to pass on only legally obtained data. We do so to fulfill our obligations under the ePrivacy Directive. We may choose to obtain consent in other cases as well, in which case we will adhere to applicable laws relating to such consent and its withdrawal;
- The processing is in our legitimate interest. In some cases, we rely on legitimate interest as a legal basis for processing Personal Data, in order to provide our and/or other data controllers’ services. Such processing goes beyond the original collection of Mobile IDs. A legitimate interest we rely on, for instance, is the tailoring of promotional communications within mobile apps and services, which is beneficial to End Users and is an integral part of the ecosystem by which freely available content is funded through advertising revenue. This also may include providing analysis of and reporting about ad campaigns. We also rely on legitimate interest when we use Personal Data to maintain the security of our services, such as to detect fraud or to ensure that bugs are detected and fixed;
- Contractual relationships. Sometimes, we process certain data as necessary under a contractual relationship we have (such as our customer records and contact information);
- Legal obligations. Finally, some processing of data may be necessary for us to comply with our legal or regulatory obligations.

As BidMatrix is a global company and works with other global companies and technologies, we may need to transfer your Personal Data outside of the country from which it was originally provided. For instance, we may transfer your data to third parties that we work with who may be located in jurisdictions outside of the EEA, Switzerland, or the UK, and which may have data protection laws that are less strict in comparison to those in Europe.

When we transfer Personal Data outside of the EEA, Switzerland, or the UK, we take steps to ensure appropriate safeguards are in place to protect your Personal Data.

Your Personal Data will only be transferred to third countries outside the EEA, Switzerland or the UK within the legally permissible framework. We transfer Personal Data to third countries outside the EU/EEA (a) as stipulated by law or based on your consent, (b) based on the adequacy decisions of the European Commission (a public and updated list of these countries can be found here) and (c) by contractual regulations such as the EU Standard Data Protection Clauses (a public and updated list of these clauses can be found here). These safeguards shall ensure an adequate level of protection of your Personal Data and you can access further details regarding these safeguards upon request.

BidMatrix also complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, the “Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union (EU), the UK, and Switzerland to the United States. BidMatrix has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement with respect to such Personal Data. When BidMatrix transfers Personal Data protected by the Privacy Shield Principles to a third party acting as an agent on BidMatrix’s behalf, BidMatrix has certain liability under the Privacy Shield if both (a) the agent processes the Personal Data in a manner inconsistent with the Privacy Shield and (b) BidMatrix is responsible for the event giving rise to the damage. With respect to compliance with the Privacy Shield, BidMatrix is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

If there is any conflict between the terms of this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit this page.

If you have any questions or complaints about BidMatrix’s privacy practices, you may contact BidMatrix at the contact information in Section 14 below, titled “Contacting Us,” and we will work with you to resolve your issue. If you are a resident of the EU, UK, or Switzerland, you may also contact your appropriate European Data Protection Authority, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner, respectively, with questions or complaints about our privacy practices.

If you are a resident of the EU, UK, or Switzerland and are dissatisfied with the manner in which we have addressed your concerns about our privacy practices, you may seek further assistance from our independent recourse mechanism, the JAMS EU-U.S. and Swiss-U.S. Privacy Shield Program, which we offer to you for concerns related to our compliance with the Privacy Shield Principles and general privacy practices:

https://www.jamsadr.com/eu-us-privacy-shield

Claims shall be arbitrated free of charge by our arbitration provider, JAMS, though each party shall be responsible for its own attorneys’ fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles.

Under certain conditions, residents of the EU, UK and Switzerland who have unresolved complaints after: (1) contacting BidMatrix to resolve the issue; (2) seeking assistance from our independent recourse mechanism; and (3) contacting the U.S. Department of Commerce (either directly or through a European Data Protection Authority, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner) and affording the U.S. Department of Commerce time to attempt to resolve the issue, may elect to invoke binding arbitration through the Privacy Shield arbitration process, more fully described on the Privacy Shield website.

As a general matter, we retain your Personal Data for only as long as necessary to provide our BidMatrix Ad Services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements. We generally render Mobile IDs inactive within 13 months, provided that we may retain them if we have a legal or significant operational need to do so, such as for auditing, corporate record-keeping, compliance accounting, or bug-fixes.

If you are a Client of ours and thus have an account with us, we will typically retain your business-to-business Personal Data for a period of 3 years after you have requested that your account be closed, or such account has been inactive.

The GDPR provides you with certain rights in respect to Personal Data that data controllers hold about you, including certain rights to access Personal Data, to request correction of the Personal Data, to request to restrict or delete Personal Data, and to object to our processing of your Personal Data (including profiling for online ad targeting).

Right to Access: If you wish to exercise your right to access Personal Data we process as a data controller, you may do so by requesting access through the e-mail address privacy(at)smaato.com. When we receive your request, we will provide you with current, step-by-step instructions to follow in order to obtain access. We will then assess requests to exercise data access rights on a case-by-case basis; in doing so, we consider the difficulty of verifying whether a mobile identifier and data we have linked to it truly and solely belongs to the data subject making the request, as well as the potential adverse effects on disclosure of personal data to the wrong individual. Because such improper disclosure would likely adversely affect the privacy rights and freedoms of the data subject, we may limit the Personal Data we make available. Please note that we will only grant requests submitted via email for Personal Data for which we are a data controller, as explained further below. Where we act as a data processor for one of our Clients, we will refer your request to that Client. Please identify the Client your request refers to (if possible), to simplify this process.

Right to Correct: If you wish to exercise your right to correct Personal Data, you may do so by contacting us at the contact information below.
Right to Object to Processing or to Withdraw Consent: By using the device-based “opt-out” signals described in Section 4(b) above, you may withdraw consent for processing on which we rely on consent. If you do so, we will cease processing your Personal Data for purposes of our services within 30 days or less. We either collect these opt-out signals ourselves or receive them from the mobile apps we work with.
Right to Erasure. You also have the right to obtain the erasure of Personal Data concerning you that we hold as a data controller. The above opt-out process satisfies this right. When an End User opts-out through device settings, and we receive this signal from our Clients, the Personal Data we use to provide our services will be deleted within 30 days (if you have an Android device) or permanently rendered disconnected to your device (if you have an iOS device). We will also manually delete your Personal Data, subject our identity verification process mentioned above, if you prefer that we do so; please contact us at privacy(at)smaato.com for further instructions on exercising this right manually. Please note, however, that we may retain copies of certain Personal Data on inactive or back-up files, for our own internal and necessary purposes, such as auditing, accounting and billing, legal, or bug detection. We will retain your Personal Data for the period necessary to fulfill any important purposes that we have in retaining it, principally regarding legal, auditing, accounting, and billing obligations.
Right to Lodge Complaints. You have the right to lodge a complaint with a supervisory authority. However, we hope that you will first consult with us, so that we may work with you to resolve any complaint or concern you might have.

EU data protection law makes a distinction between organizations that process Personal Data for their own purposes (known as “data controllers”) and organizations that process Personal Data on behalf of other organizations (known as “data processors”). If you have a question or complaint about how your Personal Data is handled, we encourage you to direct your inquiry to the relevant data controller, since data controllers hold primary responsibility for your Personal Data.

BidMatrix may act as either a data controller or a data processor in handling your Personal Data, depending on the precise circumstances. For instance, for Personal Data that we use internally and independently to operate the BidMatrix Ad Services, and for Personal Data that we collect about our Clients, we are a data controller. But when we handle Personal Data strictly on behalf of our Clients or Partners in order to provide our services to them, we are a data processor. Thus, for instance, if you have questions about data that is used primarily by a mobile app on which our technology is embedded – or companies that serve ads that use our technology – you should contact those companies regarding questions about the Personal Data they handle and control.

This data protection information applies to data processing by the data controller BidMatrix Inc. for users based in the European Economic Area, Switzerland or the UK, unless otherwise stated in a service-specific data protection notice.
BidMatrix, Inc.
240 Stockton Street, 9th Floor
San Francisco, CA 94108

Barcastraße 5, 1st Floor
22087 Hamburg, Germany

E-mail: privacy(at)smaato.com
Our Data Protection Officer:
Fieldfisher Tech Rechtsanwaltsgesellschaft mbH
Am Sandtorkai 68
20457 Hamburg

The Hamburg Commissioner for Data Protection and Freedom of Information

Ludwig-Erhard-Str 22, 7th floor
20459 Hamburg
Tel.: +49 (040) 42854-4040
E-mail: mailbox(at)datenschutz.hamburg.de
12. Our Memberships and Affiliations
To help and foster the protection of consumer privacy, BidMatrix is an active member or participant of industry associations that govern the policies on consumer privacy in the context of internet-based advertising, including: the Interactive Advertising Bureau (IAB) America and Europe, the Digital Advertising Alliance (DAA), and the European Interactive Digital Advertising Alliance (EDAA).

BidMatrix participates in, and complies with the policies and technical specifications of, the IAB Europe Transparency and Consent Framework (IAB TCF). BidMatrix’s IAB Europe-assigned identification number is Vendor ID #82.

Please see Section 4 above, titled “Consumer Control and Opt-Out Options,” for more information about your privacy choices.

We may occasionally update this Policy to reflect changes to our privacy practices. The amended Policy will be displayed on the BidMatrix Websites. Please check our Policy regularly to ensure you have read the latest version and to stay informed of our privacy practices. Your continued access to and use of the BidMatrix Websites and BidMatrix Ad Services constitute your acknowledgement of this Policy and any updates.

If you have any general questions regarding this Policy, you may contact us by email at privacy(at)smaato.com or mailing the following address:

BidMatrix, Inc.
240 Stockton Street, 9th Floor
San Francisco, CA 94108