Platform Privacy Policy

• Scope of this Privacy Policy
• The Semasio Services
• Sources of Personal Data
• Types of Personal Data
• How we use Personal Data
• How our Clients use Personal Data
• Personal Data Sharing and Disclosure
• Our Legal Basis
• Your Right to Opt-Out or Withdraw Consent
• Additional Privacy Rights
• How Long We Retain Personal Data
• How We Protect Your Personal Data
• International Data Transfers
• CCPA Metrics
• Changes to this Privacy Policy
• Contact Information

This privacy policy describes how Semasio collects, uses, and discloses personal data in providing consumer data products and services to clients through the Semasio Platform.

We also operate corporate websites, designed for our own clients and prospective clients, and others who want to learn about our Services. We address personal data we collect on our corporate website and personal data we collect for business-to-business purposes in our Business Services Privacy Policy. Data collected on our corporate websites is not incorporated into our Services. Please visit our Business Services Privacy Policy if you wish to opt-out of any data collected on through your visit to our corporate webpages.

Semasio operates globally, including in Europe and the United States, and processes personal data in accordance with this privacy policy. The General Data Protection Regulation (“GDPR”) sets standards for data protection in Europe. In the United States, the California Consumer Privacy Act as amended (“CCPA”) provides certain rights to residents of California. Other states’ laws (upon becoming effective) provide similar (though not identical) rights to their own residents. Semasio closely follows the development of data protection regulation in Europe, the United States, and in the rest of the world.

Please note that this privacy policy does not apply to your personal data when we act as a service provider or processor on our clients’ behalf. When we are in this role, our clients decide how and why your personal data should be used and you should contact our client directly regarding your privacy choices. Additionally, our clients may have privacy obligations in connection with personal data they share with our Services or process on our Platform. Information about these circumstances is set forth in Section 6 below.

The Semasio Platform (the “Platform”) enables our clients to understand consumers and the webpages they visit. Through natural language processing and advanced semantic targeting, the Platform utilizes advanced semantic understanding of page and content meaning.

The Platform also ingests personal data collected from individuals’ online activities. This personal data may be collected through Semasio’s own tracking technologies (“Tracking Points”), or the data may be sourced from tracking points maintained by third parties. From these data points information may be derived and stored using a cookie set in the user's browser or identifier in a mobile device for identification. Semasio collects and stores online identifiers (“Cookie IDs”) and mobile advertising identifiers ("MAIDs”). Cookies are small files that enable Semasio to store information related to an internet user, on a personal computer or another device from visits to websites, and to “remember” a particular individual, on a particular web browser. Similarly, a MAID is a unique identifier that iOS or Android assigns to each mobile device and that can be used to connect mobile activity back to a specific individual.

Semasio synchronizes these identifiers with additional personal data associated with the same individual which is shared with Semasio by its commercial data sources or clients. This process may constitute profiling as defined by applicable law in certain territories. Semasio does not, however, carry out profiling in furtherance of automated decisions that produce legal or similarly significant effects or automated decision-making as defined under the GDPR (Art. 22 GDPR).

As further described in Section 5 below, the Platform enables our clients to create audience segments which are used by our clients to deliver online advertising to specific users (targeted advertising) or to create contextual segments which are used by our clients to deliver online advertising to specific websites (contextual advertising). Semasio also licenses (or “sells” as defined under certain US state privacy laws) the personal data it collects, for targeted advertising, and for various data modeling, research, and analytics purposes.

Semasio Advertising Industry Frameworks

Europe

Semasio is inspected and certified by ePrivacy GmbH and adheres to the Principles of the EDAA Online Behavioural Advertising (OBA) Framework.

United States

Semasio is a member of the Network Advertising Initiative (NAI).

Global

• Semasio receives personal data from the categories of third-party data sources listed below (“commercial sources”). The commercial sources supply personal data which may originate online or offline and which may or may not involve Tracking Points.
• Consumer data compilers and resellers
• Advertising networks and publishers
• Advertisers and agencies
• Semasio also receives personal data from our affiliates who receive personal data from the same categories of commercial sources. A list of our affiliates is here.
• Semasio’s clients may place Semasio Tracking Points on their digital properties to collect personal data related to their advertising campaigns. Where Semasio Tracking Points are used, our clients control the placement of our Tracking Pixel on their digital properties. You are under no obligation to provide your personal data to us via a Semasio Tracking Point. The Semasio opt-out page can be accessed here.

The Services do not utilize directly identifiable data such as your name, home address, phone number, or government identifiers such as your social security number. When our commercial sources share personal data that originated in directly identifiable form, it is pseudonymized before we process the data for the purposes described in Section 5 below. This means the directly identifiable information is removed and replaced with identifiers. This process allows us to connect your identifiers to other pseudonymous data about you in our databases.

From our commercial sources, we collect and store the following categories of personal data:

• Online Identifiers, such as Cookie IDs, MAIDs, IP addresses, user IDs, or other online identifiers
• Internet or other electronic network activity information based on your browsing activity, such as behavioral or interest data such as web pages, content, or advertisements viewed or clicked on, and time stamps
• Commercial or transactions information, such as products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies (note we do not collect any payment information such as credit card details)
• Survey or volunteered data, such as self-reported information provided by individuals to the commercial sources regarding interests, opinions, activities, or characteristics, including household data such as the number of household members, number of earners in the household, or household income level
• Professional or employment information, such as current or past field of employment
• Demographic information, such as age, gender, or occupation

Inferences
Our commercial sources also share inferred data, which means they have made certain inferences about a consumer’s preferences, interests, characteristics, or attitudes prior to sharing the personal data with us. Inferred data may also include inferences regarding your general (not precise) location based on IP address. Using our technology and data in the Platform, users of our Platform can also create similar inferences inside our Platform, provided that in processing personal data in the Platform, users are prohibited from creating sensitive inferences that could be deemed to be sensitive personal data.

Children
We do not knowingly collect personal data of individuals under the age of 18. We use reasonable efforts to remove the data of such individuals from our databases based on the applicable laws in the relevant jurisdiction. If you are a parent or guardian and believe we have collected data of a minor under the legal age in a particular jurisdiction, please contact us at privacy@semasio.com. If we learn we have inadvertently collected such data, we will promptly delete the data.

Special or Sensitive Categories of Personal Data
Except as otherwise described in this privacy policy (see Section 5), we do not knowingly collect personal data deemed “sensitive” or a “special category of personal data” where not permitted to do so under applicable privacy laws in the relevant jurisdictions where the Services operate (“sensitive personal data”). The meaning of sensitive personal data differs by jurisdiction, but often means data that reveals your race, religion, ethnicity, sexual orientation, gender identity, political or philosophical beliefs, or a medical condition or diagnosis; it sometimes includes any information about health or sexuality, or trade union membership. These categories sometimes overlap with characteristics of protected classifications under California or other US law.

Semasio uses and sells personal data to enable our clients (and their end clients) to perform, analyze and measure online marketing campaigns. Personal data is used to create audience segments, for consumer insights for digital and other advertising purposes, and to model contextual segments. Advertising campaigns are delivered by third party platforms. For targeted advertising delivery, lists of Cookie IDs/MAIDs are sent via our data centers to real-time bidding or other platforms that activate on audience segments to deliver advertising campaigns.

We have included a detailed description of these purposes in the following. We have also included references to our purposes under the IAB Framework.

The commercial purposes for which we use personal data

a. For Interest Based Advertising
Our Services include creating data products and providing datasets to our clients and making such datasets available to other advertisers or agencies for purchase via third party platforms, generally regarding which consumers are most likely to be interested (or disinterested) in certain offers.

• Users of our Platform may create defined audience segments (“audience segments”) for the purpose of targeted advertising based on common demographics and/or shared (actual or inferred) interests or preferences (e.g., if a particular consumer is relatively likely to enjoy a particular type of travel, be a “green” consumer, or enjoy particular types of music).
• This includes processing, creating or supplementing user profiles on our Platform for the purpose of creating audience segments. Creation of audience segments includes the creation of “lookalikes” where the audience segments are created by inferring that individuals in the audiences may have similar interests as individuals who have expressed an interest in the particular topic of the advertisement.
• The audience segments created on our Platform are delivered to third party platforms for activation via real-time bidding to reach individuals who may be interested in the topic of the advertisement.
• Semasio does not support the creation of audience segments that would reveal sensitive personal data of individuals in violation of applicable laws, including that would convey information or enable inferences about a consumer’s health. Semasio regularly reviews its syndicated taxonomy of audience segments for compliance with applicable laws and the NAI code of conduct as applicable. Semasio does not support personalized advertising on sensitive personal data such as sensitive health areas or sexual orientation as defined by applicable laws.

Where our clients operate the Platform in a self-service capacity and create custom audience segments, our clients are required to comply with applicable contract terms and policies, and they are responsible (as a data controller) for the audience segments they create.

Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Create profiles for personalized advertising”.

b. For Matching or Linking Personal Data from Different Sources.

• The Services may identify and link browsers and devices likely to be associated with you so that ads and ad campaigns can be targeted, capped, analyzed, measured and sequenced across those devices. For example, audience segments may help our clients avoid showing you ads for the shoes you were looking at on your phone but that you already purchased on your tablet. Instead, our clients may want to show you ads for an upcoming triathlon where you can put those shoes to work.
• We may also create or use “identity” graphs or tables to connect identifiers and signals that correlate with individual consumers to help our clients locate consumers across various channels or devices based on common personal, device-based, or network-based identifiers (e.g. cookie IDs, IP addresses, or hashed emails).

Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Understand audiences through statistics or combinations of data from different sources”.

c. For Insights or Analytics Purposes.

• Our Services help our clients identify and understand their own customers and prospective customers better, by providing insights about them. Our databases help our clients get a full view of their customers and prospective customers to help them predict future buying behaviors, build brand loyalty, predict trends in the marketplace, or for other media consumption or business intelligence purposes.
• This includes generating insights on audiences allowing our clients to better understand the composition of an audience. This may also include enabling clients to see which user IDs have seen one or more URLs from a certain list.

Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Understand audiences through statistics or combinations of data from different sources“.

d. For Modeling Contextual Segments.

• Users of our Platform may analyze personal data to identify highly indexed contextual segments. This also includes processing, creating or supplementing user profiles on our Platform for the purpose of creating the contextual segments. The contextual segments that result from this modeling process do not include personal data but instead are lists of websites (URLs) our clients wish to target (or exclude) corresponding to a semantic topic (“contextual segments”). Our contextual segments are used by third party platforms to deliver advertising campaigns to relevant websites rather than to audiences of relevant individuals.
• Sensitive personal data may be used as seed data to model contextual segments. Our commercial sources (including advertisers) are required to comply with all applicable laws in sharing any personal data with Semasio. We contractually require our commercial sources who supply sensitive personal data to obtain (explicit) consent from individuals to use the data for the purpose of modeling contextual segments.

Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Create profiles for personalized advertising”, “Understand audiences through statistics or combinations of data from different sources“.

The business purposes for which we use personal data

e. To Develop and Improve our Services.

We also use your personal data for our own internal purposes, such as to operate, analyze, improve, test, update and verify our Services; and develop new products.

Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Develop and improve services“.

f. For Other Internal Purposes.

We also may use personal data for auditing for legal and other compliance purposes, aiding in ensuring security and integrity to the extent the use of personal data is reasonably necessary and proportionate for such purposes, debugging to identify and repair errors that impair existing intended functionality, short-term and transient use, and for the establishment, or the exercise or defence of legal claims.

Our clients often include advertisers and agencies who act on behalf of advertisers.

Our clients are responsible for their own personal data processing activities, including when they operate our Services through self-service access to our Platform or when they supply personal data to the Platform for their advertising and marketing purposes.

While we generally act as a data controller, in limited circumstances we may act as a data processor or service provider to our clients in accordance with the client’s instructions and use that personal data only for the client.

Semasio discloses personal data in the form of audience segments to third party marketing services providers and platforms such as demand side platforms that activate on the data to deliver advertisements for their clients, as well as service providers that help us provide the Services we have described above (or other Services we may add in the future). Semasio may also disclose personal data as further described in this privacy policy, including this Section 7.

• Sharing With Marketing Platforms
  We disclose audience segments to third party marketing platforms who are typically intermediaries or resellers and who may further combine the personal data with other datasets or license the personal data or derived data they create to their own clients (who may also be our clients), including to help provide more tailored targeted marketing, advertising, and communications. Likewise, we may share personal data with third party marketing platforms for analytics purposes, including to help them or their or our clients analyze campaign performance, inform future campaigns, or to handle, analyze, or combine the personal data.
• Sharing With Clients
  Our clients include (but are not limited to) brands who use personal data to market and advertise to their own customers (and prospective customers); advertising agencies; and/or other data compilers, who work with their own clients. Our platform and services can be used by advertisers in any industry sector. We typically do not disclose any raw data, including personal data, directly to clients. Clients with self-service access to the Semasio Platform are able process personal data in the Platform through dashboard tools and such clients may transfer audience segments from the Semasio Platform to authorized third party marketing platforms for activation. In limited circumstances, we may share personal data directly with clients (or the client’s service providers or processors, such as a hosting provider or data management platform) subject to permitted use and purpose limitations.
• Sharing With Service Providers
  We may share personal data we collect with our service providers listed here. Our service providers only perform services on our behalf and subject to our instructions. Further information about our service providers can be found in the table below.
• Sharing for Legal Purposes
  We may share personal data with third parties to: (a) comply with legal process or a regulatory investigation (e.g. a subpoena or court order); (b) enforce contract terms or other legal rights, this privacy policy, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of third parties; and/or (d) protect the rights, property or personal safety of us, our platform, our clients, our agents and affiliates, our users and/or the public. We likewise may provide personal data to other companies and organizations (including law enforcement) for fraud protection, and spam/malware prevention, and similar purposes.
• Sharing In Event of a Corporate Transaction
  We may share personal data in the event of a corporate transaction, including for example a merger, investment, acquisition, reorganization, consolidation, bankruptcy, liquidation, or sale of some or all of our assets, or for purposes of due diligence connected with any such transaction.
• Sharing of Aggregate Information
  We may aggregate and/or de-identify any information collected so that such information can no longer be linked to you or your device and thus has become anonymous information as that term or its equivalents are defined under the GDPR or other applicable laws. We may use such anonymous information that is not personal data for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties, including advertisers, promotional partners, and sponsors, in our discretion.
• Sharing With Affiliates
  Subject to Section 13 below (International Data Transfers) may share your personal data with any affiliated or subsidiary companies for any of the purposes described in this privacy policy. A list of our affiliates is here.

Our disclosure, share and sale of personal data under the State Privacy Laws

In the United States, the California Consumer Privacy Act as amended (“CCPA”) provides certain rights to California residents. Other states’ laws provide similar (though not identical) rights to their own residents (collectively, the “State Privacy Laws”). For state residents in jurisdictions where the State Privacy Laws apply, we may disclose, sell and/or share (as those terms are defined under the State Privacy Laws), personal data collected from and about you.

Our Platform is frequently used to share audience segments (whether as part of our own syndicated taxonomy or as custom audience segments created by our clients) for targeted advertising (also known as cross-context behavioral advertising). Accordingly, all of the categories of personal data described in Section 4 above may have been shared or sold for interest-based advertising or related commercial purposes as described in Section 5 above with the categories of third-party recipients identified in the last column of the chart below. Provided, however, that personal data provided to Semasio from its clients or commercial sources for the purpose of modeling Contextual Segments as described in Section 5.d. is not shared or sold. Additionally, we do not knowingly share or sell sensitive personal data.

Information about which category of personal data is shared with whom

The chart describes how and with whom we disclose, sell and/or share personal data, and whether (based on the definition of sell or share in the State Privacy Laws) we believe we have sold or shared a particular category of personal data in the prior 12 months. Where we have sold or shared a particular category of data, it is most frequently in the form of audience segments which include only inferred information and not actual information.

For transparency, we’ve been deliberately inclusive in our terminology, by including within categories both types of third parties (e.g., “clients”) and types of platforms through which clients and other third parties might access data (e.g., “advertising networks”).