Effective Date July 2nd, 2026
Table of Contents
About this Notice
Criteo and its affiliates (“we”, “us”, “our”) are committed to respecting and protecting the privacy of its clients, prospective clients, partners and suppliers.
This Notice explains how we collect, use, disclose, and protect personal data relating to you in the context of (1) the processing of your personal data by Criteo on any of Criteo’s websites (including criteo.com and criteo.investorroom.com) and/or (2) the processing of your personal data as part of our business relationships with our clients, prospective clients, partners and suppliers.
We kindly ask you to take the time to carefully read this Notice. It is particularly important to us that you fully understand our data usage practices and how you can exercise your rights regarding your personal data.
This Notice is intended to comply with applicable data protection and privacy laws in the countries where we operate, including the General Data Protection Regulation (GDPR) and equivalent national laws in the European Economic Area and the United Kingdom. In the United States, this Notice serves as a Notice at Collection of your personal information according to applicable US State privacy laws. In case of conflict between this Notice and applicable local law, local law will prevail.
Who is the controller of your data?
Depending on your location and contracting entity, the data controller (or “business”) responsible for your personal data will be Criteo SA and/or the relevant affiliated group company. Where appropriate, these entities act as joint controllers (or “businesses”) and cooperate to ensure your personal data is processed in compliance with applicable data protection laws.
Click here to view the list of the Criteo Group entities
What data do we collect about you?
“Personal data” includes data that directly identifies you (e.g., your name), data that indirectly identifies you (e.g., your device ID), and data that can be linked to you.
As part of your relationship with us, we collect and use the following categories of personal data:
| Category | Details |
| Identification and contact data | Name, position, professional phone number, company name, company address, location, payment and billing data, professional email address (e.g., when you use the “Contact Us” form or when you write to a Criteo team member) |
| Communication data | Reason for reaching out to Criteo and contents of communications with Criteo (e.g., correspondence with our sales team or requests you send to us), date and time of communication, status of request received by Criteo |
| Criteo account credentials | Username, password and service used (if you have a Criteo account) |
| Testimonial data | Data included in testimonials about your use of Criteo services |
| Browsing data | Internet protocol (IP) addresses, device ID, browser type, Internet service provider (ISP), referring/exit pages, files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data |
| Identifiers | Cookie ID, device ID, IP address, hashed email address |
| Coarse location data | Approximate location based on IP address |
| Usage data | Time, date and content of your interactions with Criteo Services, browsing data and data linked to your Criteo account, if you have one |
| Email delivery and engagement data | Information about whether an email was delivered, bounced, opened, whether links in the email were clicked, the date and time of these events, and related technical information used to measure email performance and deliverability |
Categories of personal data we do not collect
| Category | Details |
| Sensitive data | We do not knowingly collect, sell, share or process any special categories of data as defined under the GDPR or any sensitive personal information as defined under the CCPA. |
| Children data | We do not knowingly collect, sell, share or process personal data about data subjects under the age of 16 or the permitted legal age if higher. |
| Precise location data | Criteo does not collect your precise geolocation, for instance based on your GPS location. Criteo only collects and uses coarse location data derived from your IP address. |
We collect your personal data directly from you (e.g., during events, when you contact us, during our business relationship) but also through automated means (e.g., when you browse one of Criteo’s websites). When we ask you to provide your personal data, we clearly state where its collection is mandatory. We appreciate your cooperation in providing us with complete, accurate, and up-to-date data.
How do we use your data?
We use your data for the following purposes:
| Purpose | Details | Legal basis | Data used |
| Responding to inquiries | Responding to inquiries you may send to us by email, through our contact form or our chat feature. | Legitimate interest to conduct our business activities | Identification and contact data
Communication data
|
| Managing commercial relationships with clients, partners and suppliers | Monitoring contractual engagement to provide our services as well as billing. | Contract performance and/or legitimate interest to conduct our business activities | Identification and contact data
Criteo account credentials
Communication data
|
| Sending service-related communications | Sending emails related to your account and our business relationship, including onboarding, support, billing and security. | Contract performance and/or legitimate interest to conduct our business activities | Identification and contact data
Communication data
|
| Sending B2B marketing materials by email | Promoting Criteo’s services and invitation to events. | Consent and/or legitimate interest to advertise our services | Identification and contact data
Communication data
|
| Organizing Criteo events | Organizing and following up with the attendees of Criteo events. | Consent and/or legitimate interest to organize events promoting our activities | Identification and contact data
Communication data
|
| Providing Criteo Services | Managing access to our platforms and solutions. | Legitimate interest to conduct our business activities | Identification and contact data
Criteo account credentials
Usage data
|
| Analyzing the performance of our services | Analyzing how you use our services and your interactions with Criteo teams. | Legitimate interest to analyze the performance of our services | Identification and contact data
Communication data
Usage data
Testimonial data
|
| Ensuring email deliverability, performance and engagement with business communications | Using email technologies, including tracking pixels and link tracking, to understand whether those emails are delivered, opened and engaged with, to improve deliverability, reduce unnecessary communications, and improve the relevance and effectiveness of our business communications. | Legitimate interest to analyze the performance of our services and/or consent | Identification and contact data
Communication data
Usage data
Coarse location data
|
| Keeping our website and services safe and secure | Implementing measures in order to block bot attacks and identify fraudulent activity. | Legitimate interest | Usage data
Browsing data
Identifiers
Coarse location data
|
| Publishing testimonials on our website | With your consent, processing your data to publish your testimonials on our website. | Consent | Identification and contact data
Testimonial data
|
| Personalizing your user experience on our website in accordance with your preferences | For this purpose, we use cookies that enable us to provide you enhanced functionality and personalization, to recognize you and remember information you have entered during your browsing on our website (such as language choice, country you are browsing from, or browser type).
A full list of cookies we use for this purpose is available by clicking on “Cookie Management” at the bottom of any page of our website.
| Consent and/or legitimate interest to improve user experience | Browsing data
Usage data
Identifiers
Coarse location data
|
| Analyzing how our website and services are used | For this purpose, we use cookies that allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and see how visitors move around the website.
A full list of cookies we use for this purpose is available by clicking on “Cookie Management” at the bottom of any page of our website.
| Consent and/or legitimate interest to analyze how our website and services are used | Browsing data
Usage data
Identifiers
Coarse location data
|
| Personalizing online advertising | For this purpose, we use tracking technologies such as cookies, pixels, and social media tags (e.g., Meta Pixel, LinkedIn Insight Tag) to collect and process personal data for personalized advertising and marketing purposes. This enables us to show our advertisements to visitors who are interested in our products on partner websites and apps and to measure the effectiveness of our advertising campaigns. Cookies are also set through our website by our advertising partners. The data may be used by those companies to build a profile of your interests and show you relevant adverts on other websites.
Retargeting technologies rely on cookies or similar technologies to display advertisements based on your past browsing behavior.
A full list of cookies we use for this purpose is available here.
| Consent | Identifiers
Browsing data
Coarse location data
|
| Managing our social media pages | Managing our LinkedIn, YouTube, Instagram and X pages. We act as joint controllers with these social media platforms. | Legitimate interest to manage our social media accounts | Identification and contact data
Communication data
Identifiers
|
| Exercising and defending our rights | Exercising and enforcing our rights, including before courts and administrative authorities. | Legitimate interest to exercise and defend our rights | Identification and contact data
Communication data
Testimonial data
Criteo account credentials
Browsing data
Usage data
|
| Complying with our legal obligations and internal control requirements (including accounting and auditing) | Complying with applicable legal requirements, particularly in the field of compliance, tax, anti-corruption, anti-money laundering and know your customer, health and safety, export controls and trade, reporting, whistleblowing and accounting. Complying and verifying compliance with our internal control requirements. | Compliance with legal obligations and legitimate interest to ensure compliance with our internal control requirements | Identification and contact data
Communication data
Testimonial data
Criteo account credentials
Browsing data
Usage data
|
Our processing operations do not involve automated individual decision-making within the meaning of Article 22 of the GDPR, i.e. decision-making based exclusively on automated processing, including profiling, which produces legal effects or significantly affects you in a similar way.
How long do we keep your data?
Personal data processed for the purposes described above will be stored only to the extent necessary during the term of your business relationship with Criteo, during a transition period (e.g., for the compliance of Criteo’s obligations regarding data retention as established in the applicable laws), or for purposes of documenting the business relationship (e.g., vis-à-vis authorities, etc.).
Business records are typically retained for 5 years after the termination of the business relationship. Data processed for accounting purposes will typically be retained for a period of 10 years, in accordance with applicable law. Data collected via cookies and trackers are retained for a maximum of 13 months.
If a judicial action is initiated, personal data may be stored until the end of such action, including any potential periods for appeal, and will thereafter be deleted or archived as permitted by applicable law.
How do we protect your data?
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures are designed to ensure a level of security appropriate to the risk presented by the processing of your personal data.
We maintain physical, electronic, and procedural safeguards to protect your personal data, including:
- Access controls to systems and data on a need-to-know basis
- Encryption and secure storage of data where appropriate
- Regular monitoring and testing of our security measures
- Training and awareness programs for employees regarding data protection and information security
- Procedures for responding to suspected data breaches
We also require our service providers and partners who process personal data on our behalf to implement appropriate security measures in line with applicable legal requirements and best practices.
Who do we share your data with?
We only share personal data where necessary to operate our services, as required by law or to defend or exercise our rights, and we take measures to ensure these recipients protect your data.
| Category | Description |
| Our affiliates and subsidiaries | As necessary in connection with our business operations. |
| Acquiring entities | If Criteo business is sold or transferred in whole or in part (or such a sale or transfer is being contemplated), your personal data may be transferred to the acquirer or potential acquirer as part of the transfer itself or as part of an initial review for such transfer (i.e. due diligence), subject to any rights provided by applicable law, including jurisdictions where the acquirer or potential acquirer is located. |
| Criteo Business Partners | In connection with business operations, identification, contact and communication data may be transferred to existing or potential business partners, suppliers, customers, or other third parties.
With your consent, Criteo may share your personal data with advertising and social media platforms. A full list of these recipients is available in our Consent Management Platform accessible by clicking on “Cookie Management” at the bottom of any page of our website.
|
| Service providers | Personal data may be shared with one or more third parties to process personal data under appropriate instructions ("data processors").
Data processors may include service providers such as email service providers, customer communication platforms or data hosting providers, and will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard personal data, and to process personal data only as instructed.
|
| Regulators, authorities, and other third parties | As necessary, personal data may be transferred to regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors, outside counsels), insurance providers, internal compliance and investigation teams (including external advisers appointed to conduct internal investigations). |
Please note that some of these recipients may be in countries outside of Europe. In some cases, this may include countries located outside the European Union (“EU”) and/or European Economic Area (“EEA”).
Some countries where recipients are located already provide an adequate level of protection for this data, and transfers to other countries such as the USA may be protected under arrangements such as the EU-US Data Protection Framework.
Otherwise, Criteo will take all necessary measures to ensure that transfers outside of the EU/EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the EU Standard Data Protection Clauses. You can obtain a copy of these safeguards by contacting us (see Who can you contact if you have questions?).
What rights do you have in relation to your data?
Depending on your location, you have several rights in relation to your personal data.
These rights may be limited, including if fulfilling your request requires disclosure of another person’s personal data, infringes on third-party rights, or if we are required to retain your data to comply with our legal obligations.
These rights can be summarized as follows:
| Right | Description |
| Right of access | You have the right to confirm with us whether your personal data is processed, and if it is, to request access to that personal data including a copy of the personal data processed, the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to consider the interests of others though, so this is not an absolute right. |
| Right to rectification | You have the right to request the rectification of inaccurate or incomplete personal data concerning you. |
| Right to erasure | In certain circumstances, you may have the right to ask us to erase your personal data. |
| Right to restrict processing | In certain circumstances, you may have the right to request that we restrict processing of your personal data. |
| Right to object | Under certain circumstances, you may have the right to object, on grounds relating to your situation, to the processing of your personal data by us, and you may require us to no longer process it. You can always object to processing your personal data for marketing purposes. |
| Right to withdraw your consent | You can withdraw your consent to the processing of your personal data. You can withdraw consent to cookies through our consent management platform by clicking on “Cookie Management” at the bottom of any page of our website. |
| Right to data portability | When we process your personal data based on your consent or the performance of a contractual agreement, you have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you may have the right to request that we transmit that data to another entity. |
| Right to give directives for the storage and communication of your personal data after your death | You have a right to give directives for the storage and communication of your personal data after your death, and we will act accordingly. |
| Right to lodge a complaint | You also have the right to lodge a complaint with the competent data protection supervisory authority. In France, this authority is the CNIL. |
To exercise any of these rights, please contact us as stated below (see Who can you contact if you have questions?).
While specific rights and terminology may vary by state, the information below reflects the core protections available under U.S. state privacy laws (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Delaware).
Categories of personal information we collect
The tables under the sections How do we use your data? and Who do we share your data with?
describe our data practices over the past 12 months, including the categories of personal information we have collected, the purposes for which we use it, and the categories of third parties with whom we disclose such information.
Your rights under U.S. state privacy laws
Under U.S. state privacy laws, you may have the following rights regarding your personal information:
| Right | Description |
| Right to know and access | You have the right to request details about the categories and specific pieces of personal information we collect, use, disclose, share, or sell. |
| Right to delete | You have the right to request the deletion of personal information we hold about you, subject to legal exceptions. |
| Right to correct | You have the right to request the correction of inaccurate personal information we maintain. |
| Right to opt-out of ‘sales’ or ‘sharing’ | You have the right to request that Criteo stops selling or sharing your personal information for cross-context behavioral advertising. |
| Right to limit use of sensitive personal information | Criteo does not process sensitive personal information. |
| Right to non-discrimination | You will not be discriminated against for exercising your privacy rights. |
You may exercise your rights directly or through an authorized agent. We may need to verify your identity before processing your request. We respond to all valid requests within the time limits set by law.
To exercise any of these rights, please contact us as stated below (see Who can you contact if you have questions?).
If you have any question regarding this Notice or our use of your personal data, or if you want to exercise your rights, you can contact our Data Protection Officer by email at dpo [at] criteo.com or by postal mail at Criteo – Data Protection Office – 32 rue Blanche 75009 Paris France.
Visiting other websites
Our website includes links to other websites whose privacy practices may differ from ours. If you submit personal data to any of those websites, your information is governed by their privacy statements. We encourage you to carefully read the privacy statement of any website you visit.
Changes to this Notice
We may update this Notice from time to time, notably to ensure it reflects our current data processing activities. If we update this Notice, we will inform you of such an update and provide you with access to the updated Notice.