Privacy Policy

Effective Date July 17, 2026

Table of Contents

About Criteo

Criteo (“we”, “us”, “our”) provides digital services that enable “advertisers” — like brands and retailers — to promote products and services on websites, apps and other platforms operated by “publishers”.

Criteo displays ads that are the most relevant to Internet users, without directly identifying them, based on products and services they have previously viewed, put in their digital shopping carts or purchased. Criteo can also display ads based on the content of a webpage a user is visiting or the app they are using.

As an Internet user, you may encounter ads for products and services that might interest you on websites, apps, and platforms that use our technologies.

About this Notice

This Ads Privacy Notice (“Notice”) explains how we collect, use, disclose, and protect data when you visit and use websites, apps or platforms that incorporate our technologies. You can find out if an advertiser or publisher uses Criteo by looking up their privacy policy, cookie policy or cookie banner.

This Notice is intended to comply with applicable data protection and privacy laws in the countries where we operate, including the General Data Protection Regulation (“GDPR”) and equivalent national laws in the European Economic Area and the United Kingdom. In the United States, this Notice serves as a Notice at Collection of your personal information according to applicable US State privacy laws.

This Notice only applies to data collected through Criteo’s ad technologies. It does not apply to the use of your data on Criteo-owned websites or in the context of business relationships, which is governed by Criteo’s Corporate Privacy Notice. It also does not apply to the use of your data as part of recruitment processes, which is governed by Criteo’s Job Applicants Privacy Notice.

Who is the controller of your data?

Criteo, advertisers, and/or publishers act as joint data controllers (or “businesses”) for the processing activity consisting in storing or reading information (e.g., cookies, device identifiers) on your device when our technology is used on their properties. Criteo acts as a sole data controller (or “business”) for processing carried out for the purpose of performing its online advertising activities.

Criteo also works with partners when providing its ads services. These partners act as data controllers (or “businesses”) in their own right and process personal data according to their own terms and under their own responsibility.

Click here to view the list of our partners

What data do we process about you?

To provide our ads services, we only process pseudonymized, technical information, and limited commerce-related events listed in the table below — not information that directly identifies you such as your name or email address.

CategoryDescription Source
Pseudonymized identifiersCriteo-generated identifier (“UID”): Identifier assigned to the Criteo cookie set on your web browser (cross-device where relevant). For example, the value of the UID could be 13278a5c-3997-4b97-826d-19609eecb975.

Device identifier: Advertising identifier of your device, including smartphone, tablet, or connected TV (such as Apple IDFA, Google AAID or Samsung IFA).

Partner-generated identifiers: Exchange platform identifiers and matches provided by Partners.

Advertiser-generated identifiers: CRM identifiers like hashed email addresses, hashed phone numbers, and membership or loyalty card numbers. For example, an email address might be transformed into 98307a5ba02fa1072b8792f743bd8b515 1360556b8e5a6120fa9a04ae02c88c0.
Advertisers
Publishers
Partners
Technical informationDevice-level information: Technical details about your browser, apps, and device—such as the type of device you use (for example, smartphone or computer), your browser name and version, operating system language and version, and your system date and time.

Internet connection: The IP address used to access the advertiser’s or publisher’s website, app, or platform.

Other: Use of an advertising blocker.
Advertisers
Publishers
Partners
Commerce eventsSelected shopping events: Products viewed, put in a shopping cart or purchased on an advertiser’s website or app, including date and time of the event, URL of the page or the name of the app or (brick-and-mortar) shop where the event took place.

Ad interactions: Ad seen or clicked on, including date and time of the event, URL of the page or the name of the app where the event took place.
Advertisers
Publishers
Partners
Coarse location dataInformation about your coarse location (country, region, or city) derived from your IP address. For example, “The IP address used to visit the website is in New York City”.Partners

Please note that some of the types of data above may not be classified as personal data or personally identifiable information in every jurisdiction.

Categories of personal data we do not collect

CategoryDetails
Sensitive dataCriteo has adopted policies and guidelines strictly prohibiting advertisers and publishers to share with us special categories of data as defined under the GDPR or any sensitive personal information as defined under the CCPA (e.g., relating to health, race, or sexual life).
Children dataCriteo has adopted policies and guidelines strictly prohibiting advertising that specifically targets children under the age required to consent to the collection of personal information, as defined by applicable law.
Precise location dataCriteo does not collect your precise geolocation, for instance based on your GPS location. Criteo only collects and uses coarse location data derived from your IP address.

How do we use your data?

We use the data collected through our technologies to deliver and measure personalized and contextual advertising, improve our services, ensure their security, and meet our legal and contractual obligations.

Processing for which Criteo, advertisers, and/or publishers act as joint data controllers

PurposeDetailsLegal basisData used
Store and/or read information on your devicePlacing and/or reading a Criteo cookie on your browser.

Reading your device identifier such as Apple’s IDFA ID or Google’s AAID.
If you are in the European Economic Area or in the United Kingdom or in another jurisdiction where consent is legally required:

Consent collected by advertisers and publishers on their websites, apps or other platforms.
Pseudonymized identifiers

Processing for which Criteo acts as a sole data controller

PurposeDetailsLegal basisData used
Display personalized advertisingDisplaying personalized advertising on websites, apps or other platforms, including by relying on real-time bidding.

Measuring the performance of ad campaigns.
If you are in the European Economic Area or in the United Kingdom or in another jurisdiction where consent is legally required:

Consent collected by advertisers and publishers on their websites, apps or other platforms.
Pseudonymized identifiers
Technical information
Commerce events
Coarse location data
Display contextual advertisingDisplaying relevant advertising based on the content of the web page, app or other platform you visit or use, including by relying on real-time bidding.

Measuring the performance of ad campaigns.
If you are in the European Economic Area or in the United Kingdom or in another jurisdiction where consent is legally required:

Consent collected by publishers on their websites, apps or other platforms.
Pseudonymized identifiers
Technical information
Commerce events
Coarse location data
Attribution & conversion measurement Matching purchases and app installations with campaign events, like clicks and displays of ads. Criteo's legitimate interest to conduct its business. Pseudonymized Identifiers
Technical information
Commerce events
Matching purchases and app installations with campaign events, like clicks and displays of ads.Criteo's legitimate interest to conduct its business.Pseudonymized Identifiers
Technical information
Commerce events
Fraud prevention, fight against fraud & invalid traffic (IVT)Detecting activities that do not match human activity.Criteo's legitimate interest to fulfill contractual commitments and meeting industry standards.Pseudonymized identifiers
Technical information
Data model training & service optimizationTraining data models to improve the performance of Criteo's advertising operations.Criteo's legitimate interest in training its models to improve the performance of its advertising operations.Pseudonymized identifiers
Technical information
Commerce events
Coarse location data
BillingBilling advertisers and verifying invoices received from publishers.Criteo's legitimate interest to conduct its business.Technical information
Commerce events
ReportingPreparing reports for advertisers based on aggregated data.Criteo's legitimate interest to conduct its business and to fulfill its contractual commitments.Pseudonymized identifiers
Technical information
Commerce events
Coarse location data
Incident resolutionTroubleshooting ongoing or recent incidents.Criteo's legitimate interest to ensure the security of its systems and business continuity.Pseudonymized identifiers
Technical information
Commerce events
Coarse location data

Our processing operations do not involve automated individual decision-making within the meaning of Article 22 of the GDPR, i.e. decision-making based exclusively on automated processing, including profiling, which produces legal effects or significantly affects you in a similar way.

How long do we keep your data?

We retain data for 13 months from the date of collection to maintain continuity in advertising campaigns and reporting, after which data is deleted or aggregated.

How do we protect your data?

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures are designed to ensure a level of security appropriate to the risk presented by the processing of your personal data.

We maintain physical, electronic, and procedural safeguards to protect your personal data, including:

  • Access controls to systems and data on a need-to-know basis
  • Encryption and secure storage of data where appropriate
  • Regular monitoring and testing of our security measures
  • Training and awareness programs for employees regarding data protection and information security
  • Procedures for responding to suspected data breaches

We also require our service providers and partners who process personal data on our behalf to implement appropriate security measures in line with applicable legal requirements and best practices.

Who do we share your data with?

We only share personal data where necessary to operate our services, as required by law or to defend or exercise our rights, and we take measures to ensure these recipients protect your data.

CategoryRecipientsDescription
Advertisers and publishersAdvertisers and their processorsBrands, retailers, and other organizations that use our ads services to deliver, measure, and optimize their advertising campaigns. We share data with them to help reach relevant audiences, measure performance, and improve ad effectiveness.
Publishers and their processorsWebsite, app or other platform operators that display ads or provide digital content monetized through advertising. We share data with them to enable the display of ads and to measure ad performance and revenues.
Partners

Click here to view the list of our partners
Demand-side platforms (DSPs)Technology platforms used by advertisers and agencies to buy advertising inventory in real time. We share data with DSPs to enable the purchase of ad impressions through programmatic auctions and to ensure that ads are shown to relevant audiences.
Supply-side platforms (SSPs)Technology platforms that help publishers manage, sell, and optimize their ad inventory. We share data with SSPs to facilitate real-time bidding transactions and to ensure that eligible ads are displayed on the appropriate inventory.
Data platforms and audience partnersPartners that provide audience segments or other insights based on aggregated or pseudonymous data. We share data with them to enrich audience understanding, segment audiences, and improve ad relevance.
Partners allowing us to match several identifiersPartners who help us reconcile different identifiers (such as cookie identifiers, device identifiers, or hashed email addresses) to maintain consistency across devices and platforms and to deliver more accurate ad personalization and measurement.
Partners allowing us to fight against fraudPartners who help detect, prevent, and investigate invalid traffic, fraudulent clicks, or other malicious activities that could harm users, advertisers, or publishers.
Partners allowing us to approximate your general locationPartners providing IP-based location services to help us deliver content and ads relevant to your general area (for example, at the city or regional level) and to detect suspicious traffic patterns.
Service providersOur service providersCompanies providing us services, such as hosting, analytics, customer support, auditing, security, and marketing support. These providers act under our instructions and are bound by confidentiality and data protection obligations.
Criteo GroupOur affiliates and subsidiariesOther entities within our corporate group that support the operation, improvement, and governance of our ads services, including for administrative, technical, or compliance purposes.
OtherAny recipient necessary to comply with legal, regulatory, judicial or administrative obligations or to exercise and defend our rightsPublic authorities, courts, law enforcement, or regulators when required to comply with applicable laws or respond to lawful requests or defend or exercise our rights.

Please note that some of these recipients may be in countries outside of Europe. In some cases, this may include countries located outside the European Union (“EU”) and/or European Economic Area (“EEA”).

Some countries where recipients are located already provide an adequate level of protection for this data, and transfers to other countries such as the USA may be protected under arrangements such as the EU-US Data Protection Framework.

Otherwise, Criteo will take all necessary measures to ensure that transfers outside of the EU/EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the EU Standard Data Protection Clauses. You can obtain a copy of these safeguards by contacting us (see Who can you contact if you have questions?).

What rights do you have in relation to your data?

Depending on your location, you have several rights in relation to your personal data.

These rights may be limited, including if fulfilling your request requires disclosure of another person’s personal data, infringes on third-party rights, or if we are required to retain your data to comply with our legal obligations.

These rights can be summarized as follows:

RightDescription
Right of accessYou have the right to confirm with us whether your personal data is processed, and if it is, to request access to that personal data including a copy of the personal data processed, the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to consider the interests of others though, so this is not an absolute right.
Right to rectificationYou have the right to request the rectification of inaccurate or incomplete personal data concerning you.
Right to erasureIn certain circumstances, you may have the right to ask us to erase your personal data.
Right to restrict processingIn certain circumstances, you may have the right to request that we restrict processing of your personal data.
Right to objectUnder certain circumstances, you may have the right to object, on grounds relating to your situation, to the processing of your personal data by us, and you may require us to no longer process it. You can always object to processing your personal data for marketing purposes.
Right to withdraw your consentFor processing activities based on your consent, you can withdraw your consent to the processing of your personal data by Criteo.
Right to data portabilityWhen we process your personal data based on your consent, you have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you may have the right to request that we transmit that data to another entity.
Right to give directives for the storage and communication of your personal data after your deathYou have a right to give directives for the storage and communication of your personal data after your death, and we will act accordingly.
Right to lodge a complaintYou also have the right to lodge a complaint with the competent data protection supervisory authority.

Click here to exercise your rights

Information for U.S. residents

While specific rights and terminology may vary by state, the information below reflects the core protections available under U.S. state privacy laws (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Delaware).

Categories of personal information we collect

Criteo collects the following categories of personal information for the purpose of displaying and measuring personalized ads:

  • Identifiers (e.g., cookie identifiers, mobile advertising identifiers, hashed email addresses, IP addresses)
  • Internet or network activity information (e.g., URLs of visited websites, names of apps used, and interactions with ads)
  • Commercial information (e.g., records of products viewed, placed in a shopping cart, or purchased)

In the past 12 months, we have disclosed or sold these categories of personal information for the commercial purpose of providing cross-context behavioral advertising to the categories of third parties listed in the section Who do we share your data with?

We collect and use this information primarily for marketing, advertising, analytics, and service improvement, as well as for:

  • Auditing (e.g., counting ad impressions and verifying quality)
  • Debugging (e.g., fixing errors and ensuring service functionality)
  • Security (e.g., detecting and protecting against malicious activity)
  • Research & Development (e.g., improving service performance and developing new features)

Criteo does not knowingly collect the personal information of individuals under 16 years of age.

Your rights under U.S. state privacy laws

Under U.S. state privacy laws, you may have the following rights regarding your personal information:

RightDescription
Right to know and accessYou have the right to request details about the categories and specific pieces of personal information we collect, use, disclose, share, or sell.
Right to deleteYou have the right to request the deletion of personal information we hold about you, subject to legal exceptions.
Right to correctYou have the right to request the correction of inaccurate personal information we maintain.
Right to opt-out of ‘sales’ or ‘sharing’You have the right to request that Criteo stops selling or sharing your personal information for cross-context behavioral advertising.
Right to limit use of sensitive personal informationCriteo does not process sensitive personal information.
Right to non-discriminationYou will not be discriminated against for exercising your privacy rights.

You may exercise your rights directly or through an authorized agent. We may need to verify your identity before processing your request. We respond to all valid requests within the time limits set by law.

Click here to exercise your rights

Data broker information

CRITEO CORP., THE ENTITY MAINTAINING THIS WEBSITE IN THE US, IS A DATA BROKER UNDER CHAPTER 509 OF THE TEXAS BUSINESS AND COMMERCE CODE. TO CONDUCT BUSINESS IN TEXAS, A DATA BROKER MUST REGISTER WITH THE TEXAS SECRETARY OF STATE (TEXAS SOS). YOU MAY SEARCH THE DATA BROKER REGISTRY ON THE TEXAS SOS WEBSITE TO IDENTIFY A SPECIFIC DATA BROKER AND VIEW ITS REGISTRATION INFORMATION.

CRITEO CORP. IS ALSO A REGISTERED DATA BROKER IN CALIFORNIA UNDER CALIFORNIA BUSINESS AND PROFESSIONS CODE § 1798.99.80 ET SEQ., AS AMENDED BY THE CALIFORNIA DELETE ACT (SB 362). THE CALIFORNIA PRIVACY PROTECTION AGENCY (CPPA) MAINTAINS A REGISTRY OF DATA BROKERS, WHICH YOU CAN SEARCH ON THE CPPA WEBSITE. CALIFORNIA RESIDENTS MAY ALSO REQUEST DELETION OF THEIR PERSONAL INFORMATION FROM ALL REGISTERED DATA BROKERS THROUGH THE CPPA’S CENTRALIZED DELETION MECHANISM.

Who can you contact if you have questions?

If you have any question regarding this Notice or our use of your personal data, you can contact our Data Protection Officer by email at dpo [at] criteo.com or by postal mail at Criteo – Data Protection Office – 32 rue Blanche 75009 Paris France.

Changes to this Notice

We may update this Notice from time to time, notably to ensure it reflects our current data processing activities. If we update this Notice, we will inform you of such an update and provide you with access to the updated Notice.