How we use your data

The identity and contact details of the controller

The company responsible for processing personal data in relation to our services is Criteo, a public limited company with its registered office at 32 rue Blanche, 75009 Paris, FRANCE, and registered with the Paris Trade and Companies Register under number 484 786 249.

Criteo acts as a co-controller together with its clients and partners. This is justified by the fact that the collection of personal data, as well as the collection of your consent in cases where the applicable regulations provide for it, takes place on their respective websites and applicable mobile devices that we do not control. As such, our contractual agreements with them provide that they are responsible for informing you of the presence of our technologies on their websites and mobile applications, collecting your consent for the collection and use of your data to provide you with personalized advertising, and offering you an easy way to disable our services.

 

The contact details of the Data Protection Officer

By post: Data Protection Officer – 32 rue Blanche, 75009 Paris, FRANCE.
By email: dpo@criteo.com

In addition, if you have any questions about privacy or the use of your data in connection with our services, you may contact our US-based dispute resolution service provider free of charge at https://feedback-form.truste.com/watchdog/request.

 

The purposes of the processing for which your personal data is intended

All of our personal data processing activities are aimed at displaying personalized advertisements.

 

The legal basis of the processing operation for which your data is intended

In countries where applicable regulations require users’ consent to the use of cookies or any similar technology, our processing operations are based on this consent, collected on the websites and mobile applications of Advertisers and Publishers.

In addition, we consider that we have a legitimate interest in processing your data for the purposes expressed in this notice in order to:

  • honor our commercial agreements with our customers and partners;
  • allow our Advertisers to promote their products and services;
  • and allow our Publishers to finance their activities.

 

The categories of data used in the context of our services

The personal data we use in the context of our services are as follows, classified according to the sources from which they come.

Data collected on Advertisers' websites and mobile applications

When you browse the website or mobile application of a Publisher using our technologies or using an Ad exchange platform with which we work, we collect the following data:

Identifiers

  • Identifier of a Criteo cookie that we have assigned to your web browser

Example: UID=13278a5c-3997-4b97-826d-19609eecb975

  • Advertising ID of your Smartphone (such as Apple’s IDFA ID or Google’s AAID)

Example: 6D93078A-8259-4BA4-AE5B-76104861E7DC

  • An Exchange platform cookie ID if applicable

This allows Criteo to recognize your browser or mobile device and assign to it the data that we may collect, without identifying you.

Technical information related to the device you use

  • User-agent string of your browser (i.e. a series of characters sent by your browser to the server of the website you are visiting to communicate information about the type of device you are using (smartphone, computer, etc.) and the operating system of your device (version, language, system date and time, etc.))

Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

  • Use of an advertising blocker

This allows Criteo to optimize the display of ads on the device you are using.

Non-precise data regarding your internet connection

  • Truncated IP address

Example: 91.199.242 (last octet removed)

We never use your full IP address to personalize the ads we display to you.

This allows Criteo to recognize your browser or mobile device and assign to it the navigation data that we may collect, without identifying you and to derive non-precise information about your geographical location (country, region or city) in order to display advertisements for products available in your geographical area.

Browsing events

  • Data relating to your use of a website or mobile application

Examples: Products you have viewed, products you have put in your shopping cart and products you have purchased

For each navigation event, we also collect the date and time of the event, the URL of the page or the name of the application on which the event took place.

This allows Criteo to identify the products that interest you.

Data regarding your internet connection

  • Full IP address

Example: 91.199.242.236

This helps in combating fraud, in particular by detecting activities that do not match human activity. It also allows Criteo to invoice our services to Advertisers, in particular when you click on our ads, and to create reports on advertising campaigns containing aggregate data for a set of users.

Data transmitted by the Advertiser (optional)

  • CRM identifier that the Advertiser has assigned to you within its own customer relationship management software
  • Extra data used by the Advertiser (e.g. date of travel, price)
  • Events that happened in a physical store
  • Advertising ID of your smartphone (such as Apple’s IDFA ID or Google’s AAID)

Example: 6D93078A-8259-4BA4-AE5B-76104861E7DC

  • Pseudonymized mail addresses

The email addresses transmitted by Advertisers are subject to pseudonymization methods to irreversibly transform them into a series of characters. For example, once pseudonymized, the address nom@email.com would become 98307a5ba02fa1072b8792f743bd8b5151360556b8e5a6120fa9a04ae02c88c0.

This improves our ability to provide you with a seamless experience across all browsers and devices you use and enables Criteo to onboard CRM audiences built by advertisers.

Data collected on Publishers' websites and mobile applications

Identifiers

  • Identifier of a Criteo cookie that we have assigned to your web browser

Example: UID=13278a5c-3997-4b97-826d-19609eecb975

  • Advertising ID of your Smartphone (such as Apple’s IDFA ID or Google’s AAID)

Example: 6D93078A-8259-4BA4-AE5B-76104861E7DC

  • An Exchange platform cookie ID if applicable

This allows Criteo to recognize your browser or mobile device and assign to it the data that we may collect, without identifying you.

Technical information related to the device you use

  • User-agent string of your browser (i.e. a series of characters sent by your browser to the server of the website you are visiting to communicate information about the type of device you are using (smartphone, computer, etc.) and the operating system of your device (version, language, system date and time, etc.))

Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

  • Use of an advertising blocker

This allows Criteo to optimize the display of ads on the device you are using.

Information relating to the advertising insert on the Publisher’s website or application 

  • URL of the website or name of the Publisher’s application
  • Characteristics of the advertising space (size, visibility, etc.)

This allows Criteo to know the characteristics of the advertising spaces on which we are likely to display ads.

Non-precise data related to your Internet connection

  • Truncated IP address

Example: 91.199.242 (last octet removed)

We never use your full IP address to personalize the ads we display to you.

This allows Criteo to recognize your browser or mobile device and assign to it the navigation data that we may collect, without identifying you, and to derive non-precise information about your geographical location (country, region or city) in order to display advertisements for products available in your geographical area.

Data transmitted by the Publisher (optional)

  • Pseudonymized mail addresses

The email addresses transmitted by Advertisers are subject to pseudonymization methods to irreversibly transform them into a series of characters. For example, once pseudonymized, the address nom@email.com would become 98307a5ba02fa1072b8792f743bd8b5151360556b8e5a6120fa9a04ae02c88c0.

This allows Criteo to improve our ability to provide you with a seamless experience across all browsers and devices you use.

Information about your interactions with advertisements

  • Number of ads that have been displayed to you
  • How you interacted with the ads (viewing, clicking)

This allows Criteo to avoid displaying the same ads too often and to detect what product is of interest to you within our ad.

Data related to your Internet connection

  • Full IP address

Example: 91.199.242.236

This allows Criteo to combat fraud, in particular by detecting activities that do not match human activity, to invoice our services to Advertisers, in particular when you click on our ads, and to create reports on advertising campaigns containing aggregate data for a set of users.

Data collected from our Partners

We use partners to provide us with the following categories of data:

Identifier matches

Examples:

The Criteo UID=13278a5c-3997-4b97-826d-19609eecb975 and the advertising ID 6D93078A-8259-4BA4-AE5B-76104861E7DC belong to the same person, but this person cannot be identified.

The Criteo identifier UID=13278a5c-3997-4b97-826d-19609eecb975 corresponds to the partner identifier PartnerID=xxxxxxx.

The Criteo UID=13278a5c-3997-4b97-826d-19609eecb975 and the pseudonymized email address 98307a5ba02fa1072b8792f743bd8b5151360556b8e5a6120fa9a04ae02c88c0 belong to the same person, although this person cannot be identified.

Our partners provide us with matches between several identifiers to allow us to more effectively associate multiple identifiers. The combination of Criteo identifiers allows us to offer you a harmonized experience of our services regardless of the environment from which you are browsing. Learn more about how Criteo services work across multiple environments.

Data allowing us to fight against fraud

Example:

List of truncated IP addresses identified as carrying out fraudulent activities.

In order to combat fraud, we use partners to detect and report fraudulent activities (for example, activity resulting from a computer bot rather than human interaction).

Geolocation data

Examples:

  • The truncated IP address used to visit the website is in the United States.
  • The truncated IP address used to visit the website is in New York City.
  • The product ABC has been purchased by the Criteo UID=13278a5c-3997-4b97-826d-19609eecb975 in the brick and mortar store 123 of the Advertiser XYZ

Our partners provide us with information about your geographical location derived from your truncated IP address, points of interest that are near you (e.g. stores that are geographically close to you) or the products you have purchased in a brick and mortar store of the advertisers that are using our services to manage their online marketing campaigns. This allows us to improve the relevance of our services by displaying advertisements for products available in your geographical area.

Click here to view the list of our partners.

 

The categories of recipients of your data

Supply-side platforms

In order to have advertising inventories on which to display our ads, we participate in real-time auctions (often called “Real-Time Bidding”) on marketplaces. To do this, we must synchronize the identifiers used by Criteo with those used by these marketplaces in order to participate in the auction by sending our bid and the advertising we wish to display.

This means that we must communicate to these marketplaces the identifier that we use to recognize your browser or device without ever being able to identify you.

Data platforms

Some Advertisers use data platforms (known as “Data Management Platforms” or “Customer Data Platforms”), which help them implement audience segmentation and communicate it to online advertising industry players such as Criteo. These communications require the synchronization of the identifiers used by Criteo with those used by this platform when you visit an Advertiser site.

This implies that we communicate to these platforms the identifier that we use to recognize your browser or device without ever being able to identify you.

Partners allowing us to match several identifiers

In order to more effectively associate Criteo identifiers with each other, we may need to share with partners the identifier of a Criteo cookie that we have assigned to your web browser. The combination of Criteo identifiers allows us to offer you a consistent experience of our services regardless of the environment from which you are browsing.

Partners allowing us to fight against fraud

We provide limited data to our anti-fraud partners to enable them to effectively detect and report fraudulent activity to us.

Partners allowing us to determine your non-precise location

We may transmit your truncated IP address to our partners so that they can deduce from it non-precise information about your geographical location (country, region or city). This allows us to improve the relevance of our services by displaying advertisements for products that are available in points of sale near you.

Partners of Criteo's clients

Some of our clients may ask us to exchange some data with their partners, through the ads we serve to you, for purposes compatible with the purpose of displaying personalized advertisements, for instance to measure the efficiency of their campaigns.

Our subsidiaries and affiliates

We may transmit data to our subsidiaries and affiliates for processing in accordance with this notice for the purposes of our services.

In addition, Criteo reserves the right to disclose all or part of its data in the event of a merger, acquisition, dissolution or sale of all or part of its assets. You will then be informed by email and/or by a prominent message on our website of any change in ownership or regarding the use of your data and the rights you will have over them.

Any recipient necessary to comply with legal, regulatory, judicial or administrative obligations

In some situations, we may disclose data in response to legal requests from authorities, such as to comply with the law or national security requirements. We may also disclose information about you if required by law, such as to comply with a subpoena or other legal process or if we believe in good faith that such disclosure is necessary to protect our rights, your safety or the safety of others, investigate a case of fraud or respond to a request from the government.

 

 

Transfers of personal data to a recipient in a third country or international organizations

Our services may involve cross-border data exchanges with subsidiaries or partners located in countries outside the European Union. In that case, when these countries do not benefit from an adequacy decision under Article 45 of the GDPR, we use a variety of measures to ensure that your personal data transferred to these countries receives adequate protection in accordance with the GDPR, such as signing the Standard Contractual Clauses adopted by the European Commission, or verifying that the recipient has adopted Binding Corporate Rules or adheres to the EU-U.S. and Swiss-U.S. Privacy Shield Framework.

 

The length of time for which your data will be kept

We keep personal data for a maximum of 13 months from the date of collection. The same duration applies to cookies placed by Criteo on your web browsers for advertising purposes.

 

The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR

Our processing operations do not involve automated individual decision-making within the meaning of Article 22 of the GDPR, i.e. decision-making based exclusively on automated processing, including profiling, which produces legal effects or significantly affects you in a similar way.