How we use your data

The identity and contact details of the controller

The company responsible for processing personal data in relation to our services is Criteo, a public limited company with its registered office at 32 rue Blanche, 75009 Paris, FRANCE, and registered with the Paris Trade and Companies Register under number 484 786 249.

Criteo acts as a joint controller together with its clients and partners. This is justified by the fact that the collection of personal data, as well as the collection of your consent if you are in the European Economic Area, takes place on their respective websites and applicable mobile devices that we do not control. As such, our contractual agreements with them provide that they are responsible to inform you of the presence of our technologies on their websites and mobile applications, collecting your consent for the collection and use of your data to provide you with personalized advertising and offering you an easy way to disable our services.

 

The contact details of the Data Protection Officer

By post: Data Protection Officer – 32 rue Blanche, 75009 Paris, FRANCE.
By email: dpo@criteo.com

In addition, if you have any questions about privacy or the use of your data in connection with our services, you may contact our US-based dispute resolution service provider free of charge at https://feedback-form.truste.com/watchdog/request.

 

The purposes and legal basis of the processing for which your personal data is intended

We can only drop a Criteo cookie on your browser or use your mobile advertising ID (such as Apple’s IDFA ID or Google’s AAID) with your prior consent if you are located in the European Economic Area. Your consent will be collected by the Advertiser or Publisher who operates the websites and/or mobile applications you use.

PURPOSELEGAL BASISDESCRIPTIONCATEGORIES OF DATA WE USE
(For more information see ¨The categories of data used in the context of our services¨ below)
DISPLAY PERSONALIZED ADVERTISINGIf you live in the European Economic Area: Consent collected by the Advertisers and Publishers on their website/mobile appDisplaying personalized advertising on websites and in mobile applications.

o Data collection by Criteo's servers from Advertisers' and Publishers' websites and mobile applications.

o Recording, organizing and analyzing this data in order for Criteo to decide:

(a) whether or not to display an advertisement or to decide the level of the Internet user's bidding (in the context of Real Time Bidding) or to promote sponsored advertisements of particular brands on publishers’ properties; and

b) choose the ad to be displayed on the device

o Purchase advertising space

o Display personalized ads on Publisher websites and mobile applications.

o Measure performance of ads displayed
Data collected on Advertisers’ websites and mobile applications:
- Identifiers
- Technical information related to the device
- Non-precise data regarding the internet connection
- Data regarding the internet connection of the device
- Browsing events
- Data transmitted by the Advertiser

Data collected on Publisher’s websites and mobile applications
- Identifiers
- Technical information related to the device used
- Information relating to the advertising insert on the Client / Partner properties
- Non precise data regarding the internet connection
- Data regarding your internet connection
- Information about your interactions with advertisements
- Data transmitted by the Publisher
-
Data collected from Criteo’s Partners:
- Identifiers matches
- Data allowing Criteo to fight against fraud (e.g.: list of IP addresses identified as fraudulent)
- Geolocation data
DISPLAY CONTEXTUAL ADVERTISINGIf you live in the European Economic Area: Consent collected by the Advertisers and Publishers on their website/mobile appDisplaying relevant advertising based on the content of the web page or mobile app you visit.

o Data collection by Criteo's servers from Advertisers' and Publishers' websites.

o Recording, organizing and analyzing this data in order for Criteo to decide:

(a) whether or not to display an advertisement based on targeting rules defined on URLs (typically: domains) and/or their content (e.g. topics or keywords), and to decide the price level of bidding for the given display opportunity (in the context of Real Time Bidding ); and

b) choose the ad to be displayed on the device.

o Purchase advertising space

o Display contextual advertising on websites and mobile applications

o Measure performance of ads displayed
Data collected on Advertisers’ websites and mobile applications:
- Identifiers
- Technical information related to the device used
- Non-precise data regarding the internet connection
- Data regarding the internet connection
- Browsing events
- Data transmitted by the Advertiser

Data collected on Publisher’s websites and mobile applications
- Identifiers
- Technical information related to the device you use
- Information relating to the advertising insert on the Client / Partner properties
- Non precise data regarding the internet connection
- Data regarding your internet connection
- Information about the interactions with advertisements
- Data transmitted by the Publisher

Data collected from Criteo’s Partners:
- Identifiers matches
- Data allowing Criteo to fight against fraud(e.g.: list of IP addresses identified as fraudulent)
- Geolocation data
SALES MATCHING / ATTRIBUTIONCriteo's legitimate interest to conduct its businessMatching user conversions (e.g. purchases, app installs) to campaign events, like clicks and displays.- Identifiers
- Technical information related to the device used
- Browsing events
- Data transmitted by the Advertiser
- Information about the interactions with advertisements
- Data transmitted by the Publisher
FRAUD PREVENTION / FIGHT AGAINST FRAUD / IVTCriteo's legitimate interest to fulfill its contractual/sectorial commitments and to ensure safe advertisingDetecting activities that do not match human activity.Full IP addresses
DATA MODEL TRAININGCriteo's legitimate interest in training its models to improve the performance of its advertising operationsTraining data models to improve the performance of Criteo’s advertising operations.Same categories of data as for displaying personalized/contextual advertising
BILLINGCriteo's legitimate interest to conduct its businessAllowing Criteo to bill its Clients- Technical information related to the device used
- Information about your interactions with advertisements
REPORTINGCriteo's legitimate interest to conduct its business and to fulfill its contractual commitmentsPrepare reports for its Clients based on aggregated data.Same categories of data as for displaying personalized/contextual advertising
INCIDENT RESOLUTIONCriteo's legitimate interest to ensure the security of its systems and business continuityTroubleshooting of ongoing or recent production incidents.Same categories of data as for displaying personalized/contextual advertising

The categories of data used in the context of our services

The personal data we use in the context of our services are as follows, classified according to the sources from which they come.

Data collected on Advertisers' websites and mobile applications

When you browse the website or mobile application of an Advertiser using our technologies or using an Ad exchange platform with which we work, we collect the following data:

Identifiers

  • Identifier of a Criteo cookie that we have assigned to your web browser

Example: UID=13278a5c-3997-4b97-826d-19609eecb975

  • Advertising ID of your Smartphone (such as Apple’s IDFA ID or Google’s AAID)

Example: 6D93078A-8259-4BA4-AE5B-76104861E7DC

  • An Exchange platform cookie ID if applicable
  • A cross device ID

Example: ae3601c5-315d-3600-715e-cd853ed01d3a

This allows Criteo to recognize your browser or mobile device and assign to it in the data that we may collect, without identifying you.

Technical information related to the device you use

  • User-agent string of your browser, (i.e. a series of characters sent by your browser to the server of the website you are visiting to communicate information about the type of device you are using (smartphone, computer, etc.) and the operating system of your device (version, language, system date and time, etc.))

Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

  • Use of an advertising blocker

This allows Criteo to optimize the display of ads on the device you are using.

Data regarding your internet connection

  • Truncated IP address

Example: 91.199.242 (last octet removed)

This allows Criteo to recognize your browser or mobile device and assign to it the navigation data that we may collect, without identifying you.

Browsing events

  • Data relating to your use of a website or mobile application

Examples : Products you have viewed, products you have put in your shopping cart and products you have purchased

For each navigation event, we also collect the date and time of the event, the URL of the page or the name of the application on which the event took place.

This allows Criteo to identify the products that interest you.

  • IP address

Example: 91.199.242.236

This allows Criteo to derive non-precise information about your geographical location (country, region or city) in order to display advertisements for products available in your geographical area.

Data necessary for fraud prevention / fight against fraud

  • Full IP address

Example: 91.199.242.236

This helps in combating fraud, in particular by detecting activities that do not match human activity. It allows Criteo to invoice our services to Advertisers, in particular when you click on our ads and create reports on advertising campaigns containing aggregate data for a set of users.

Data transmitted by the Advertiser

  • CRM identifier that the Advertiser has assigned to you within its own customer relationship management software
  • Extra data used by the Advertiser (eg. date of travel, price)
  • Events that happened in a physical store
  • Advertising ID of your smartphone (such as Apple’s IDFA ID or Google’s AAID)

Example: 6D93078A-8259-4BA4-AE5B-76104861E7DC

  • Pseudonymized mail addresses

The email addresses transmitted by Advertisers are subject to pseudonymization methods to irreversibly transform them into a series of characters. For example, once pseudonymized, the address nom@email.com would become 98307a5ba02fa1072b8792f743bd8b5151360556b8e5a6120fa9a04ae02c88c0.

This improves our ability to provide you with a seamless experience across all browsers and devices you use and enables Criteo to onboard CRM audiences built by Advertisers.

Data collected on Publishers' websites and mobile applications

Identifiers

  • Identifier of a Criteo cookie that we have assigned to your web browser

Example: UID=13278a5c-3997-4b97-826d-19609eecb975

  • Advertising ID of your Smartphone (such as Apple’s IDFA ID or Google’s AAID)

Example: 6D93078A-8259-4BA4-AE5B-76104861E7DC

  • An Exchange platform cookie ID if applicable

This allows Criteo to recognize your browser or mobile device and assign to it in the data that we may collect, without identifying you.

Technical information related to the device you use

  • User-agent string of your browser, (i.e. a series of characters sent by your browser to the server of the website you are visiting to communicate information about the type of device you are using (smartphone, computer, etc.) and the operating system of your device (version, language, system date and time, etc.))

Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

  • Use of an advertising blocker

This allows Criteo to optimize the display of ads on the device you are using.

Information relating to the advertising insert on the Publisher’s website or application 

  • URL of the website or name of the Publisher’s application
  • Characteristics of the advertising space (size, visibility, etc.)

This allows Criteo to know the characteristics of the advertising spaces on which we are likely to display ads.

Data related to your Internet connection

  • Truncated IP address

Example: 91.199.242 (last octet removed)

This allows Criteo to recognize your browser or mobile device and assign to it the navigation data that we may collect, without identifying you.

  • IP address

This allows Criteo to derive non-precise information about your geographical location (country, region or city) in order to display advertisements for products available in your geographical area

Data transmitted by the Publisher

  • Pseudonymized mail addresses

The email addresses transmitted by Advertisers are subject to pseudonymization methods to irreversibly transform them into a series of characters. For example, once pseudonymized, the address nom@email.com would become 98307a5ba02fa1072b8792f743bd8b5151360556b8e5a6120fa9a04ae02c88c0.

This allows Criteo to improve our ability to provide you with a seamless experience across all browsers and devices you use.

Information about your interactions with advertisements

  • Number of ads that have been displayed to you
  • How you interacted with the ads (viewing, clicking)

This allows Criteo to avoid displaying the same ads too often and to detect what product is of interest to you within our ad.

Data necessary for fraud prevention / fight against fraud

  • Full IP address

Example: 91.199.242.236

This allows Criteo to combat fraud, in particular by detecting activities that do not match human activity, invoice our services to Advertisers, in particular when you click on our ads and to create reports on advertising campaigns containing aggregate data for a set of users.

Data collected from our Partners

We use partners to provide us with the following categories of data:

Identifiers Matches

Examples:

The Criteo UID=13278a5c-3997-4b97-826d-19609eecb975 and the advertising ID 6D93078A-8259-4BA4-AE5B-76104861E7DC belong to the same person,
but this person cannot be identified.

The Criteo identifier UID=13278a5c-3997-4b97-826d-19609eecb975 corresponds to the partner identifier PartnerID=xxxxxxx.

The Criteo UID=13278a5c-3997-4b97-826d-19609eecb975 and the pseudonymized
email address 98307a5ba02fa1072b8792f743bd8b5151360556b8e5a6120fa9a04ae02c88c0 belong to the same person, although this person cannot be identified.

Our partners provide us with matches between several identifiers to allow us to more effectively associate multiple identifiers. The combination of Criteo identifiers allows us to offer you a harmonized experience of our services regardless of the environment from which you are browsing. Learn more about how Criteo services works across multiple environments.

Data allowing us to fight against fraud

Example:

List of truncated IP addresses identified as carrying out fraudulent activities.

In order to combat fraud, we use partners to detect and report fraudulent activities (for example, resulting from a computer bot rather than human interaction.)

Geolocation data

Examples:

  • The IP address used to visit the website is in the United States.
  • The IP address used to visit the website is New York City.
  • The product ABC has been purchased by the Criteo UID=13278a5c-3997-4b97-826d-19609eecb975 in the brick and mortar store 123 of the Advertiser XYZ

Our partners provide us with information about your geographical location derived from your IP address, points of interest that are near you (e.g. stores that are geographically close to you) or the products you have been purchasing in a brick and mortar store of the advertisers that are using our services to manage their online marketing campaigns. This allows us to improve the relevance of our services by displaying advertisements forproducts available in your geographical area.

Click here to view the list of our partners.

 

The categories of recipients of your data

Supply-side platforms

In order to have advertising inventories on which to display our ads, we participate in real-time auctions (often called “Real-Time Bidding”) on marketplaces. To do this, we must synchronize the identifiers used by Criteo with those used by these marketplaces in order to participate in the auction by sending our bid and the advertising we wish to display.

This means that we must communicate to these marketplaces the identifier that we use to recognize your browser or device without ever being able to identify you.

Data platforms

Some Advertisers use data platforms (namely platforms named “Data Management Platforms” or “Customer Data Platforms), which allow them to facilitate the implementation of audience segmentation and communicate it to online advertising industry players such as Criteo. These communications require the synchronization of the identifiers used by Criteo with those used by this platform when you visit an Advertiser site.

This implies that we communicate to these platforms the identifier that we use to recognize your browser or device without ever being able to identify you.

Partners allowing us to match several identifiers

In order to more effectively associate Criteo identifiers with each other, we may need to share with partners the identifier of a Criteo cookie that we have assigned to your web browser. The combination of Criteo identifiers allows us to offer you a consistent experience of our services regardless of the environment from which you are browsing.

Partners allowing us to fight against fraud

We provide limited data to our anti-fraud partners to enable them to effectively detect and report fraudulent activity to us.

Partners allowing us to locate you inaccurately

We may transmit your IP address to our partners so that they can deduce from it information that is not specific to your geographical location (country, region or city). This allows us to improve the relevance of our services by displaying advertisements for products that are available in points of sale near you.

Partners of Criteo's clients

Some of our clients may ask us to exchange some data with their partners, through the ads we serve to you for purposes compatible with the purpose of displaying personalized advertisements, for instance to mesure the efficiency of their campaigns.

Our subsidiaries and affiliates

We may transmit data to our subsidiaries and affiliates for processing in accordance with this notice for the purposes of our services.

In addition, Criteo reserves the right to disclose all or part of its data in the event of a merger, acquisition, dissolution or sale of all or part of its assets. You will then be informed by email and/or by a prominent message on our website of any change in ownership or regarding the use of your data and the rights you will have over them.

Any recipient necessary to comply with legal, regulatory, judicial or administrative obligations

In some situations, we may disclose data in response to legal requests from authorities, such as to comply with the law or national security requirements. We may also disclose information about you if required by law, such as to comply with a subpoena or other legal process or if we believe in good faith that such disclosure is necessary to protect our rights, your safety or the safety of others, investigate a case of fraud or respond to a request from the government.

 

Click here to view the list of our partners.

 

Transfers of personal data to a recipient in a third country or international organizations

Our services may involve cross-border data exchanges with subsidiaries or partners located in countries outside the European Economic Area. In which case, when these countries do not benefit from an adequacy decision under the Article 45 of the GDPR, we use a variety of measures to ensure that your personal data transferred to these countries receives adequate protection in accordance with the GDPR, such as signing the Standard Contractual Clauses adopted by the European Commission.

 

The length of time for which your data will be kept

We keep personal data for a maximum of 13 months from the date of collection. The same duration applies to cookies placed by Criteo on your web browsers for advertising purpose.

 

The existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR

Our processing operations do not involve automated individual decision-making within the meaning of Article 22 of the GDPR, i.e. decision-making based exclusively on automated processing, including profiling, which produces legal effects or significantly affects you in a similar way.