Last updated: December 19, 2023
- What does this Policy cover?
- What personal data do we collect?
- Why do we collect, use, and store this personal data?
- How and to whom do we share your personal data?
- What choices and rights do you have with respect to the data we process?
- How long do we retain your personal data?
- How can you contact us?
1. What does this Policy cover?
This Policy describes how OpenX (“OpenX“, “we“, “us” or “our“) processes your personal data. It applies only to visitors to the OpenX website.
This Policy describes the choices or rights you may have with respect to our processing of your data, including a right you may have to object to some of the processing that OpenX carries out. More information about your choices and rights, and how to exercise them, is set out in the “Your choices and rights” section.
The data processing described in this Policy may be limited as required by applicable law, including the General Data Protection Regulation (“GDPR”) the California Consumer Privacy Act (“CCPA”), and other federal or state laws, to the extent those laws apply to you.
2. What personal data do we collect?
We collect certain information through our website when you choose to provide it (for example, when you create an account with us or contact us using a website form), such as:
- Information to identify you, such as your name, surname, contact details (email address and phone number), company name, job title, reason why you contact us;
- Information necessary to establish and access your OpenX Community account, such as your username and password;
- Your marketing preferences, including any consents you have given us; and
- The content of communications you send us.
We also collect certain information automatically including:
- Unique online identifiers (e.g., IP address, cookies, mobile advertising identifiers such as Apple IDFA and Android Advertising ID);
- Browser information (e.g., browser type, version, or language);
- Device information (e.g., screen dimensions, device brand, and model);
- Internet service information (e.g., Internet Service Provider used by you);
- Derived location data (as derived from IP address or GPS (for mobile)).
3. Why do we collect, use, and store this personal data?
We collect, use and store your personal data under the legal bases set out below.
To fulfil a contract, or take steps linked to a contract, that we have with you. This includes:
- Communicating with you; and
- Providing customer service.
As required to conduct our business and pursue our legitimate interests. This includes:
- To provide the OpenX products and services you have requested, and respond to any comments or complaints you may send us;
- To monitor use of our website and use this information to improve and protect our services;
- To personalize our services for you;
- To confirm your identity when making payments in order to prevent fraud or detect and prevent any other malicious, fraudulent, invalid, or illegal activity, if applicable;
- To investigate any complaints received from you, or from others, about our website, products, or services;
- To ensure data are securely transmitted and processed;
- To ensure correct and efficient operation of systems and processes, including monitoring and enhancing the performance of systems and processes;
- To manage legal claims or compliance, regulatory and investigative processes as necessary (including disclosure of such information in connection with legal processes or litigation); and
- To invite you to take part in market research.
Where you give us consent or we are otherwise permitted to process your data after we give you notice of our processing. For example:
- We may send you direct marketing (e.g., quarterly newsletters or our regular emails that highlight relevant services we offer), which may be sent directly from us or via third party service providers;
- On other occasions where we ask you for consent or provide you with notice of processing, we will use the data for the purpose which we explain at that time.
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. Additionally, please note that withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have the right to opt-out of direct marketing at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
Because we are compelled to do so by law:
- In response to requests by government or law enforcement authorities conducting an investigation.
4. How and to whom do we share your personal data?
- With your express permission;
- With other entities in the OpenX group for business purposes, such as making sure that questions or comments submitted via our “Contact Us” form are addressed appropriately;
- To our advisers (or the advisers of potential purchasers or new owners) in the event that we, or some or all of our affiliated entities or assets, are merged, sold, transferred (including in bankruptcy), or otherwise subject to a material corporate change;
- Where we believe it is necessary to protect OpenX or our users, enforce our terms or the legal rights of OpenX or others, or comply with a request from governmental authorities, legal processes, or other legal obligations; and
- Where we contract with third parties to provide certain services under our instruction, including service providers managing distribution of our marketing content, data analytics, web hosting, web development, and our website operation or cloud computing services (“Vendors”). We ask Vendors to confirm that their privacy and security practices are consistent with ours, provide them with information only to the extent necessary to perform the services we request, and prohibit them from using such information for any other purposes. A list of these service providers is available here.
OpenX may offer online resources that facilitate discussion amongst our customers and other third parties. Whenever you voluntarily post information to any public forum we operate, please be aware that such information (along with your username) is accessible to other users of the forum, including members of the public if the forum is open to the public.
OpenX is in the process of certifying for compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. OpenX has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. OpenX has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
The Federal Trade Commission has jurisdiction over OpenX’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) here.
Under certain conditions, more fully described on the DPF website here, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. In cases of onward transfer to third parties, OpenX is generally liable for the acts of the third party that are in violation of the DPF Principles.
In parallel to adhering to Data Privacy Framework, in the event that personal data collected from a UK or EEA data subject is transferred outside of the UK or the EEA to an organization in a country which is not subject to an adequacy decision by the EU Commission or considered adequate as determined by applicable data protection laws, we take additional steps to ensure your personal data is adequately protected (e.g., by way of EU Commission-approved Standard Contractual Clauses or by relying on other data transfer mechanisms approved under applicable data protection laws). We are also committed to conducting data transfer impact assessments and adopting any supplementary measures required to mitigate any risks to you identified in such an assessment. A copy of the relevant mechanism can be obtained for your review on request by contacting us using the details set out below.
6. What choices and rights do you have with respect to the data we process?
UK/EEA based individuals
You have the right to ask us for a copy of your personal data; to correct, delete or restrict processing of your personal data; and to obtain the personal data we have collected from you provide in a structured, machine readable format. In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or believe a breach has taken place. You’ll find contact details for your data protection authority here if you are an EEA based individual or here if you are a UK based individual.
Data which provision is mandatory is indicated on relevant forms that you complete. Where provision of data is mandatory, if relevant data is not provided, we will not be able to fulfil your requests to register, make a purchase or otherwise engage with OpenX. Providing us with information other than marked as mandatory is optional.
If you would like to exercise any of the rights listed above, please reach us here.
U.S. based individuals
Residents of California, Colorado, Connecticut, Virginia, and Utah may exercise the following rights regarding your personal data, subject to certain exceptions and limitations:
- The right to confirm whether we have processed your personal data.
- The right to know and access, in a portable format that is accessible to you, the categories and specific pieces of personal data we collect, use, share, and sell about you, the categories of sources from which we collected your personal data, our purposes for collecting, using, sharing, and selling your personal data, the categories of your personal data that we have shared or sold for a business purpose, and the categories of third parties with which we have shared or sold your personal data.
- The right to correct inaccuracies related to the personal data we have collected from or about you.
- The right to request that we delete the personal data we have collected from or about you.
- The right to opt out of our processing and sharing of your personal data for purposes of interest-based advertising, also called “cross-context behavioral advertising” or “targeted advertising,” which our services facilitate, as well as the right to opt out of our sales of your personal data.
- The right not to be discriminated or retaliated against for exercising any of these data rights.
While some states provide residents with additional rights related to “sensitive” personal data, OpenX does not knowingly collect this type of personal data.
To exercise any of the above rights, please reach us here or call us at (855) 231-3834. You may be asked to submit verifying information in certain circumstances, as described below. Depending on your state, if you have submitted a request that we have not fulfilled, you may appeal our decision by contacting us here.
Verification Process and Required Information: Because most of the information we store can only identify a particular browser or device, and cannot identify you individually, we may need to request additional information from you to verify your identity or understand the scope of your request. Such additional information may include your online identifier (i.e. cookie or mobile advertising ID) and some proof that the devices that have the cookie or mobile advertising ID you provide are yours, such as a screenshot of the applicable cookie or of a screen that displays the mobile advertising ID or other documentation that can verify you.
Authorized Agent: You may designate an authorized agent to make a CCPA request on your behalf by verifying your identity and providing written permission to your agent to make the request for you.
Minors’ Personal Data: We do not sell the personal data of consumers that we know to be under 16 years of age or share such data for purposes of interest-based advertising (also known as “targeted” or “cross-context behavioral” advertising).
Collection, Disclosure or Sale of Personal Information:
- In the last 12 months, we collected categories of personal data about California residents directly from those residents and automatically when they visited our website.
Information About Past Year’s CCPA Requests: In 2022, with respect to requests from California residents submitted under the California Privacy Protection Act, as amended (“CCPA”), OpenX:
- Received 87 requests to know, complied with all of them in an average of 38 days, and denied none of them.
- Received 92 requests to delete, complied with all of them in an average of 36 days, and denied none of them.
- Received 138 requests to opt-out, complied with all of them in an average of 5 days, and denied none of them.
- Received 17 requests that did not provide a specific type of request and denied none of them.
In some instances, although we have not denied a request, we cannot fully complete the data subject’s requested action due to an inability to connect the data in our systems to the data provided by the data subject. In such instances, we request additional information from the data subject.
7. How long do we retain your personal data?
Where we process account data collected via our website, we generally retain it for as long as you are an active customer of OpenX. Where we process personal data in connection with performing a contract with you or your organization, we keep the data for so long as the contract remains in force and for a certain period after its expiration; this period depends on the applicable claims’ limitation periods and may vary between jurisdictions. We encourage you to contact us here to obtain more specific information on how long we may retain your personal data.
Where we collect certain information about you or your device automatically, we retain this information for various periods, depending on the lifespan of the specific cookie that facilitated collection. Please contact us here to know more about the lifespan of cookies that we use on our website.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your request). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
9. How can you contact us?
You can also reach us at:
OpenX Technologies Inc.
Attention: Legal Department
177 E. Colorado Blvd., #3039, Pasadena, CA 91105
You may also contact our data protection officer at email@example.com or by calling us at (855) 231-3834.