Privacy Notice
1. Who is DoubleVerify?
DoubleVerify’s accredited platforms provide independent digital media measurement, data and analytics about advertisement (or "ad") impression delivery and website traffic, to help advertisers, agencies and advertising inventory sellers (together "Customers") confirm accurate delivery characteristics, including brand suitability, viewability metrics, contextual and environmental parameters (for example, the website on which an ad appears, and where it appears on the webpage), ad impression and website traffic quality characteristics, and provide insights that allow our Customers to make informed decisions about the placement of their creative and brand.
We believe in providing strong privacy protections to any individual whose information we may process in any capacity – because we believe privacy is a fundamental right, not something that should depend on where you may live. To live up to that principle, we treat any data that relates or is linked to an identified or identifiable individual as "Personal Information" regardless of that individual’s location. As it relates to our Solutions, DoubleVerify limits any information we collect to information that does not allow the identification of an individual without additional information. For example, DoubleVerify processes your Internet Protocol ("IP") address, which is a number that is automatically assigned to a computer when the Internet is used. While DoubleVerify treats such information as Personal Information, in accordance with best practices and applicable laws, we never combine that information with any other data that would enable us to identify the individual to whom it relates.
This Solutions Privacy Notice is intended to inform individuals whose data may be processed through our Solutions ("End User(s)" or, "you" and "your") of: (1) the types of information DoubleVerify may gather about you or your device when an advertisement that is analyzed by us is delivered to you on a website you are viewing or in an app you are using, (2) our privacy practices, how we may use, share, and otherwise process information that is deemed Personal Information, and (3) what your rights are with regard to such Personal Information. This Solutions Privacy Notice also explains what non-personal information ("Technical Information") we collect about the ads that we track and how we use that Technical Information to power our Solutions.
2. What is our role, goals and legal basis of Processing?
DoubleVerify’s fraud identification and elimination ("Fraud Elimination"), geography compliance verification ("Geo Verification") and Page Level Engagement Metric Solutions require the processing of Personal Information. Except in limited circumstances outlined below, with respect to laws and regulations such as the General Data Protection Regulation ("GDPR"), DoubleVerify operates Fraud Elimination as a "controller", and it operates Geo Verification and Page Level Engagement Metrics as a "processor". With respect to the California Consumer Privacy Act ("CCPA") and other US state regulatory frameworks, our designation may vary depending on the specific relationship with each Customer. Since the Personal Information we process is collected by our technology and "made available" to us by our Customers, we generally operate as a "contractor" under CCPA or as a "processor" under other US state laws and regulatory frameworks. Notwithstanding the foregoing, in limited circumstances where Personal Information is shared with DoubleVerify via custom designed integrations and other non-standard means, for example when such Personal Information is collected and provided by a Customer for DoubleVerify’s analysis, we may be deemed a "processor" or a "service provider" under CCPA. This scenario is most common in our partnerships with social media Customers and other Customers that operate proprietary environments, often referred to as "walled gardens".
Except for Fraud Elimination, including as required to qualify impressions according to standard industry practices (e.g., Media Ratings Council guidelines), Geo Verification, and Page Level Engagement Metrics, DoubleVerify’s other Solutions (such as viewability, brand safety and suitability) do not generally require the processing of Personal Information. However, there are circumstances, such as instances where we may provide such Solutions to Customers that operate "walled gardens", where these Customers, in their role as controllers, may require DoubleVerify to process additional Personal Information of End Users or individuals who create accounts and content within the Customer’s environments. In any such scenario, the determination as to what Personal Data is processed is made by the Customers, who in their role of controllers, also determine, in their sole discretion, the legal basis of processing of such Personal Information. For further information about these Customers’ privacy practices, the Personal Information processed and the applicable legal basis of processing, you should review each Customer’s relevant and applicable privacy notice or statements. If you contact DoubleVerify to inquire about these programs, we can provide some basic information about the work we do for these Customers, but we will recommend that you contact the individual Customer or review the privacy documentation they make available on their properties.
As it relates to laws such as the GDPR, DoubleVerify’s legal basis for processing Personal Information through our Solutions is the legitimate interest of: (i) our Customers to avoid ad-related fraud, present geographically accurate and compliant information to End Users and, in limited scenarios, enable publisher Customers to assess the performance of certain content, (ii) the End Users in receiving fraud-free and geographically accurate and compliant information, and (iii) the general public in the continued availability of a free internet.
DoubleVerify participates in the IAB Transparency and Consent Framework (TCFv2.2 – Vendor ID 126), with legitimate interest as the default basis of data collection associated with the following purposes:
- Ensure security, prevent and detect fraud, and fix errors (Special Purpose 1)
- Deliver and present advertising and content (Special Purpose 2)
- Save and communicate privacy choices (Special Purpose 3)
- Measure advertising performance (Purpose 7)
- Measure content performance (Purpose 8)
- Develop and improve services (Purpose 10)
In limited scenarios, the entity in charge of the IAB Europe Transparency & Consent Framework on the property where DoubleVerify Solutions operate may make the Geo Verification or Page Level Engagement Metrics Solutions subject to consent. In these very limited instances, consent would apply to the following purposes:
- Use limited data to select advertising (Purpose 2)
- Measure advertising performance (Purpose 7)
- Measure content performance (Purpose 8)
- Develop and improve services (Purpose 10)
3. What data do we collect and for what purposes?
DoubleVerify, to carry out its business purposes of providing, maintaining and improving its Solutions, collects and uses certain categories of Personal Information and Technical Information. The categories of Personal Information and Technical Information processed through the DoubleVerify Solutions are outlined below. To the extent Personal Information is required for the operation of one or more features of a DoubleVerify Solution, such Personal Information will be used only for the specific purposes outlined below, unless otherwise required by law. Additionally, in some circumstances, it may be necessary to process the Personal Information in conjunction with some Technical Information for DoubleVerify’s Solutions to properly function. In any such scenarios, the combined data is considered Personal Information and protected accordingly. We do not combine, analyze or enrich the Personal Information and Technical Information we process with additional information with the goal of identifying the End Users. We never track you or your online activities across apps and websites or over time, we do not rely on persistent technologies such as third-party cookies and we never create profiles or audience groups to target individuals.
- Categories of Technical Information collected and used to power the DoubleVerify Solutions:
  - Advertising campaign attributes – The identifier of the advertiser that delivers an ad, its campaign and placement identifiers, the identifiers of the media property selling the inventory to the advertiser or any intermediary advertising platform are collected and processed to identify the Customer we are servicing, to apply the correct settings for the Customer, to segment the Customer reports according to these identifiers and to bill the Customer.
  - Web content attributes – The web address (URL) of the page/frame where the ad is being delivered to, and the address of any referring pages/frames are collected to ensure the ads are delivered in the right context our Customer has set in the profile settings in our system.
  - Mobile application attributes – The mobile application name, mobile application id, app store, developer of the application, star ratings of the application, age rating of the application and other publicly available information about the mobile application where the advertisement is delivered to. This information is used to ensure the advertisements are delivered in the right context our Customer has set in the profile settings in our system.
  - Digital environment attributes – The type of connected device the advertisement is being delivered to: mobile, desktop, connected TV or other device, the browser type and version used to render the page where the ad appears and the operating system are collected to determine what version of our code would properly run in that environment and to properly measure if the advertisement had the chance to become viewable on the screen according to industry standards which vary between environments.
  - Viewability attributes – The location of the ad on the page, the size of the ad, the size of the screen, the size of the viewport, the tab focus status, the browser focus status, the time duration the ad was in the viewable part of the webpage and the scroll position of the webpage are collected to determine and report to our Customers if the advertisement had the chance to become viewable on the screen.
  - Exposure and engagement attributes – Data that shows if the ad was clicked, swiped, tapped or touched, resized, skipped, muted, paused, rotated, hovered or changed volume is collected to help our Customers measure the performance of the advertisement, the advertising campaign or the media property.
- Categories of data collected and used to power Fraud Elimination:
  - Pseudonymous electronic presence and device identifiers – i.e. IP address, user agent string or derivatives of these two values – are used in order to assess whether the online presence or device is participating in or associated with a fraudulent scheme.
- Categories of data collected and used to power Geo Verification:
  - Pseudonymous electronic presence and device identifiers – IP address – are collected to determine the geographical location they are associated with. Each IP is associated with a country, and in some instances, with a Designated Market Area (or "DMA"), which is a term to describe metro clusters. Within the United States, IPs are associated with DMAs as well as zip codes. Your exact geolocation information (also known as precise geolocation) is never collected, received or inferred.
- Categories of data collected and used to power Page Level Engagement Metrics:
  - Pseudonymous electronic presence and device identifiers – IP address – are received as a technical necessity to establish the connection with the device. Additionally, limited interaction information, in the form of time spent on the page, percentage of page scrolled or similar values, is assessed to enable publisher Customers to measure the quality of the content analyzed. While limited Personal Information is processed as part of this Solution, the objective is unrelated to analyzing any data related to the individual but rather focused on the performance of content on the page.
In limited circumstances, DoubleVerify may be required by some of its Customers, for example Customers that operate as "walled gardens", to process additional Personal Information to enable its Solutions. Such additional Personal Information may relate to you as an End User, to individuals who create accounts within such "walled gardens" or individuals who create content that is published within such "walled garden" environments. To the extent DoubleVerify is required by one of its Customers that operate as "walled gardens" to process additional Personal Information to enable certain Solutions, DoubleVerify shall process such Personal Information solely for the purpose of fulfilling its obligations to the Customer and strictly in accordance with the Customer’s instructions, as required to operate, maintain and, where applicable, improve the Solutions. We work diligently with these Customers to ensure the Personal Information processed is limited only to the Personal Information necessary to achieve these purposes. In limited circumstances, our interaction with "walled gardens" may result in incidental receipt of Personal Information. DoubleVerify works diligently to monitor any such instances to ensure such Personal Information is not processed beyond receipt except to securely purge it from our systems. Since in these scenarios the specific categories of Personal Information are dependent on the custom integration and decisions of the Customer, and vary from Customer to Customer, if you have further questions, we recommend that you contact the individual Customer or review the privacy documentation they make available on their properties.
The Solutions are not intended to or directed at the processing of children’s Personal Information. We do not knowingly collect Personal Information from children, as such term is defined by applicable laws from time to time. If you are a parent or guardian and believe your child’s Personal Information may have been processed through the Solutions, please contact us by using the information in Section 13, How to Contact DoubleVerify below and we will take steps to securely delete their Personal Information from our systems.
4. How do we use the data we collect?
DoubleVerify only uses the Technical Information and Personal Information collected for the purposes outlined in Section 3, What Data do we Collect and for What Purposes?, of this Solutions Privacy Notice. In general, the Technical Information and your Personal Information are processed to provide reporting, dashboards, feedback and insights ("Reporting") to our Customers. DV’s standard Reporting is anonymized and aggregated. To the extent more granular reporting is requested by our Customers, for example impression level or URL level reporting, impressions are generally de-identified to prevent Personal Information of End Users from being shared with Customers. Notwithstanding the foregoing, as required from time to time to comply with obligations in our Customer agreements, reporting may include limited pseudonymous information.
Reporting built for Customers that operate as "walled gardens" (for example social media companies) and other Customers that rely on such reporting (for example companies that advertise on social media feeds) may include information of individuals who create accounts within such "walled gardens" or individuals who create content that is published within such "walled garden" environments.
This Section provides additional insight into how the Technical Information and your Personal Information is processed to achieve the business purposes specified in Section 3 of this Solutions Privacy Notice.
DoubleVerify uses the Technical Information collected through the Solutions, as specified in Section 3.1, in the following ways:
- To analyze and report on the context in which advertisements are displayed, their quality, authenticity and performance. Specifically, information illustrating whether an ad being displayed is in compliance with a Customer’s pre-set legal and placement requirements, as well as preference settings the Customer has established in our system.
- To provide insights and preemptive decisioning of impression opportunities. DoubleVerify technology analyzes the data characteristics of an impression opportunity and determines whether the Customer’s advertisement should be displayed or not, for example by determining that the surrounding content does not align with that Customer’s branding and preferences.
DoubleVerify, to power Fraud Elimination, uses the Technical Information and Personal Information collected through the Solutions, as specified in Section 3.1 and 3.2, to:
- Review and identify specific ad impressions that are fraudulent due to being generated by bot-controlled, non-human browsers.
- Assess and identify invalid traffic such as traffic generated by ad injectors, traffic originated in data centers, misrepresented traffic, emulated traffic and other types of invalid traffic.
- Analyze and identify websites, mobile and connected device apps, and media properties that have fraudulent traffic and/or generate fraudulent advertising impressions.
- Identify traffic patterns across websites participating in fraudulent advertising activity.
- Differentiate between traffic generated by bot-controlled, non-human browsers and human browsers.
- Determine whether ads analyzed follow applicable legal requirements and preferences set by our Customers.
- Determine if a middleware is attempting to misrepresent its operating characteristics to prevent the identification of fraud or other invalid traffic.
- Determine if website traffic or ad impressions are originating from a server farm rather than human-generated browsing activity.
- Determine if traffic is being acquired through fraudulent practices or through other traffic acquisition practices that are not compliant with a Customer’s guidelines or preferences.
- Create records of IP addresses and user agent strings associated with fraudulent schemes and non-human generated traffic ("Fraud Tables"). Because such data points are associated with non-human interactions, they do not constitute Personal Information.
DoubleVerify, to power Geo Verification, uses the Technical Information and Personal Information collected through the Solutions, as specified in Section 3.3, to:
- Assess at high level (country, state, region, or, for US residents, zip code) the geographic location of the End User and verify if the End User is located within the Customer’s campaign or traffic settings.
DoubleVerify, to power Page Level Engagement Metrics, uses the Technical Information and Personal Information collected through the Solutions, as specified in Section 3.4, to:
- Enable publisher Customers to measure the performance of certain content on their properties.
To the extent DoubleVerify is required by one of its Customers that operate as "walled gardens" to process additional Personal Information to enable certain Solutions, DoubleVerify shall process such Personal Information solely for the purpose of fulfilling its obligations to the Customer and strictly in accordance with the Customer’s instructions, as required to operate, maintain and, where applicable, improve the Solutions. If you have any questions, we recommend that you contact the specific Customer or review the privacy documentation they make available on their properties.
Additionally, it may become necessary for your Personal Information to be used (e.g., analyzed) in connection with:
(a) an order from a government entity, tribunal, law enforcement or regulatory agency requiring such use (for example as part of an ongoing investigation, subpoena, similar legal process or proceeding);
(b) an applicable law, regulation, or rule, to ensure compliance with specific requirements therein; or,
(c) our good faith belief that such use is necessary to protect or defend our rights or the rights of others, to assist in an investigation or to prevent illegal activity.
5. How and to whom do we disclose data?
DoubleVerify does not disclose Personal Information to third parties, except as strictly necessary for our business purposes to operate, maintain and improve our Solutions. To the extent we voluntarily share any Personal Information, we ensure it is protected by the recipients in a manner consistent with our own policies and standards.
We may share your Personal Information with:
Service Providers – companies we have contracted to provide us services such as IT and system administration, infrastructure and hosting services, research and analytics, support and quality assurance, security and other services, for the purposes and pursuant to the legal basis described above. You can request a list of our Service Providers, what Personal Information they receive and for what purposes by contacting us. You can find our contact information in Section 13 How to Contact DoubleVerify of this Solutions Privacy Notice.
Affiliates – such as a parent company, sister companies, subsidiaries, joint ventures or other companies under common control, to the extent necessary to operate, maintain and improve our Solutions. You can request a list of our Affiliates, what Personal Information they receive and for what purposes by contacting us. You can find our contact information in Section 13 How to Contact DoubleVerify of this Solutions Privacy Notice.
Third Parties engaged by our Customers – to support our Customers, we may integrate our Solutions with other tools and services engaged by our Customers to deliver enhanced services and reporting capabilities. Under no circumstances do we receive data from these integrations that enable DoubleVerify to enrich our data and identify End Users. In limited scenarios, we may share impression level information with companies engaged by our Customers to conduct research on marketing effectiveness. In limited circumstances, our Customers may instruct us to share certain Personal Information required to enable functionality of a product or service not managed by DoubleVerify.
Third Parties involved in a Corporate Transaction – in the event that DoubleVerify is acquired or merged with another company, or in the event of a reorganization, dissolution or other fundamental corporate change.
We may be legally required to disclose your Personal Information:
(a) If a government entity, tribunal, law enforcement or regulatory agency requires such disclosure (for example as part of an ongoing investigation, subpoena, similar legal process or proceeding);
(b) As otherwise required under any applicable law, regulation, or rule; or,
(c) If we believe, in good faith, that such disclosure is necessary to protect or defend our rights or the rights of others, to assist in an investigation or to prevent illegal activity.
Fraud Tables and other Fraud Elimination related reports, data feeds, APIs and dashboards that do not contain Personal Information may be shared with or made available to Customers and other third parties, including for example industry organizations, as necessary for DoubleVerify to carry out its business purposes of providing, maintaining and improving the Fraud Elimination portion of our Solutions and combat ad-fraud.
Except as otherwise explained in this Solutions Privacy Notice, or as required by our Customer agreements, we do not share Personal Information with our Customers. Standard reports and analytics we make available to Customers via our Reporting Portal, except for certain reporting related to "walled gardens", are aggregated and anonymous. Reporting is generally aggregated, but in some circumstances granular reporting is provided via FTP end points or APIs. We may share Technical Information, which is anonymous, in aggregated formats or in its raw form, with Customers and their designated recipients, as well as with third parties as we may deem necessary to carry out our business purposes of providing, maintaining and improving the Solutions. Additionally, we may share anonymous or de-identified data on an aggregate basis in the normal course of operating our business; for example, to publish case studies and reports to show trends about the benefits and performance of our Solutions.
For the avoidance of doubt and except as it relates to its relationship with its Customers, DoubleVerify does not make disclosures of Personal Information to entities that operate as a "business" or a "third party" under laws such as the CCPA.
6. How long do we keep Personal Information?
DoubleVerify retains any Personal Information processed through its Solutions only as long as necessary to effectuate the purposes outlined in this Solutions Privacy Notice, and in no event longer than forty-five (45) days. Upon the expiration of that period, the Personal Information is securely purged from DoubleVerify’s systems.
In limited circumstances it may become necessary or required to retain your Personal Information for an extended period of time, for example:
(a) If a government entity, tribunal, law enforcement or regulatory agency requires such extended retention (as part of an ongoing investigation, subpoena, similar legal process or proceeding);
(b) As otherwise required to ensure compliance with an applicable law, regulation, or rule; or,
(c) If we believe, in good faith, that such retention is necessary to protect or defend our rights or the rights of others, to assist in an investigation or to prevent illegal activity.
Fraud Tables may be retained indefinitely to ensure the proper functionality of the Fraud Elimination Solution.
Technical Information, as it is anonymous in nature, may be retained by DoubleVerify indefinitely or as long as otherwise provided for in DoubleVerify’s policies and permitted by applicable laws and DoubleVerify’s agreements with its Customers.
7. How is Personal Information secured?
DoubleVerify has implemented appropriate technical, physical and organizational measures designed to protect Personal Information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as well as all other forms of unlawful processing. While we follow generally accepted standards and best practices to protect Personal Information, no method of storage or transmission is 100% secure. However, we are constantly working to improve our safeguards and keep your Personal Information secure.
8. How is Personal Information transferred internationally?
Please be aware that the Personal Information we collect may be transferred to and maintained on servers or databases located outside your state, province, country, or other jurisdiction. While your Personal Information may be transmitted through a local temporary data center to ensure the Solutions are efficient and responsive, DoubleVerify ultimately stores all Personal Information collected through the Solutions in the United States. As a global company, we have office locations in the United States, the United Kingdom, France, Belgium, Finland, Germany, Israel, Canada, Mexico, Brazil, Japan, India, Singapore and Australia. Our employees at these locations may be required to access your Personal Information to support our Solutions. The level of data protection established in some of these locations, such as the United States, may be lower than the one established in the European Union or other jurisdictions that have enacted strong privacy laws and regulations.
We take measures to ensure that your Personal Information is stored safely with us, meeting regulatory privacy and security requirements imposed on European Union businesses. We also ensure that any other recipient of your Personal Information offers an adequate level of protection and security, for instance, by entering into the appropriate back-to-back agreements and, if required, standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission or other applicable regulator. DoubleVerify’s privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules (CBPR) System and the Privacy Recognition for Processors (PRP) system. The APEC CBPR system and the APEC PRP system provide frameworks for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC frameworks can be found here. If you have any questions about where we store Personal Information you can contact us as outlined in Section 13 How to Contact DoubleVerify of this Global Privacy Notice.
In addition, DoubleVerify Inc., and its subsidiaries Outrigger Media, Inc. d/b/a OpenSlate, Scibids Technology Inc. and Zentrick Inc. ("DoubleVerify"), complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. DoubleVerify has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU-U.S. DPF. DoubleVerify has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In the context of onward transfers, DoubleVerify is accountable for the processing of personal data it receives under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. DoubleVerify remains liable under the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles if DoubleVerify’s agent processes personal information in a manner inconsistent with the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles, unless DoubleVerify proves that it is not responsible for the event giving rise to damage.
The Federal Trade Commission has jurisdiction over DoubleVerify’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, DoubleVerify may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, DoubleVerify commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first us by using the information outlined in Section 13 How to Contact DoubleVerify of this Global Privacy Notice. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, DoubleVerify commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.
For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
9. What are your rights?
End Users in certain jurisdictions may have data subject rights enabling them to make requests related to their Personal Information. Most jurisdictions also provide End Users with the right to be informed of how any Personal Information is collected, used and with whom it may have been shared or disclosed, as well as for what purposes. DoubleVerify’s Solutions Privacy Notice is intended to meet any such requirements, but if you have any additional questions or would like to better understand how your Personal Information may have been collected, used or with whom it may have been shared or disclosed, and why, please contact us by using Section 13 How to Contact DoubleVerify below.
Residents of the European Economic Area, the United Kingdom, Switzerland or California, among others, have several rights under the applicable privacy laws and regulations, such as under the GDPR and the CCPA. To exercise these rights, you can use this Form or contact us using Section 13 How to Contact DoubleVerify below. In accordance with certain laws and regulations, such as the CCPA, you may also designate an authorized agent to submit a request or exercise a right on your behalf. We will not discriminate or retaliate against you for exercising your rights.
These rights are:
a) The right to access any Personal Information we may hold about you, including information about the categories and the specific pieces of Personal Information.
b) The right to correct any inaccurate Personal Information we may hold about you. Please keep in mind that due to the nature of the Personal Information we collect and the method of our collection, it is highly unlikely that we hold Personal Information that is inaccurate or that would meet the circumstances requiring a correction.
c) The right to request that DoubleVerify delete any Personal Information we may hold about you.
d) The right to request that the processing of Personal Information about you be suspended or restricted for a period of time, for example, while you assess whether you have other rights you would want to exercise.
e) To the extent your Personal Information is processed based on a legitimate interest, you have a right to object to such processing.
f) To the extent your Personal Information is processed based on your consent, you have a right to withdraw such consent via the IAB Europe Transparency & Consent Framework.
To the fullest extent possible, we fulfill any request related to an End User provided we can match the End User to Personal Information we hold on our systems. However, in certain circumstances we may be required to verify your identity to fulfill a request. To verify your identity or understand the scope of your request we may need to request additional information about you. You will not be required to create an account with us to submit a request or have it fulfilled. You will need to provide an email address so we can communicate with you and support your request, as well as any information we may need to allow us to verify whether we hold any Personal Information about you. Please be aware that circumstances may exist that will render us unable to fulfill your request, but if we are unable to fulfill your request we will explain why. To the extent we do not hold any Personal Information about you we will let you know. We make best efforts to respond to all inquiries and requests as soon as reasonably possible, but please allow up to thirty (30) days for us to respond.
To the extent DoubleVerify serves as a "processor", "contractor" or "service provider", as defined in the applicable law, you may need to direct your requests to exercise your rights to the relevant Customer who serves as the "controller" or "business".
10. Additional Disclosures
Certain privacy laws and regulations, such as the CCPA, require businesses to disclose whether they sell Personal Information. DoubleVerify does not disclose Personal Information in a way that would constitute a "sale" or "sharing" under California, Virginia, Nevada or similar laws.
11. Does DoubleVerify use Artificial Intelligence?
DoubleVerify uses Artificial Intelligence ("AI") in various capacities and ways throughout the organization. While DoubleVerify makes use of AI technologies, we do not engage in "automated decision making" as defined by applicable privacy laws and regulations.
12. Governing law
To the extent applicable and permitted by applicable laws and regulations, this Solutions Privacy Notice is governed by and interpreted in accordance with the internal laws of the state of Delaware, and jurisdiction and venue for any dispute will be in Delaware.
12. Do we update this Solutions Privacy Notice?
We may update this Solutions Privacy Notice from time to time to reflect changes in our Solutions, practices, policies or other internal or external changes, as well as to comply with new legal requirements. Any changes will be posted as soon as they go into effect. If we make updates, we will update the "effective date" listed at the top of this Solutions Privacy Notice to help you understand when changes were made. To stay informed of any such updates, we encourage you to refer back to this Solutions Privacy Notice regularly. Please note that any translation of this Solutions Privacy Notice is intended solely to facilitate your access to this information. The English version is the only official version of this Solutions Privacy Notice and any translation inaccuracies or discrepancies are not binding and have no legal effect for compliance or enforcement purposes.
If you have any questions, concerns or comments about this Solutions Privacy Notice, or you believe your Personal Information has been used in a way that is not consistent with the Privacy Notice or your choices, you can contact our Privacy Team at:
Privacy Officer / Data Protection Officer (Privacy Team) Contact Information
DoubleVerify Inc.
462 Broadway
New York, NY 10013
privacy@doubleverify.com
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. We are committed to achieving a fair resolution of any complaint or concern you may have about your privacy or this Solutions Privacy Notice. However, if you believe we have not been able to assist you, nothing in this Solutions Privacy Notice limits or attempts to limit your rights under applicable laws, including your ability, depending on your country of residence, to file a complaint with your local Data Protection Authority or other agency with jurisdiction over privacy-related matters.