Privacy Outbrain (original) (raw)

1. Who we are, What we do, How you can contact Outbrain, our DPO or the relevant authorities

Who we are:

This privacy policy applies to Outbrain Inc., a Delaware, USA corporation with headquarters in New York; and its affiliated subsidiaries (collectively, “Outbrain,” or “we“, “us“, “our“). We operate in various offices around the world and we partner with publishers and marketers across the globe.

Please note that Outbrains’ subsidiary Outbrain DSP (formerly Zemanta) Inc has a separate Privacy Policy, which can be found here.

What we do:

Outbrain’s mission is to serve interesting recommendations to you based on what we believe are your interests. To achieve our mission we enter into agreements with:

• online publishers and partners who want to recommend relevant content to their readers (this is Outbrain Engage);
• advertisers who want readers to view their content (this is Outbrain Amplify); and
• third party partners who help us serve relevant recommendations.

For further information on our Amplify (advertiser) services see here and our Engage (publisher) services see here.

How to contact us:

We regularly review our compliance with this Privacy Policy. Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed in the first instance to privacy@outbrain.com or by mail to Outbrain Inc., 111 West 19th Street, 3rd Floor, New York, NY 10011, USA, Attn: Privacy Questions.

If Outbrain does not satisfactorily answer your questions or concerns, you may also contact the following for advice, support or complaints:

• Outbrain’s Data Protection Officer (“DPO”) at dpo@outbrain.com ; and/or
• the Information Commissioner’s Office, which is Outbrain’s lead supervisory authority within the European Territories.

2. Alliances and Adherence

• We adhere to the Self-Regulatory Principles set forth by the Digital Advertising Alliance (DAA) and the European Interactive Digital Advertising Alliance (EDAA);
• We are members in good standing of the Network Advertising Initiative (NAI), an association dedicated to responsible data collection and its use for digital advertising as well as the Digital Advertising Alliance of Canada (DAAC) AdChoices Program. We also adhere to the NAI Code of Conduct for Web and Mobile. Outbrain also adheres to the Interactive Advertising Bureau’s (IAB) Self-Regulatory Principles for Online Behavioral Advertising, and the IAB Europe OBA Framework; and
• We are also TAG Brand Safety Certified here.

3. Outbrain User Types (including Opt Out Options)

Much of this Privacy Policy is divided into sections based on the way you may interact with Outbrain. You are either a Site Visitor, a User and/or a Business Partner (as defined below). Please determine what user type you are. For each user type we’ve explained what information we collect and why, what cookies and other similar technologies we use, how we share such information and your rights.

Site Visitors: You are a Site Visitor when you visit and interact with our web sites, web pages, interactive features, blogs and their respective contents at Outbrain.com (or any derivation, such as Outbrain.co.uk; Outbrain.fr; outbrain.de etc.) (“Our Sites“).

See more here.

Users: You are a User when you visit a page of a website or application of one of Outbrain’s partners where the Outbrain widget is installed or our recommendations are placed (“Partner Sites”). For example, if you visit https://news.sky.com/uk, www.spiegel.de or www.cnn.com, the Outbrain widget is implemented on those websites. You know you are engaging with an Outbrain widget when you see text referencing Outbrain (e.g., “Recommended by Outbrain”, “by Outbrain” near recommendations If you click on the hyperlinked reference to Outbrain you will see a detailed notice that enables you to navigate to Outbrain’s Interest Portal and this Privacy Policy where you can opt out of personalized recommendations. In some instances, a partner may have white-label Outbrain’s service for their own offering. In such an event, such partners must disclose their use of Outbrain in their privacy policies.

Example of an Outbrain Widget

See more here.

Business Partners: You are a Business Partner when you register (or email with Outbrain) on behalf of the company you work for to use the Outbrain Amplify or Outbrain Engage Services.

See more here.

4. Security Measures, Transfers Outside the EEA, Sharing and Data Retention

Security

Outbrain has a dedicated security team. We maintain tight controls over the personal data we collect, retaining it in firewalled and secured databases with strictly limited and controlled access rights, to ensure it is secure. Please see our security standards for more information.

Business Partners have access to certain password-protected features of the Amplify or Engage service. Business Partners are responsible for keeping this password confidential and for ensuring the same for their employees and/or their agents. Please remember that, unfortunately, the transmission of information via the internet is never completely secure. A common Internet scam is known as “spoofing” or “phishing.” This occurs when you receive an email from what appears to be a legitimate source requesting personal data from you. Please be aware that we will not send you any emails requesting you to verify credit card, bank information, or any other personal data. If you ever receive an email that appears to be from us requesting such information from you, do not respond to it, and do not click on any links appearing in the email. Instead, please forward the email to us at legal@outbrain.com, as we will investigate instances of possible Internet fraud.

Data Transfers Outside the EU/EEA

When we transfer personal data from the European Economic Area (EEA) we will ensure such transfers are in compliance with relevant data protection laws, including, if applicable, EU Standard Contractual Clauses, or a European Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC or Article 45 of the GDPR. In other words, your rights and protections remain with your data and we used approved contractual clauses and other measures designed to ensure that the recipients of your personal data protect it. Outbrain has in place the Standard Contractual Clauses between Outbrain entities to govern the transfer of data outside of the EEA.

Sharing

In addition to the description of how we may disclose your personal data for each user type, we may also disclose personal data as follows:

• Within the family of companies controlled by Outbrain for internal reasons, primarily for business and operational purposes;
• If we go through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of our assets, your personal data will likely be among the assets transferred;
• When legally required to do so (e.g., to cooperate with law enforcement investigations or other legal proceedings); and/or
• To respond to a genuine emergency.

In addition, we combine your personal data with those of other users in order to share trend information and aggregate user statistics with third parties, always in aggregated and anonymized form.

Data Retention

The retention period for each of the cookies Outbrain uses (whether our own or on our behalf by third parties) is stated in the Cookie Table. More specifically, the Outbrain cookie (Obuid),which is used for tracking user actions such as clicks, expires three (3) months after a user visited a particular site within our network however, this cookie will reset if a user returns to the same site or different site within our network. In addition, we do not retain any individual data point on a User for more than 13 months. For example, if UUID 123 read an article on December 31, 2018, on February 1, 2019 that article will no longer be part of UUID 123’s profile. Outbrain also maintains a Data Retention Policy that details the retention period for personal data based on our analysis of how long the specific data is reasonably required for legal or business purposes. When we no longer need personal data, we securely delete or destroy it. Aggregated data, which cannot identify a device/browser (or individual) and is used for purposes of reporting and analysis, is maintained for as long as commercially necessary.

5. Children and Sensitive Data

Children

None of our services are intentionally directed at children under 16. We do not knowingly collect personal data from anyone under 16 years of age. If we determine upon collection that a Site Visitor, a User or a Business Partner is under 16, we will not use or maintain his/her personal data. If we become aware that we have unknowingly collected personal data from a child under the age of 16, we will make reasonable efforts to delete such information from our records. If you’re a kid, please go play in the yard, don’t use or interact with Outbrain!

Sensitive data

We do not collect or receive any sensitive categories of personal data.

6. European Territory Visitors

In compliance with certain privacy laws, in particular the European General Data Protection Regulation (GDPR), Outbrain provides specific additional rights for individuals who interact with Outbrain such as the right to access, rectification, right to object, to complaint, erasure and blockage. More specifically and under certain circumstances:

• the right to request information about whether and which personal data is processed by us, and the right to demand that personal data is rectified or amended.
• the right to request that personal data should be deleted.
• the right to demand that the processing of personal data should be restricted.
• withdraw your consent to the processing and use of your data completely or partially at any time with future application.
• have the right to obtain your personal data in a common, structured and mechanically readable format.
• contact our data protection officer if there are any questions, comments, complaints or requests in connection with our statement on data protection and the processing of your personal data.
• the right to complain to the responsible supervisory authority if believed that the processing of your personal data is in violation of the legislation.

In addition to the above, we reference certain rights for European Territory citizens throughout this Privacy Policy. Pursuant to the GDPR, citizens from “European Territories” mean the European Economic Area (EEA), the European Free Trade Area (EFTA) and Switzerland. For the purpose of this Privacy Policy, the term “European Territories” shall continue to include the United Kingdom, even after the United Kingdom leaves the European Economic Area following Brexit. If you are in the UK, or the European Economic Areas, the controller of your data is Outbrain UK Limited.

Please email Privacy@outbrain.com with any questions about exercising any of the above rights.

7. California Privacy Rights

This section applies only to California residents. It describes how we collect, use and share Personal Information of California residents in operating our business, and their rights with respect to that Personal Information. For purposes of this section, “ Personal Information” has the meaning given in the California Consumer Privacy Act of 2018 (“ CCPA”) but does not include information exempted from the scope of the CCPA.

(a) Your California privacy rights.

As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.

• **Information.**You can request the following information about how we have collected and used your Personal Information during the past 12 months:
  • The categories of Personal Information that we have collected.
  • The categories of sources from which we collected Personal Information.
  • The business or commercial purpose for collecting and/or selling Personal Information.
  • The categories of third parties with whom we share Personal Information.
  • Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient.
  • Whether we’ve sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient.
• Access . You can request a copy of the Personal Information that we have collected about you during the past 12 months.
• Deletion. You can ask us to delete the Personal Information that we have collected from you.
• Opt-out of sales . If we sell your Personal Information, you can opt-out. In addition, if you direct us not to sell your Personal Information, we will consider it a request pursuant to California’s “Shine the Light” law to stop sharing your personal information covered by that law with third parties for their direct marketing purposes.
• Opt-in. We contractually prohibit our publishing and advertising clients from placing our technology on pages that target individuals younger than 16 years old. If we learn that you are younger than 16 years old, we will asking for your permission (or if you are younger than 13 years old, your parent or guardian’s permission) to sell your Personal Information before we do so.
• **Non discrimination.**You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you services; increasing the price/rate of services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.

(b) How to exercise your rights

You may exercise your California privacy rights described above as follows:

• Right to information, access and deletion. You can request to exercise your information, access and deletion rights by:
  • calling us toll free on 1-866-I-OPT-OUT and entering service code 253# to leave us a message.
  • emailing privacy@outbrain.com
• Right to opt-out of the “sale” of your Personal Information. We do not sell your Personal Information in the conventional sense (i.e., for money). However, like many companies, we use services that help deliver interest-based ads to you. California law classifies our use of these services as a “sale” of your Personal Information to the companies that provide the services. This is because we allow them to collect information from our website users (e.g., online identifiers and browsing activity) so they can help serve ads more likely to interest you. To opt-out from this “sale”, click on this link which will take you to our Interest Profile where you can opt out of personalised recommendations.

We will need to confirm your identity and California residency to process your requests to exercise your information, access or deletion rights. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.

(c) Personal information that we collect, use and share

The chart below summarizes how we collect, use and share Personal Information by reference to the statutory categories specified in the CCPA, and describes our practices during the 12 months preceding the effective date of this Privacy Policy. Categories in the chart refer to the categories described above in the general section of this Privacy Policy.

8. “Do Not Track” Disclosure

Some browsers transmit Do Not Track (DNT) signals to websites. Because there is no common understanding of how to interpret the DNT signal, Outbrain does not currently alter, change, or respond to DNT requests or signals from these browsers. We will continue to monitor industry activity in this area and reassess our DNT practices as necessary. In the meantime, you can use the range of other tools we provide to control data collection and use, including the ability to opt out of receiving personalized recommendations in the Users section.

9. EU-US Data Protection Framework (DPF) Participation

Outbrain complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Outbrain has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Outbrain has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

Please click here to view our certification.

10. Complaint and Dispute Resolution Procedure under the DPF

Outbrain’s internal complaints mechanism

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Outbrain commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Outbrain at: DPO@outbrain.com

You may have the right to lodge a complaint with the data protection authority of your country of residence. If you live in the UK, you can make a complaint with the Information Commissioner’s Office (ICO) at this address. If you live in the EU, you can find the relevant data protection authority here. To submit a complaint to the FTC, click here.

Independent Recourse Mechanism

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Outbrain commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to Judicial Arbitration and Mediation Services, Inc. (JAMS), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit JAMS for more information or to file a complaint. The services of JAMS are provided at no cost to you. Please contact or visit the https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint.

The Federal Trade Commission has jurisdiction over Outbrain’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.

Arbitration

You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country (including Switzerland) participating in the DPF must first:

(1) contact us and afford us the opportunity to resolve the issue;
(2) seek assistance from JAMS (an independent recourse mechanism); and
(3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue.

If such a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the DPF, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the DPF Principles with respect to the resident. The arbitration option may not be invoked if the individual’s same claimed violation of the Principles

(1) has previously been subject to binding arbitration;
(2) was the subject of a final judgement entered in a court action to which the individual was a party; or
(3) was previously settled by the parties.

For more details, please click here.

European Individual Rights Under The DPF

Outbrain must provide you:

• Information on the types of personal data collected
• Information on the purposes of collection and use
• Information on the type or identity of third parties to which your personal data is disclosed
• Choices for limiting use and disclosure of your personal data
• Access to your personal data
• Notification of the organization’s liability if it transfers your personal data
• Notification of the requirement to disclose your personal data in response to lawful requests by public authorities
• Reasonable and appropriate security for your personal data
• A response to your complaint within 45 days
• Cost-free independent dispute resolution to address your data protection concerns
• The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means

OUTBRAIN’S LIABILITY IN CASES OF ONWARD TRANSFERS TO THIRD PARTIES

In the context of an onward transfer, Outbrain has responsibility for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. Outbrain remains liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Outbrain proves that it is not responsible for the event giving rise to the damage.

11. How This Privacy Policy May Change

We may change this Privacy Policy from time to time. We will place a prominent notice that will be visible to you as a Site Visitor or Business Partner, but we do not have a means of advising Users of an update by way of notice. You should check back here periodically to see if the Privacy Policy has been updated as we will always show the date of the latest modification of the Privacy Policy at the top of the page so you can tell when it was last revised.

Data Protection Officer (DPO)

To communicate with our Data Protection Officer, please email at dpo@outbrain.com or use the contact details below.

Contact us

General questions

If you have any questions or concerns about your privacy you may contact us at:

Outbrain Inc. 111 West 19th Street 3rd Floor New York, NY 10011, USA Attn: Privacy questions

Email: privacy@outbrain.com or dpo@outbrain.com

You may also contact your local data protection authority. A list of local data protection authorities is available here.