Services Privacy Policy

1. Introduction

This document describes the processing of personal data that Neodata (Data Processor) performs for third parties (Data Controllers). The relationships between Neodata and the Data Controller (or “Customer” hereinafter) and the information contained in this document take into account the obligations and responsibilities of each of the parties involved as defined by the GDPR.
In no event shall Neodata, which intervenes exclusively as a mere provider of technical services, be vested with the power to decide the purposes and the basic method of processing or the security profile for management of the data. Therefore, when processing the data collected through the provision of the Services, Neodata and all of the group’s subsidiaries always and exclusively act on the basis of the decisions and instructions provided by the Customer, who is the sole data controller, and work under its management and supervision. Furthermore, it should be noted that this Privacy Policy does not apply to third-party applications or software (services) that are integrated with Neodata’s services.

2. Scope of the Services Privacy Policy

He processing performed by Neodata is based on the consent of the data subject acquired by the Data Controllers and allows the Customers to profile and analyse the behaviour of users (hereinafter “Users”) who visit their websites, view their advertising campaigns or use mobile devices with their app as well as to provide recommendations on editorial content and manage the delivery of online advertising campaigns.
Neodata specialises in the analysis of Big Data and is a provider of functional modules that can be integrated with each other or with other external platforms. The functional modules offered by Neodata can be found on two platforms:

• exaudi (Data management platform) allows the collection and analysis of data relating to the characteristics and behaviour of users and enables its use for tactical or strategic purposes.
• ad.agio (Ad Server) allows the management and delivery of multi-platform digital content.

The integration of exaudi and ad.agio allows the management and delivery of targeted web content.

3. Neodata Technology – exaudi & ad.agio

exaudi is a DMP (Data Management Platform), namely a software platform developed and offered on the market by Neodata Group which:

1. allows the aggregation in one place of the data managed by a Data Controller, coming from online and offline sources, relating to the characteristics and behaviour of people,
2. enables the Data Controller to use it for tactical or strategic purposes.

The platform mainly performs profiling activities, i.e. the processing of personal data used to assess aspects relating to a natural person such as personal preferences, interests, reliability, behaviour, location and movement. (ref GDPR Art.4: Definition of Profiling).

ad.agio is an adserver used for the management of online advertising campaigns that stores digital content and is capable of delivering it to a user by generating an impression. The data contained on the platforms mainly concerns web or mobile users (customers or potential customers of the Data Controller) who used a device to interact with content under the Data Controller’s control. In addition, the data may also come from external suppliers that authorise its use by the Data Controller for clearly defined purposes.

4. The use of cookies in the services offered by Neodata

In order to provide its services, Neodata uses “cookies” (hereinafter “Cookies”), namely small text files that store certain information related to users’ navigation. Cookies are installed on the User’s browser and can be read, modified or deleted by the User by changing the settings on their browser and do not contain viruses. In general, Cookies are divided into “technical” and “profiling” cookies. Neodata uses both technical Cookies and profiling Cookies. The use of one or both categories of Cookies depends on the service that Neodata provides to the Customer. The following table shows which types of cookies (i.e. “technical” or “profiling”) are used by Neodata and its subsidiaries according to the specific service provided:

Cookies installed via Neodata services usually refer to the smart-dmp.com and neodatagroup.com domains, unless otherwise requested and stated by the Customer in its Privacy Policy or cookie policy.
The fact that there is a link on the websites or other spaces of the Customer, or of the subjects to whom the former provides its services to connect the resources hosted by Neodata or that the Cookies installed refer to the Neodata domains does not imply that Neodata manages the processing operations implemented independently by the Customer through the use of its tools.
Said tracking tools (e.g. cookies, AAID (Android Adverting ID) e IDFA (Apple Identifier Advertiser) attribute a unique ID to the User through which their habits can be tracked, recognising them upon each visit and personalising the messages based on that. The unique ID is, indeed, associated to the User’s browser or device and in no event the data collected is used by Neodata, either directly or indirectly, to determine their personal identity.

5. Data collected and received by the Data Controller

Neodata is capable of collecting information on users by monitoring the touch-points of the Data Controller of the first and/or second part, through scripts (entered using tags) performed in browsers, executed within browsers, or through pixels inserted in the email, or through a proprietary SDK that the Data Controller integrates into its mobile applications. Touch-points can be voluntary or induced and are of the following types:

• view a domain’s web page;
• view a DEM;
• view adv;
• use of a mobile app
• CTA response (call to action).

In the process of interaction between a user and web and app content, Neodata detects certain information, initially also stored in Technical Cookies and/or Profiling Cookies, such as: Device Id, Device info, Ip address, Action Type (View, Impression, Click, CTA), Content Type (Text, Picture, Video), position and other details provided by the user who accesses the various data sources. For mobile devices that contain applications installed by the Data Controller or by third parties chosen by the Data Controller, Neodata can get Users’ information about the type of device used, connection’s type, carrier’s name, the geographical position. Tracking can be activated only after the User has previously authorized the application to send the data.

In addition, there are other types of data that the Data Controller may request Neodata to integrate within its systems that include:

• user identification data,
• data relating to the user’s characteristics,
• data relating to generic actions performed by the user (events).

6. Information extracted from data

Neodata is capable of performing automated processing, including profiling, that allows the extrapolation of information on users such as:

• geographical location: obtained from the IP addresses to which the internet connections made by users and / or the geographical coordinates of the device are associated;
• user interests: obtained based on preferences for the use of the contents expressed implicitly by users through browsing; the contents are associated with the IAB interest categories and/or categories defined by the Data Controller;
• classification of visited contents: obtained by analyzing the free text on the HTML pages visited by the user and associating the categories of the taxonomy of the IAB and/or the taxonomy defined by the Data Controller that are most represented by it;
• gender and age: obtained by analyzing the interests associated with each user and deriving the gender and presumed age of the user through specific classification models.

Neodata enables the Data Controller to build user groups, called clusters, implementing rules that consider the features and / or actions performed by users. Neodata Group data processing services do not allow the construction of profiling clusters related to minors (age < 18 y.o.).

Neodata can collect personal data:

• non-PII data(Personally identifiable information) that does not allow direct identification of the data subject.
• PIIdata that allows the direct identification of the data subject if and only if it is expressly provided by the user.

Neodata can integrate personal data on its platform:

• non-PII data.
• PII dataonly if necessary for specific purposes defined by the Data Controller.

Through the processing of non-PII data & PII data, Neodata acquires information on users relating to:

1. personal preferences,
2. user characteristics,
3. interests,
4. behavior,
5. location and movement.

7. Use of data

For the sole purposes related to the provision of Services, Neodata may share the information collected, in aggregate form or not, with subsidiaries, affiliates or partners of the Customer and only in response to its express request.

The information processed by Neodata can be integrated with external platforms such as: DSP/SSP, DMP, DEM, Ad-Server and CRM which, among other things, allow the activation of information processed on users to deliver profiled contents (tactical purposes).

Furthermore, the information processed by Neodata can be used to generate statistics or perform analyses for use in reports or dashboards (strategic purposes).

The Customer is required to obtain prior consent from the User in relation to the use of said tools.

Neodata reserves the right to communicate the data collected to the competent authorities (including judicial authorities) in the cases imposed by law or upon request of the authority involved.

8. Technologies used

Neodata Group uses three possible cloud service providers (sub-processors): Microsoft^® Azure, Amazon AWS and Google Cloud Platform.

The suppliers provide cloud technology infrastructures that allow large-scale workloads to be run on virtual machines such as developing applications using integrated services, managing relational databases, managing non-relational databases, executing SQL-like queries in real time and adopting measures of adequate technical and organizational security for data protection.

9. Non-EU transfers

The servers used by Neodata for storing and processing are located exclusively within the EU.
Therefore no data is transferred outside the EU.

10. Data processing commitments and security measures

Neodata, in using the technologies necessary for the processing of big data, undertakes to:

1. Minimise the number of personal data;
2. Process personal data in separate compartments;
3. Process personal data at the highest level of aggregation with the lowest possible degree of detail, compatibly with the purposes of the processing defined by the Data Controller;
4. Minimise the type of personal data at each stage of the process compatibly with the purposes.
5. Allow the interaction with data through the enabling of roles associated with the purposes characterised by different operations, formats and types of data.

When appointing the Controller-Processor, the Data Controller determines the period of execution of the processing and the consequent determination of the data retention period.

All data is extracted, processed and stored exclusively for purposes related to the provision of Neodata Services through their systems and is destroyed when no longer necessary for said purposes. The data is kept for a period of time not exceeding the achievement of the purposes for which it was processed.

Neodata pays particular attention to data security and has established a dedicated internal team that works continuously to protect the data and information belonging to the data subjects of the processing by continuously implementing state of the art technical and organisational security measures to ensure an appropriate level of security. Nevertheless, the current level of the technique does not allow total control over the methods of data transmission over the Internet or its storage.

11. Data subject’s Rights and Data Protection Officer

The data subject can communicate with the Data Protection Officer (DPO) of Neodata by sending an email to dpo@neodatagroup.com.

In order to exercise their rights, such as: request for access, request for rectification, deletion, limitation and portability, a data subject can send an email to privacy@neodatagroup.com.

The data subject has the right to oppose processing performed by Neodata by visiting the link below. This impediment is termed an Opt-out, through which Users prevent Neodata from inserting Cookies in their browsers on behalf of the Customer. Users who have activated the Opt-out can decide to restore the Cookies at any time by clicking on the Opt-in button available at the following link.

Users can also request Opt-in by selecting Neodata on the YourOnLineChoice web site at the following link.

Furthermore, users can take position against the tracking of mobile data by configuring their devices according to what is indicated in the paragraph “13 Management of preferences for Adv Digital Identifiers”.

12. Management of preferences relating to Cookies

The User can manage the preferences relating to Cookies directly in their browser and prevent, among others, Neodata from installing any. Using browser preferences, it is also possible to delete Cookies previously installed.

The User can find information on how to manage cookies in the browser at the following addresses: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer, Microsoft Edge.

Please note, however, that the deactivation of Cookies may interfere with the proper functioning of certain websites (e.g. access to areas protected by username and password).

13. Management of Adv Digital Identifier preferences

It is possible for the user to limit the disclosure of some personal data by his mobile device by changing the related settings.

For iOS mobile devices, go to “Settings” from the device’s home screen, scroll down to “Privacy”, select “Advertising” and activate “Limit ad tracking”.

For Android mobile devices, go to “Google Settings”, select “Announcements” and then the “Opt Out of Interest Based Ads” checkbox.

Nessie Project

Neodata Group manages, as data processor, the adversiding profiling cookies of the following companies, partecipating in NESSIE Project:

• AdnKronos
• Barilla
• Bolton
• Ferrero
• Henkel
• Nestlè
• Perfetti Van Melle
• Piaggio
• Valsoia
• 4w MarketPlace

By this project Neodata Group, through automated processing and always of advertisement purposes, promotions and commercial offers in line with the preferences expressed by the user during the web navigation, cross and enrich the data obtained from cookies to obtains new information about users, to create homogeneous clusters and summaries related to each user. Neodata Group services are also capable to synchronize data with external business intelligence platforms and marketing automatic platforms.

Neodata Group data processing services do not allow the creation of profiling clusters related to minors.

If a user has visited the sites of those companies, or even other sites where advertising banners of those companies have appeared, he has probably consented in full to the use of these cookies according to the indication of the brief information. Users can revoke your consent by clicking on the opt-out button; or, alternatively, you can express your consent by clicking the opt-in button.