COMMITTED TO YOUR PRIVACY
Crimtan is dedicated to the highest standards of consumer privacy. Our technology and systems were designed to use only non-personally identifiable information to ensure the privacy and protection of all consumer data and to exceed industry best practices and data protection laws. Crimtan are a long-standing, active member of IAB’s Behavioural Targeting Council, a founder signatory to the EU Framework for Online Behavioural Advertising and one of the first online ad companies to roll out the AdChoices icon.
Online Behavioural Advertising (OBA). Notice and User Choice
Crimtan develops anonymous profiles of web users for the purpose of delivering more relevant online advertisements. You can find out more about OBA, cookies and industry best practice, opt out of OBA and access the EU Framework for OBA at the Your Online Choices website. Crimtan was one of the first companies to gain the EDAA Trust Seal, demonstrating full compliance with the OBA Self-Regulatory Programme.
As a founder signatory to the EU Framework for OBA, Crimtan and our contracted web partners will:
- provide clear and unambiguous notice to users that we collect data for the purposes of OBA. This notice shall include information about what types of data are collected, how this data is being used and how users can decline OBA.
- provide straightforward information on how to decline OBA and ensure that this information is prominently displayed and easily accessible.
If you have a complaint
Web users have the right to complain about Crimtan’s compliance with EU Framework for OBA. In the first instance users should contact us with full details of the complaint. If Crimtan does not respond to the complaint within 7 days users may take their complaint, via the IAB, to a panel of the OBA Board who will review it and decide if any action should be taken.
- PURPOSE AND OVERVIEW OF THIS PRIVACY NOTICE
This privacy notice provides information about how Crimtan Holdings Limited a company registered in England & Wales under company number 07810698 (Crimtan, we, us or our) collects and processes data in connection with advertising services.
We provide services that allow online advertisers contracted to members of the Crimtan Group (our advertiser clients) to deliver relevant advertising more accurately. We believe internet users benefit by encountering advertising that is more relevant to their perceived interests – we call this Relevant Advertising.
The Crimtan Group is made up of different legal entities, details of which can be found here https://crimtan.com/crimtan-group-companies/.
- THE DATA WE STORE AND USE
We attribute an identifier to your browser or device (an ID). This identifier is not associated with any data that identifies anything other than your browser or device.
Once you consent to Relevant Advertising, when you visit the sites of our advertiser clients or sites where we serve online advertising, we associate what we learn about your visit with the ID. Here is how this works:
Where you have consented to Relevant Advertising, we may collect, use and store different kinds of data against the ID (we refer to this as ID-related Data) which we have grouped together as follows:
Technical Data which includes:
- internet protocol (IP) address
- browser type and version
- time zone setting and location
- browser plug-in types and versions
- operating system
Profile Data which includes the perceived interests associated with the ID.
Usage Data which includes:
- web pages which have been viewed and the date and time of viewing
- domain type
- responses to an advertisement delivered by us for our advertiser clients
Consent to Relevant Advertising which includes the preferences you communicate to us.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from ID-related Data but is not associated with an ID, and thus is not treated as personal data in law. For example, we may aggregate your Usage Data with Usage Data associated with other IDs to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with ID-related Data, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data against an ID (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
- HOW IS ID-RELATED DATA COLLECTED?
We use different methods to collect ID-related Data including through:
- Direct interactions. This includes your consent to Relevant Advertising when you register your consents/non-consents which we associate with the ID.
- Automated technologies or interactions. Once you have consented to Relevant Advertising, then as the ID interacts with websites containing our cookies and pixels, we may automatically collect Technical Data and Usage Data and associate it with the ID.
Please see our cookie information page https://crimtan.com/cookie-info/ for further details.
Third parties or publicly available sources. We may receive data on the perceived characteristics and interests that we associate with the ID from various sources providing data based on location and category-based interests.
- HOW WE USE ID-RELATED DATA
We will only use ID-related Data in ways that the law allows us to. Most commonly, we will use ID-related Data in the following circumstances:
- To provide Relevant Advertising that you have consented to receive
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- Where we need to comply with a legal or regulatory obligation
In line with the requirements of the law, we generally rely on your consent as the legal basis for collecting and processing ID-related Data.
You must be no younger than 16 years of age (or, where relevant, such younger age – not below 13 years of age – that is permissible in the country where you are based) in order to give your consent to us for the collecting and processing of ID-related Data.
PURPOSES FOR WHICH WE WILL USE ID-RELATED DATA
We have set out below, in a table format, a description of all the ways we plan to use ID-related Data, and the legal basis we rely on to do so.
|Purpose/Activity||Type of data||Lawful basis for processing||Retention Period|
|To set up set up an ID||(a) ID
(b) Consent to Relevant Advertising
|To effect the consents and non-consents you give to us||Until you withdraw your consent to Relevant Advertising or exercise any of your rights to prevent processing of ID-related Data|
|To deliver Relevant Advertising to you||(a) Technical
|To effect the consents you give to us||Until you withdraw your consent to Relevant Advertising or exercise any of your rights to prevent processing of ID-related Data|
|To create and update a profile of perceived interests against an ID in order to establish which advertisements may be relevant to that ID||(a) Technical
|To effect the consents you give to us against that ID||Until you withdraw your consent to Relevant Advertising or exercise any of your rights to prevent processing of ID-related Data|
|To measure or understand the effectiveness of the advertising we deliver to that ID||(a) Technical
|(a) To effect the consents you give to us against that ID
(b) Necessary for our legitimate interests (to study how IDs use our products/services, to develop them, to grow our business and to inform our marketing strategy)
WITHDRAWAL OF CONSENT
You can withdraw the consent you provide to us for an ID by emailing email@example.com. You will need to provide information requested at the time in order to process withdrawal of consent.
BROWSERS BLOCKING COOKIES OR ID CREATION
CHANGE OF PURPOSE
We will only use ID-related Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our DPO at the email address referred to below.
If we need to use ID-related Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process ID-related Data without your knowledge or consent where this is required or permitted by law.
- DISCLOSURES OF ID-RELATED DATA
In order to give effect to consent against an ID for Relevant Advertising we share some or all of ID-related Data with our advertiser clients or their service providers where required for the serving of Relevant Advertising for the purposes set out in the table in Section 4 above.
- INTERNATIONAL TRANSFERS
Whenever we transfer ID-related Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer ID-related Data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we will use forms of contract that give personal data the same protection it has with the EEA.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
- DATA SECURITY
We have put in place appropriate security measures to prevent ID-related Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to ID-related Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process ID-related Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- HOW LONG WILL WE USE ID-RELATED DATA?
We will only retain ID-related Data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for ID-related Data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of ID-related Data, the purposes for which we process ID-related Data, and the applicable legal requirements.
Details of retention periods for different elements of ID-related Data are set out in the table in Section 4 above.
- YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to ID-related Data. You have the right to:
- Request access to ID-related Data (commonly known as a “data subject access request”). This enables you to receive a copy of the ID-related Data we hold about you and to check that we are lawfully processing it.
- Request correction of ID-related Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of ID-related Data. This enables you to ask us to delete ID-related Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete ID-related Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase ID-related Data to comply with a legal or regulatory obligation. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Request restriction of processing of ID-related Data. This enables you to ask us to suspend the processing of ID-related Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; or (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- Request the transfer of ID-related Data to you or to a third party. We will provide to you, or a third party you have chosen, ID-related Data in a structured, commonly used, machine-readable format.
- Withdraw consent to the processing of ID-related Data, or to profiling by means of ID-related Data, by the method set out in Section 4 above. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, you will cease to be served Relevant Advertising within 72 hours.
If you wish to exercise any of the rights set out above, please contact our DPO by email to the address specified below.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access ID-related Data (or to exercise any of your other legal rights as specified in Section 9) after May 25th, 2018. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. A small fee (£10) is chargeable for data subject access requests prior to May 25th, 2018.
WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant ID-related Data (or to exercise any of your other legal rights). This is a security measure we take to help avoid ID-related Data being disclosed to a person who has no right to receive it. Note, however, that we do cannot be certain of the identity of the person who provided us with consent to Relevant Advertising, and we must necessarily accept that contact made through the browser associated with an ID is entitled to the legal rights associated with the relevant ID-related Data.
We may also contact you to ask you for further information in relation to your request to help speed up our response.
TIME LIMIT TO RESPOND
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- DATA PROTECTION OFFICER AND CONTACT DETAILS
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our DPO using the details set out below.
Our full contact details are:-
Full name of legal entity: Crimtan Holdings Limited
Title of DPO: Data Protection Officer
Email address of DPO: firstname.lastname@example.org
Crimtan postal address: 1-2 Castle Lane, London SW1E 6DR
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO and would be grateful if you contacted us in the first instance. If you contact us, we may keep a record of that communication. We may retain emails or other communications sent to us from consumers in order to help process inquiries, respond to requests, and improve our general service levels.