As at the date of this list, Publift’s joint controller, processor and sub-processor partners include:
Publift’s Ad Network Partners
| Partner | GDPR role (joint controller; processor; controller) | Services include | Regions of processing include | Personal data includes | Time data may be processed for (retention and deletion)? | Nature and purpose of the processing include | Obligations to keep data secure | Data breach notification requirements and handling of regulatory requests | Handling of data subject requests and rights | Data transferred outside of EU? If so, what mechanisms and protections are in place? | Privacy Notice |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AppMonet (dba “Adapt MX”) | Separate controllers | Programmatic advertising services | US | Device data Bid request data Including: anonymous data and technical information including but not limited to cookies and beacon data, metadata, usage data, geo-location data, and streaming data, with regard to the devices and systems used to access the Publift’s content and Publift’s advertising and the activities, preferences and attributes of the users of the Publift’s content and the Publift’s advertising content. |
90 days. | To provide, manage, maintain, and improve its services (including disclosure of impression-level information to other relevant parties).To provide and improve its services and provide related support, understand how a user interacts with the content and sites, preventing fraud, and customize a user’s experience. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Index Exchange | Processor of publisher data; controller of Index Exchange data | Programmatic advertising services | EEA Asia North America |
Device data Bid request data Including: ad response data, bid request data, bid response data, data regarding the advertising campaign of a client, location data based upon an IP address, cookie data, device IDs, any hashed identity tokens and data provided by Index Exchange, Demand Side Platforms, or clients. |
Up to 5 years. | Process personal data to provide platform services when it is permitted by law and supported by a valid legal justification. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Magnite (Formerly Rubicon) | Controller | Programmatic advertising services | EEA North America UK Australia Asia South America |
Device data Bid request data Including: • usage information • log information • device information • location information • internet service provider • deidentified information (encrypted or hashed email addresses) • derived information. |
As long as is necessary for the purpose(s) for which it was originally collected, or for other legitimate business purposes.Some data typically stored for up to 90 days before it is anonymized and aggregated. | Collect to enable clients to offer and buy advertising opportunities; to operate and improve technology; to compile statistics and conduct research and development; to prepare reports of visitor activity; to enable standard advertising controls; to analyze and report on ad performance, campaign reporting, and campaign forecasting; to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.To deliver end users targeted advertising; to create profiles of end users for targeted advertising; to create audience segments. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| OpenX | Controller | Programmatic advertising services | EEA North America |
Device data Bid request data Including: unique online identifiers, online and offline activity and interests, geolocation information, browser, device and service information, ad reporting and delivery information. |
For a maximum of 90 days from the last date it was received. | To facilitate non-interest based advertising;to facilitate interest-based advertising;to understand activities and preferences; to measure ad performance; to build and improve products, features and models. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | See here |
| Teads | Controller | Programmatic advertising services | EEA Africa Asia Australia UK North America South America |
Device data Bid request data Including: cookie ID; mobile advertising ID; IP address; approx post code; page URL; date and time interacted with ad; browser information; device information; network type or carrier information. |
Cookie ID is stored in the browser for 365 days after its creation. Records of activities linked to the cookie ID are stored in the database for 4 months. Other information such as mobile advertising ID, IP address; approximate postcode; page URL; interactions; date and time; browser information; device information; network type: 4 months. |
Collect, use, analyze and process partner data: (i) to perform an agreement; (ii) as part of its business operations, to operate, manage, test, maintain and enhance the technology, service, platform and other products, programs and/or service, including as part of its re/targeting capabilities, to serve interest based ads to users, to combine the partner data with other sourced data; and to share the partner data with its buyers partners. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Criteo | Co-data controller | Programmatic advertising services | EEA | Device data Bid request data Including: non-identifying data to improve the Criteo Technology and other Criteo products, programs, and/or services. This non-identifying data may include on-site user behavior and user/page content data, URLs, statistics, or internal search queries. |
Technical data collected for up to 13 months from the date of collection, and expires 13 months after they are last updated. Opt-out cookie expires after five years. |
Display personalised advertising Display contextual advertising Sales matching/attribution Fraud prevention/fight against fraud/IVT Data model training Billing Reporting Incident resolution |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Equativ (fka Smart AdServer) | Processor Controller of Personal Data Processed through certain cookies and processing of Data Subject’s IP address for the purpose of ensuring security, preventing fraud and debugging. |
Programmatic advertising services | EEA North America |
Device data Bid request data Including: • IP address; • Server ID; • Browser ID, OS ID, screen size; • ISP ID, postal code, phone prefix, country, region, city, DMA zone ID; • Timestamp, longitude, latitude, connection type; • Keywords associated with user; • Timestamp of last visit. |
Duration of the Agreement | To perform Smart Ad Server’s Services to Publift (including providing, operating, managing, maintaining Smart Adserver’s Platform); • To perform contextual and/or interest-based advertising; • To perform optimization in respect to a campaign, including to limit the number of times a Data Subject sees a particular ad; • To show ads related to the content of the concerned web page; • To report aggregated statistics. |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Sharethrough (formerly District M) | Controller | Programmatic advertising services | EEA North America Asia |
Device data Bid request data Including: cookie identifiers, third party online identifiers, mobile device identifiers, browser and device information, IP addresses. |
In accordance with each Party’s data retention policy, and only for the time period necessary to deliver each Party’s Services pursuant to the Terms of Service. | For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| ConnectAd | ConnectAd is processor; Publift is controller | Programmatic advertising services | EEA | Device data Including: IP (for the time of processing) and cookie ID |
30 days, extended on each user contact with a proper TCF consent. | Following the IAB TCF Framework (nature and purpose depend on the consent and purpose granted). | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |