Privacy Policy

This Privacy Policy describes, in Plain English, the steps taken by AdTheorent Holding Company, Inc. ("AdTheorent" or the "Company") (Nasdaq: ADTH), to safeguard the privacy rights of Web site visitors who receive digital advertisements through publishers and media supported by our Demand-Side Platform (DSP) and related services (Users). In our pursuit of these business objectives we adhere to the fundamental principles of transparency, user control and data security. AdTheorent is a member of the Internet Advertising Bureau and adheres to the IAB/DAA’s Self-Regulatory Principles for Online Behavioral Advertising, including the unique principles applicable to the mobile environment.

AdTheorent is a Network Advertising Initiative (NAI) member and we adhere to the NAI Code of Conduct.

This Privacy Policy describes the types of data that we do and do not receive through our DSP, and the services we provide to our clients generally. This Privacy Policy is subject to change from time to time, in which case we will post an updated version on the Privacy section of our Web site. Changes to this Privacy Policy will take effect 30-days after the updated Privacy Policy is posted to our Web site’s privacy page, located at www.adtheorent.com/privacy-policy.

Who We Are

AdTheorent is a publicly traded (NASDAQ-listed) digital ad network and DSP which uses machine learning, data science and related technology to assist advertisers and advertising agencies in their efforts to deliver targeted and useful digital advertisements to consumers. We purchase media (in real time) from our inventory sources (consisting of app or web publishers or the advertising exchanges which make their digital ad inventory available for purchase (Inventory Partners)), and we serve digital advertisements through such media on behalf of our advertiser clients in an intelligent manner. AdTheorent predictive models help AdTheorent determine which advertising “impressions” (meaning, User web page or app visits or CTV viewing opportunities) are most likely to yield engagement and interest on the part of the User. AdTheorent models utilize the data made available to AdTheorent from its Inventory Partners, as described below.

We Do Not Collect Sensitive Personally Identifiable Information or Sensitive Consumer Information

We do not collect Sensitive Personally Identifiable Information (“SPII”) or Sensitive Consumer Information (“SCI”) about individual Users for any purpose. In other words, our DSP does not use SPII or SCI to target ads to individual Users. For purposes of this Privacy Policy, (i) SPII means any information that could be used to personally identify the User, such as the User’s name, Social Security Number, phone number (fixed or mobile), email address, credit card information, or any other data that could be used to personally identify the User; and (ii) SCI means sensitive information about a User such as financial account numbers, insurance plan numbers, or protected health information (PHI) as that term is defined under the HIPAA Privacy Rule. AdTheorent does store data that, in conjunction with other publicly accessible data, could be considered non-sensitive PII, such as IP Address, Cookie Ids and Device Advertising Ids (i.e., “non-sensitive PII”). This data is stored separately, and role-based access controls are in place which limit the linking or correlation of such data elements, and the Company does not use this data to seek to distinguish or trace an individual’s identity.

The Cookie IDs and advertising IDs maintained and stored by the Company are used for re-targeting and frequency-capping purposes. In some cases such IDs are tied to web browsing history.

To the extent any of our Partners (as defined below) gather PII, their privacy policies will govern its use.

For purposes of this Privacy Policy SPII and SCI are referred to collectively as SPII and non-sensitive PII is referred to as PII. In addition, to the extent any of our Partners gather PII, we do not aggregate such information in a manner that could be used to identify any User. For example, in some instances we cross-reference non-sensitive PII information with a “hashed” version (i.e., a coded version) of a corresponding physical address or email address. We do this to provide more transparency to advertisers regarding the users who engaged with their ads and to provide more effective targeting (including in some cases identifying which devices correspond to the same unidentified User or which devices correspond to associates of such User (Cross-Device Linking)), and although we maintain statistical information about such Users' devices ("Device-Identified Information,"as defined below), or aggregate information not associated with any individual device or user ("Aggregate Infomation"), we do not create profiles of specific Users which include the identity of the User or include SPII or SCI.

Non-Sensitive PII and Other Data We Do Collect

We collect IP Address, Mobile Advertising IDs (Android Advertising ID and Apple ID for Advertising) and identifiers stored as third-party cookies in the User's browser (collectively, "Device-Identified Information"). These identifiers are colleted from devices, browsers and connected television where applicable.

We collect non-sensitive PII and other data both from our Inventory Partners and pixels places on our advertising clients' websites. The data received from our inventory partners is sent by mobile applications, websites, and streaming video content the User visits. Data from pixels on advertiser sites is collected through standard HTTP header variables and third-party cookies set when the User visits the advertiser site.

This information enables our DSP to deliver the most relevant and useful advertisement given the Aggregate Information and Devie-Identified Information available about the media "impression." We currrently do not store any cookies on User devices to identify any User. We do store cookies on User devices in order to pseudonymously identify one device from another. The ID stored in the cookie is an anonymous unique ID (AUID).

AdTheorent and its Partners may use non-cookie technologies to recognize a User's computer or device and/or to collect and record information about the User. A User's web browser may not permit the User to block the use of these non-cookie technologies, and those browser settings that block cookies may have no effect on such techniques.

Our advertising clients may onboard audience-based data by sending matched pseudonymous identifiers associated with audience segment identifiers which we will use for delivering digital advertising to the audience that our client's request. This process is facilitated through third-party data management platforms. In the process, we do not receive any PII data associated with a User, only the matched pseudonymous identifiers used for delivering audience-targeted advertising.

How We Use Non-Sensitive PII Data and Other Data To Make Advertisements More Relevant to Users

When we serve digital advertisements on behalf of our advertiser clients we endeavor to make the ads relevant to Users. We accomplish this by matching ads with relevant non-sensitive Device-Identified Information and other characteristics about the device and the publication that the User has visited, such as the time of day and date, content on the site or app, latitude/longitude of User, other devices associated with the User, carrier network, type of device/browser, IP address, as well as Aggregate Information such as demographic information and other non-sensitive PII data provided through our Partners. In other words, although we may serve an ad to a User based on certain demographic information about the Users (e.g., female in New York between the ages of 35 and 50), our DSP does not know – nor do we seek to know – who that User is, or any information that would allow us to identify who the User is.

Currently we receive certain device IDs (Android Advertising ID, Apple IDFA) in some cases to verify a User election, such as a User-requested app install request. In those cases we obtain the device ID or other Device-Identified Information not to track the User, but rather to substantiate for our advertiser clients whether the User installed the app.

In order to ensure the geographic relevance of ads that we serve and to identify correlations between disparate devices and Users, we derive User device location data from information made available to us from Inventory Partners and data partners, as follows:

• We gather device latitude/longitude data from bid requests which we are provided access by our Inventory Partners. We translate the latitude/longitude provided into a physical street address (a process which we refer to as “reverse geocoding”).
• We use models (which consider frequency and temporal proximity) to identify the physical address (i.e., household address) which corresponds to the device.
• We also use models to identify the IP address corresponding to a given physical address.
• Once we know the household or other physical location with respect to which a device is associated, we can group specific devices up into a “household” or other physical location.
• Using the geographic data, we can target devices associated with the “household” (i.e., correlated devices).
• Derived physical addresses are also used to match an advertiser’s internal datasets to devices within our ecosystem. This allows AdTheorent to target ads to devices that are associated with customers of our advertiser clients (although AdTheorent does not ever learn or receive access to the name or identity of any User).

We will not use a User’s current GPS geographic location to target an ad unless we or one of our data or inventory Partners have previously obtained permission to do so. Because we do not have a nexus with a User before the User generates a specific bid request, we rely on our inventory partners to adhere to contractual requirements and applicable regulatory and self-regulatory guidelines, including any requirements related to obtaining User consent to access the User’s geographic location. Our contracts with our Partners require them to adhere to applicable privacy rules.

If we intend to obtain or use this information in the future we will update our Privacy Policy accordingly, as described above, to clearly delineate a User’s rights; provided, however, that any User is free to Opt-Out of any such future practice or use of User-specific behavioral, geocoding or interest-based targeted advertising by clicking here.

In addition, more information about opting out of interest-based advertising is available on the opt-out pages maintained by the:

• Network Advertising Initiative (“NAI”)
  • http://www.networkadvertising.org/choices/ 
  • Mobile device specific details: https://www.networkadvertising.org/mobile-choice
  • Connected TV specific details: https://www.networkadvertising.org/internet-connected-tv-choices/ 
• Digital Advertising Alliance (DAA)
  • http://www.aboutads.info/choices/

Through our DSP, we work with a broad network of publishers, Inventory Partners, carriers, networks and advertisers (“Partners”). Our Partners may have certain rights to the data we collect on their behalf, and each of our Partners maintains its own privacy policy.

We may share aggregated data, or non-personal data with third parties and we may share Non-Sensitive PII Data with our advertiser and agency clients who hire us to run their campaigns.

To learn more about Interest-Based Advertising or to opt-out of this type of advertising by those third parties that are members of self-regulatory programs such as the Network Advertising Initiative, please visit the NAI’s website (www.networkadvertising.org) which will allow you to opt out of Interest-Based Advertising by one, or all, NAI members.

How We Comply with Self-Regulatory Requirements & State Privacy Laws Related to Precise Location Data

AdTheorent adheres to NAI Code of Conduct related to the collection and use of Precise Location Data, consistent with NAI guidance submitted on the NAI blog on April 1, 2016.  As a third-party DSP, AdTheorent complies through its adherence to the requirements of the Digital Advertising Alliance (DAA) Mobile Guidance, Section IV.B.2, which provides a number of methods for third party ad networks to obtain reasonable assurances that a first party publisher, such as a mobile application, has obtained such consent on their behalf. Such methods include: (i) entering into a contract with the first party publisher under which the first party agrees to obtain consent to the third party’s data collection and use, (ii) obtaining other written assurances from the first party publisher to the same effect; (iii) verifying that the first party publisher publicly represents that it adheres to industry Self-Regulatory Principles; (iv) verifying that the first party obtains consent to the collection of Precise Location Data and provides clear, meaningful, and prominent notice that such data may be transferred to third parties; and/or (v) verifying that the first party participates in a mechanism offered by a platform or operating system that provides the ability to obtain consent that satisfies this Principle.

Certain state laws have classified precise location data as sensitive private information requiring user consent to be shared. As described above, AdTheorent has implemented compiance processes to facilitate communication with publisher partners related to user consent.

How We Safeguard the Security of Aggregate User Data

All the data we hold is protected by multiple layers of physical, electronic and administrative safeguards, to secure it against accidental, unauthorized or unlawful access, use, modification, disclosure, loss or destruction.

From time-to-time we may share the Aggregate Information with Publishers and Networks for reporting and accounting purposes, as well as other unaffiliated third parties for various purposes such as statistical or educational analysis. In these cases we work with organizations we believe to have appropriate safeguards in place to protect data at the levels we require. In situations where we are obligated by law, we may also disclose information in order to investigate, prevent or take action regarding suspected or actual prohibited activities, included but not limited to, fraud and situations involving potential threats to the physical safety of any person.

Rules Applicable to Connected Television (CTV) Advertising

As an omni-channel DSP, AdTheorent may make use of connected-tv identifiers through our exchange partner relationships for purposes of targeting advertising.  In recognition of NAI's Viewed-Content Advertising disclosure requirements, we note:

• AdTheorent may collect data from connected televisions;
• AdTheorent may collect connected television advertising identifiers; and
• AdTheorent's data retention disclosures address data linked to connected television advertising identifiers.

How We Meet Our Obligations Under Laws, Regulations and Standards Intended to Safeguard Children

AdTheorent takes various steps to ensure compliance with the federal Children’s Online Privacy Protection Act (COPPA), CPRA, as well as voluntary industry frameworks such as NAI and the Children’s Advertising Review Unit (CARU), administered by the Council of Better Business Bureau’s, Inc., including the following:

• We do not store data regarding users under age 16 (per COPPA, CPRA and NAI standards); when an impression is flagged indicating a pre-16 child user, AdTheorent does not collect data from that impression or otherwise model off that data.
• We work with responsible Publishers and App Partners who acknowledge contractually their responsibilities under applicable laws and FTC regulations. Such publishers have their own incentives not to make COPPA-governed data/information available to ad networks such as AdTheorent.
• We utilize IAB brand safety categories in filtering impressions on which to serve advertisements, including filtering by the IAB category “any other content you wouldn’t show your children.”
• Our in-house creative team monitors and ensures that all AdTheorent-prepared creative is consistent with the CARU General Guidelines, available here.
• We work with established brands with an appreciation for and understanding of the importance of CARU’s standards.
• We also take precautions to also not collect data from apps or sites that are clearly targeted towards children under age 16, regardless of whether bid data identifies the User as under age 16.

Data Retention Period

AdTheorent maintains data related to media served for a period of 13 months past date of collection.

AdTheorent Data Protection Officer & Compliance Team

AdTheorent has appointed a Data Protection Officer who oversees AdTheorent’s technical infrastructure and process as such relate to privacy and data security matters. AdTheorent’s Data Protection Officer also participates as a member of the AdTheorent Privacy Task Force, which group is comprised of AdTheorent leadership individuals responsible for implementing and executing on the requirements described in this Policy. AdTheorent’s Data Protection Officer is reachable as described below under “Contact Us for More Information.”

How We Meet Our Obligations Under the EU General Data Protection Regulation (GDPR) and ePrivacy Directive

AdTheorent’s business focus is the United States market and most of our business activities to date relate to purchasing media impressions correlated to Users within the United States, but from time to time we also provide services to our clients related to international advertising campaigns, including campaigns in the European Union (the “EU”), in which case we may purchase digital media impressions and deliver digital ads to Users located in the EU. In such cases AdTheorent adheres to protocols, standards and rules described in the General Data Protection Regulation (“GDPR”) and ePrivacy Directive, as summarized below. AdTheorent has implemented a “compliance by design” approach to GDPR compliance which exceeds the requirements of the GDPR and ePrivacy Directive, using de-identification and anonymization processes to prevent AdTheorent from using or storing Personal Data.

AdTheorent’s ‘Legal Basis’ to Process and Use Personal Data

The GDPR itself does not require consent to be able to process a User’s Personal Data for online advertising. Rather, it requires that any company that “processes” data must have a “legal basis” to do so. Under the GDPR, “processing” is defined broadly to include virtually any automated process that touches data -- including, for example, us receiving data in bid requests from our inventory Partners. GDPR allows companies to process Personal Data to further its own “legitimate interests” or those of a third party, as long as doing so won’t adversely infringe on the rights and freedoms of the User. This is a supportable legal basis for our processing activities, as well as User consent when available.

The Article 29 Data Protection Working Party (an independent advisory body made up of representatives of the national data protection authorities, the European Commission and the European Data Protection Supervisor), Opinion 06/2014, notes that retailers/advertisers have a legitimate interest in getting to know their customers’ preferences and marketing to them. While recognizing this legitimate interest, AdTheorent is also sensitive to the potential negative consequences for Users resulting from intrusions to their privacy. As a result, AdTheorent takes various affirmative steps to limit the types of Personal Data that is receives, to de-identify data and to use data in aggregated methods when possible.

AdTheorent Inventory Partners’ Legal Basis Under GDPR

AdTheorent has no direct relationship with Users in order to obtain affirmative consent. However, AdTheorent’s contractual arrangements with EU suppliers and Partners ensure that such Partners will not provide Personal Data about EU data subjects unless the Partner either: (i) obtains and manages opt-in consents from such EU data subjects; or (ii) identifies an alternative ‘legal basis” permitted under GDPR.

AdTheorent Approach: Consent & De-Identification

Currently, AdTheorent adheres to an internal best practice of de-identifying Personal Data originating from EU countries, even when AdTheorent’s inventory Partner(s) rely on Consent as the legal basis for sharing Personal Data. As a result, AdTheorent will not store any User Personal Data, as defined by GDPR. Simply stated, for all bid requests originating from countries that fall under GDPR, even if User consent is communicated as having been provided, AdTheorent will adhere to the following process:

• Remove the last Octet of the IP Address. This eliminates the ability to isolate that IP address to a given device or location.
• Replace the Advertising ID (Android Advertising Id or Apples ID for Advertising) with all zeros. This eliminates the ability to track the activity of the particular device.
• Round the Latitude/Longitude data to two decimal places. This eliminates the ability to determine the location of the device below the city level.
• Do not set a cookie on the device. This eliminates the ability to track the browsing activity of the device or share the device info with any other data partners.

As a result of these methods AdTheorent does not maintain any Personal Data related to any identified or identifiable natural person (data subject) in the EU, as defined in GDPR, even if that person has provided consent to AdTheorent’s Partner and such consent is communicated to AdTheorent.

IAB EU Consent Framework

AdTheorent has registered as a global vendor with the IAB EU Consent framework. This framework facilitates the communication and management of User consents within the context of the digital advertising ecosystem in which publishers work with numerous vendors to deliver targeted advertisements.

More information about the IAB EU Consent framework is here.

As a result of AdTheorent’s registering and implementing the IAB EU Consent Framework, publisher Partners are able to include AdTheorent in their respective consent forms and processes. Simply stated, AdTheorent will be included in the publishers’ list of advertising partners for whom User consent is requested. This implementation allows users to opt-in to all or individual vendors.

“Profiling” Under GDPR

GDPR contains certain rules related to “profiling,” which is the automated processing of Personal Data for the purpose of evaluating, analyzing or predicting a data subject’s interests, location, or preferences. This includes the collection or use of personal data over time to deliver users with targeted ads. AdTheorent generates automated predictive models for the purpose of identifying Users who would be most interested in engaging with a given type of digital advertisement. As such, we do engage in “profiling.” That being said, GDPR only requires opt-in consent for profiling that produces a "legal effect" or which "significantly affects" an end user (for example, an automated decision to deny someone credit on the basis of a profile). Targeting through our platform only controls the type of advertisement that an end user might see, and does not produce a legal or significant effect. As such, any profiling associated with our platform and services does not require opt-in consent. In fact, the GDPR expressly acknowledges that 'ordinary' profiling can be conducted on the basis of legitimate interests.

If you would like to Opt-Out of automated profiling on our network, please click here.

Because we may engage in Cross-Device Linking, in order for a User to effectuate a complete opt-out of all tailored advertising by AdTheorent, that User will need to perform an opt out on each browser or device.

The Data We Collect – AdTheorent’s Digital Supply Chain – and the Purpose for Collection

As noted above, AdTheorent minimizes the extent to which it obtains and uses data about Users to the minimum data attributes needed to provide relevant and useful digital advertisements to Users on behalf of AdTheorent’s advertiser clients. In campaigns outside the EU, we use such data to generate predictive models and to determine which Users are most likely to engage with given advertisements, and then we target those Users on digital properties which have integrated with our Partner digital advertising exchanges and other inventory partners. Currently the only non-sensitive PII elements that we store and use related to Users (excluding EU Users) as part of our services on advertising campaigns is limited to: (i) User IP address; (ii) User Advertising ID (Android Advertising Id or Apples ID for Advertising); (iii) User cookie IDs; and (iv) User latitude/longitude data corresponding to User’s geographic location at time advertising impression is provided to AdTheorent. As noted above, regarding Users located in the EU we do not store any Personal Data and we follow defined processes for de-identification and anonymization of data made available to us.

Under no circumstances will AdTheorent use or store the special categories of data referenced in Article 9 of GDPR. Such special categories include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

AdTheorent also will not engage in the household device correlation measures described above, which process is not used for any campaign governed by GDPR.

AdTheorent Privacy Rights Infrastructure

As noted above, AdTheorent does not store Personal Data elements related to EU Users.

If any data subject or User desires to obtain access to the Personal Data or request that AdTheorent erase or correct such Personal Data, or otherwise object to such collection, AdTheorent will accommodate such request(s) by advising the User about AdTheorent’s policy against storing any EU User Personal Data. AdTheorent is also working to create an automated on-line form to assist in the processing of these requests, which will be provided as an update to this Policy.

Summary of Your Rights

• You have the right to right to file a complaint with a supervisory authority, which you may direct to our Data Protection Officer as described below.
• You have the right to request what Personal Information we retain about you, and the right to request erasure of such Personal Information.
• You have the right to request updates or corrections to any Personal Data that we store about you, after which we will provide confirmation of what information was updated or what corrections were made.
• You have the right to opt-out of automated profiling on our network, as described above.

Applicability of ePrivacy Directive

Independent of GDPR, the EU ePrivacy Directive (and the new ePrivacy Regulation that is currently being negotiated) independently requires consent for AdTheorent’s Partners (and publishers generally) to be able to place cookies or otherwise access a User’s device. This type of consent, which is currently generally obtained through “cookie banners”, is still required despite GDPR. AdTheorent, like other ad tech companies, are not able to obtain this consent independently, so our contracts with Inventory Partners ensure that they obtain this consent (directly or through their participating publishers) on our behalf.

How We Meet Our Obligations Under Canada’s Privacy Law - The Personal Information Protection and Electronic Documents Act (PIPEDA)

To the extent that AdTheorent delivers digital advertisements related to advertising campaigns to Users located in Canada, AdTheorent complies with the Personal Information Protection and Electronic Documents Act ("PIPEDA"), which sets forth Canada’s federal private sector privacy law that governs the collection, use and disclosure of personal information in the course of commercial activity as defined by the Act.

As required under PIPEDA, AdTheorent considers the sensitivity of the Personal Data and Users’ reasonable expectations in determining the level of consent that must be obtained in connection with delivering advertisements to Users. In accessing and using third-party applications and web properties published by our Inventory Partners, Users consent to receiving advertisements as part of that experience, which is a reasonable expectation of such use. AdTheorent relies on such implied consent and advises Users to review the service terms and privacy policies associated with the web and app publications that such Users access and use in order to understand how Personal Data is collected, used, and disclosed by such third-party applications.

In addition, as described in this Policy, AdTheorent limits and clearly defines the extent to which it will obtain and use Personal Data, which Personal Data will not be used or disclosed for purposes other than the stated purposes for which it was collected. In sum and as described more fully in this Policy generally, AdTheorent will not use or store SPII or SCI (each defined above) or data not relevant for the intended purpose of making advertisements more relevant and useful to Users. Furthermore, AdTheorent maintains a clearly defined opt-out infrastructure for all Users as set forth here.

AdTheorent has appointed a Privacy Officer/Data Protection Officer and Data Protection Team whose responsibilities include overseeing compliance with PIPEDA. For further information, contact information for the Privacy Officer can be found at the end of this Privacy Policy.

Special Considerations Applicable to Healthcare and Pharmaceutical Campaigns

In addition to the above safeguards and processes, AdTheorent adheres to additional rules and best practices related to digital advertising in the healthcare and pharmaceutical industries. As noted above, AdTheorent does not obtain and therefore will not use (for any purpose, including but not limited to ad targeting or the development or refinement of predictive models) any Private Health Information (PHI) about any individual as that term is used under the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule thereunder. AdTheorent healthcare and pharmaceutical campaigns may utilize contextual targeting techniques which may include geographic targeting and site-based targeting, and AdTheorent predictive models may be employed without using any PHI or Sensitive PII. To the extent AdTheorent leverages third party data to inform its predictive models and targeting strategies, such third parties do not provide or use PHI or Sensitive PII and AdTheorent will never receive or use PHI or Sensitive PII from such third parties. Rather, such third parties use aggregated metrics and de-identified data only.

AdTheoret Use of Third-Party Health Audiences

AdTheorent may leverage third-party audience segments for the targeting or measurement of direct-to-consumer (DTC) and healthcare provider (HCP) advertising.  In such cases, the audience segment or measurement data is licensed by one of more of AdTheorent's data Partners. 

AdTheorent Health Predictive Audiences 

AdTheorent also creates "direct to consumer" (DTC) predictive audiences, using custom machine-learning models, to target statistically modeled representative "audiences" by analyzing digital ad impression attributes likely to be associated with any of the following conditions or statuses: (i) the diagnosis of a specific condition or conditions, (ii) the prescription of a specific medication, or set of medications, or (iii) the receipt of a specific procedure or set of procedures. These predictive audiences are typically used to promote awareness of a new medication, pharmaceutical brand, medical device, etc. to that group of relevant consumers. By design, AdTheorent's method complies with the NAI's published Guidance for NAI Members: Health Audience Segments (July 2020): https://thenai.org/wp-content/uploads/2021/07/nai_healthtargeting2020.pdf   

Custom Predictive Health Audience examples:

• Condition-Based Audiences (Dx) (Examples: Asthma, Atrial Fibrillation, Diabetes, Hemophilia, Osteoporosis, Prostate Cancer, Vitiligo; or a custom set of ICD9/ICD10 codes)
• Prescription-Based Audiences (Rx) (Examples: Abilify, Apixaban, Humira, Omalizuman, Omeprazole, Xarelto; or generic medication or NDC codes)
• Procedure-Based Audiences (Px) (Examples: All biopsy procedures, Carpal Tunnel Surgery, Chemotherapy, Heart Transplant, Hip Replacement; or a custom set of CPT codes)
• Combination of Foregoing (Examples: Diagnosed with Rheumatoid Arthritis and prescribed Humira or had a procedure called Synovectomy)

AdTheorent’s Use of National Provider Identifiers (NPI)

AdTheorent leverages aggregate third-party data to access NPI-level information for the purpose of targeting health care providers (HCP).  Our third party partner maintains a privacy policy to ensure the appropriate opt-in and opt-out safeguards for HCP data. 

Special Rules Applicable to Geo-Targeting or Geo-Fencing Health Facilities (New York State and Washington State)

Effective July 1, 2023, AdTheorent does not permit geotargeting/geofencing of any healthcare facility located in New York (state) or Washington (state) for the purpose of serving advertisements within the geofenced area, provided that such tactics will be permitted in New York if the advertiser is the healthcare facility itself.

Special Considerations Applicable to Political Campaigns

From time to time, AdTheorent may utilize, as part of a political ad campaign, certain third party-provided standard/syndicated audience segments, or custom audience segments.

Standard Political Segments

Third party political segments are created primarily via voter registration data collected from state and local governments. These audiences are executed for political candidates and issue advocacy groups running digital campaigns and can be used to target voters based on a variety of attributes.

Standard Political Segments

Congressional/state house/state senate district

• Registered party & length of voter registration
• Voter ideology
• Voting history & behavior (Example: voted in primary, general, etc.)
• Voter demographics
• Likelihood to donate to candidates/parties
• Likelihood to support certain candidates/issues

Custom Political Segments

From time to time, AdTheorent may also leverage third party-provided Custom Political Audience Segments. Custom political audiences contain similar seed elements (voter registration data) to the syndicated audiences and are created when the specific attributes needed to target an advertiser’s desired consumer is more niche or must meet very specific political/voter behavior attributes.

Examples include:

-    List of voters who have previously donated to a candidate’s campaign or party (often provided by client)

-    Women living in the Northeast who voted in 2016, but not 2020

-    Voters who regularly vote in Primary and State elections, but did not vote in the last Midterm election

Special Considerations Applicable to Financial Services Campaigns

In addition to the above safeguards and processes, AdTheorent adheres to additional rules and best practices related to digital advertising in the financial services industry. As noted above, AdTheorent does not obtain and therefore will not use (for any purpose, including but not limited to ad targeting or the development or refinement of predictive models) any Sensitive PII about any individual. AdTheorent financial services campaigns may utilize contextual targeting techniques which may include geographic targeting and site-based targeting, and AdTheorent predictive models may be employed without using any Sensitive PII. With respect to the predictive models and targeting strategies deployed and used for financial services campaigns, such models and targeting strategies will not use Sensitive PII and AdTheorent will not develop or use models or targeting strategies based on any “prohibited criteria” for purposes of the Equal Credit Reporting Act or Fair Credit Reporting Act.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (Effective 2023)

The California Consumer Privacy Act (CCPA) is a California law which focuses on the right of Californians to know what Personal Information is being collected about them, the right to know what Personal Information is sold or disclosed and to whom, and the right to say "no" to the sale of Personal Information.

The law goes into effect on January 1, 2020 (the "Effective Date"). On or before the Effective Date, AdTheorent processes, systems and policies, including data management and security processes and practices, were updated to facilitate compliance.

Generally speaking, CCPA provides consumers with the following enumerated rights:

• (1) The right of Californians to know what Personal Information is being collected about them and how it is used or disclosed or sold.
• (2) The right of Californians to know whether their Personal Information is sold or disclosed and to whom.
• (3) The right of Californians to say no to the sale of Personal Information.
• (4) The right of Californians to access their Personal Information.
• (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

The following specific disclosures relate to AdTheorent's compliance with CCPA:

• AdTheorent is not a "seller" of Personal Information but AdTheorent is a downstream "user" or certain Personal Information provided by publishers.
• Although AdTheorent does process or use IP address data, advertising IDs, web and app visitation data, cookie IDs and geo-location data, all of which constitute "Personal Information" under CCPA, we do not utilize "sensitive Personal Information" (as described above), nor do we sell Personal Information.
• AdTheorent is a signatory to the IAB CCPA Framework to assist/enable publisher partners with processing/executing "upstream" user requests to (i) "opt-out" of the sale of Personal Information; and (ii) know what Personal Information about them is available and being used.  In other words, if a user makes a request to one of our publisher partners, the publisher partner will pass along that request to AdTheorent using the IAB CCPA Framework. AdTheorent has implemented a framework to capture these opt-out signals, log them and then apply User preferences to downstream processes within AdTheorent's data science/ML and service-delivery teams.
• AdTheorent's Privacy Policy advises Californians and all users of their rights, including rights pursuant to the CCPA as summarized here.

Note Regarding the IAB CCPA Framework

The IAB organized a multi-stakeholder effort to create a "Framework" for compliance with the CCPA, to be used by publishers and technology companies when engaged in programmatic transactions. AdTheorent is a Signatory to the IAB CCPA Framework.

The Framework is intended to be used by those publishers who "sell" Personal Information and those technology companies that they sell it to.  It is also intended to create "service provider" relationships between publishers and technology companies so that limitations on the use of data and mechanisms for accountability can be imposed when the consumer opts-out of a "sale." Additionally, those publishers that do not "sell" Personal Information in the delivery of a digital ad can still leverage the Framework due to the service provider relationships that are created and facilitated by it.

While the Framework is intended to support the aforementioned use cases, other use cases and paths to compliance exist.  The Digital Advertising Alliance, in partnership with IAB and other trade associations, is also working on compliance tools.  Through collaborative industry efforts, a holistic set of compliance solutions can be made available for companies to adopt depending on each company's business practices and interpretation of the law.

Similar Requirements Under Additional State Laws (Effective 2023)

AdTheorent’s privacy policies, originally implemented pursuant to CCPA, are intended to comply with the following additional state laws, effective in 2023:

•   CPRA (See below)

•   Virginia Consumer Data Protection Act – effective January 1, 2023​

•   Colorado Privacy Act – effective July 1, 2023​

•   Connecticut Data Privacy Act – effective July 1, 2023​

•   Utah Consumer Privacy Act – effective December 31, 2023

Submitting a Request to Know or Delete

If you would like to request what Personal Information AdTheorent has collected about you, and how we use it or disclose it, or you would like to request that any such Personal Information be deleted, please do so using this form:  Request to Know or Delete Form

Categories of Personal Information Collected by AdTheorent

To make our digital ads more relevant to users, we collect and use the following Personal Information, which information is made available to us by the publisher partners on whose properties we serve ads:

• IP address data

• Mobile advertising IDs (MAID), consisting of IDFA (Apple ID) or Android ID (AAID)

• Web and app visitation history data

• Geo-location data

• Cookie IDs (CUID), if applicable

AdTheorent uses such data for the limited purpose of ad-targeting (including processing by data science predictive models) and attribution (within the permitted data uses published by the apps and publications on which AdTheorent-served ads appear), and no other purpose.  Importantly, AdTheorent does not use such data to build or maintain user “profiles” or to obtain information about any user’s “identity.”  

Categories of Personal Information Disclosed to Third Parties

In some cases we disclose Personal Information to contracted third parties who assist us in providing our services to advertisers.  The following is a list of categories of third parties with whom AdTheorent may share some or all of the above referenced Personal Data:

• Data management partners (DMPs), which partners provide access to a number of contracted data providers.

• First party data integrators, which partners facilitate access to and activation of an advertiser client’s first party data (i.e., CRM lists).   

• Measurement and ad verification partners, which partners assist AdTheorent and its clients in reporting on ad delivery and KPI conversions, detecting fraudulent impressions, impressions that are not brand safe or viewable, and to provide post-campaign effectiveness reports.

Right to Non-Discrimination for Exercise of Consumer Privacy Rights

No consumer will be discriminated against or in any way treated adversely because the consumer elect to exercise any rights conferred by CCPA, as summarized in this Privacy Policy.

Additional Requirements Under California Privacy Rights Act (Effective 2023)

In 2023, the California Privacy Rights Act (CPRA) amends and extends the CCPA.  In addition to the rights conveyed to consumers under the CCPA, the CPRA extends to consumers the following additional rights:

·   Consumers may request correction of PI stored about the consumer.

·   Consumers may request that businesses limit the disclosure of sensitive PI. 

·   Consumers may request information about the logic involved in automated decision-making processes and a description of the likely outcomes. For example: any algorithms used to monitor a consumer’s online activity in order to build a profile for targeted advertisements. 

·   Consumers may opt-out of the sharing of their PI – e.g., transfer of consumer PI to a third party for cross-context behavioral advertising -- regardless of whether money is involved. 

Additional Info on IAB
https://www.iab.com/ccpa/

Contact Us for Further Information

If you have any questions about this Policy or our privacy practices, please email us at either or both of these addresses:

AdTheorent Data Protection Officer:

dataprotection@adtheorent.com

AdTheorent Legal:

legal@adtheorent.com

You may also reach us using the following toll-free number:1-800-804-1359.

This Privacy Policy was last updated September, 2023.