INVIDI AB

Ad-Tech Services Privacy Policy

Effective Date: July 31, 2023

---

This Ad-Tech Services Privacy Policy (this “Policy“) describes how INVIDI TECHNOLOGIES AB (“INVIDI AB, ” “we, ” “our, ” or “us“) collects, uses and otherwise processes information in connection with the INVIDI Pulse platform (“INVIDI Pulse“) and related ad serving technology, tools and services provided by INVIDI AB (collectively, the “Ad-Tech Services“).

INVIDI AB is a registered Global Vendor with the IAB Europe’s Transparency and Consent Framework, and complies with its Specifications and Policies. INVIDI AB’s identification number within the framework is 438. For more information, please visit iabeurope.eu.

INVIDI AB is a proud member of the IAB Sweden.

Contact Information
Name	INVIDI TECHNOLOGIES AB
Address	46C Sankt Eriksgatan, 112 34 Stockholm, Sweden
Email Contact for Company and for the Office of the Data Protection Officer (DPO)	privacyoffice@invidi.com
Download/Print Version	Ad-Tech Services Privacy Policy (PDF)

1.  Introduction.

The purpose of this Policy is to provide customers that purchase and use the Ad-Tech Services, including third-party video network operators (our “Customers“), third parties who purchase ad inventory through the Ad-Tech Services, such as advertisers and ad agencies (our “Ad-Tech Partner(s)“), and viewers or end users of our Customers’ products, services, platforms, or other properties (“End User(s)“), the information needed to assess the processing of Information through the Ad-Tech Services, as well as to outline how INVIDI AB has established measures to maintain compliance with Applicable Law, including where applicable, the GDPR. This Policy applies to information INVIDI AB collects and otherwise processes from Customers (“Customer Information“), Ad-Tech Partners (“Ad-Tech Partner Information“), and End Users (“End User Information“) in connection with the Ad-Tech Services, to the extent that any of the foregoing consist of Personal Data. INVIDI AB is not responsible for Information processed by third parties or through third-party services. This Policy does not apply to the processing of Personal Data outside of the Ad-Tech Services, including through INVIDI AB’s website. For more information about how we process Information on our website, please visit our online Privacy Policy. Please note that this Policy offers a general overview of the processing activities and data protection measures associated with the Ad-Tech Services. If you are a Customer or Ad-Tech Partner, please refer to the relevant Data Processing Addendum for further information about the processing involved in the use of the Ad-Tech Services referenced in this Policy. This Policy is current as of the Effective Date above; however, we may change or update the Policy from time to time. If we make any material changes to how we process Personal Data, we will endeavor to provide you with notice in advance of such change by providing written notice or by posting an updated version on INVIDI AB’s website or through the Ad-Tech Services. We will seek consent to any material changes if and where required by Data Protection Laws.

2.  Definitions.

As used in this Policy, the following terms shall have the following meanings: “Affiliates” means companies controlling, controlled by, or under common control with INVIDI AB; “Applicable Law(s)” means (i) Data Protection Laws with respect to Personal Data in respect of which INVIDI AB or the relevant Customer or Ad-Tech Partner is subject to; and (ii) any other applicable law with respect to any Personal Data in respect of which INVIDI AB or a relevant Customer or Ad-Tech Partner is subject to; “Data Protection Law(s)” means any law, rule, regulation, decree, statute, or other enactment applicable to the processing of Personal Data received by INVIDI AB pursuant to or in connection with the Ad-Tech Services including, to the extent applicable, EU Data Protection Laws; “Data Subject Request” has the meaning set forth in Section 5.e below; “EEA” means the European Economic Area; “EU Data Protection Law(s)” means any and all data protection or data privacy laws, rules, regulations, decrees, statutes, or other enactments of the EEA and its Member States that are applicable to the processing of Personal Data by the Ad-Tech Services, including as applicable, the GDPR and laws and regulations implementing or supplementing the GDPR; “GDPR” means EU General Data Protection Regulation 2016/679; “Information” means, collectively, Customer Information, Ad-Tech Partner Information, and End User Information. “Personal Data” means, to the extent processed by INVIDI AB in connection with the Ad-Tech Services, any Customer Information, Ad-Tech Partner Information, or End User Information that relates to an identified or identifiable natural person; “Restricted Transfer” means a transfer of Personal Data to or from INVIDI AB or a Subprocessor, or between two establishments of INVIDI AB or a Subprocessor; in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of Standard Contractual Clauses or other lawful data transfer mechanisms that are recognized under Data Protection Laws as providing an adequate level of protection for such transfers; “Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission’s Decision 2010/87/EU of 5 February 2010; “Subprocessor” means any processor engaged by INVIDI AB, including subcontractors, appointed by or on behalf of INVIDI AB to process Personal Data on behalf of a Customer or Ad-Tech Partner in connection with the Ad-Tech Services; and The terms, “European Commission“, “controller“, “data subject“, “Member State“, “personal data breach“, “processor“, “processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

3.  Ad-Tech Services description

The Ad-Tech Services consist of various ad serving tools that allow Customers to manage ad inventory and serve addressable advertisements to End Users across media types and devices. When an End User accesses or uses a Customer’s product, service, platform, or other applicable property, information about the End User is sent from the End User’s device to the Ad-Tech Services, and then matched with parameters provided in advance by Ad-Tech Partners so that such Ad-Tech Partners can place orders and serve addressable advertisements to such End Users.

4.  Customers and Ad-Tech Partners

This Section 4 sets forth information with respect to INVIDI AB’s processing of Customer Information and Ad-Tech Partner Information. For more information about our data protection practices with respect to such information, please also see Section 6 below. For information about how we process End User Information, please see Section 5 below.

1. Respective roles.

   With respect to any Customer Information or Ad-Tech Partner Information processed by INVIDI AB through or in connection with the Ad-Tech Services, INVIDI AB is the controller and employees, agents or contractors of a Customer or an Ad-Tech Partner act as data subjects, as those terms are defined in the GDPR. The specific details of each Customer or Ad-Tech Partner’s Personal Data that will be processed by INVIDI AB, including the duration, purpose and categories of such Personal Data, and the rights and obligations of the parties, will be defined in the applicable Data Processing Addendum with such Customer or Ad-Tech Partner.

2. Information we collect.

   We collect Customer Information and Ad-Tech Partner Information directly from, respectively, our Customers and Ad-Tech Partners. For example, we will collect a Customer or Ad-Tech Partners’ employee, agent or contractors’ contact information when they enter into a contractual relationship with INVIDI AB or if and when they inquire about the Ad-Tech Services. We may also collect other Personal Data that Customers or Ad-Tech Partners choose to provide through the Ad-Tech Services, such as the contents of messages that a Customer or Ad-Tech Partner submits through the Ad-Tech Services. We may also collect Personal Data from prospective Customers or Ad-Tech Partners through publicly available sources. When a Customer or Ad-Tech Partner registers to use the Ad-Tech Services, we collect Personal Data, including the Customer or Ad-Tech Partner’s employee, contractor or agent’s name, email address, telephone number, payment card information, billing information, and/or any other Personal Data the Customer or Ad-Tech Partner employee, agent or contractor may choose to provide through the Ad-Tech Services. We may also work with third-party service providers to process payments to or from our Customers and/or Ad-Tech Partners on our behalf. A list of these vendors are set forth in the applicable Data Processing Addendum between INVIDI AB and the relevant Customer or Ad-Tech Partner. INVIDI AB will not have access to the Personal Data a Customer or Ad-Tech Partner provides to these third parties, but we encourage our Customers and Ad-Tech Partners to visit their privacy policies to understand their data practices.

3. How we use Customer Information and Ad-Tech Partner Information.

   We use Customer Information and Ad-Tech Partner Information for the following purposes:

   • Providing the Ad-Tech Services. To provide the Ad-Tech Services and for other customer service purposes and to otherwise manage Customer and Ad-Tech Partner accounts.
   • Communicating with Customers, Ad-Tech Partners, or others . To communicate, via email or otherwise, with Customers or Ad-Tech Partners about their relevant accounts; to respond to Customer or Ad-Tech Partner inquiries, requests, or complaints; and to provide Customers and Ad-Tech Partners with news, best practices, or other helpful or interesting information, in accordance with their communications preferences.
   • Marketing and advertising. To provide Customers or Ad-Tech Partners with newsletters, special offers, and promotions, including via email, and for other marketing, advertising, promotional purposes, and general updates about INVIDI AB or our Affiliates. These communications will be sent in accordance with the communications preferences of our Customers or Ad-Tech Partners.

4. How we disclose Customer Information and Ad-Tech Partner Information.

   We may disclose Customer Information and Ad-Tech Partner Information as follows:

   • INVIDI AB Affiliates. We may disclose Customer Information or Ad-Tech Partner Information to any of INVIDI AB’s Affiliates, parent companies, or subsidiaries to process for the purposes described in this Policy.
   • INVIDI AB service providers. We may disclose Customer Information or Ad-Tech Partner Information to vendors, service providers, agents, contractors, or others who perform functions, such as maintenance, data analysis, customer relationship management, email marketing, surveys, payment card processing, data hosting, and fraud detection, on our behalf.
   • Other Customers or Ad-Tech Partners. We may disclose Customer Information or Ad-Tech Partner Information to other Customers or Ad-Tech Partners where relevant to the Ad-Tech Services we provide. For example, we may provide Ad-Tech Partners with information about which Customers’ products, services, platforms or properties their ads have appeared on.

5. Customer and Ad-Tech Partner rights.

   Customers and Ad-Tech Partners may access, correct, or update the Personal Data they have provided to INVIDI AB by updating such information in their account, emailing their INVIDI AB account manager, or by emailing us at privacyoffice@invidi.com. We may send periodic promotional or informational emails to Customers or Ad-Tech Partners in accordance with their communications preferences. At any time, Customers and Ad-Tech Partners may opt out of such communications by following the opt-out instructions contained in the email. Please note that if a Customer or Ad-Tech Partner opts out of receiving emails about recommendations or other information we think may be of interest, we may still send emails to such Customer or Ad-Tech Partner about their account or any Ad-Tech Services they have requested or received from us.

5.  End Users.

This Section 5 sets forth information with respect to INVIDI AB’s processing of End User Information. For more information about our data protection practices with respect to such End User Information, please also see Section 6 below. For information about how we process Customer Information and/or Ad-Tech Partner Information, please see Section 4 above.

1. Respective roles.

   With respect to End User Information processed by INVIDI AB through the Ad-Tech Services, the Customer is the controller, and End User is a data subject, and INVIDI AB acts as a processor, as those terms are defined in the GDPR. The specific details of End User Information that will be processed by INVIDI AB on behalf of a Customer, including the duration, purpose and categories of any Personal Data, and the rights and obligations of the parties, will be defined in the applicable Data Processing Addendum with such Customer.

2. Information we collect.

   INVIDI AB automatically collects End User Information when End Users interact with the Ad-Tech Services that appear on Customers’ products, services, platforms, or other properties. We collect this End User Information through cookies and other technologies. Customers are solely responsible for selecting the types of End User Information processed through or in connection with the Ad-Tech Services. Notwithstanding the forgoing, INVIDI AB generally collects, uses and otherwise processes the following End User Information on behalf of Customers in their use of the Ad-Tech Services: (i) persistent identifiers, (ii) IP addresses, and (iii) geolocation. The Ad-Tech Services may also process other data elements, which may consist of Special Categories of Personal Data, if and to the extent a Customer has opted in to the processing of such information. Our Customers are solely responsible for obtaining consent on our behalf, where required by Applicable Law, for us to process this End User Information.

3. How we disclose End User Information.

   INVIDI AB does not process End Users’ Personal Data other than on a Customer’s documented instructions, as set forth in an applicable Data Processing Addendum with such Customer, and as reasonably necessary to provide the Customer with the Ad-Tech Services, unless processing is required by Applicable Law to which INVIDI AB is subject. Notwithstanding the foregoing, in general, we process End User Information for the following purposes:

   • Provide the Ad-Tech Services. To provide the Ad-Tech Services to our Customers, Ad-Tech Partners, and End Users.
   • Serve addressable advertisements to End Users on behalf of Customers . To serve addressable ads to End Users on behalf of and as directed by our Customers; to assist Customers with ad inventory management; to identify unique End Users across multiple devices to serve addressable advertisements; to analyze the effectiveness of advertising campaigns; to provide aggregated information about End User interests; and to create data segments and groups.

   INVIDI AB does not knowingly create segments or groups based upon Special Categories of Personal Data; however, the Ad-Tech Services may process Special Categories of Personal Data if and to the extent a Customer has opted in to the processing of such information. Our Customers are solely responsible for obtaining such End Users’ explicit consent, where required by Applicable Law, for us to process this End User Information.

4. How we use End User Information.

   INVIDI AB does not disclose End Users’ Personal Data other than on a Customer’s documented instructions, as set forth in an applicable Data Processing Addendum with such Customer, and as reasonably necessary to provide the Customer with the Ad-Tech Services, unless disclosure is required by Applicable Law to which INVIDI AB is subject. Notwithstanding the forgoing, in addition to sharing certain End User Information as directed by Customers, INVIDI AB may disclose End User Information as follows:

   • INVIDI AB Affiliates. INVIDI AB may disclose End User Information to any INVIDI AB Affiliates, parent companies, or subsidiaries to process such End User Information for the purposes described in this Policy.
   • INVIDI AB service providers. INVIDI AB may disclose End User Information to vendors, service providers, agents, contractors, or others who perform functions, such as maintenance, data analysis, customer relationship management, email marketing, surveys, payment card processing, data hosting, or fraud detection, on our behalf. Notwithstanding the foregoing, to the extent such End User Information consists of any Personal Data, INVIDI AB only shares such Personal Data with service providers who will utilize the information to provide their services to INVIDI AB.
   • Customers and Ad-Tech Partners. INVIDI AB may disclose End User Information to Customers or Ad-Tech Partners where relevant to the Ad-Tech Services we provide to such Customers and/or Ad-Tech Partners.

5. End User rights.

   INVIDI AB, to the extent legally permitted, will promptly notify the relevant Customer if and when INVIDI AB receives a request from an End User to exercise such End User’s right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing, or its right not to be subject to an automated individual decision making (each such request, a “Data Subject Request“). Taking into account the nature of the processing, INVIDI AB will assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer’s obligation to respond to a Data Subject Request under Data Protection Law. In addition, to the extent a Customer, in its use of the Ad-Tech Services, does not have the ability to address a Data Subject Request, INVIDI AB will, upon the Customer’s written request, provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent INVIDI AB is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Law.

6. Children.

   INVIDI AB does not knowingly collect any End User Information or target any advertisements on Customer products, services, platforms, or properties directed to children under the age of thirteen.

6.  General provisions applicable to Customers, Ad-Tech Partners and End Users.

1. Other ways we use Information.

   We use Information for the purposes respectively set forth in Sections 4 and 5 above, as well as for the following purposes:

   • Analyze the use of the Ad-Tech Services. To the extent aggregated or de-identified Information is no longer considered Personal Data, for any purpose, including analysis, internal operations, and to improve the quality of the Ad-Tech Services.
   • Legal compliance. To comply with obligations under Applicable Laws, including requests from law enforcement or other governmental entities.
   • Protecting rights and interests. To protect our rights and interests and the rights and interests of our Customers, Ad-Tech Partners, End Users, and the general public, as well as to enforce this Policy and other INVIDI AB policies.

2. Other ways we disclose Information.

   When we share Information with third parties as specified above, we require such recipients to agree to only use such Information in accordance with this Policy and our contractual specifications. In addition to the disclosures detailed above, we may also disclose Information for the following purposes:

   • Business transfers. INVIDI AB reserves the right to disclose and/or transfer Information to another entity if we are acquired by or merged with another company, if we sell or transfer a business unit or assets to another company, as part of a bankruptcy proceeding, or as part of any other similar business transfer.
   • Legal compliance. To comply with obligations under Applicable Laws, including requests from law enforcement or other governmental entities.
   • Protecting rights and interests. To investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our this Policy and/or other INVIDI AB policies, or as evidence in litigation in which we are involved, to the extent we believe disclosure of such Information is necessary.
   • Aggregate and de-identified Information. We may disclose aggregated or de-identified Information to our Customers, Ad-Tech Partners, Affiliates or third parties without restriction, to the extent aggregated or de-identified Information is no longer considered Personal Data.

3. Legal Basis.

   INVIDI AB processes End User Information as a processor on behalf of our Customers. To the extent Customers or Ad-Tech Partners need to collect, disclose or otherwise process, or allow INVIDI AB to facilitate in the collection, disclosure or other processing of Personal Data in connection with the Ad-Tech Services, it is the responsibility of such Customers or Ad-Tech Partners to determine the appropriate legal basis for doing so, as well as providing the necessary privacy notices and obtaining any required consent(s). Where required, INVIDI AB’s legal basis for processing Personal Data will depend on the Personal Data concerned and the specific context in which we collect it. However, in connection with the Ad-Tech Services, we collect Personal Data and process it on the basis of the following: Consent: Where we have the appropriate consent to do so. Performance of a Contract: Where we need to process the Personal Data to perform a contract. Legitimate Interest: Where the processing is in our legitimate interests and not overridden by data protection interests or fundamental rights and freedoms, including fraud prevention, developing and improving our products, and conducting analytics to enhance end user experiences. Legal Obligations: Where we need to comply with law or a legal obligation to which we are subject.

4. Third-party links.

   The Ad-Tech Services may contain links to third-party products, services, platforms, websites, or other properties. Any access to and/or use of any of the forgoing are not governed by this Policy but instead by the privacy policies of those third-parties. INVIDI AB is not responsible for the information security nor privacy practices of such third-parties.

5. Retention.

   INVIDI AB retains Information for the period of time defined by a Customer or Ad-Tech Partner, as applicable, in the relevant Data Processing Addendum with such party. Notwithstanding the foregoing, INVIDI AB retains Personal Data only for as long as reasonably necessary to fulfil the purposes we collected it for, including to provide the Ad-Tech Services and/or for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation. To determine the appropriate retention period for Personal Data, INVIDI AB considers the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of Personal Data, the purposes for which we process Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

6. Security.

   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, INVIDI AB, in relation to Personal Data, implements appropriate technical and organizational measures that are designed to ensure a level of security appropriate to such risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, INVIDI AB takes account of the risks that are presented by processing, in particular from a personal data breach. INVIDI AB has implemented information security policies that set forth technical, administrative, and physical safeguards for the protection of Personal Data. INVIDI AB regularly reviews such policies and improves them where necessary.

7. INVIDI AB personnel.

   INVIDI AB has appointed an Office of the DPO in order to inform and advise INVIDI AB and its staff on its data protection obligations, and for monitoring compliance with those obligations and with INVIDI AB’s data protection policies. The Office of the DPO can be reached at privacyoffice@invidi.com with any data processing or data protection inquiries. INVIDI AB takes reasonable steps to ensure the reliability of any employee, agent or contractor of INVIDI AB who may have access to Personal Data and implements access controls to limit access to Personal Data. All INVIDI AB personnel who have access to Personal Data are educated and regularly trained on INVIDI AB’s data protection policies and the treatment of Personal Data, including the obligation of confidentiality with respect to such data.

8. Third-Party Subprocessors.

   Customers can exercise their rights with respect to Subprocessor changes according to the provisions of the applicable Data Processing Addendum. Notwithstanding the forgoing, with respect to each Subprocessor: (i) before a Subprocessor first processes Personal Data, INVIDI AB carries out adequate due diligence to ensure that the Subprocessor is capable of providing the appropriate level of protection for such Information; (ii) INVIDI AB ensures that the arrangement between INVIDI AB and Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in the applicable Data Processing Addendum and meet the requirements of Article 28(3) of the GDPR; and (iii) where the arrangement involves a Restricted Transfer, INVIDI AB ensures that a valid legal mechanism is adopted, including, for example, incorporation of the Standard Contractual Clauses into the agreement between INVIDI AB and Subprocessor.

9. Restricted Transfers.

   INVIDI AB transfers Personal Data outside the EEA and, where available, we rely on adequacy determinations to do so. However, as part of our global operations, we may transfer Information to a country that may not offer the same level of protection for Personal Data as the country in which it was collected. To ensure that Personal Data is adequately protected when transferred outside the EEA, INVIDI AB’s Data Processing Addendum includes Standard Contractual Clauses to permit the transfer of Personal Data from the EEA to, for example, the United States.

7.  Contact Us

If you have questions about how INVIDI AB processes Personal Data, please contact the Office of the DPO at privacyoffice@invidi.com . In some jurisdictions and contexts where we act as a data controller, you may have a right to request that we:

• Provide you information about how we use your personal information;
• Give you access to, and a copy of your personal information we hold in our systems;
• Delete all or some of the personal information we have about you (e.g., if it is no longer needed to provide Services to you);
• Stop using, and ensure that all third parties stop using, some or all of your personal information (e.g., if we no longer have a legal basis to process it); and
• Note any violations of the Privacy Policy.

For EU and UK users, in cases where we act solely as controller, you can send us an email at privacyoffice@invidi.com or write to us at the address above, Attn: Legal Counsel. We will respond to your request within a reasonable timeframe, although we may in some circumstances require that you validate your identity and sometimes we may not be able to accommodate your request based on the information we have available.