EPSILON PRIVACY POLICY FOR SERVICES
MIDDLE EAST
Last Modified: 16 October 2024
Epsilon is an advertising company. We are part of the Publicis Groupe, headquartered in France but with operations around the world. Our services help businesses find customers and keep the internet free. We encourage you to read the whole notice but if you wish to jump to a certain subject, please use the table below.
- Privacy commitment and scope of this Privacy Policy
- What does Epsilon do?
- The use of Cookies and Device access
- What Personal Data do we process?
- How Personal Data is used and lawful basis
- Social media
- Who do we share Personal Data with?
- How long do we keep Personal Data?
- Your rights
- International transfers
- Security
- Self-regulation
- Contact us
- Changes to this Privacy Policy
- Definitions used in this Privacy Policy
Throughout this Privacy Policy we use several capitalised terms. You can find the definitions for these here.
Privacy commitment and scope of this Privacy Policy
This Privacy Policy (“Privacy Policy”) describes how Personal Data is collected and used by Epsilon when providing our Services. We care about your privacy, and we want you to understand how we process Personal Data and what choices you have with regards to it. We have taken steps to provide you with this information as clear and easy as possible, but if you have any questions you can always Contact us.
We believe that data protection is essential to the growth and prosperity of the Internet and that a personalised experience online can provide significant benefits to users if done properly. In accordance with these believes, Epsilon creates results for advertisers in revolutionary ways without compromising users’ privacy or data protection.
By getting familiar with this Privacy Policy, you have taken the first step in understanding how advertising businesses such as ours help contribute to the Internet’s ability to remain a diverse ecosystem of free content, as well as provide a better digital browsing experience.
What does Epsilon do?
While you visit digital properties, such as websites and mobile applications, there are almost always third-parties working behind the scenes to help provide you with a great digital experience. These companies provide services such as analytics, advertising and fraud prevention for retailers, publishers, and other organisations. Epsilon is one of these companies and we help provide the advertising that keeps your favourite blogs free, your favourite stores in business, and your advertising experience more relevant.
Epsilon provides its clients with digital advertising and personalised content across the Internet. To make some of these things possible, and to make smarter decisions, we need to use information that is considered Personal Data. You can read more about the different Services we provide to our clients on our website: https://www.epsilon.com/
Use of Cookies and Device access
We will only use Cookies or otherwise access your device (for example by using a Tag) if you have provided us with consent to do so, as and if required by applicable laws (including Data Protection Laws). If so, you may have provided us with consent through a consent management platform (CMP) on one of our clients’ or partners’ digital properties. If you want to withdraw your consent to Epsilon, please visit our Consumer Request Portal.
What Personal Data do we process?
Pseudonymous Personal Data
Epsilon uses Tags and Cookies to collect Pseudonymous Personal Data about the browser or device you are using, including Visitor Data and information about your browsing behaviour, such as what digital properties that you have visited and online transactions that you have made. This type of Pseudonymous Personal Data is processed whenever you visit digital properties and open emails where our Tags are implemented, including digital properties belonging to our clients and partners.
We are a part of the digital advertising ecosystem and involved in activities such as Real-Time-Bidding (“RTB”). RTB is a set of technologies and practices used in programmatic advertising that enables advertisers to compete for available digital advertising space and place online adverts on digital properties by automated means. RTB allows for certain information to be sent to participants of the digital advertising ecosystem in Bid Requests. Bid Requests normally contain information that constitutes Personal Data, such a Visitor Data. This information is used by participants to evaluate the bid opportunity and respond with a bid price to serve an advert on the digital property. We only process Pseudonymised Personal Data that we receive in Bid Requests.
We perform Cookie syncs with advertising exchanges and other partners, which means that we receive and share Cookie IDs or other pseudonymised identifiers with each other. This enables us to recognise information about the user and determine whether we want to respond to a Bid Request or not.
We also partner with third parties to receive Pseudonymous Personal Data about transactions made by individuals. This type of Personal Data is mainly Processed to enhance our understanding about what individuals are interested in and what they might purchase in the future, including to create profiles for personalised advertising and content, use such profiles to select personalised adverting and content and to measure advertising and content performance. We combine this type of Personal Data with other categories of Personal Data that we Process.
All location data we process is limited to non-precise location data.
Direct Identifiable Personal Data
Some of our clients provide Direct Identifiable Personal Data such as name, address, email address and associated transactional information, to us.
The Directly Identifiable Personal Data we receive from our clients is referred to as “Offline Data” in this Privacy Policy. We process the Offline Data in a separate environment, and it is pseudonymised before it is processed for the purposes below. We annually engage a third-party auditor to confirm this pseudonymisation process.
How Personal Data is used and lawful basis
Purpose | Description | Lawful basis |
Use limited data to select advertising | Advertising presented to you can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you). | Consent |
Create profiles for personalised advertising | Information about your online activity (such as forms you submit, content you look at) can be stored and combined with other information about you (for example, information on your previous activity on other websites or apps) or similar users. This is then used to build or improve a profile about you. Your profile can be used to present advertising that appears more relevant based on your possible interests. | Consent |
Use profiles to select personalised advertising | Advertising presented to you can be based on your advertising profiles, which can reflect your activity on websites or apps (like the forms you submit, content you look at), possible interests and personal aspects. | Consent |
Measure advertising performance | Information regarding which advertising is presented to you and how you interact with it can be used to determine how well an advert has worked for you or other users and whether the goals of the advertising were reached. For instance, whether you saw an ad, whether you clicked on it, whether it led you to buy a product or visit a website, etc. This is very helpful to understand the relevance of advertising campaigns. | Consent |
Use limited data to select content | Content presented to you can be based on limited data, such as the website or app you are using, your non-precise location, your device type, or which content you are (or have been) interacting with (for example, to limit the number of times a video or an article is presented to you) | Consent |
Create profiles to personalise content | Information about your online activity (for instance, forms you submit, non-advertising content you look at) can be stored and combined with other information about you (such as your previous activity on other websites or apps) or similar users. This is then used to build or improve a profile about you. Your profile can be used to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interest. | Consent |
Use profiles to select personalised content | Content presented to you can be based on your content personalisation profile, which can reflect your online activity (for instance, the forms you submit, content you look at), possible interests and personal aspects. This can for example be used to adapt the order in which content is shown to you, so that it is even easier for you to find (non-advertising) content that matches your interests. | Consent |
Measure content performance | Information regarding which content is presented to you and how you interact with it can be used to determine whether the (non-advertising) content e.g. reached its intended audience and matched your interests. For instance, whether you read an article, watch a video, listen to a podcast or look at a product description, how long you spent on web pages you visit etc. This is very helpful to understand the relevance of (non-advertising) content that is shown to you. | Consent |
Understand audiences through statistics or combinations of data from different sources | Reports can be generated based on the combination of data sets (like user profiles, statistics, market research, analytics data) regarding your interactions and those of other users with advertising or (non-advertising) content to identify common characteristics (for instance, to determine which target audiences are more receptive to an ad campaign or to certain contents). | Consent |
Develop and improve services | Information about your activity, such as your interaction with ads or content, can be very helpful to improve our services and to build new products and services based on user interactions, the type of audience, etc. This specific purpose does not include the development or improvement of user profiles and identifiers. | Consent |
Ensure security, prevent and detect fraud, and fix errors | Your data can be used to monitor for and prevent unusual and possibly fraudulent activity (for example, regarding advertising, ad clicks by bots), and ensure systems and processes work properly and securely. It can also be used to correct any problems you may encounter in your interaction with the content and ad. | Consent or Legitimate Interest (if this basis is applicable in your jurisdiction) |
Deliver and present advertising and content | Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device. | Consent or Legitimate Interest (if this basis is applicable in your jurisdiction) |
In support of one or more of the purposes set out above we may use Personal Data that we hold to determine whether different devices are likely to belong to you or your household and to try and distinguish your device from other devices based on information it automatically sends, such as IP address or browser type. This helps us develop a predictive profile of your interests across these different devices, including making sure we do not show you the same advert too often.
Consent is obtained via our clients and partners, often through consent management platforms (CMPs) on their digital properties. Epsilon’s legitimate interests (if this basis is applicable in your jurisdiction) include, providing our Services and ensuring that our clients are only paying for advertising that is viewed by a natural person (e.g. not a bot).
We will also receive and save information about the privacy choices you make regarding the purposes listed above. This is necessary in order to enable us to respect such choices.
Social media
We sometimes engage social media platforms to display direct marketing to you on their platform. We use “list-based” and “look-a-like” tools to do this. Using list-based tools involves the uploading of Personal Data to the social media platform in question (such as a list of email addresses). The platform then matches the uploaded Personal Data with its own user base. Any user that matches the uploaded list is added into a group that will be sent the selected marketing message. Look-a-like tools offer the ability to build other audiences based on the characteristics of an original audience that was created using a list-based tool. These audiences generally comprise of users that have not previously engaged, but who look like the list-based audience (i.e., they are users with similar interests, behaviours or characteristics). When creating this sort of audience, the social media platform uses Personal Data it has about other users of its platform to find users who match the interests and behaviours of users that are current customers. Examples include Facebook Custom Audiences or LinkedIn Contact Targeting. We will not undertake this processing unless you have provided us with consent for the purposes set out above, and we have contractual controls in place to ensure that the social media platform can only use the Personal Data we share to enable the provision of the Services. We are not responsible for the data practices of social media platforms and recommend you read their own privacy policies.
Who do we share Personal Data with?
We share your Personal Data:
- With our Affiliates and processors that assist us in providing our Services. This includes our Affiliates in the United Kingdom, India and the United States of America.
- With our clients. For example, we may share Personal Data collected by Tags on our clients’ digital properties to help our clients learn more about their visitors, and Personal Data collected when an advert is delivered to report on the performance of advertising and to help clients understand how often they are serving an advert to the same individual and to help them optimise.
- With participants of the advertising ecosystem such as advertisers, publishers, advertising exchanges, data management platforms, demand side platforms and supply side platforms, to be able to participate in RTB activities.
- With social media platforms as described above.
- Third-parties in the event of any reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stocks (including in connection with any bankruptcy or similar proceedings).
- As we believe necessary and appropriate: (a) under applicable law; (b) to comply with legal processes and obligations; (c) to respond to requests from public and governmental authorities including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety or property; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
We will share your Personal Data with the third parties set out above for the specified purposes set out herein and in accordance with this Privacy Policy, to the minimum extent required, and in compliance with Data Protection Laws.
How long do we keep Personal Data?
We retain all Personal Data in accordance with our data retention policy which abides by applicable law, including Data Protection Laws. The retention period depends on the type of data. For example, we retain non-transactional Pseudonymous Personal Data we collect or receive online or through Bid Requests for no more than eighteen (18) months.
Your rights
In situations when we rely on consent to process your Personal Data you have the right to withdraw your consent at any time. If you want to withdraw your consent to Epsilon, please visit our Consumer Request Portal.
If you wish to exercise any other rights you may have under Data Protection Laws (including access, deletion, rectification, portability, being informed, filing a complaint with the UAE Data Office or the Saudi Data and Artificial Intelligence Authority (SDAIA) or request compensation for material or moral damage due to violation of the applicable law, please visit our Consumer Request Portal
We will aim to comply with all requests promptly and in line with statutory deadlines. Subject to applicable laws, we may not always be able to fully address your request, for example: (a) if it would impact the confidentiality Epsilon owes to others; (b) if Epsilon is legally entitled to deal with the request in a different way; or (c) if the request involves deletion of information required to comply with legal requirements.
If any request is repetitive, manifestly unfounded, or requires disproportionate efforts, Epsilon reserves the right to refuse it, in which case we will notify you of the refusal and the reason behind it.
International transfers
In order to provide our Services, we transfer Personal Data to, and Process Personal Data in, countries outside the country in which you are residing. More specifically our servers are located in Ireland, Netherlands, Singapore and the United States, and our processors operate around the world including the United Kingdom, India, and United States.
We have taken appropriate and suitable safeguards to ensure that your Personal Data will remain protected when transferred outside any relevant country in which you are residing. This includes implementing Standard Contractual Clauses or other standard contracts with recipients in third countries adopted by the applicable data regulator, for example, the SDAIA Standard Contractual Clauses where relevant. Further information about our international transfers as well as the safeguards in place can be provided upon request.
Security
We have implemented appropriate technical and organisational security measures to protect the Personal Data in our care, both during transmission and once we receive it. This includes physical and technical security measures to protect our Personal Data from accidental or unlawful destruction, loss, or alteration, and from unauthorised disclosure or access. Although, please note that no method of transmitting information over the Internet or storing information is completely secure.
Self-regulation
Our industry has a rigorous voluntary self-regulatory regime, and we are active members of industry groups such as the Interactive Advertising Bureau (IAB), Interactive Advertising Bureau Europe (IAB EU), Interactive Advertising Bureau UK (IAB UK), Digital Advertising Alliance (DAA), European Digital Advertising Alliance (EDAA) and Digital Advertising Alliance of Canada (DAAC). These groups promulgate codes of conduct and principles that impose requirements on participating members such as transparency and choice around the use of Personal Data for interest-based advertising, and some even require regular audits of member privacy practices. Such codes and principles include the DAA Self-Regulatory Principles, the EDAA Self-Regulatory Principles, and the DAAC Self-Regulatory Principles, which we all support.
Contact Us
The Controller of the Personal Data that we process as described in this Privacy Policy is Epsilon.
Our Data Protection Officer is tasked with informing and advising us on the obligations that apply to us under Data Protection Laws, as well as monitoring our compliance with the same. If you need to contact our Data Protection Officer, please email us here. However, we respectfully ask that you only contact our Data Protection Officer regarding urgent matters relating to data protection.
If you have a complaint about Epsilon’s use of your Personal Data, you can contact us via our Consumer Request Portal or in the ways mentioned in this Section. We will look into and respond to any complaints we receive.
If you feel that Epsilon does not comply with Data Protection Law, you may have the right to report a concern to your country’s data protection authority or lodge a complaint. If you are located in the UAE, please contact the UAE Data Office. Meanwhile, if you are located in the Kingdom of Saudi Arabia, please contact the Saudi Data & Artificial Intelligence Authority’s (SDAIA) office through the address below or any other competent authority later designated as having jurisdiction to receive such complaints. SDAIA’s address: Kingdom of Saudi Arabia, Riyadh. Website: sdaia.gov.sa and National Data Governance Platform “DGP”: dgp.sdaia.gov.sa
However, we respectfully request that you contact us first so that we can assist you.
Changes to this Privacy Policy
We may occasionally make changes to this Privacy Policy. If we do, we will take appropriate measures to inform you, consistent with the significance of the changes we make, and update the “Last Modified” date above.
Definitions used in this Privacy Policy
The technical nature of our Services means we need to keep referring to complex concepts. Capitalised words have the following meanings:
“Affiliates” means any corporation which controls, is controlled by, or is under common control with Epsilon.
“Cookies” are small text files that are downloaded and stored onto your device (e.g. a computer or smartphone). Cookies allow us to recognise your device and store information about your preferences or past actions. In this Privacy Policy the definition of “Cookies” includes similar technologies that can write or read information on your device such as “Local Shared Objects” (sometimes called Flash Cookies), pixels and web-beacons. For more details on the Cookies we set for our Services, click here.
“Data Protection Laws” means (i) the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection; (ii) the Saudi Personal Data Protection Law, implemented by Royal Decree No. M/19 of 09/02/1443H (16 September 2021) and amended by Royal Decree No. M/147 of 05/09/1444H (27 March 2023) and its Implementing Regulations, including any rules, decisions or resolutions issued by the relevant regulator from time to time (iii) any and all applicable national, federal or state data protection laws and regulations made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to time.
“Device IDs” are unique identifiers associated with your device. These identifiers are assigned by your device’s operating system, such as Apple’s iOS and Google’s Play Services for Android. Device IDs can be reset in your device settings.
“Directly Identifiable Personal Data” is Personal Data that directly identifies an individual. This type of Persona Data includes information such as full name, home address, telephone number, and email address.
“Epsilon” means for Data Subjects in the (i) United Arab Emirates, Digitas, a branch of Publicis Media FZ-LLC, licensed by the Dubai Development Authority with commercial license number 96197, and office at Dubai Properties HQ Building Floor 4 Zone C, Knowledge Village, PO Box 7534, DU, United Arab Emirates; and (ii) Kingdom of Saudi Arabia, MMS Communications Saudi Arabia Limited, a company duly incorporated and existing under the laws of the Kingdom of Saudi Arabia with company registration number 1010721229 and having its registered office at Riyadh, King Fahd Road, Al Olaya District, Al Faisaliah Tower, Riyadh 12212.
“Visitor Data” includes (i) information that is sent to us by digital properties that have our Tags implemented, such as browser type, browser time, time of access, screen resolution, IP address, hashed email, referring site URL, current site URL, and search strings; and (ii) information sent to us by advertising exchanges via "Bid Requests", which may include the information in (i) above and other information such as IP addresses, Device IDs, Cookie IDs, non-precise location data, demographic data and other information including audience segmentation. Visitor Data normally constitutes Personal Data.
“Personal Data” means any information relating to an identified or identifiable natural person. Information such as name, identification number, location data and an online identifier is considered Personal Data.
“Pseudonymous Personal Data” is Personal Data that cannot be attributed to a specific individual without the use of additional information, for example 'John Smith' converted to “#12345”. Online identifiers such as Cookie IDs and Device IDs are usually considered Pseudonymous Personal Data.
“Services” means the adverting services that we provide to our clients, including services referred to as “Discovery”, “Prospect”, “Digital Media Solutions”, “Epsilon Retail Media” and other services that utilises our identity graph/CORE ID. The definition of “Services” does not include services that Epsilon provides to its clients as a processor (as defined by Data Protection Laws), including services referred to as “Messaging”, and “Loyalty”.
“Tags” are tiny snippets of code inserted into a digital property that is used to collect data related to a visit. In this Privacy Policy, the definition of “Tags” includes the use of an SDK (Software Development Kit) to enable the same functionality in mobile applications.