At VECTAURY, the protection of personal data* is central to our mission for both strategic and ethical reasons. It has been the subject of two years’ work by our R&D team in collaboration with our legal advisors and with support from the French Data Protection Authority.
VECTAURY complies with Article 5 of the European Data Protection Regulation (GDPR), specially:
- the mobile user's right to information;
- the obligation to obtain independent, specific, informed and unequivocal consent from mobile users prior to any data processing, with consent given via clear declaration or intentional act;
- the mobile user’s right to access, right to rectification, right to object, right to data portability, right to restriction of processing, right to make a complaint to the French Data Protection Authority, and right to be forgotten;
- confidentiality and integrity of data collected;
- compliance of processing operations throughout the data life cycle.
In order to protect the privacy of mobile users, we have designed consent management tools that meet the requirements of the GDPR. The publishers with whom we work may choose to use our tools, their own consent management tools, or a tool provided by a third party as long as the tool meets GDPR requirements. VECTAURY consent management tools include:
- The VECTAURY Consent Management Platform (CMP): this free solution allows publishers to collect the consent of mobile users in a fair manner and according to the standards established by the IAB and approved by the advertising community. In compliance with the GDPR, our CMP enables mobile users to give or withdraw consent per marketing purpose and per vendor.
Our partner data providers guarantee VECTAURY that before obtaining consent they will inform mobile users about the purposes of data processing and all user rights including the right to withdraw consent at any time. Mobile users can exercise their rights through the publisher, who will pass requests to VECTAURY for implementation.
When the publisher uses a CMP, mobile users can exercise their rights in-app.
Android and Apple platforms enable mobile users to control privacy by blocking targeting ads and by resetting their advertising IDs. This disables the link between advertising history and future navigation.
Our primary data collection method is the VECTAURY proprietary SDK, the mobile equivalent of a cookie. Publishers integrating the VECTAURY SDK designate VECTAURY as the data controller in their Terms and Conditions. This gives mobile users the identity of the controller and the e-mail address email@example.com, providing a means to exercise all privacy rights through VECTAURY.
VECTAURY’s SDK also allows mobile users to withdraw consent at any time, easily and free of charge, using their smartphone settings.
Our secondary data collection method is AdRequest, which serves a consent request when a mobile application is viewed. When data are collected by AdRequest, consent is collected by the publisher, and a clickable information button visible in the advertisement sends the user to the VECTAURY privacy center. This web interface enables mobile users targeted by VECTAURY ads to exercise all their rights and withdraw consent if desired
Mobile users can also access information, request its correction or deletion, and exercise other rights concerning personal data by contacting us at: firstname.lastname@example.org.
VECTAURY respects the principle of data minimization set out in Article 5 of the GDPR, according to which:
- Data collected must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
- Data collected must be processed in a manner that is relevant, adequate and not excessive in relation to the purposes for which they were collected.
VECTAURY collects personal mobile user data, including geolocation data, for the purposes of selling targeted ads and insights to advertisers.
VECTAURY ensures that personal data are processed exclusively for the purposes for which mobile users have given consent and according to the principale of porportionality. Vectaury ensures that the use of this data by subcontractors is contractually supervised.
As a result, our campaigns do not rely on ultra-geolocation technologies or excessive collection frequency. Our intelligent data collection algorithm and filtering mechanism processes only data needed for user-approved purposes.
Our approach to collecting geolocation data gives us a better understanding of our mobile users withoutidentifying them or knowing excessive information about their movements.
VECTAURY complies with Articles 45 and 46 of the GDPR, according to which:
The controller of a processing operation may transfer personal data to a State outside the European Union only if that State ensures a sufficient level of protection of privacy with regard to an adequacy decision by the European Commission or by means of appropriate safeguards.
Vectaury does not transfer personal data outside of France. Our data are collected, processed and stored on servers in France.
Deliverables sent to our customers and partners include only anonymized statistics void of any personal characteristics, thus they are not subject to national or European laws related to the transfer of personal data.
When personal data are sent to a customer or partner in France, VECTAURY:
- Oversees its use. It cannot be used in a manner other than that for which the mobile user gave consent or reconciled with other data
- Ensures data confidentiality and integrity.
VECTAURY compolies with Articles 25 and 32 of the GDPR:
- The controller is required to implement technical and organizational measures to guarantee a level of security appropriate to the risks presented by processing; to preserve the security of the data; and, in particular, to prevent data from being distorted, damaged or accessed by unauthorized third parties.
- The controller must respect the principles of:
- Privacy by design: The data controller ensures that the objective of protecting personal data is integrated into new projects from the design stage by implementing appropriate technical and organizational measures both when determining the means of processing and at the time of processing itself.
- Privacy by default: The controller guarantees that, by default, only personal data necessary for each specific purpose are processed.
All of the obligations required by the French Data Protection Authority are clearly stated in our Information System Protection Policy and are carried out by our technical and administrative teams.
VECTAURY respects article 36 of the Data Protection Act, and article 5 of the European regulation on the protection of personal data, according to which:
Data shall be kept in a form of identifiable data for no longer than is necessary for the purposes for which the data are collected and processed.
VECTAURY permanently deletes any identifiable data as soon as it is no longer useful for the purpose for which it was collected. More specifically, all information that could be used directly or indirectly for personal identification is deleted or modified, making re-identification impossible..
Given the similarities between mobile SDKs and desktop cookies, we apply the same rules to both platforms, deleting all data within 12 months of its collection.
VECTAURY also apply European Regulation standards with respect to the right to be forgotten by allowing mobile users to request deletion of personal data at any time and for any reason by emailing: email@example.com.
Raising staff awareness of personal data protection is an essential step toward compliance, particularly for securing information systems that are used daily by employees.
Our Data Protection Officer is responsible for raising awareness and training employees internally on personal data protection issues.
VECTAURY strives to make all staff aware of the ethical issues related to data protection and privacy. Initiatives include weekly committees for all managers and regular workshops open to the entire team.
VECTAURY has been compliant with the new European Regulations since the end of 2017.
Paris, August 21, 2018.
*In accordance with law no. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties and the new European Regulation on the protection of personal data and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
VECTAURY, SAS company, with a mutual fund, registered under the number 799 256 730 at the Registre de commerce et des sociétés (Corporation and Trade Registry) of Paris, headquartered at 33 Rue La Fayette 75009 Paris and represented by its President, Matthieu Daguenet (TVA no. FR 42799256730).
We collect and process the personal data of mobile users, including geolocation data, for the purpose of targeting mobile advertising, profiling and analytics. Data are collected by means of third-party partners and on behalf of advertisers and media agencies.
Collection of personal data by VECTAURY is not mandatory. There is no direct consequence to the mobile user for refusing to consent to data collection.
However, the purpose of collecting of personal data is to monetize mobile applications provided free of charge to users.
VECTAURY does not transfer personal data to recipients outside of the European Union.
VECTAURY reserves the right to transfer personal data when all of the following conditions are met:
- To its customers and partners
- In keeping with the purposes for which data was collected (for example, to prove the effectiveness of an advertising campaign)
- Data is non-nominative and encrypted
- Recipients respect the user’s scope of consent
- Retention period for personal data
Data collected directly via VECTAURY technologies are deleted within 12 months of collection as required by our cookies policy.
In case of contradiction between the English and French versions of this policy, the French version shall prevail.