At VECTAURY, the protection of personal data* is central to our mission for both strategic and ethical reasons. It has been the subject of three years’ work by our R&D team in collaboration with our legal advisors and with support from the French Data Protection Authority.
VECTAURY complies with Article 5 of the European Data Protection Regulation (GDPR), specially:
- the mobile user's right to information;
- the obligation to obtain independent, specific, informed and unequivocal consent from mobile users prior to any data processing, with consent given via clear declaration or intentional act;
- the mobile user’s right to access, right to rectification, right to object, right to data portability, right to restriction of processing, right to make a complaint to the French Data Protection Authority, and right to be forgotten;
- confidentiality and integrity of data collected;
- compliance of processing operations throughout the data life cycle.
In order to comply with the requirement to obtain consent from a clear positive act of the mobile users, we have designed a consent management tool that meets the requirements of the General Data Protection Regulation. This consent management tool is a Consent Management Platform IAB (CMP) and allows data to be collected legally within applications integrating the VECTAURY SDK.
In addition, the CMP VECTAURY is accessible at any time in the settings of the application. The mobile user can therefore change his or her consent choices at any time.
If the publishers with whom we work do not wish to integrate this tool, they can use their own CMP or a third party CMP as soon as VECTAURY has audited and considered as compliant the consent management tool used.
This consent collection tool allows VECTAURY to keep a technical record of mobile users' consent called "Chain of Consent".
VECTAURY also collects data when it buys advertising space to display campaigns ordered by its customers, as part of a real-time auction system.
In this context, VECTAURY will only bid to acquire advertising space within mobile applications when it is technically possible to retrieve a "consent chain" to ensure that it is possible to collect and process mobile users' data.
As mentioned above, the mobile user is informed by means of the CMP used by our partner publishers and publishers monetizing the advertising space available in their applications via the real-time auction system. VECTAURY ensures that mobile users are properly informed so that they can give specific and informed free consent to the processing of their personal data.
Our partner data providers guarantee VECTAURY that before obtaining consent they will inform mobile users about the purposes of data processing and all user rights including the right to withdraw consent at any time. Mobile users can exercise their rights through the publisher, who will pass requests to VECTAURY for implementation.
When the publisher uses a CMP, mobile users can exercise their rights in-app.
Android and Apple platforms enable mobile users to control privacy by blocking targeting ads and by resetting their advertising IDs. This disables the link between advertising history and future navigation.
Our primary data collection method is the VECTAURY proprietary SDK, the mobile equivalent of a cookie. Publishers integrating the VECTAURY SDK designate VECTAURY as the data controller in their Terms and Conditions. This gives mobile users the identity of the controller and the e-mail address firstname.lastname@example.org, providing a means to exercise all privacy rights through VECTAURY.
VECTAURY’s SDK also allows mobile users to withdraw consent at any time, easily and free of charge, using their smartphone settings.
Our secondary data collection method is AdRequest, which serves a consent request when a mobile application is viewed. When data are collected by AdRequest, consent is collected by the publisher, and a clickable information button visible in the advertisement sends the user to the VECTAURY privacy center. This web interface enables mobile users targeted by VECTAURY ads to exercise all their rights and withdraw consent if desired
Mobile users can also access information, request its correction or deletion, and exercise other rights concerning personal data by contacting us at: email@example.com.
VECTAURY respects the principle of data minimization set out in Article 5 of the GDPR, according to which:
- Data collected must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
- Data collected must be processed in a manner that is relevant, adequate and not excessive in relation to the purposes for which they were collected.
VECTAURY collects personal mobile user data, including geolocation data, for the purposes of selling targeted ads and insights to advertisers.
VECTAURY ensures that personal data are processed exclusively for the purposes for which mobile users have given consent and according to the principal of proportionality. Vectaury ensures that the use of this data by subcontractors is contractually supervised.
As a result, our campaigns do not rely on ultra-geolocation technologies or excessive collection frequency. Our intelligent data collection algorithm and filtering mechanism processes only data needed for user-approved purposes.
Our approach to collecting geolocation data gives us a better understanding of our mobile users without identifying them or knowing excessive information about their movements.
VECTAURY complies with Articles 45 and 46 of the GDPR, according to which:
The controller of a processing operation may transfer personal data to a State outside the European Union only if that State ensures a sufficient level of protection of privacy with regard to an adequacy decision by the European Commission or by means of appropriate safeguards.
Vectaury does not transfer personal data outside of France. Our data are collected, processed and stored on servers in France.
Deliverables sent to our customers and partners include only anonymized statistics void of any personal characteristics, thus they are not subject to national or European laws related to the transfer of personal data.
When personal data are sent to a customer or partner in France, VECTAURY:
- Oversees its use. It cannot be used in a manner other than that for which the mobile user gave consent or reconciled with other data
- Ensures data confidentiality and integrity.
VECTAURY compolies with Articles 25 and 32 of the GDPR:
- The controller is required to implement technical and organizational measures to guarantee a level of security appropriate to the risks presented by processing; to preserve the security of the data; and, in particular, to prevent data from being distorted, damaged or accessed by unauthorized third parties.
- The controller must respect the principles of:
- Privacy by design: The data controller ensures that the objective of protecting personal data is integrated into new projects from the design stage by implementing appropriate technical and organizational measures both when determining the means of processing and at the time of processing itself.
- Privacy by default: The controller guarantees that, by default, only personal data necessary for each specific purpose are processed.
All of the obligations required by the French Data Protection Authority are clearly stated in our Information System Protection Policy and are carried out by our technical and administrative teams.
VECTAURY respects article 5 of the European regulation on the protection of personal data, according to which:
Data shall be kept in a form of identifiable data for no longer than is necessary for the purposes for which the data are collected and processed.
VECTAURY permanently deletes any identifiable data as soon as it is no longer useful for the purpose for which it was collected. More specifically, all information that could be used directly or indirectly for personal identification is deleted or modified, making re-identification impossible..
Given the similarities between mobile SDKs and desktop cookies, we apply the same rules to both platforms, deleting all data within 12 months of its collection.
As a result, all data collected on the basis of mobile users' consent is deleted within 12 months of collection to comply with this logic.
VECTAURY allows mobile users to easily implement their right to forget and to request the deletion of their personal data without legitimate reason by sending an email to firstname.lastname@example.org.
Raising staff awareness of personal data protection is an essential step toward compliance, particularly for securing information systems that are used daily by employees.
Our Data Protection Officer is responsible for raising awareness and training employees internally on personal data protection issues.
VECTAURY strives to make all staff aware of the ethical issues related to data protection and privacy. Initiatives include weekly committees for all managers and regular workshops open to the entire team.
VECTAURY has been compliant with the new European Regulations since the end of 2017.
Paris, August 1st, 2019.
*In accordance with law no. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties and the new European Regulation on the protection of personal data and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
VECTAURY, simplified joined stock company with a capital of 115 500€ registered under the number 799 256 730 at the Registre de commerce et des sociétés (Corporation and Trade Registry) of Paris, headquartered at 19, rue Martel - 75010 Paris and represented by its President, Matthieu Daguenet (TVA no. FR 42799256730).
Mrs Mathilde Ferriol, email@example.com
We collect and process the personal data of mobile users, including geolocation data, for the purposes of targeted advertising, to propose commercial offers adapted to the mobile user's location, profiling, measuring advertising campaigns and traffic at points of sale and marketing research on behalf of advertisers and media agencies.
To be able to display targeted advertising campaigns or personalized targeted commercial offers to mobile users according to their location, Vectaury uses a real time bidding system allowing it to buy advertising inventory within mobile applications in which the campaigns are displayed.
The personal data of mobile users are therefore likely to be processed within the framework of this real-time bidding system.
Collection of personal data by VECTAURY is not mandatory. There is no direct consequence to the mobile user for refusing to consent to data collection.
However, the purpose of collecting of personal data is to monetize mobile applications provided free of charge to users.
VECTAURY does not transfer personal data to recipients outside of the European Union.
VECTAURY reserves the right to transfer personal data when all of the following conditions are met:
- To its customers and partners
- To trusted third parties such as :
- In keeping with the purposes for which data was collected (for example, to prove the effectiveness of an advertising campaign)
- Data is non-nominative and encrypted
- Recipients respect the user’s scope of consent
- Retention period for personal data
Data collected directly via VECTAURY technologies are deleted within a maximum period of 12 months of collection as required by our cookies policy.
In case of contradiction between the English and French versions of this policy, the French version shall prevail.
Mobile users have a right of access, a right of rectification, a right of opposition, a right to be forgotten, a right to limit processing, a right to portability and a right of appeal to the competent supervisory authority.
Mobile users can exercise their various rights by going to the Vectaury privacy center by clicking on the (i) information contained in the advertisements displayed to them in the applications, or directly on the VECTAURY website via the following link: https://cdn.vectaury.io/vectaury/201704/campaign1/www/page/index2.html
Mobile users can also exercise their rights by writing to the following e-mail address: firstname.lastname@example.org.