Effective Date: January 1st 2020
This DoubleVerify Privacy Notice (the “Privacy Notice”) informs customers, consumers and partners (“you” and “your”) on DoubleVerify’s use, collection, and sharing of your personal information in connection with our services. This Privacy Notice will help to explain your privacy rights in relation to these activities. As used in this Privacy Notice, “Personal Information” means information that relates to an identified individual or to an identifiable individual.
DoubleVerify, Inc. (“DoubleVerify”) is the industry leader in providing transparency and accountability in online advertising. This Privacy Notice describes our practices in connection with information that we collect through the DoubleVerify Services. Our accredited technology platform provides an independent, third-party set of measurements about ad impression delivery and website traffic to help advertisers and advertising inventory sellers confirm accurate delivery characteristics, including brand safety, viewability metrics, contextual and environmental parameters (e.g., the website on which an ad appears, and where it appears on the webpage) and ad impression and website traffic quality characteristics, as well as to help ensure that advertisers and their partners are in compliance with their agreements. Additionally, advertisers use information we provide about ad impression opportunities to decide if they want their creative displayed in the available impression environment. DoubleVerify collects this data about advertising delivery and website traffic on behalf of both advertisers and sellers and shares the information we collect to drive transparency and accountability in the online advertising marketplace.
DoubleVerify uses various technologies to collect information about online advertising, website traffic, mobile app traffic, and connected device traffic in order to deliver advertising transparency and accountability services to our customers (collectively, “DoubleVerify Services”).
The purpose of this Privacy Notice is to inform you of: (1) the types of information DoubleVerify may gather about you or your device when an advertisement that is analyzed by us is delivered to you on a website you are viewing or in an app you are using, and (2) how we may use, share, and otherwise process that information.
DoubleVerify does not collect, retain or share any personally identifiable information gathered on sites or apps not owned by DoubleVerify. This includes both unique user identifiers, as well as IP addresses, except for the limited purpose of fraud prevention, geo compliance and never to create user profiles in which case we collect and retain, but do not share user IP addresses for 45 days and never correlate a user IP addresses across domains except when fraud is detected.
3. WHICH CATEGORIES OF DATA AND OF PERSONAL INFORMATION DO WE COLLECT AND FOR WHAT PURPOSES?
DoubleVerify Services do not collect and use personal information that may directly or indirectly identify you, except for providing fraud prevention services and for geography compliance services. When collecting personally identifiable information for fraud prevention and for geography compliance, the data will be used only for these purposes and will never be used for other purposes or services, unless required by law.
- Categories of data and personal information collected by the DoubleVerify Services:
- No identifiable information is collected for provisioning the services in this section (including IP addresses, device identifiers, cookies and user identifiers).
- The non-identifiable categories of data collected by DoubleVerify for the services in this section are always used either in an aggregate manner or separately from any of your identifiable information. None of the below attributes are ever tied back to any personally identifiable information and are never used to identify you or other users across websites or over time:
- Advertising campaign attributes – The identifier of the advertiser that delivers an ad, its campaign and placement identifiers, its ad-servers identifiers and the identifiers of the media property selling the inventory to the advertiser are collected and processed to identify the customer we are servicing, to apply the correct settings for the customer, to segment the customer and partners reports according to these identifiers and to bill the customer.
- Web content attributes – The web address (URL) of the page/frame where the ad is being delivered to, and the address of any referring pages/frames are collected to ensure the ads are delivered in the right context our customer has set in the profile settings in our system.
- Mobile application attributes – The mobile application name, mobile application id, app store, developer of the application, star ratings of the application, age rating of the application and other publicly available information about the mobile application where the advertisement is delivered to. This information is used to ensure the advertisements are delivered in the right context our customer has set in the profile settings in our system.
- Digital environment attributes – The type of connected device the advertisement is being delivered to: mobile, desktop, connected TV or other device, the browser type and version used to render the page where the ad appears and the operating system are collected to determine what version of our code would properly run in that environment and to properly measure if the advertisement had the chance to become viewable on the screen according to industry standards which vary between environments.
- Viewability attributes – The location of the ad on the page, the size of the ad, the size of the screen, the size of the viewport, the tab focus status, the browser focus status, the time duration the ad was in the viewable part of the webpage and the scroll position of the webpage are collected to determine and report to our customers if the advertisement had the chance to become viewable on the screen.
- Exposure and engagement attributes – Data that shows if the ad was clicked, resized, skipped, muted, paused, rotated, hovered or changed volume is collected to help our customers measure the performance of the advertisement, the advertising campaign or the media property. The data is not tied back to any personally identifiable information.
- Categories of data and personal information collected by the DoubleVerify Services solely for fraud prevention and geo compliance purposes:
- Device identifiers and attributes – IP address, user agent, advertising ID, and user ID, in order to analyze whether the device is participating in a fraudulent scheme.
- IP addresses are collected to extract geolocation information. Exact geolocation information is never collected about you. The geolocation is reported back to our customers without the underlying IP address or any other personally identifiable information.
- The information described in section 3.1 above is also used to analyze anomalies for fraud detection purposes.
- Categories of data and personal information collected by DoubleVerify for business purposes:This section outlines data collected through DoubleVerify’s sales, marketing and operations activity and not as part of the DoubleVerify Services. For avoidance of doubt, the DoubleVerify measurement tag, pixel, SDK, or any other technology of the DoubleVerify Services do not collect the information described in this section, unless disclosed in Section 3.1 or 3.2 above:
- Personal identifiers and business contact details including first and last name, email address, telephone, business address, position and title. This information is used in order to communicate with our customers, prospects and leads for sales, marketing and service activity.
- Online identifiers from pixels and cookies placed on this website are used for marketing activities (see Section 11).
- Inferences drawn from the above information.
4. HOW DO WE USE YOUR PERSONAL INFORMATION?
- Use of data and personal information, as specified in Section 3.1, by the DoubleVerify Services:
- Data reporting about the context in which advertisements are displayed, their quality, authenticity and performance. Specifically, information illustrating whether an ad being displayed is in compliance with the customer’s contractual expectations as well as profile settings our customer has established in our system.
- Preemptive decisioning of impression opportunities. DoubleVerify technology analyzes the data characteristics of an impression opportunity and determines whether the customer’s advertisement should be displayed or not.
- In working with our partners we may anonymously integrate advertising impression data with data our partners independently collect to deliver enhanced ad-measurement services such as augmented and aggregated audience demographic reporting of campaign impressions viewed or brand lift metrics.
- Use of data and personal information, as specified in Section 3.1 and 3.2, by the DoubleVerify Services solely for fraud and geolocation compliance purposes:
- Identifying specific ad impressions that are fraudulent due to being generated by bot-controlled, non-human browsers.
- Identifying invalid traffic such as traffic generated by ad injectors, traffic originated in data centers, misrepresented traffic, emulated traffic and other types of invalid traffic.
- Identifying websites, mobile and connected device apps, and media properties that have fraudulent traffic and/or generate fraudulent advertising impressions.
- Identifying traffic patterns between websites participating in fraudulent advertising activity.
- Distinguishing between traffic generated by bot-controlled, non-human browsers and human browsers.
- Determining if website visitors, mobile app users, and connected device users are being delivered by partners in compliance with contractual terms.
- Identify the geographic location of the user and determine if the user is located within the advertiser’s campaign or traffic settings.
- Determine if a middleware is attempting to misrepresent its operating characteristics to prevent the identification of fraud or other invalid traffic.
- Determine if website traffic or ad impressions are originating from a server farm unlikely to be responsible for human-generated browsing activity.
- Determine if traffic is being acquired through fraud, or regarding or other traffic acquisition practices that are out of compliance with an advertiser’s guidelines or contractual requirements.
- Use of data and personal information, as specified in Section 3.3, by DoubleVerify for business purposes:
- To protect the security of our interests, including our premises, assets and systems.
- To respond to your inquiries concerning our products and services that may be received through the DoubleVerify website.
- To comply with applicable laws and regulations.
- Auditing related to our interactions with you.
- Detecting and protecting against security incidents, fraud, and illegal activity.
- Internal research for technological improvement.
- Activities to maintain and improve our services.
- To perform sales and marketing activities and analytics
5. TO WHOM AND HOW DOES DOUBLEVERIFY DISCLOSE YOUR PERSONAL INFORMATION?
- How and to whom data and personal information, as specified in Section 3.1, is disclosed for the DoubleVerify Services:
Identifiable information is not shared with any of our customers or partners for rendering of the DoubleVerify Services, other than for fraud prevention services as will be described in Section 5.2. DoubleVerify does not create nor share non-fraudulent user profiles.
- DoubleVerify shares the collected information with our customers and partners to perform and deliver the advertising and traffic measurement services that we have been contracted to provide. The primary means by which we provide information to our customers is in aggregated reports shared via DoubleVerify’s analytics dashboards. We also use raw data feeds provided through our systems or pushed to an FTP end points and APIs.
- Non-identifiable personal information is shared separately from any identifiable information and generally in an aggregated manner.
- Data centers, cloud vendors, internet service providers are used by the DoubleVerify Services and may have access to your secured personal information. However, necessary technical safeguards and contractual requirements are in place to ensure protection of such information pursuant to applicable laws.
- Non-identifiable personal information is shared with affiliates and service providers of DoubleVerify, where the service providers are required to use the information only to perform services for DoubleVerify on your behalf.
- How and to whom data and personal information, as specified in Section 3.1 and 3.2, is disclosed by the DoubleVerify Services solely for fraud purposes:
- Detected fraud signatures are shared with clients, partners and industry organizations via reports, data feeds, APIs and dashboards in order to combat fraud. The fraud signatures are shared separately from any other personal information.
- Detected IP mismatches which indicate fraud reported to partners and customers through DoubleVerify’s web portal.
- How and to whom data and personal information, as specified in Section 3.3, is disclosed by DoubleVerify for business purposes:This section is for data collected in DoubleVerify’s sales, marketing and business operations activity and not as part of the DoubleVerify Services. For avoidance of doubt, the DoubleVerify Services do not share or disclose any information as described in this section, unless disclosed in Sections 5.1 or 5.2:
- To share amongst affiliates of DoubleVerify.
- To comply with applicable laws.
To a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings). The personal information and data would be transferred to the surviving entity in a merger or the acquiring entity in the event of an acquisition. All such transfers shall be subject to our commitments in this Privacy Notice with respect to your privacy and confidentiality.
- In aggregated formats for general corporate marketing and industry benchmarking.
6. FOR WHAT PERIOD OF TIME DO WE RETAIN INFORMATION ABOUT YOU?
- How long is the data and personal information collected by the DoubleVerify Services, as specified in Section 3.1, stored for?
- Identifiable personal information is not collected as part of the DoubleVerify Services.
- Non-identifiable personal information is stored for the period necessary to achieve the purpose of the storage, as instructed by our customers and partners and as permitted by law. After the expiration of that period, the corresponding data is routinely deleted.
- How long is the data and personal information collected by the DoubleVerify Services solely for fraud purposes, as specified in Section 3.1 and 3.2, stored for?
- The identifiable personal Information: IP addresses, device IDs and user IDs are retained for up to 45 days, except to the extent the personal identifiable information was flagged as fraudulent, which may be kept indefinitely.
- How long is the data and personal information collected by DoubleVerify, as specified in Section 3.3, for business purposes store for?
- We will process and store your data only for the period necessary to achieve the purpose of the storage, but no more than one year or as permitted by law. After the expiration of that period, the corresponding data is routinely deleted.
7. HOW IS INFORMATION ABOUT YOU SECURED?
DoubleVerify has implemented appropriate technical, physical and organizational measures designed to protect personal information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as well as all other forms of unlawful processing.
Please be aware that the personal information we collect may be transferred to and maintained on servers or databases located outside your state, province, country, or other jurisdiction, where the privacy laws may not be as protective as those in your location. If you are located outside of the United States, please be advised that we process and store personal information in the United States.
8. WHAT ARE YOUR PRIVACY RIGHTS?
You have several rights under the applicable privacy laws and regulations including but not limited to the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). Individuals in certain jurisdictions may have data subject rights enabling them to request:
- access to the personal information we hold about you;
- we rectify or erase your personal information;
- we restrict or block the processing of your personal information;
- under certain circumstances, to receive personal data about you that we store and transmit to another without hindrance from us, including requesting that we provide your personal information directly to another (i.e., a right to data portability); and
- where we previously obtained your consent, to withdraw consent to processing your personal information.
To exercise these rights, contact us using the “contact” section below. Please be aware that DoubleVerify may be unable to afford these rights to you under certain circumstances.
Additionally, you have the right to lodge a complaint against us. To do so, contact the supervisory authority in your country of residence.
9. WHAT ARE YOUR RIGHTS UNDER NEVADA PRIVACY LAWS?
Under Nevada law, Nevada residents may submit a request directing us not to make certain disclosures of personal information we maintain about them. To exercise these rights, contact us using the “contact” section below.
10. WHAT ARE YOUR RIGHTS UNDER THE CCPA?
This section contains disclosures required by the CCPA and applies only to “personal information” that is subject to the CCPA. DoubleVerify will respond to your request consistent with applicable law.
If you are a California resident, you may exercise the following rights regarding your personal information, subject to certain exceptions and limitations:
- The right to access the categories and specific pieces of personal information we have collected about you;
- The right to request the categories of sources from which we collected your personal information, the business and commercial purposes for collecting your personal information, the categories of your personal information that we have disclosed for a business purpose, and the categories of third parties with which we have shared personal information;
- The right to request that we delete the personal information we have collected from you or maintain about you; and
- The right to opt out of any future sale(s) of your personal information.
When DoubleVerify provides services on behalf of clients, we are considered a “service provider” under the CCPA. In those cases, our client’s private notice governs the use of personal information and your rights request should be directed to DoubleVerify’s client.
To exercise any of the above rights, you may either opt out or contact us at:
Verification Process and Required Information. Note that we may need to request additional information from you to verify your identity or understand the scope of your request. You will not be required to create an account with us to submit a request or have it fulfilled. We will require you to provide, at a minimum, your first and last name and email address so we can communicate with you.
You may designate an authorized agent to make a CCPA request on your behalf by verifying your identity and providing written permission to your agent to make the request for you.
We will not discriminate against you for exercising any of the above rights.
11. WHAT DATA IS COLLECTED FROM THIS WEBSITE?
To find out how to manage cookies on popular browsers visit the sites found at these links:
To find information relating to other browsers, visit the browser developer’s website.
12. NOTICE CHANGES
This Privacy Notice may be modified from time to time without the consent of users by providing advance notice on our Web site before implementing such modifications. Should you wish to be notified by email of material changes to this policy, please send correspondence to firstname.lastname@example.org with “PRIVACY” in the subject line or to the following mailing address:
Privacy Notice Operations
233 Spring St., 4th Floor
New York, NY 10013
13. HOW TO CONTACT DOUBLEVERIFY IF YOU HAVE QUESTIONS, CONCERNS, COMMENTS OR SUGGESTIONS?
Privacy Notice Operations
233 Spring St., 4th Floor
New York, NY 10013
Global Data Protection Officer
233 Spring St., 4th Floor
New York, NY 10013