Kargo Media Ireland Limited t/a StitcherAds (company registered in Ireland, number 476178, and StitcherAds North America LLC collectively “the Company” or “StitcherAds”) believe that protecting your privacy is crucial to our business and values. In the course of our business operations, the Company receives, collects, stores, uses and shares personal data on customers and business partners and of web and app users who may be customers or potential customers or our clients in connection with the services we offer (collectively “Data Subjects”).
The Company acts as a data controller (i.e. we decide how and for what purpose Personal Data is processed) with respect to the information the Company processes in connection with our business relationships.
On the other hand, the Company may also act as a data processor when our customers and business partners engage us to process Personal Data of their customers and potential customers on their behalf, or require us to access Personal Data held by third-party service providers (e.g. social networks such as Facebook).
In these cases, the customer is the data controller, and primarily responsible for the data processing activities, and we must process the Personal Data only on their behalf and in accordance with their instructions.
2. Our Services
The Company provides services (our “Services”) mostly to retail brands through our technology platform that is specially designed to facilitate their advertising campaigns across social networks such as Facebook, Instagram, Snapchat, Pinterest, and TikTok.
Our customers provide us with information on their product ranges. We may assist with creative services to enhance this information and design effective campaigns.
We work with the social networks to decide which types of users may be most interested in these products, and configure and buy advertising campaigns for our customers. Our customers may also in some cases provide us with information relating to their current or potential customers for inclusion in the relevant campaigns (which may include name, postal address, postal codes, email, product data, loyalty data, IP addresses, pricing and promotional data, and may be provided in hashed or encrypted form). However, normally only the social networks select and know who the audiences are for the campaigns, and neither we nor our customers see their data.
During and after campaigns we may provide our customers with reports and insights regarding the success of the campaigns or different tests carried out, and these reports and insights generally will not contain any Personal Data.
So we either process no Personal Data on behalf of our customers or, for any Personal Data that they provide us or ask us to obtain from the social networks, we are a data processor and they are the data controller. In those cases we process such Personal Data only on our customers’ instructions, in accordance with applicable privacy laws, and the data processing agreements entered into with the controllers.
In accordance with applicable laws, this Policy focuses on the processing of Personal Data where we are a data controller. Where we are a data processor, we recommend referring to the Privacy Policies of the relevant controllers for further information. The relevant data controller should enable you to exercise all the same rights as set out in this Policy, and if you contact us then we will have to forward your request to the relevant data controller.
3 Personal Data the Company collects and uses
The Personal Data of our business contacts that is processed by us is mainly obtained directly from the Data Subject. Provision of such Personal Data is necessary to use and purchase our Services, to fulfil Data Subjects’ requests for information relating to our Services, to organize communication in relation to our business events, and to purchase and pay for goods and services. The Company may not be able to provide the Services to Data Subjects that refuse the processing of their Personal Data.
The main categories of Personal Data of our business contacts collected by the Company are:
- phone number,
- e-mail address,
- usage data generated by our Services;
- device-related information from cookies or similar technologies;
- any other information provided by Data Subjects e.g. via correspondence, chat, telephone, or web forms.
- Personal Data generated from the Data Subject’s use of any third-party services and applications which are used in connection with the Services.
Personal Data may be updated and supplemented with data from private and public sources such as websites and trade directories.
The Company does not collect sensitive information (also known as special categories of Personal Data).
4 Processing of Personal Data
The Company processes Personal Data of Data Subjects to manage and promote the Services, including to provide demonstrations, to contact and market our Services to participants at our business events, and to contact and send marketing material to the visitors of our websites who submit us their information in a form or otherwise request marketing or other information from StitcherAds. For this purpose, Personal Data may be processed for market and customer analysis, reporting and statistical purposes, customised marketing, service notices, database management and maintenance, product suggestions and offers, interaction with external social networks, access to third-party services’ accounts and platforms, heat mapping and newsletters. Personal Data may be used for direct marketing, including, where applicable, by electronic means. The Company provides an easy way to cancel marketing communications, including within each email.
Further, Personal Data may be used for invoicing and to send important information to Data Subjects; this may include but not be limited to changes of applicable fees, price lists and conditions, or to contact Data Subjects and provide information customised Services according to their interests.
We also process Personal Data of staff of our suppliers (or potential suppliers) from whom we obtain goods and services, for the purposes of evaluating their supplies, managing our contracts with them, and paying their invoices.
Our legal bases for these Personal Data processing activities are that they are necessary:
- for the performance of the contract between us and the Data Subject (if our customer or supplier is an individual);
- for the purposes of our legitimate interests in operating, promoting and managing our business. This Personal Data always relates to the Data Subjects’ business life, is within the expectations of professional Data Subjects, and is kept securely, and so we have concluded that such interests are compatible with the Data Subjects’ rights and interests;
- to comply with legal obligations applicable to us, such as recordkeeping, tax, and accounting.
Where we act as a data processor, the relevant data controller will be responsible for deciding the appropriate legal basis and providing relevant information to Data Subjects. On behalf of a data controller who is our customer, we may ask for:
- the Data Subject’s consent for the processing of certain Personal Data (for example for a campaign). When collecting such consents, the Company will inform the Data Subject of the purposes of the processing, in accordance with the data controller’s instructions, and such processing is carried out only when appropriate consent is received; or
certain permissions allowing us to perform actions with the Data Subject’s social media accounts and to retrieve information, including Personal Data, from them. This allows our Services to connect with the User’s account on the social network. In the case of Facebook, the following permissions may be asked: About Me, Access Rights (including but not limited to Ad Account Access, Business Manager Access), App Notifications, Contact Email, Manage Advertisements, and Manage Pages. For more information about social network permissions, refer to the relevant permissions documentation and Data Policy (in the case of Facebook: https://www.facebook.com/about/privacy/update).
5 Disclosure of Personal Data
- Data storage;
- Image and video processing;
- System monitoring and security;
- Code development and error tracking;
- Heat maps;
- Analytics; and
- Customer Communications management.
Personal Data may be transferred outside the European Union, the European Economic Area, Switzerland and the United Kingdom (“Europe”), including but not limited to, the United States of America, South Africa, Singapore and as well as other locations and jurisdictions in which the Company conducts its business. Where the destinations are not subject to any adequacy decision from the European Commission or other authorities (like the examples given above), then we ensure such transfers outside Europe are subject to appropriate safeguards such as standard data protection clauses adopted or otherwise approved by the European Commission or other authorities.
A copy of the applicable safeguards may be made available for review if we receive a valid request.
6 Retention Period
The Company retains Personal Data for 3 years from the Data Subject’s latest purchase or contact with us. Personal Data may be, wholly or in part, retained for a longer or shorter-term if required by applicable law or if there is another justified reason to retain or delete them (e.g. for recordkeeping purposes or in line with limitation periods for legal actions). In those cases, Data Subjects’ Personal Data will be erased without delay after there is no longer any need for such retention.
The Company evaluates the necessity and accuracy of the Personal Data that it processes on a regular basis.
7 Data Subjects’ Rights
A Data Subject has a right to request from us:
- access to, correction, or erasure of such Data Subject’s Personal Data;
- to restrict or object to processing for certain purposes; and
- to receive, under certain conditions, such Data Subject’s Personal Data in a structured, commonly used and machine-readable format and to transmit that Personal Data to another controller (“Data Portability”).
You may exercise your rights by sending a written request to us. Where the processing is based on consent, you have a right to withdraw such consent at any time. Please note that this will not affect the lawfulness of processing based on consent before its withdrawal.
If you consider that your rights under the data protection laws are infringed, please always contact us in the first instance and we will assist. However, you also have a right to lodge a complaint with a competent data protection supervisory authority (e.g. in Ireland the Irish Data Protection Commissioner).
8 Security Safeguards
Securing the integrity and confidentiality of Personal Data. The Company has in place appropriate technical and organisational measures in order to keep Personal Data safe and to secure it against unauthorized access, loss, misuse or alteration by third parties, such as encryption, access controls, and firewalls.
Nevertheless, considering the cyber threats in the contemporary online environment, the Company cannot 100% guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to Personal Data and the absolute security of that information during its transmission or its storage on our systems.
9 US State Laws
Consumers who are resident in US states such as California, Colorado, Virginia, Connecticut, or Utah may have additional rights under state privacy legislation which defines personal information more broadly, ensures greater transparency and accountability and provides consumers with extended rights as to the collection and use of their personal information.
Your rights under US State Privacy Laws:
If you are resident in one of the states where specific privacy legislation is in effect then, depending on the particular provisions of applicable local laws, you may have some or all of the following rights:
Right to correction: Consumers have the right to request a business that possesses inaccurate personal information about the consumer to correct such inaccurate personal information, taking into the account the nature of the personal information and the purposes of the processing of the personal information.
Right to notice: Businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used.
Right to access: Consumers have the right to request that a business disclose the categories of personal information collected; the categories of sources from which personal information is collected; the business or commercial purpose; the categories of third parties with which the business shares personal information; and the specific pieces of personal information the business holds about a consumer. If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed.
Right to opt out: Consumers have the right—at any time—to direct businesses that sell or share personal information about the consumer to third parties to stop such sales or sharing, known as the right to opt out. If a consumer is a minor, this becomes a right to opt in to the sale or sharing of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old). Businesses must wait at least 12 months before asking consumers to opt back in.
Right to request deletion: Consumers also have the right to request deletion of personal information, but only where that information was collected from the consumer. Like the right to erasure under the GDPR, this right is subject to exceptions. For instance, businesses need not delete personal information necessary for detecting security incidents, exercising free speech, protecting or defending against legal claims, or—in what is potentially a broad and likely contentious category—for internal uses reasonably aligned with the consumer’s expectations.
Right to limit use of sensitive information; Consumers have the right to restrict a business’s use of sensitive personal information e.g. to use that is necessary to provide goods or services requested, to certain business purposes, or other legally permitted purposes.
Right to equal services and prices: Businesses must not discriminate against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any of their legal rights relating to their personal information. Put differently, consumers have a right to equal services and prices.
Exercising your rights under US state laws:
If you want to make a request for exercise of any of the above rights, you (or your authorised agent) can write to email@example.com and we will respond within 45 days as per the law.
If you make such a request, including through an authorised agent, we reserve the right to verify your identity and the agent’s authorization.
However, we may not be able to respond to your request if it is not permitted or foreseen under applicable law.
(Please note that we do transfer personal information collected through our network of partners to third parties and as such are considered as having disclosed or sold or shared data over the past twelve months. Please see Section 10 below for more information).
10 Additional Information for California Consumers
1. Personal Information Collected in the past 12 months
|Category||Examples||Source||Business or Commercial Purpose||Categories of third parties disclosed to|
|Identifiers||Unique personal identifier, online identifier, Internet Protocol address (e.g. device and cookie IDs)||From partner websites and apps|
From third party data providers
From our clients
|Providing and improving our targeted advertising services which include creating and enriching profiles and audiences for our clients||– Our clients|
– Our data hosting and storage providers
– Our providers of advertising technology and services such as demand side providers, data management platforms, and ad networks
– Our data processing service providers (for purposes such as analytics, database management, customer support)
– Our other group companies
|Commercial information||Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies (e.g. sites visited, apps used, searches, views, clicks, and purchases)||As above||As above||As above|
|Internet or other electronic network activity information||Information regarding your interaction with websites and applications (e.g. sites visited, apps used, searches, views, clicks, and purchases)||As above||As above||As above|
|Geolocation Data||Approximate location from information provided by your device (e.g. IP address)||As above||As above||As above|
|Inferences||Inferences drawn from any of the information above to create a profile||As above||As above||As above|
|Sensitive personal information||Personal information revealing a consumer’s racial or ethnic origin; information concerning a consumer’s health||As above||As above||As above|
*“Personal Information” does not include publicly available information, including information that we have a reasonable basis to believe is lawfully made available to the general public by you; from widely distributed media; or by a person to whom you have disclosed it and not restricted the information to a specific audience.
2. Personal Information Sold or Shared in the past 12 months
We have sold and/or shared the following categories of Personal information in the past 12 months: (a) Identifiers; (b) Commercial information; (c) Internet or other electronic network activity information; (d) Geolocation Data; and (e) Inferences.
Such information is contained in audiences or profiles that we provide to our clients.
3. Personal Information disclosed for a business purpose in the past 12 months
We have disclosed the following categories of Personal Information for a business purpose in the past 12 months: (a) Identifiers; (b) Commercial information; (c) Internet or other electronic network activity information; (d) Geolocation Data; and (e) Inferences
11 Changes to this Policy
12 Contact information
Kargo Media Ireland Limited t/a StitcherAds
(registered in Ireland, number 476178)
ArcLabs Research and Innovation Centre, Carriganore, Co.