Privacy and Security FAQs

At Promoted, we are passionate about helping companies build and scale advertising platforms. The privacy and security of our customers’ information, as well as that of their end-users, is a cornerstone of our platform. We continually implement privacy and security by design and privacy by default techniques.

Data privacy and security compliance with Promoted is easy. Generally, Promoted complies with your terms of service with your users. For internal measurement and optimization applications, any user data that you send to Promoted is used for providing services to you.

Below we answer some frequently asked questions about our approach to privacy and security.

Is Promoted a “controller” or a “processor” for purposes of data protection and privacy laws?

Promoted acts as a “processor” as defined by the GDPR and a “service provider” as defined by the CCPA as to the personal information provided by our customers. We only use the information we collect to provide our services and we never sell the information we collect or use it for cross-site or interest-based advertising purposes. We offer a standard Data Processing Addendum (DPA) as part of our sales contract that documents these commitments.

What personal information does Promoted collect through its services?

Promoted’s products are highly configurable so that our customers determine what information we collect. Data minimization is an important foundation of our products and services, and accordingly, we have designed our services to collect the least amount of personal data necessary.

Promoted only requires an anonymous user ID. Typically, we also collect a customer or user ID to enable user personalization. This is not required.

Promoted can accept potentially identifying information like location, purchase information, device metadata. These are optional and can help us improve our optimizations and reporting. When possible, send us the least identifiable information possible to accomplish your optimization and reporting needs with Promoted’s services.

Does Promoted collect identifying information?

Because data minimization is core to our philosophy as a company and because we do not need identifying information to provide our services, we ask that our customers not provide us certain identifying information such as the names or email addresses of end-users unless they are necessary for providing services to you.

If you use Promoted for cross-promotions, then Promoted may ask for user identifiers like email addresses for cross-platform user identification for use in attribution and optimization. You may already have language in your terms of service that permits this application; for example, if you use Facebook custom audiences that use emails. When enabling cross-promotions, we can help review your existing user agreement and recommend any modifications if necessary.

How does Promoted secure the information it collects?

Promoted implements robust technical and organizational security measures to ensure a level of security appropriate to the risk of processing at hand. Some of the measures we have in place include ensuring all of our servers are in a virtual private cloud, in a private subnet, with access controls in place. We also encrypt our log records and database traffic in transit and at rest. For more information, see https://www.promoted.ai/technical-and-organizational-security-measures

Does Promoted combine the user data it collects across customers?

No. We silo user data by customers.

If you have enabled cross-promotions, we can enable some information aggregation across platforms for unified reporting and optimization purposes. Any such sharing of information is controlled by originating platform, complies with all applicable user agreements and data privacy laws, and does not share personally identifiable information except where necessary to provide services. For example, if a user creates a delivery order on one platform for fulfillment on another platform, the user information necessary to fulfill that order, like mailing address or email address, may be shared as necessary.

How does Promoted help clients to meet their obligations under privacy and data protection laws?

As noted above, we act as a “service provider” as defined by the CCPA and a “processor” as defined by the GDPR. That means that when you share your customers’ personal information with us, we use it only for the purpose of providing the Promoted service and the disclosure of that information is not a “sale” as defined by the CCPA. As a result, clients do not need to build opt-outs to enable sharing personal information with us. In addition, we support customers’ obligations to provide access to and delete their own customers’ personal information.

How long does Promoted retain the information it collects?

As with every other facet of our services, this is determined by our clients. Our solutions include certain default retention periods, but clients can override these defaults to meet their retention needs.

Who are Promoted's GDPR subprocessors?

See our subprocessor list at https://dash.readme.com/project/promoted/v1.0/docs/gdpr-subprocessor-list


Did this page help you?