Privacy and Security FAQs

Please see our Trust Report at for our Technical and Organizational Security Measures as of May 16, 2023. Controlling details of how Promoted uses and secures data and cloud services are governed by your Order, Terms of Service, and DPA with Promoted.

Data privacy and security compliance with Promoted is easy. Generally, Promoted complies with your terms of service with your users. For internal measurement and optimization applications, any user data you send to Promoted is used to provide services to you.

Below we answer some frequently asked questions about our approach to privacy and security.

Is Promoted a “controller” or a “processor” for purposes of data protection and privacy laws?

Promoted acts as a “processor” as defined by the GDPR and a “service provider” as defined by the CCPA as to the personal information provided by our customers. We only use the information we collect to provide our services and we never sell the information we collect or use it for cross-site or interest-based advertising purposes. We offer a standard Data Processing Addendum (DPA) as part of our sales contract that documents these commitments.

What personal information does Promoted collect through its services?

Promoted’s products are highly configurable so that our customers determine what information we collect. Data minimization is an important foundation of our products and services, and accordingly, we have designed our services to collect the least amount of personal data necessary.

Promoted only requires an anonymous user ID. Typically, we also collect a customer or user ID to enable user personalization. This is not required.

Promoted can accept potentially identifying information like location, purchase information, device metadata. These are optional and can help us improve our optimizations and reporting. When possible, send us the least identifiable information possible to accomplish your optimization and reporting needs with Promoted’s services.

Does Promoted combine the user data it collects across customers?

No. We silo user data per customer. We do not combine user data or other confidential data across customers.

Does Promoted collect identifying information?

Because data minimization is core to our philosophy as a company and because we do not need identifying information to provide our services, we ask that our customers not provide us certain identifying information such as the names or email addresses of end-users unless they are necessary for providing services to you.

If you use Promoted for cross-promotions, then Promoted may ask for user identifiers like email addresses for cross-platform user identification for use in attribution and optimization. You may already have language in your terms of service that permits this application; for example, if you use Facebook custom audiences that use emails. When enabling cross-promotions, we can help review your existing user agreement and recommend any modifications if necessary.

How does Promoted secure the information it collects?

Promoted implements robust technical and organizational security measures to ensure a level of security appropriate to the risk of processing at hand. Some of the measures we have in place include ensuring all of our servers are in a virtual private cloud, in a private subnet, with access controls in place. We also encrypt our log records and database traffic in transit and at rest. This is a high-level description: the latest and complete description of our information and organization security policies is at

How does Promoted help clients to meet their obligations under privacy and data protection laws?

As noted above, we act as a “service provider” as defined by the CCPA and a “processor” as defined by the GDPR. That means that when you share your customers’ personal information with us, we use it only for the purpose of providing the Promoted service and the disclosure of that information is not a “sale” as defined by the CCPA. As a result, clients do not need to build opt-outs to enable sharing personal information with us. In addition, we support customers’ obligations to provide access to and delete their own customers’ personal information.

How long does Promoted retain the information it collects?

As with every other facet of our services, this is determined by our clients. Our solutions include certain default retention periods, but clients can override these defaults to meet their retention needs.

Who are Promoted's GDPR subprocessors?

See our subprocessor list