This Website may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.
Holisticads may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 2017.
1. What personal information about you we may collect
2. How we may use your personal information
3. Who we may disclose your personal information to
4. How we protect your personal information
5. Contacting us & your rights to prevent marketing and to access and update your personal information
6. Our Cookies Policy
1. Information we may collect about you
1.1. We may collect and process the following data about you:
· a) Information you give us. This is information about you that you give us by filling in forms on our Website or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you register to use our Website, subscribe to our services, search for a product, place an order on our site, or other activities commonly carried out on the Website and when you report a problem with our Website. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, personal description and photograph, and any other information.
· b) Information we may collect about you. With regard to each of your visits to our Website or Platform we may automatically collect the following information:
o technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other information;
o information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our Website (including date and time), products you viewed or searched for’, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, any phone number used to call our customer service number, and other information.
o Information we receive from other sources. This is information we receive about you if you use any of the other websites we operate or the other services we provide. We are working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies). We may notify you when we receive information about you from them and the purposes for which we intend to use that information.
2. Uses made of your personal information and justification of uses
2.1. We may use your personal information in the ways listed below. Use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the ground in respect of each use in this policy. These are the principle grounds that justify Our use of your information:
· a) Consent: where you have consented to our use of your information (you will have been presented with a consent form in relation to any such use and may withdraw your consent by notifying us);
· b) Contract performance: where your information is necessary to enter into or perform our contract with you;
· c) Legal obligation: where we need to use your information to comply with our legal obligations;
· d) Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights; and
· e) Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you or a third party.
2.2 We may use your personal information in the following ways. For each use, we note the grounds we use to justify each use of your personal information:
a) to on-board you onto the Platform. Where you are a designated contact of an Ad Network, you will create an account by providing the relevant information as specified in paragraph 1.1.(a) above. Where you are a representative of a Publisher, you will create an account by providing the relevant information as specified in paragraph 1.1.(b) above
Use justification: consent, contract performance, legitimate interests (to allow is to on-board you as a user);
b) as part of the on-boarding process described in paragraph 2.1(a) above, where you are a designated contact of a Publisher, we will conduct KYC, AML and other checks to decide whether to on-board you on to the Platform. We may disclose such information to third party credit reference and fraud agencies for the purposes of credit analysis and detecting and preventing fraud and crime – please see paragraph 3.5. below).
Use justification: consent, contract performance, legal obligations, legitimate interests (including to ensure you fall within our acceptable risk profile);
c) to provide you with updates and offers, where you have chosen to receive these (please see the section titled “Marketing” below)
Use justification: consent;
d) to ensure that content from our Website is presented in the most effective manner for you and for your computer
Use justification: consent, contract performance, legitimate interests (to allow us to provide you with the content and services on the Website);
e) to analyse it to develop our products, services and systems and to understand our users’ requirements
Use justification: legitimate interests (to allow us to improve our services);
f) to notify you about changes to our service
Use justification: contract performance, legitimate interests (to allow us to continuously develop our services).
We may use your information for marketing our own services to you by email, through the Platform and by post, and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing.
Use justification: consent (which can be withdrawn at any time – please see paragraph 5.1. below)
We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out in paragraph 5.4. below.
3 Disclosures to third parties and justification of uses
3.1. We may permit selected third parties such as business partners, suppliers, service providers, agents and contractors to use your personal information, for the purposes set out in paragraph 2 above who will be subject to obligations to process such information in compliance with the same safeguards that we deploy.
Use justification: contract performance, legitimate interests (to enable us to effectively provide our services to you)
3.2. We may disclose your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
Use justification: legal obligation, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities);
3.3. In the event that we (or a part thereof) are (i) subject to negotiations for the sale of its business or (ii) is sold to a third party or (iii) undergoes a reorganisation, you agree that any of your personal information which We hold may be transferred to that re-organised entity or third party and used for the same purposes as set out in this policy, or for the purpose of analysing any proposed sale or re-organisation. We will ensure that no more of your information is transferred than necessary.
Use justification: legitimate interests (to allow us to change our business).
3.4. We and other organisations may also access and use your personal information to conduct KYC checks, credit checks and checks to prevent fraud and money laundering. If false or inaccurate information is provided and fraud is identified or suspected, details may be passed to the relevant authorities including credit reference agencies and fraud prevention agencies. We will also record this. Law enforcement agencies may access and use this information. We, and other organisations that may access and use information recorded by such agencies, may do so from other countries.
Use justification: legal obligation, legal claims, legitimate interests (to assist with the prevention of crime and fraud)
4. Transmission, storage and security of your personal information
Security over the internet
4.1. No data transmission over the Internet or website can be guaranteed to be secure from intrusion; any transmission is at your own risk. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements.
4.2. All information you provide to us is stored on our or our subcontractors’ secure servers and accessed and used subject to our security policies and standards. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Website, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.
Export outside the EEA
4.3. Your personal information may be accessed by staff or suppliers in, transferred to, and/or stored at, a destination outside the European Economic Area (EEA) in which data protection laws may be of a lower standard than in the EEA. Regardless of location or whether the person is an employee or contractor we will impose the same data protection safeguards that we deploy inside the EEA.
4.4. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. If we decide that, staff in those countries which have not had these approvals, will have access to your personal information,, we will either ask for your consent to the transfer or transfer it subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient unless we are permitted under applicable data protection law to make such transfers without such formalities.
4.6. We will retain your personal information for as long as is necessary for the processing purpose(s) for which it was collected and any other permitted linked purpose (for example certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if information is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period one that period expires.
We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs and your information that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed.
5. Your rights & contacting us
5.1. You have the right to ask us not to process your personal data for marketing purposes. You can exercise the right at any time by contacting us in accordance with Section 5.4.
5.2. We will use reasonable endeavours to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by updating your details on the Platform or by contacting us as set out in paragraph 5.4. below.
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Holisticads Services Agreement as the case may be (“Agreement”), entered into by and between Company (as defined under the Agreement) (hereinafter referred to as “Controller”) and Holisticads (as defined under the Agreement) (hereinafter referred to as “Processor”). Controller and Processor are hereinafter jointly referred to as the “Parties” and individually as the “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
1. Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 "Applicable Laws" means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws
1.3 "Controller Personal Data" means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement;
1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in Israel;
1.5 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.6 "GDPR" means EU General Data Protection Regulation 2016/679;
1.7 "Restricted Transfer" means (i) a transfer of Controller Personal Data from Controller to Processor; or (ii) an onward transfer of Controller Personal Data from a Processor to a Sub Processor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.8 "Sub Processor" means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Principal Agreement; and
1.9 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
- Processing of Controller Personal Data.
2.1 Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable and customary instructions as specified in the Agreement or this DPA, unless such Processing is required by Applicable Laws to which the Processor is subject.
2.2 Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as
2.3 Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instruction set out in Section 2.2 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data.
2.4 Controller sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Annex 1 (Details of Processing of Controller Personal Data), attached hereto.
3. Processor Personnel. Processor shall take reasonable steps to ensure that access to the Controller Personal
Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Controller’s Personal Data.
4. Security. Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub Processing.
5.1 Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Agreement.
5.2 Processor and each Processor Affiliate may continue to use those Sub Processors already engaged by Processor or any Processor Affiliate as of the date of this DPA. It is acknowledged and agreed that as of the date of this DPA Processor uses Amazon Web Services and Google Cloud Services as Sub Processors for the purpose of cloud hosting services, which use is subject to the respective Amazon and Google applicable guidelines.
5.4 With respect to each new Sub Processor, Processor shall:
5.4.1 before the Sub Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed to provide the level of protection for Controller Personal Data required by the Agreement; and
5.4.2 ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Controller Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.
6. Data Subject Rights.
6.1 Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavour to assist Controller insofar as feasible, to fulfil Controller's said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
6.2 Processor shall:
6.2.1 promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.
7. Personal Data Breach.
7.1 Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, in connection with the Processing of such Controller Personal Data by the Processor or Processor Affiliates. In such event, Processor shall provide Controller with information (to the extent in Processor’s possession) to assist Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
7.2 At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
8. Data Protection Impact Assessment and Prior Consultation.
8.1 At the written request of the Controller, the Processor and each Processor Affiliate shall provide reasonable assistance to Controller, at Controller's expense, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Controller Personal Data by the Processor.
9. Deletion or return of Controller Personal Data.
9.1 Subject to Section 9.2 Processor shall promptly and in any event within up to sixty (60) days of the date of cessation of any Services involving the Processing of Controller Personal Data (the "Cessation Date"), delete or pseudonymize all copies of those Controller Personal Data, except such copies as authorized including under this DPA or required to be retained in accordance with applicable law and/or regulation.
9.2 Subject to the Agreement, Processor may retain Controller Personal Data to the extent authorized or required by Applicable Laws, provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that it is only processed for such legal purpose(s).
9.3 Upon Controller’s prior written request, Processor shall provide written certification to Controller that it has complied with this Section 9.
10. Audit Rights
10.1 Subject to Sections 10.2 and 10.3, Processor shall make available to a reputable auditor mandated by Controller in coordination with Processor, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2 Provisions of information and audits are and shall be at Controller’s sole expense, and may only arise under Section 10.1 to the extent that the Agreement does not otherwise give Controller information and audit rights meeting the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement, and to Processor's obligations to third parties, including with respect to confidentiality.
10.3 Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection in addition to the reimbursement rate for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:
10.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;
10.3.2 if Processor was not given a written notice of such audit or inspection at least 2 weeks in advance;
10.3.3 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller has given notice to Processor that this is the case before attendance outside those hours begins; or
10.3.4 for premises outside the Processor's control (such as data storage farms of AWS)
10.3.5 for the purposes of more than one (1) audit or inspection, in respect of each Processor, in any calendar year, except for any additional audits or inspections which:
10.3.5.1 Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or
10.3.5.2 Controller is required to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
11. General Terms
11.1 Governing Law and Jurisdiction.
11.1.1 The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
11.1.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Subject to this Section 11.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
11.3 Changes in Data Protection Laws.
11.3.1 Controller may by at least forty-five (45) calendar days' prior written notice to Processor, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Controller Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and
11.3.2 If Controller gives notice with respect to its request to modify this DPA under Section 11.3.1:
188.8.131.52 Processor shall make commercially reasonable efforts to accommodate such modification request, ; and
184.108.40.206 Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
11.4 If Controller gives notice under Section 11.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days, then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
11.5 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to
ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the later date set out below.
Annex 1: Details Of Processing Of Controller Personal Data
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
The types of Controller Personal Data to be Processed are as follows:
The categories of Data Subject to whom the Controller Personal Data relates to are as follows:
Controller's personnel and natural persons Data Subjects who are end users of the Controller's mobile application services.
The obligations and rights of Controller. The obligations and rights of Controller and Controller Affiliates are set out in the Agreement and this DPA.