Liftoff is GDPR Compliant

By Morgan Friberg | May 22, 2018

Liftoff spent the last several months preparing to meet the requirements of the GDPR, the new data protection law coming into force on 25 May 2018. GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area.

In preparation for the GDPR, Liftoff has updated our Privacy Policy, changed our commercial contract terms, implemented new internal policies and made changes to our products to help Liftoff meet the new requirements.

Updated Privacy Policy
Liftoff’s Privacy Policy is updated to reflect the new legal requirements of the GDPR. It describes who we are and the data and information that we are collecting, the cookies that are being collected and our basis for international data transfers. It also outlines how we are sharing your personal information and who we are sharing it with. The policy also includes updates to our security processes and our policies on data retention. It provides guidance on your rights and your options to opt out of these practices. The updated Privacy Policy is live on our website and implemented within our services prior to the May 25, 2018 deadline.

Contract Updates
The latest updates to our commercial contractual terms reflect Liftoff’s status as a Data Controller under the new law. We are also issuing a Data Processing Addendum to clients and partners (exchanges, MMPs, DMPs, etc.) which once again sets out our position as a Data Controller for the purposes of processing data pursuant to the GDPR. Liftoff is establishing the position of Data Controller on the basis that we utilize the data we collect solely for the purposes of providing our services, as well as to benefit all clients. Being a Data Controller allows Liftoff to define the purpose and usage of the data we collect, thus allowing Liftoff to develop better machine learning (ML) models more quickly on a shared data pool, which drastically improves mobile marketing campaign performance and in turn increases spend on exchanges and the amount of data handled by data partners.

These commercial contract changes clarify that Liftoff will act as a “controller” of personal data that is received by Liftoff and will also provide clarity and protections around that controller status. Through these contract changes, Liftoff is establishing our commitment to comply with our obligations under GDPR when we process any personal data in connection with our services.

Product Updates

Liftoff has implemented the following changes, prior to May 25, 2018:

  • Displayed the AdChoices icon on our HTML creatives for EU users, which links to our opt-out page
  • Built tools and processes to verify and support the user’s requests to show and/or delete personal data

If you have any questions about these updates, please don’t hesitate to contact us at [email protected].


Below are answers to commonly asked questions about GDPR.

What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.

When will Liftoff be updating its legal documentation (Insertion Orders, Privacy Policy, and Data Processing Agreement)?
We have already updated our Insertion Order, Data Processing Agreement, and Privacy Policy, before the May 25, 2018 date.

Who does the GDPR apply to?
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

Does the GDPR require personal data be stored in the EU? What does Liftoff do to ensure lawful data transfers from the EU?
No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU remain largely unchanged. The GDPR permits transfers of personal data outside of the EU subject to certain conditions. The EU-U.S. Privacy Shield continues to be one valid way to ensure adequate safeguards are in place for personal data transfer from the EU to the U.S. The EU model clauses also remain a valid mechanism to lawfully transfer personal data. Liftoff will offer a Data Processing Agreement to our EU/EEA customers. We are also Privacy Shield certified.

Will Liftoff be able to comply with the right to erasure (right to be forgotten)?
Yes. When end users (i.e. data subjects) ask us to delete them from our records, we will do so within 30 days.