Monetize DPA

Monetize DPA

Monetize Data Privacy Addendum

This Data Privacy Addendum (“Addendum“) forms part of the Monetize IO (“IO”) in place between LMI, Inc. (“Liftoff”) and the company identified as the “Developer” in the IO.  The terms of the Addendum shall only apply to the extent a Party processes Personal Data protected by Data Protection Laws under or in connection with the IO which incorporates these Addendum terms by reference. Capitalized terms used in this Addendum shall have the same meaning given to them in the main body of the IO unless otherwise defined in this Addendum.

IT IS AGREED:

1.          Definitions:

Ad Data” has the meaning given to it in Section 2 of this Addendum.

 

Demand Partners” means Liftoff’s media buying clients, including but not limited to Advertisers and attribution partners, demand side platforms, ad exchanges, agencies, agency trading desks and ad networks who submit “bids” for Liftoff Ad inventory.

 

Data Protection Laws” means all data protection and privacy laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including, including (a) EU Regulation 2016/679 (“GDPR“); (b) GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR“); (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (d) in the UK, the Data Protection Act 2018 (“DPA“); (e) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); (f) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; in the USA, (g) Children’s Online Privacy Protection Act; (h) California Consumer Privacy Act; and (i) California Privacy Rights Act, in each case, as updated, amended or replaced from time to time and the terms “data subject”, “processing”, “personal data breach”, “Commissioner”, “processor” and “controller” referred to in this Addendum shall have the meanings set out in the UK GDPR;

 

EEA” means the European Economic Area .

 

EEA Standard Contractual Clauses” means the Module One standard Controller to Controller contractual clauses for the transfer of EEA Personal Data to Controllers established in Third Countries set out in the European Commission Decision 2021/914 dated 4 June 2021 (and for these purposes, the provision relating to Modules 2, 3 and 4 of the standard contractual clauses are deleted) as amended or replaced from time to time;

 

Enquiry” means any request, complaint, investigation, notice or communication from an data subject or a governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.

 

Ex-EEA Transfer” means a transfer of Personal Data subject to GDPR by a Party, to a Party (or its premises) in a Restricted Country;

 

Ex-UK Transfer” means a transfer of Personal Data subject to UK GDPR by a Party, to a Party (or its premises) in a Restricted Country;

 

Parties” means the Developer and Liftoff;

 

Personal Data” means any information relating to an identified or identifiable natural person (which shall include for the avoidance of doubt, any personally identifiable information) or as otherwise defined in applicable Data Protection Laws.

 

Restricted Country” means (a) any country outside the UK or EEA which is not deemed adequate by (for Personal Data subject to GDPR) the European Commission pursuant to article 45 of GDPR or by (for Personal Data subject to UK GDPR) the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA.

 

Tracking Technologies” means mobile SDKs, unique identifiers, pixels, and similar tracking technologies.

 

UK” means the United Kingdom.

 

UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses, as may be amended, replaced or superseded by the UK’s Information Commissioner’s Office (“ICO“) from time to time (including as formally issued by the ICO under section 119A(1) DPA).

 

Privacy Notice” means the privacy notice available (the latest version of which is available here: https://liftoff.io/privacy-policy/), as updated from time to time.

 

2.         Scope of Processing:

2.1                 Developer acknowledges and agrees that in connection with the Monetize Platform and Vungle SDK:

2.1.1              Liftoff may collect or otherwise receive data (including Personal Data) relating to end users of the Developer Apps (such as App Data), including unique device identifiers, log information, as well as usage data (such as Performance Data), including information about ads viewed or clicked, post-install data, geo-location of an end user’s device (as may be enabled by the Developer App) and streaming data, all as more particularly described in the Privacy Notice (collectively “Ad Data“); and

2.1.2             Liftoff and its Demand Partners use Tracking Technologies to collect certain Ad Data.

 

2.2               Developer grants Liftoff a perpetual, irrevocable, worldwide, sublicensable right and license to use, copy, modify, distribute and otherwise  process Ad Data for the following purposes:

2.2.1            accessing or calling the Developer Apps, or the servers that make them available, to cause the routing, serving, displaying, targeting, and tracking the performance of Liftoff Ads on the Developer Apps;

2.2.2          building and storing profiles of end users;

2.2.3          using Ad Data for Liftoff’s (or its group companies’) internal business purposes, including to develop and improve the Vungle SDK and Monetize Platform or any other products or services operated by Liftoff or any of its group companies;

2.2.4          for any other purposes identified in the Privacy Notice; and

2.2.5          disclosing Ad Data: (i) to third parties (including Demand Partners) as reasonably necessary to operate the Monetize Platform or any platform or offering operated by Liftoff or any of its group companies; (ii) to third parties (including Demand Partners) to allow such third parties to undertake statistical analysis for their own internal business purposes only (for example; to help determine the amount to bid on the Developer’s inventory or inventory similar to it); (iii) if required by any court order, process, law or governmental agency; and/or (iv) generally when it is aggregated, such that the specific information relating to Developer or any underlying end user is not directly identifiable  (“Permitted Purposes“).

 

3.         Relationship between the Parties and Controller Terms:

 

3.1                 The Parties acknowledge and agree that for the purposes of Data Protection Laws, each Party is an independent controller with respect to their processing of Personal Data. Each Party will determine their legal basis for processing Personal Data independently.

 

3.2               Each Party must at all times:

 

3.2.1             process Personal Data in accordance with Data Protection Laws; and

3.2.2           not cause or permit anything to be done which may result in a breach by the other Party of Data Protection Laws.

 

3.3               Liftoff shall process Personal Data only for the Permitted Purposes. Nothing in the IO (including this Addendum) shall limit or prevent Liftoff from collecting or using data that Liftoff would otherwise collect and process independently of Developer’s use of the Monetize Platform and Vungle SDK.

 

3.4               Each Party is responsible for responding to any Enquiries independently of the other Party.

 

3.5               If either Party receives an Enquiry which relates to the other Party’s: (i) processing of Personal Data; or (ii) potential failure to comply with Data Protection Laws in respect of the Personal Data, that Party must, without undue delay, notify the other Party of such Enquiry and direct the person making the Enquiry to the other Party.

 

3.6               If a Party needs assistance from the other Party to respond to an Enquiry, the other Party shall co-operate and provide such information and assistance as the other Party may reasonably require to enable the other Party to comply with its obligations under Data Protection Laws in respect of such Enquiry.

 

3.7                Each Party shall as soon as reasonably practicable after discovering any Personal Data breach notify the other Party of the same and, at its own expense, shall use its reasonable endeavours to:

3.7.1             minimise the impact of such Personal Data breach and prevent such Personal Data breach recurring; and

3.7.2            provide all reasonable assistance as the other Party shall require to provide such notifications as may be required in accordance with Data Protection Laws.

 

4.         Developer’s Responsibilities:

4.1                Notice Requirements

4.1.1              Developer represents and warrants that it shall conspicuously post, maintain, and abide by a publicly accessible privacy notice within the Developer App that satisfies the transparency and information requirements of the Data Protection Laws and this Addendum. If notice cannot be provided in or around Liftoff Ads, then Developer should make arrangements to provide notice within the Developer App or on the landing page of the Liftoff Ad.

 

4.1.2             Without prejudice to the generality of the foregoing, such notice shall, at a minimum, include the following: (i) the fact that Liftoff and its Demand Partners use Tracking Technology to collect use and share Ad Data; (ii) a conspicuous  link to or description of how and where end users can opt-out of collection and use of their information for ad targeting, including a link to the Liftoff opt-out (https://vungle.com/opt-out/); (iii) a description of the types of Ad Data that are collected and how and for what purposes the Ad Data will be used or transferred to third parties, including the fact that third parties may process Ad Data to provide measurement services and targeted ads; and (v) where EU Data Protection Law applies, the identity of the Controller(s) of Ad Data.

 

4.2               Notice and Consent.  Developer represents and warrants it has provided (and shall maintain) all required notices and obtained all necessary permissions and consents in accordance with the Data Protection Laws from the relevant data subjects (including any parental consent required by applicable Data Protection Laws) on behalf of Liftoff and all applicable Demand Partners to lawfully permit:

4.2.1             Liftoff and all applicable Demand Partners to collect, process and share Ad Data for the Permitted Purposes; and

4.2.2           deploy Tracking Technologies in order to collect Ad Data from the devices of end users served with Liftoff Ads.

 

4.3               Consent Mechanism.  Where consent is the lawful basis for processing Personal Data collected via Developer Apps by either party and/or where consent is required for the use of Tracking Technologies pursuant to Data Protection Laws, Developer represents and warrants that it shall, at all times, make available, maintain and make operational on the Developer Apps:

4.3.1            a mechanism for obtaining such consent from data subjects in accordance with the requirements of the Data Protection Laws; and

4.3.2           a mechanism for data subjects to withdraw such consent (opt-out) in accordance with the Data Protection Laws.

 

4.4               Consent Records.  Developer shall maintain a record of all consents obtained pursuant to Section 4.3 (above) from data subjects as required by the Data Protection Laws, including the time and date on which consent was obtained, the information presented to data subjects in connection with their giving consent, and details of the mechanism used to obtain consent. Developer shall maintain a record of the same information in relation to all withdrawals of consent by data subjects. Developer shall make these records available to Liftoff promptly upon request.

 

4.5               Non-compliance. If Developer is unable to comply with its notice and consent obligations under this Addendum, Developer shall promptly notify Liftoff and Liftoff may elect to perform any one or all of the obligations provided Developer does not prevent Liftoff from performing such obligations. In the event neither party is able to perform such obligations, Liftoff shall have the right to terminate the IO without liability upon written notice.

 

4.6               Prohibited Data Sharing.  Developer shall not:

 

4.6.1            share with Liftoff any Personal Data that allows users of Developer Apps to be directly identified (for example, by reference to their name or email address); and

4.6.2           pass to Liftoff any personal data of children (as such term is defined under applicable Data Protection Laws), unless expressly agreed in writing and as permitted under Data Protection Laws. Upon request, Liftoff shall provide Developer with such reasonable assistance as Developer may require to enable Developer to provide such notice and obtain such consents.

 

5.         International Transfers:

5.1                Neither Party shall process any Personal Data, or transfer the Personal Data (nor permit any Personal Data to be processed) in connection with the IO to any Restricted Country unless it has taken such measures as are necessary to ensure there is adequate protection and appropriate safeguards for such Personal Data in accordance with Data Protection Laws. Such adequate protection and appropriate safeguards may include entering into the EEA Standard Contractual Clauses and/or UK Addendum.

 

5.2               The Parties agree that in the event of an Ex-EEA Transfer, the transferring Party shall comply with the data exporter’s obligations in the EEA Standard Contractual Clauses and the receiving Party shall comply with the data importer’s obligations in the EEA Standard Contractual Clauses, and the EEA Standard Contractual Clauses are deemed to have been executed by the Parties and incorporated into (and form part of) this Addendum, with the following amendments:

 

5.2.1            Clause 7 (docking clause) of the EEA Standard Contractual Clauses shall be included;

5.2.2           the optional language in Clause 11 shall apply;

5.2.3           the governing law for the purposes of Clause 17 (governing law) of the EEA Standard Contractual Clauses shall be the law of Ireland;

5.2.4           the relevant courts for the purposes of Clause 18 (choice of forum and jurisdiction) of the EEA Standard Contractual Clauses shall be the courts of Ireland;

5.2.5           Annexes IA, IB and IC to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix A to this Addendum;

5.2.6           Annex II to the EEA Standard Contractual Clauses shall be deemed to have been completed with the information in Appendix B to this Addendum. The security measures listed in Appendix B shall be put in place even if the Parties are both in the EEA or UK.

 

5.3               The Parties agree that in the event of an Ex-UK Transfer, such transfer shall be conducted pursuant to the EEA Standard Contractual Clauses as supplemented and amended by the UK Addendum, which will be deemed to be executed by the Parties and incorporated into and form part of this Addendum, with the Part 1 tables to the UK Addendum completed as follows:

 

5.3.1            Table 1 shall be deemed completed with the information from Appendix A to this Addendum, and the start date shall be the Effective Date of the IO;

5.3.2           In Table 2, the first option shall be selected and the relevant version of the “Approved EEA Standard Contractual Clauses” referenced in that option shall be the EEA Standard Contractual Clauses referenced in Clause 3.2 above (as amended in accordance with Clause 3.2);

5.3.3           Table 3 shall be deemed completed with the information from Appendix A and Appendix B to this Addendum;

5.3.4           Table 4 shall be deemed completed such that the Importer has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum; and

5.3.5           the transferring Party shall comply with the data exporter’s obligations in the UK Addendum and the receiving Party shall comply with the data importer’s obligations in the UK Addendum, and if there is any conflict between this Addendum and the UK Addendum, the UK Addendum shall prevail.

 

5.4               in the case of any transfers of Personal Data protected by Data Protection Laws applicable to Switzerland, (i) general and specific references in the Standard Contractual Clauses to GDPR (or any predecessor to the GDPR) shall have the same meaning as the equivalent reference in Data Protections Laws of the Switzerland; (ii) any obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or data subject is established shall refer to an obligation such aforementioned Data Protection Laws; and (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner ” and “relevant courts in Switzerland”.

 

6.         Miscellaneous:

 

6.1                Liftoff reserves the right to modify, suspend or terminate the IO should Developer violate or breach this Addendum.

 

6.2               This Addendum shall survive termination or expiry of the IO.  Upon termination or expiry of the IO, Liftoff may continue to process the Personal Data provided that such processing complies with the requirements of this Addendum.

 

6.3               Notwithstanding anything to the contrary in the IO and without prejudice to Section 2 above, Liftoff may periodically make modifications to this Addendum as may be required to comply with the Data Protection Laws.

 

Appendix A

Details of the Transfer

Annex 1(A) List of Parties:

Data Importer

Name: The Liftoff group entity specified in the IO

Address: As specified in the IO

Official registration number (if any):

Contact person’s name, position and contact details: DPO, [email protected]

Activities relevant to the data transferred: SSP services

Signature and date: As per the IO

Role (Controller/Processor): Controller

 Data Exporter

Name: Developer, as identified in the IO

Address: As specified in the IO

Official registration number (if any):

Contact person’s name, position and contact details: As specified in the IO

Activities relevant to the data transferred: See Annex 1(B) below

Signature and date: As per the IO

Role (Controller/Processor): Controller

Annex 1(B) Description of processing/ transfer:

Categories of data subjects whose personal data is transferred:

  •       End users of the Developer Apps or end users viewing ads delivered to the Developer Apps (“End Users“).
  • Developer employees and other personnel authorized to use the Monetize Platform (“Developer Users“)

Categories of personal data transferred:

 End Users

·           Identifiers: cookie and mobile Ad identifiers (such as IDFA, ADID, GPID etc.,), IP address, data that could be used for fingerprinting, latitude and longitude, GPS location;

·           Demographic information: location,  age range, gender, other publisher-specified demographics (tied to an identifier);

·           User agent or such device information.

·           Behavioral data:

Developer Users

Contact details (name, email, telephone) and professional details (role)

Sensitive data transferred:

None.

If sensitive data, the applied restrictions or safeguards

N/A

Frequency of the transfer:

Data is transferred on a continuous basis.

Nature, subject matter and duration of processing:

 Processing of Personal Data to provide the Liftoff Services pursuant to the Agreement. The subject matter of the processing is the Personal Data described in this Annex.

Purpose(s) of the data transfer and further processing:

 End Users: For the Permitted Purposes (as defined in the Addendum).

Developer Users: For business relationship, marketing and account management purposes.

Period for which the personal data will be retained, or if that is not possible the criteria used to determinate that period, if applicable

Liftoff will not retain the personal data for longer than the period during which Liftoff has a legitimate need to retain the personal data for purposes it was collected or transferred in accordance with the Addendum.

Annex 1(C) Competent supervisory authority:

The competent supervisory authority, in accordance with Clause 13 of the New SCCs

The competent supervisory authority shall be determined in accordance with GDPR and the UK GDPR.

 

 

 

Appendix B

Technical and Organizational Security Measures

 

Introduction

Each party employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.

 

Governance and Policies

Each party assigns personnel with responsibility for the determination, review and implementation of security policies and measures.

Each party:

 

         has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;

         reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.

 

Each party establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.

 

Breach response

Each party has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated no less than once per year.

 

Intrusion, anti-virus and anti-malware defences

Each party’s IT systems used to process personal data have appropriate data security measures, including: (a) physical access controls; (b) remote access control includes firewalls on the internal network; (c) user access is logged and monitored for unusual and unauthorized access; (d) threat assessment and vulnerability scanning; (e) data is encrypted at rest.

 

Access controls

Each party limits access to personal data by implementing appropriate access controls, including: (a) limiting administrative access privileges and use of administrative accounts; (b) changing all default passwords before deploying operating systems, assets or applications; (c) requiring authentication and authorisation to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems); (d) only permitting user access to personal data which the user needs to access for their job role or otherwise limited to the purpose for which they are given access (i.e. Service Provider implements measures to ensure least privilege access to IT systems); (e) appropriate procedures for controlling the allocation and revocation of personal data access rights, including procedures for revoking employee access to IT systems when they leave their job or change role; (f) encouraging users to use strong passwords, such as passwords with over fourteen characters, combination of upper and lower case letters, numbers and special characters; (g) automatic timeout and locking of user terminals if left idle; (h) monitoring and logging access to IT systems.

 

Availability and Back-up personal data

Each party has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated. Service Provider regularly backs-up information on IT systems and keeps back-ups in separate locations.  Back-ups of information are tested periodically.

 

Segmentation of personal data

Each party separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes.

 

Disposal of IT equipment

Each party has in place processes to securely remove all personal data before disposing of IT systems, and uses appropriate technology to purge equipment of data and/or destroy hard disks.

 

Encryption

Each party uses encryption technology where appropriate to protect personal data held electronically, including encryption of data where appropriate and encryption of company issued portable devices used to process personal data. Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.

 

Transmission or transport of personal data

Appropriate controls are implemented by each party to secure personal data during transmission or transit, including, but not limited to: use of VPNs; SSL in transit; logging personal data when transmitted electronically; ensuring physical security for personal data as appropriate when transported.

 

Asset and Software management

Each party maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets. Service Provider: documents and implements rules for acceptable use of IT assets; proactively monitors software vulnerabilities and promptly implements any out of cycle patches.

 

Physical security  

Each party implements physical security measures to safeguard personal data. This may include  deployment of appropriate building security, including visitor logs, ID card access for staff, logs of staff access to buildings, and CCTV.

Staff training and awareness

Each party’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security.

 

Each party requires:  staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the on boarding procedures); appropriate screening and background checks on individuals that have access to sensitive personal data; that Staff are subject to disciplinary measures for breaches of such party’s policies and procedures relating to data privacy and security.

 

Selection of service providers and commission of services

Each party assesses service providers’ ability to meet their security requirements before engaging them.  Each party has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Service Provider’s instructions.

 

Each party audits service providers (including subprocessors) that have access to such party’s data either through physical inspection by appropriately qualified security auditors or by reviewing its service providers’ security accreditation (such as ISO 27001 or SOC II) reports. Each party’s breach response protocol and agreements with its service providers provide for the audit of such service providers (and subprocessors) following receipt of any notice of a security incident from that service provider.

 

Assistance with Data Subject Rights Requests

Each party has implemented appropriate policies and measures to identify and address data subject rights requests, including: (a)  maintaining accurate records to enable it to identify quickly all personal data processed on behalf of the other party; (b) ensuring deletion and rectification requests are fully actioned.