1. Introduction

Fifty Technology is committed to your privacy. This policy aims to explain how Fifty collects and processes, uses and protects personal data. All data we have access to will be collected, processed and protected according to existing data protection laws, including the General Data Protection Regulation. We may change this privacy policy from time to time, due to changes in our business, technology or evolving laws, regulations or interpretations. We recommend that you consult this page from time to time in order to be aware of any updates we might make to the privacy policy.

2. Who we are

The organisation that defines how and for what purposes data are processed (the "data controller") is Fifty Technology Limited (trading as Fifty & Fifty Media). Our registered office address is 24 Hanover Square, London, W1S 1JD, United Kingdom. Our company number is 09476244 and our VAT number is GB 216562221.

Fifty Technology is a company operating in the field of analytics and advertising technology. We have three main activities:

• Fifty Intelligence and insights conducts bespoke studies of user audiences for our clients by processing data from several online platforms such as Twitter, and helps clients understand their segments, analyse trends, shed light on new products, services, emerging categories etc.
• Fifty Data collects data from various data partners through the Fifty data network, and segments, models, processes and packages such data into unbranded and branded segments before making them available onto DMPs (data management platforms) and DSPs (demand side providers, which provide platforms for purchasing of ad placements) for targeted advertising purposes.
• Fifty Media will use understanding of the user audiences and the various data sets to build out custom cookie-based segments and run digital advertising campaigns.

We can be contacted at privacy@fifty.io.

In accordance with applicable data protection legislation, we have appointed a Data Protection Officer, whose contact details are the following:

Vincent Potier c/o Fifty Technology Ltd
31A Great Sutton Street
London
EC1V 0NA
Email: dpo@fifty.io

3. Industry involvement

Fifty Technology is involved in the following organisations:

• It is a member of IAB UK
• It is part of Your Online Choices
• It is part of the IAB Europe global vendor list
• It is a signatory to the IAB Europe transparency and consent framework.

4. Data collection

The data we collect about you depends on whether you are an internet or social media end user or a Fifty client and the Services that you use and how you use them.

4.1. Fifty Intelligence: end-user data

Fifty Intelligence is a specialist in insights and analytics derived from the collection and processing of data from the Twitter platform, as well as other online platforms. We currently use or have used in the past data from platforms such as Klout, Instagram, and Facebook. We rely on the terms and conditions between users and the social media platforms along with our own relationship with those platforms. For example, with Twitter, we have access to the public API, which allows us to access different data points which Twitter users have chosen to make public. We recommend that you also visit from time to time the privacy policies of the social media platforms you currently use. At Fifty Intelligence, we are interested in the connections that users have between themselves (the “follows”), as we are mainly trying to build insights about audience segments and not about individuals.

We may also receive data from other partners to assist us in completing our understanding of the behaviour and interests of our segments, which may include email addresses and other data. Normally email addresses are provided to and processed by us in hashed or encrypted form, so they are unusable for sending emails, but still help us recognise similar users in order to generate insights.

These insights help clients understand their segments, analyse trends, shed light on new products, services, emerging categories, etc. Thanks to this intelligence, clients then have a better understanding of their users and customers’ needs and respond through market improvements of their products and services, and more relevant advertising.

We rely on these legitimate interests of our clients and ourselves in order to process this data. Our processing is non-intrusive, secure, and within the expectations of internet and social media users. We rely on our data partners also to provide relevant information on these data uses to the relevant end users – for example, if you are a Twitter user, then Twitter would need to explain in its privacy notices and terms which data may be shared with partners like Fifty.

4.2. Fifty Media: end-user data

Fifty Technology insights are used by Fifty Media to build out custom cookie-based segments and run digital advertising campaigns. Segments and data products are used by our teams and clients to run targeted social and programmatic advertising. Thanks to URL white lists and our targeting cookies placed on users’ computers, we are in a position to build audiences that we will serve ads to. We will then refine the targeting based on the response to those ads, and prioritise ads to those user segments who seemingly respond better and engage with them. This is how we always enhance the relevance of the advertising we serve. In order for us to process your data, you will have consented to data processing and accepted cookies or similar technologies from publishers which we obtain data from. Remember you can change your preferences at any time and you can also exercise your rights by writing to privacy@fifty.io with your specific request and any relevant details.

Although the legal basis that Fifty Media and Fifty Technology rely upon for targeted advertising is consent, we have also determined that we have a legitimate interest to collect and process personal data for the following purposes which have minimal effects on your privacy:

• Frequency measurement / capping (counting the number of times ads have been seen): this is necessary if we want to make sure ads are not shown more than a certain number of times to the same user
•  Viewability measurement (understanding if ads are seen by users, often related to their placement on a publisher page); this is needed to optimise advertising investment and therefore protect publisher revenue which the publisher needs to produce the content seen by the user
• Click count (counting the number of times ads seen have been clicked on); this is necessary to understand which creative formats generate interest and engagement and which ones don’t
• Understanding browsing behaviours of aggregated users
• Testing ads
• Conversion tracking (counting the number of times users who have seen ads have proceeded to buy a product or service); this is necessary to understand the overall return on investment of that ad and therefore whether the investment on that campaign is worthwhile and whether publishers will receive more or less investment

4.3. Platform users

If you register as a user of any of our Services, we may ask you to provide your name, email address, contact telephone number (landline and/or mobile), the company you work for, job title, professional address, a username and password, and other data relevant to the Services we provide. If you are not an administrative user for your account, the same data about you may be provided by a colleague or other third party. We may also collect other data directly from you, from time to time.

We collect data about you when you use any part of our Services. For example, if you are logged in to your Fifty account, we will collect data as to how often you use Analytics, what queries you created or amended, and other data about how you interact with the product. We may also collect data about how you interact with messages we send to you, for example whether you opened an email or read an in-app message.

For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to measure site use, improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate.

We rely on the legal bases that processing this data is necessary for the performance of our contracts with our users, or for our legitimate interests in operating our Services and site. This type of processing is typical for providers of services similar to ours, and within the expectations of professional users of our Services or visitors to our site.

4.4. Business contacts data

We may also hold your personal data if you have a business relationship with Fifty or if you or we have been considering entering into some form of business relationship. You could be a client (agency, advertiser…) and we will need that data in order to communicate, invoice, manage contracts and products and services we offer to you. You could be a publisher, a data provider or a social media platform and we would need your personal data in order to communicate, invoice, manage the relationship. You could be a supplier, a partner with whom we have a regular business relationship or with whom we are considering having one. Or you could be a prospect, industry partner, former colleague, journalist or influencer, or business acquaintance with whom we have regular relationships.

The personal data we hold about you refers to your professional life (name, email address, billing address, office address, phone numbers, title, employer, etc.). We would have obtained that information from exchanging emails or business cards, meeting at industry events or at client meetings, etc.

We rely on our legitimate interests in managing and developing our business in order to hold and carry on processing this data. Still, you can always exercise your data subjects’ rights and ask for removal, erasure, portability, etc. of that personal data by writing to us at privacy@fifty.io with your specific request and any relevant details.

Finally, our retention policy for this data is as follows, i.e. we will delete your data:

• Two years after the last contact
• Six years after the end of the contractual relationship

4.5. Employee data

If you are an employee at Fifty Technology, please refer to our HR policy and any clauses regarding data protection on your employment contract. It is available with our HR department.

5. Types of data collected and processed

Fifty collects multiple data sets from social media platforms and from our partners (or Fifty) including by placing cookies on users’ computers when those browse or navigate the Internet:

Twitter

• Data points about Twitter users from the public Twitter API used for displaying information; some of the fields may contain data such as demographic, location and interest
• Follow connection data (Twitter) IDs that a user is following via the public Twitter API used for connection data as the basis of our intelligence network analysis and visualisations
• Tweet data

Other social media platforms

We also collect data from other social media platforms (Facebook and Instagram) in order to enrich our reporting and services.

Other sources

• Cookies and IP addresses collected throughout your browsing activity on our publisher partners
• Campaign data (ads seen by each individual user, engagement with those ads, clicks etc.)
• Domain whitelists indirectly derived in part from analysis of the personal data obtained from the social media networks (URLs targeting)
• hashed email addresses provided by other data partners

We do not collect nor hold any information such as full email address, address, phone number, credit card information etc. The cookie data we hold about you is not data which allows us to know you are. From the public Twitter API, we only collect name, handle, and follows data which you have chosen to make public through social media platforms. We do not collect anything private.

We do not process any data which could be used, with the help of a third party, to determine the real-life identity of users. We do not know who you are and we do not wish to know. We do not need to know who you are in order to run our business effectively.

6. Cookies

A cookie is a small text file composed of alpha-numeric characters which is created on your computer when your browser accesses a web site that uses cookies. These files are used to help your browser navigate the website and make full use of all its functionalities, such as identifiers, preferences, linguistic parameters, themes, among other common functionalities. In no case will the Fifty Technology cookie give us access to other information contained on a device or to identify you by name. They may also help recognise your device as belonging to a unique or returning user and enable personalisation of ads or content.

There are numerous types of cookies:

• Session cookies which make it easier for you to navigate on websites; they expire when you close your browser
• Persistent cookies which enable us to track and target interests of users to improve the user experience on publishers’ websites; persistent cookies do not expire when you close your browser; they stay for a certain period of time in order to recognise user identifiers and serve relevant ads to them.

7. Managing your cookies

If you no longer wish to receive personalised ads run by Fifty Media, you can manage your choices by using Your Online Choices

Important: when you choose to opt out from receiving cookies, a cookie will still be set in your browser. This is only by maintaining a cookie in your browser that we will be able to recognise you have made the choice of opting out of cookies.

8. Data retention

We hold your personal data according to the highest security and encryption standards, and we only do so for a minimal period of time, the time necessary to run our business. We delete cookie data after 13 months and refresh the data obtained from social media platforms every 6 months.

9. Data transfers

Fifty Technology is based in the UK. With the United Kingdom having left the European Union, we will still transfer personal data from the UK to the European Union and the EEA. For any transfers from the European Union or the EEA to the United Kingdom that are not automatically permitted by law, we will rely on the standard contractual clauses. When our services involve the storage and/or processing of Personal Data involving transfers of personal Data out of the European Economic Area or the UK to a jurisdiction that is not the object of an EU “adequacy” decision, then we will also rely on the standard contractual clauses.

Like all companies operating in the complex landscape of advertising technology and insights and analytics, we work with multiple partners. Whether it be social media platforms (such as Twitter), server providers (Google), data providers, demand-side platforms (AppNexus, TubeMogul…), data management platforms, etc. — they are reputable partners adhering to the highest industry standards in security, encryption, data protection. Our most important data partners are listed in Section 13 below.

In order to operate our business efficiently, we have to store and process transferred Personal Data in the United States of America, the United Kingdom, the European Union and/or any other country where our partners, processors or subprocessors maintain facilities. We will only do so as long as those partners, processors and subprocessors transfer data via a valid legal mechanism such as the European Commission Standard Contractual Clauses which commit them to similar data protection standards as in the EU/UK.

10. Personal sensitive data

Under the GDPR, personal sensitive data (also known as “special categories of data”) is any personal data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Fifty Technology does not collect any personal sensitive data, except when it has manifestly been made public by the data subject (e.g. in their social media bios, photos or posts), as per article 9(2)(e) of the GDPR.

11. Children’s data

Fifty Technology does not collect any children’s data. It does not want to collect any and applies all precautions and filters not to collect any. If you are a parent/guardian and you believe that Fifty may be processing data from someone that you have parental responsibility for, please contact us at privacy@fifty.io with your specific request and any relevant details.

12. Data subjects’ rights

• The GDPR lists the following rights:
• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object to certain processing
• The right not to be subject to automated decision-making

Fifty Technology has a process in order to deal with requests for exercise of your rights which can be made by writing to us at privacy@fifty.io with your specific request and any relevant details.

You can always withdraw your consent at any time. You can do so by either using Your Online Choices (for cookies), contacting the individual publishers or social media platforms you have been using or contacting us directly in order to exercise your right to erasure for example.

On the right to erasure, the main means of fulfilling that right is for us to delete personal data so that the data is permanently anonymised and cannot be de-anonymised, i.e. cannot be re-identified.

As we do not know your names, full email addresses, addresses, postcodes, we don’t know who you are, where you live, what you do, it might be hard to identify your personal data, or we might not be in a position where we can technically locate it. As we apply techniques such as data minimisation (not processing more data than what is needed), we consider it would be against the spirit of the law to hold data allowing us to identify you in case you want to exercise your right to erasure. Where we do not have the ability to identify individuals, we will be unable to address individual requests for erasure. Under the GDPR we would not be obligated to collect more data about the data subject for the sole purpose of responding to a request for erasure in order to comply with the law.

We are always happy to help with any inquiries regarding protection of your data and privacy. If you are still not satisfied for any reason, you have a right to ask the data protection supervisory authority in your country (in the UK, the Information Commissioner’s Office, www.ico.org.uk) for a decision.

13. US State Privacy Laws

Consumers who are resident in US states such as California, Colorado, Virginia, Connecticut, or Utah may have additional rights under state privacy legislation which defines personal information more broadly, ensures greater transparency and accountability and provides consumers with extended rights as to the collection and use of their personal information.

Your rights under US State Privacy Laws:

If you are resident in one of the states where specific privacy legislation is in effect then, depending on the particular provisions of applicable local laws, you may have some or all of the following rights:

• Right to correction: Consumers have the right to request a business that possesses inaccurate personal information about the consumer to correct such inaccurate personal information, taking into the account the nature of the personal information and the purposes of the processing of the personal information.
• Right to notice: Businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used.
• Right to access: Consumers have the right to request that a business disclose the categories of personal information collected; the categories of sources from which personal information is collected; the business or commercial purpose; the categories of third parties with which the business shares personal information; and the specific pieces of personal information the business holds about a consumer. If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed.
• Right to opt out: Consumers have the right—at any time—to direct businesses that sell or share personal information about the consumer to third parties to stop such sales or sharing, known as the right to opt out. If a consumer is a minor, this becomes a right to opt in to the sale or sharing of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old). Businesses must wait at least 12 months before asking consumers to opt back in.
• Right to request deletion: Consumers also have the right to request deletion of personal information, but only where that information was collected from the consumer. Like the right to erasure under the GDPR, this right is subject to exceptions. For instance, businesses need not delete personal information necessary for detecting security incidents, exercising free speech, protecting or defending against legal claims, or—in what is potentially a broad and likely contentious category—for internal uses reasonably aligned with the consumer’s expectations.
• Right to limit use of sensitive information; Consumers have the right to restrict a business’s use of sensitive personal information e.g. to use that is necessary to provide goods or services requested, to certain business purposes, or other legally permitted purposes.
• Right to equal services and prices: Businesses must not discriminate against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any of their legal rights relating to their personal information. Put differently, consumers have a right to equal services and prices.

Exercising your rights under US state laws:

If you do not want to receive ads based on your usage data, you can opt out from our services by clicking on the opt out button on our Do Not Sell page.

If you want to make a request for exercise of any of the above rights, you (or your authorised agent) can write to privacy@fifty.io or call us toll free at +1-833-335-0880 and we will respond within 45 days as per the law.

If you make such a request, including through an authorised agent, we reserve the right to verify your identity and the agent’s authorization.

However, we may not be able to respond to your request if it is not permitted or foreseen under applicable law.

(Please note that we do transfer personal information collected through our network of partners to third parties and as such are considered as having disclosed or sold or shared data over the past twelve months. Please see Section 16 below for more information).

Statistics of data subject requests for the year 2020 (CCPA)

• The number of requests to know that the business received, complied with in whole or in part, and denied: 6
• The number of requests to delete that the business received, complied with in whole or in part, and denied: 8
  
• The number of requests to opt-out that the business received, complied with in whole or in part, and denied: 13
• The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
  13.47 days

Statistics of data subject requests for the year 2021 (CCPA)

• The number of requests to know that the business received, complied with in whole or in part, and denied: 16
• The number of requests to delete that the business received, complied with in whole or in part, and denied: 33
  
• The number of requests to opt-out that the business received, complied with in whole or in part, and denied: 27
• The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
  13.17 days

14. Lei Geral de Proteção de Dados Pessoais (LGPD)

The Lei Geral de Proteção de Dados Pessoais (LGPD) applies to any resident or any company collecting or/and processing data in Brazil. Fifty Technology collects data based on a valid legal basis such as consent (consentimento) or legitimate interests (interesses legítimos) as per article 7.1 of LGPD. Fifty is in the process of appointing a Data Protection Officer ("Encarregado"). It will follow the guidance of the ANPD as soon as it is provided.

Data subjects have the following rights under the LGPD (as per article 18):

• confirmation of processing: ask Fifty to confirm your data is being processed
• access: you can request Fifty to provide the personal data it has about you
• correction: you can ask for correction or supplementation of your personal data
• anonymisation or deletion: you can request Fifty to delete, block, anonymise your personal data
• portability: you can request Fifty to port your personal data to another service provider. In addition, with the constitution of the National Data Protection Authority (ANPD), you will also have the right to petition in relation to your data before the national authority
• elimination: you can request the deletion of your personal data
• request information: information about public and private entities with which the controller has shared data
• request information: information about the possibility of denying consent and the consequences of such denial
• revocation of consent: if consent you gave was the legal basis we used in order to process your personal data, this means we will have to stop the processing

15. List of our key data partners

AWS: Amazon Web Services, Inc. 410 Terry Ave North, Seattle, WA 98109-5210 , US

Google: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Twitter: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland

Xandr Inc: 28W 23rd street, 4th floor, New York, NY, 10010, USA

Avocet: Avocet Systems Limited, 100 Clifton St., London, EC2A 4TP

The Trade Desk Inc: 42 N. Chestnut St, Ventura, CA 93001, USA

16. Additional Information for California Consumers

1. Personal Information Collected in the past 12 months

2. Personal Information Sold or Shared in the past 12 months

We have sold and/or shared the following categories of Personal information in the past 12 months: (a) Identifiers; (b) Commercial information; (c) Internet or other electronic network activity information; (d) Geolocation Data; and (e) Inferences.

Such information is contained in audiences or profiles that we provide to our clients.

3. Personal Information disclosed for a business purpose in the past 12 months

We have disclosed the following categories of Personal Information for a business purpose in the past 12 months: (a) Identifiers; (b) Commercial information; (c) Internet or other electronic network activity information; (d) Geolocation Data; and (e) Inferences.

These business purposes comprise:

• Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
• Helping to ensure security and integrity.
• Debugging to identify and repair errors that impair existing intended functionality.
• Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.