Last updated: April 1, 2020
Effective Date: January 1, 2020
Exponential Interactive, Inc. (“we”, “us” or “our”) is an advertising media services company whose clients and customers are online advertisers (“Advertisers”) and digital content providers (“Digital Content Providers”) (collectively, our “Partners” or “affiliates”). We help our Partners reach their target audiences and grow through ad sales. Learn more about us at exponential.com.
Please read this Policy carefully. When you use this Site, you consent to our collection, use, and disclosure of your information as described in this Policy. If you do not agree with the terms of this Policy, do not use this Site.
TABLE OF CONTENTS
- INFORMATION WE COLLECT AND HOW WE USE IT
- THIRD PARTIES
- DATA RETENTION
- CHILDREN’S PRIVACY
- CONTACT INFORMATION
- CHANGES TO THIS POLICY
- CALIFORNIA RESIDENT PRIVACY RIGHTS
- NEVADA RESIDENT PRIVACY RIGHTS
- EUROPEAN RESIDENT PRIVACY RIGHTS
- INTERNATIONAL DATA TRANSFER: PRIVACY SHIELD CERTIFICATION
INFORMATION WE COLLECT AND HOW WE USE IT
We may collect, transmit, and store your information provided to us from various sources – directly from you, from online technology, and from other sources.
Directly from You
We collect your information directly from you and for the following purposes when you:
- submit a job application, a resume, cover letter, or social media profile to a job vacancy, or interview with us;
- enter into an employment contract with us;
- complete forms, conduct searches, post content on our Site, respond to surveys, or use any features on our Site;
- provide feedback to us by phone, email, or physical mail;
- interact with us on our social media accounts, including LinkedIn, Twitter, and Facebook;
- subscribe to any marketing materials; and
- participate in contests sponsored by us.
We may automatically collect certain information when you use our online technology. Such information includes:
- Internet Protocol (“IP”) Address: An address provided by your internet service provider to connect you to the internet and enable delivery of all online requests precisely as you requested.
- Cookie Identifier: A cookie – or data file – with a unique identifier that we set from our webpage “tribalfusion.com”.
- User Agent: A software such as a web browser that acts on your behalf and enables your interaction with web content.
- Clickstream Data: Information about your interaction with a webpage (e.g., time and date you visited the page; page web address; title of ad shown; topics (such as “beach” or “Caribbean”) that we interpret (as “summer vacation”) from the page.
Other information that may be collected includes browser session location information, internet service provider (“ISP”), pages that you visit before, during and after using our Site, information about the links you click, and other information about how you use our online technology. Information we collect may be associated with other similar devices.
Our Partners receive your information when you visit or use their services or through third parties they work with. We require our Partners to have lawful rights to collect, use and share your information before giving us any of your information. A list of Partners we receive data from is available at our Partnerships page.
We may also partner with analytics vendors such as Google Analytics to allow tracking technologies and remarketing services on this Site through the use of first- and third-party cookies to analyze and track users’ use of this Site, determine the popularity of certain content, and better understand online activity.
Other Third Party (Non-Partner) Websites
Our Site may also contain links to third party (non-Partner) websites, including ads and external services, that are not affiliated with us. Once you have used these links to leave this Site, any information you provide to these third parties is not covered by this Policy. Before visiting and providing any information to a third party (non-Partner) website, please inform yourself of the privacy policies and practices (if any) of the third party responsible for that website. We are not responsible for the content or privacy and security practices and policies of any third parties, including other sites, services or applications that may be linked to or from this Site. For more information about opting-out of interest-based ads, visit the Digital Advertising Alliance Opt-Out Tool or the Networking Advertising Initiative Opt-Out Tool.
We and our Partners may use web beacons, tags, advertising identifiers, and similar technology (“cookies”) in relation with your use of this Site and in the provision of our services. Such cookies may contain unique identifiers and reside on your web-connected device(s), in emails we send you, and on our Site. Cookies may transmit information about you and your use of this Site, such as your browser type, search preferences, IP address, data relating to ads displayed to you or that you have interacted with, and the date and time of your use. Cookies may be persistent or stored only during an individual session.
- Legal obligations: We may share your information as permitted or required by any applicable law, rule, or regulation if we believe your information is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect our rights, property, or safety or to protect the rights, property, or safety of others.
- Provide measurement, analytics, and other business or commercial services: We use the information we collect about you to help Partners measure the effectiveness and distribution of their ads and digital content, and understand the consumers who use their services, including how people interact with their websites and services.
- Troubleshoot problems to increase the efficiency and operation of this Site: We monitor and analyze usage and trends internally to improve your experience with this Site.
- Communicate with you: We use your information to respond to you when you contact us.
If you do not want cookies on your device, you can change the settings on your browser or device to reject cookies. For more information about how to reject cookies using your internet browser settings please consult the “Help” section of your internet browser or visit About Cookies. If you reject cookies, you may still use our Site, but your ability to use some features or areas of our Site may be limited.
Generally, we are not responsible for the actions of third parties that you share personal or sensitive data, and we have no authority to manage or control any solicitations from non-Partner third parties (e.g., third parties we are not affiliated with). If you do not want to receive emails or other communications from third parties, you are responsible for contacting each third party directly.
The categories of third parties that may receive information about you are:
- Partners: We may share your information with our Partners for the purpose of conducting general business analysis. We may also share your information with such third parties for marketing purposes, as permitted by law. We adhere to the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising, as amended from time to time. Third parties may be able to associate the information they collect with other information they have about you from other sources. We do not necessarily have access to or control over the cookies they use, but you may be able to opt out of some of their practices by contacting the responsible third-party vendor or the Digital Advertising Alliance Opt-Out Tool or the Networking Advertising Initiative Opt-Out Tool.
Please note that even after you withdraw your consent, we may continue to process your personal information when required or permitted by law such as exercising and defending our legal rights or meeting our legal and regulatory obligations.
- NAI Health-Related Targeting Segment Notice: As an NAI member, Exponential is required to fully and publicly disclose health-related audience segments for tailored advertising and provide a representative sample of custom audience segments used for the same purposes. Exponential does not receive, use, or transmit personally identifiable health information but does use aggregated and deidentified data to help determine health-related audience segments (i.e., wellness, beauty, fitness, etc.). A representative sample of health-related audience segments for advertiser targeting (i.e., inferred from user interaction with related ads or sites) is available on our NAI Healthcare Targeting Segment Declaration page at https://exponential.com/nai-health-targeting-segment-declaration/.
- Aggregate or Deidentified Information: We receive and share information in the aggregate with third parties in connection with advertising programs and data analytics. For example, we may provide our Partners with the number of users who have been exposed to or interacted with certain ads.
- Investigations and Legal Disclosures: We may investigate and disclose your information if we have a good faith belief that such investigation or disclosure: (i) is reasonably necessary to comply with legal, regulatory or law enforcement processes, such as a search warrant, subpoena, statute, judicial proceeding, or other legal or regulatory process or law enforcement request; (ii) is helpful to identify, investigate or prevent possible wrongdoing related to our Site or Partners; or (iii) is necessary to protect our rights, or reputation.
- Links: The Site may link to the websites of third parties that we are not affiliated with. We do not share your information with non-affiliated third parties and are not responsible for their privacy practices.
- Third Party Integrations: If you use your account with a third party service such as LinkedIn, Facebook, or other similar third party service to connect with us via our company third party services page or profile, we may receive information about you from such third party service. If you post content to your third party service account to our company third party service page or profile, that third party service will also receive the content you posted, which will also be visible to anyone that has access to it through that third party service.
You can request removal of your information by contacting us as outlined in Section 7 (Contact Information) below. We may retain your information as necessary for the purpose(s) for which we collected it and in accordance with our legal obligations and legitimate business interests. We may also maintain residual copies of your information in our backup systems as required by law.
Our Site and services are not intended for children. We do not knowingly collect, maintain, or sell the personal information of children under the age of 13, and in some jurisdictions the personal information of children under the age 16. If you are under the age of 13 (or under the age of 16 in some jurisdictions), please do not access our Site or use our services. If we learn that we have inadvertently collected personal information of children under the age of 13 or 16 (as applicable), we will delete such information unless otherwise required by applicable law, regulation, or rule.
We use commercially reasonable administrative, technical, and physical security measures to safeguard your information. However, no means of security is ever absolutely secure as all information transmitted over the internet or via any device is vulnerable to interception and misuse by unauthorized parties. As such, we cannot guarantee total security of your information.
Please contact us with any questions or concerns about this Policy using the information below:
United States Address
Exponential Interactive, Inc.
Attn: Legal Department
5858 Horton Street, Suite 300
Emeryville, CA 94608
United Kingdom Address
Exponential Interactive, Inc.
Attn: Data Privacy Officer
30 Stamford Street
To protect the security of your information, we will take steps as we deem necessary to confirm your identity before completing your request or sharing any personal information with you.
CHANGES TO THIS POLICY
We reserve the right to update this Policy at any time and for any reason. Any changes or modifications will be effective as of the “Effective Date” at the top of this Policy. We will notify you about any changes to this Policy by updating the “Last updated” date at the top of this Policy. In some cases, we may also notify you of updates by adding a statement to our Site homepage or via email.
We encourage you to review this Policy from time to time to stay informed about our privacy practices and your options. By continuing to access or use this Site after those updates become effective, you agree to the terms of the then-current Policy.
CALIFORNIA RESIDENT PRIVACY RIGHTS
Under the California Consumer Privacy Act of 2018 (“CCPA“), California residents have certain rights around the collection, use, and sharing of their personal information.
Disclosure or Sale of Personal Information
We have not disclosed or sold any personal information to third parties for any business or commercial purpose in the preceding twelve (12) months. We do not disclose or sell your personal information and will not disclose or sell your personal information in the future without giving you notice and an opportunity to opt out of such sale as required by law.
We do not offer financial incentives associated with our collection, use, or disclosure of your personal information.
We collect various categories of personal information when you use this Site or Partner sites, including identifiers, commercial information, internet or other electronic network or device activity information, geolocation data, and professional information. A detailed description of the information we collect and how we use it is provided above in Section 1 (Information We Collect and How We Use It). Section 3 (Third Parties) describes the categories of third parties with whom we share personal information, and what information may be shared and when.
Information We Collect
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:
A real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information in this category may overlap with other categories.
C. Protected classification characteristics under California or federal law
Age (forty (40) years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
D. Commercial information
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
E. Biometric information
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
F. Internet or other similar network activity
Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
G. Geolocation data
Physical location or movements.
H. Sensory data
Audio, electronic, visual, thermal, olfactory, or similar information.
I. Professional or employment-related information
Current or past job history or performance evaluations.
J. Non-public education information (Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99))
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
K. Inferences drawn from other personal information
Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Under the CCPA, personal information does not include:
- Publicly available information from government records;
- De-identified or aggregated consumer information;
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, and the California Confidentiality of Medical Information Act (“CMIA”) as amended, or clinical trial data; or
- Sector-specific privacy laws, including the Fair Credit Reporting Act (“FRCA”), the Gramm-Leach-Bliley Act (“GLBA”) or California Financial Information Privacy Act (“FIPA”), and the Driver’s Privacy Protection Act of 1994, each as amended from time to time.
We receive the categories of personal information listed in the chart above from the following categories of sources:
- Directly from you;
- Partners or their agents (e.g., information that our Partners give to us related to the services for which they engage us); and
- Directly and indirectly from activity on our Site, such as Site usage details collected automatically.
Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following business purposes:
- To fulfill or meet the reason for which the information is provided;
- To provide you with information, products or services that you request from us;
- To improve our Site and its contents to you;
- For testing, research, analysis and product development;
- As necessary or appropriate to protect the rights, property or safety of us, our Partners or others;
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations;
- As described to you when collecting your personal information or as otherwise set forth in the CCPA; or
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have disclosed the following categories of personal information (listed above) for a business purpose:
- Category A: Identifiers;
- Category B: California Customer Records;
- Category C: Protected classification characteristics under California or federal law;
- Category D: Commercial information;
- Category F: Internet or other similar network activity;
- Category G: Geolocation data;
- Category I: Professional or employment-related information; or
- Category K: Inferences drawn from other personal information.
We disclose your personal information for a business or commercial purpose to the following categories of third parties:
- Our Partners;
- Service providers; and
- Third parties to whom you or your agents authorize us to disclose your information in connection with our products or services.
Your Rights Under CCPA
If you are a California resident, you have the following rights:
Information About and Access to Your Personal Information
You have the right to request the following information for the twelve (12) months immediately preceding the date you submit your request to us:
- Categories of information we collect about you (e.g., identifiers such as your name, Social Security number, IP address, email address, postal address, commercial information such as purchasing histories, geolocation data, biometric information, internet activity such as web browsing histories, and professional or employment-related information);
- Sources from which we collected your information (e.g., cookies, pixels, web beacons, marketing companies, or recruiters);
- Categories of your information sold to third parties;
- Categories of your information disclosed for business purposes;
- Categories of third parties to whom your information was sold or disclosed (e.g., advertising partners, affiliates, social media websites, or service providers);
- Business or commercial purposes for which your information was collected or sold (e.g., fraud prevention, marketing, improving customer experience); and
- Specific pieces of information collected about you.
The CCPA also requires that if you request access to your information, we provide you with responsive materials in a readily usable format that allows you to transmit your information from one entity to another without hindrance.
Deletion of Your Personal Information
The CCPA generally permits you to request that we and our direct service providers delete your personal information. However, we are not required to delete your personal information for any of the following reasons:
- if we need your information to complete the transaction for which it was collected;
- to comply with a legal obligation;
- to comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.), as amended;
- to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- to identify and repair errors that impair existing and intended functionality; or
- to make other internal and lawful uses of your information that are compatible with the context in which you provided it.
Once we receive and confirm your request, we will delete (and direct our service providers to delete) your information from our records, unless an exception applies.
Opt Out of the Sale of Your Information
Under the CCPA, you may opt out of the sale of your personal information to third parties. To help you exercise this right, a Digital Advertising Alliance (“DAA”) “CA Do Not Sell My Info” link is available on our homepage. Clicking on the link will allow you to opt out of the sale of your personal information, including its use for interest-based advertising, across all companies participating in the DAA’s mechanism.
We will not discriminate against you for exercising any of your CCPA rights. Unless allowed by the CCPA, we will not:
- Deny you services;
- Charge you different prices or rates for services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of services; or
- Suggest that you may receive a different price or rate for services or a different level or quality of services.
Who May Exercise Your CCPA Rights
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your information. You may also make a verifiable consumer request on behalf of your minor child.
Verifying Consumer Requests
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
A verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are in fact the California resident about whom we collected personal information or an authorized representative; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing, Format, and Fees
We will respond to a verifiable consumer request within forty-five (45) days of its receipt or as permitted by law. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing (including email).
Any disclosures we provide will only cover the twelve (12)-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive or manifestly unfounded. If we reasonably determine that the request requires a fee, we will tell you why we made that decision and give you a cost estimate in writing before completing your request.
How to Submit Requests
Submit your requests to the information listed in Section 7 (Contact Information) above.
Shine The Light Law
Separate from the CCPA, California Civil Code Section 1798.83, as amended, also known as the “Shine The Light” law gives California residents the right to request and obtain what personal information we share with third parties for those third parties’ direct marketing purposes. We do not disclose your personal information to third parties for such third parties to directly market their services to you. If you have any questions about our Shine The Light Law practices, please contact us as outlined in Section 7 (Contact Information) above.
Do Not Track
California law requires us to tell you know how we respond to web browser Do Not Track (“DNT”) signals. DNT allows users a way to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. We do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
NEVADA RESIDENT PRIVACY RIGHTS
Nevada law (SB 220), as amended, requires website operators to give Nevada residents a way to opt out of the sale of certain information that a website operator may collect about them. We do not sell your personal information to third parties as defined Nevada law, and will not do so in the future without giving you notice and an opportunity to opt-out of such sale as required by law. If you have any questions regarding our compliance with Nevada data privacy law, please contact us listed above in Section 7 (Contact Information).
EUROPEAN RESIDENT PRIVACY RIGHTS
This section applies to European Residents only. A “European Resident” is a resident of a country in the European Economic Area (“EEA”) or Switzerland.
European Union (“EU”) data protection rules, also known as the EU General Data Protection Regulation (“GDPR”), describe different situations when a company like ours is allowed to collect or reuse your personal information.
Our legal basis for collecting and using your information depends on the specific information concerned and the context in which we collect it. We collect your personal information only with your consent or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. We may also have legal obligations to collect your information or may otherwise need your information to protect your vital interests or those of another person. If we ask you to provide personal information to comply with a legal requirement, we will notify you of the legal requirement and the information we require. If we collect and use your information in reliance on our legitimate interests (or those of any third party), our legitimate interest will usually involve operating and improving this Site, communicating with you, marketing purposes, or detecting or preventing fraud. For more information about GDPR, please visit the EU’s “Data protection and online privacy” page. If you have any questions about our compliance with GDPR, please contact us as outlined above in Section 7 (Contact Information).
INTERNATIONAL DATA TRANSFER: PRIVACY SHIELD CERTIFICATION
We are committed to subjecting all personal information received from the EEA, United Kingdom and Switzerland (“Privacy Shield Covered Data”), respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, including the supplemental principles described in each Privacy Shield Framework (collectively, the “Privacy Shield Principles”).
We have certified to the U.S. Department of Commerce that we adhere to the Privacy Shield Principles. To learn more about the Privacy Shield Framework and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield List. If there is any conflict between the terms of the Privacy Shield Principles and this Policy, the Privacy Shield Principles will govern.
Under the Privacy Shield Framework, we collect, use, and disclose Privacy Shield Covered Data for the purposes described in this Policy. Additionally, the Privacy Shield Framework enables you to ask us if we process personal information about you, request access to your information, and ask that we correct, amend, or delete your information where such information is inaccurate or processed in violation of the Privacy Shield Principles. We are responsible for the processing of personal information under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield requires that we remain liable if third parties process your information in a manner inconsistent with the Privacy Shield Principles.
With respect to Privacy Shield Covered Data received or transferred pursuant to the Privacy Shield Framework, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). The FTC governs our compliance with the Privacy Shield Framework. In certain situations, we may be required to disclose personal information in response to lawful requests by the FTC or similar public authorities to meet national security or law enforcement requirements. You may, subject to certain conditions, request free binding arbitration from JAMS Mediation, Arbitration and ADR Services (dispute resolution provider) when other dispute resolution procedures are exhausted by visiting the JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks page. If your request remains unresolved, you may contact the national data protection authority for your EU Member State.
If you reside in the European Union, your personal information may be processed outside of EEA. We take all necessary steps to ensure that your information is adequately protected and processed in accordance with this Policy, including:
- only transferring data to countries approved by the European Commission as providing an adequate level of protection for personal information;
only transferring data to U.S.-based providers who utilize the EU-U.S. Privacy Shield – which requires them to provide similar protection to personal information shared between the Europe and the U.S.; and
using (where applicable) the European Commission’s Standard Contractual Clauses – contracts approved by the European Commission that affords personal information the same protection it has in Europe.