We obtain a variety of information (collectively the “Information”) from trusted third-party data partners such as mobile application developers. We collect this Information primarily through APIs, which are interfaces through which these app developers can provide us with information about their users. We sometimes collect the Information through other delivery methods, such as software development kits (“SDKs”) that are embedded directly into mobile apps. We collect the following Information from these apps:
We sometimes also collect:
SafeGraph aggregates the Information collected from these mobile apps, i.e., our data partners, and provides the Information to our customers. Our customers – a variety of companies and organizations – in turn use the Information for a variety of commercial and research purposes, including ad targeting (for instance, building models of inferred audience preferences), traffic analysis (for instance, tracking which parts of a city or neighborhood are most busy, at what times), retail site selection (for instance, determining where to open a new restaurant) and market research (for instance, tracking consumer shopping trends based on foot traffic concentration).
Sometimes the Information is used to build models that connect different devices. For instance, some of our customers may create “cross device” capabilities to enable marketers to target specific sets of users across various channels and devices. SafeGraph also uses the Information to develop derivative products, such as determining whether a certain device visited a certain retail store at a given time.
SafeGraph may also use the Information for our internal and operational purposes, such as to consider or make internal service improvements or quality checking, or for our own sales and marketing purposes, and more generally to operate, maintain and improve the services we offer. We may also use and share the Information for legal, auditing and accounting purposes, such as (a) in good faith compliance with a request from law enforcement or a governmental agency, (b) to protect or enforce our rights or those of others, (c) to evaluate or enhance the security or quality of our Information, or (d) to investigate potential wrongdoing. Likewise, in the event of any potential merger or acquisition, any Information we hold (including information collected on our website) will likely be transferred to the successor entity, and shared with others in preparation or anticipation of such an event (e.g., during due diligence).
To avoid having your device’s mobile advertising identifiers (and location data associated with it) used for our services, including for interest-based advertising, you may adjust the settings on your mobile device. For iOS mobile devices, you can do so as follows: go to “Settings” from your device’s home screen; scroll down to “Privacy”; select “Advertising”; and turn on “Limit Ad Tracking.” For Android mobile devices: go to “Google Settings” on your Device; select “Ads”; and check or toggle the setting labeled “Opt Out of Interest-Based Ads” or “Opt Out of Ads Personalization.” These platform providers may change these options in the future, and the instructions may be slightly different for certain, particularly older, devices. We therefore provide the above purely for informational purposes, but the settings on your device may be slightly different.
You also can use your device settings to specifically control whether your location data is collected. However, if you do so, certain services that rely on location data to function may be affected.
SafeGraph is a member of the Network Advertising Initiative (NAI) and adheres to the NAI Code of Conduct as described on the NAI website. NAI is a non-profit organization that is the leading self-regulatory association dedicated to responsible data collection and its use for digital advertising.
In addition, when you visit our website, we or third-party platforms we work with may automatically collect other information from your desktop computer, laptop, mobile phone, tablet, or other consumer electronic device that you use to access the website. This information may include pseudonymized information, such as a unique browser identifier, technical information about your device (such as the device type, operating system, settings and system configurations, IP address, other unique device identifiers, and mobile network information) and your activity on our website, as well as data about the webpages you access, traffic to and from websites, the dates and times associated with transactions, and web log data. We refer to this as “Site Data.”
We use this Site Data for our commercial purposes, such as marketing, analytics, research, and improving our websites and services. This Site Data may be correlated with more personal information such as name or email address.
Our Use of Web Beacons. Web beacons are electronic images that may be used on the SafeGraph website or in emails we send to you. We use web beacons to deliver cookies, count visits, understand usage and effectiveness of offers, and tell whether you open an email and act upon it.
Our products are not intended to collect Information from children under the age of 16. If you believe we have collected Information from a person under the age of 16, please contact us at the below contact information.
SafeGraph protects Information in our possession against unauthorized access, disclosure, alteration, or destruction. We regularly review our physical security, storage, and processing to ensure compliance with industry best practices. However, as no physical or technological safeguards are 100 percent secure, we do not guarantee the security of any particular elements of data that we hold.
Information we collect is retained indefinitely provided that we will comply with the opt-out procedures described in Section 3 above, and will likewise comply with our representations in Section 10 regarding Information collected from devices located in EEA countries (and Switzerland).
As of May 25, 2018, a new data privacy law known as the EU General Data Protection Regulation (or the “GDPR”) will be in effect throughout the EEA countries. The GDPR requires SafeGraph and those using our services to provide users with certain information about the processing of their “Personal Data.” “Personal Data” is a term used in Europe that means, generally, data that identifies or can identify a particular unique user or device – for instance, names, addresses, cookie identifiers, mobile device identifiers, precise location data and biometric data.
To comply with the GDPR (and Swiss data protection laws), we provide the below representations and information, which are specific to persons located in EEA countries or Switzerland (so please don’t rely on the below, if you’re not):
a. Legal grounds for processing your Personal Data
The GDPR requires us to tell you about the legal basis we’re relying on to process any Personal Data about you. The legal basis for us processing your Personal Data for the purposes set out in Section 2 above (and Section 5 as to our corporate customer and marketing data) will typically be because:
You provided your consent. In order to provide our services that involve use of precise location information related to or in combination with other Personal Data and the other Information described in Section 1 (and to obtain access to and store information that is kept on your device such as mobile advertising IDs), we rely on your consent. To obtain this consent, we rely on our own compliance steps and our mobile application and platform partners’ compliance steps, designed to ensure that consent is collected and passed on to partners, and to ensure that we only facilitate the collection of legally obtained data. We may choose to obtain consent in other cases as well, in which case we will adhere to applicable laws relating to such consent and its withdrawal.
The processing is in our legitimate interest. In some cases, we use legitimate interest as a legal basis for processing Personal Data. For instance, we rely on legitimate interest when we use Personal Data to maintain the security of our services, such as to detect fraud or to ensure that bugs are detected and fixed. We also rely on legitimate interest when we use our own customers’ data to communicate with them about our services.
Contractual Relationships. Sometimes, we process certain data as necessary under a contractual relationship we have (such as our customer records and contact information).
Legal Obligations. Finally, some processing of data may be necessary for us to comply with our legal or regulatory obligations.
b. Transfers of Personal Data
As SafeGraph works with global companies and technologies, we may need to transfer your Personal Data outside of the country from which it was originally provided. For instance, we may transfer your data to third parties we work with that may be located in jurisdictions outside the EEA or Switzerland, and that have either few data protection laws or laws that are less strict compared with those in Europe.
When we transfer Personal Data outside of the EEA or Switzerland, we take steps to make sure that appropriate safeguards are in place to protect your Personal Data. Our data transfers of our Personal Data are safeguarded by European Standard Contractual Clauses and Data Processing Agreements where this is required by European data protection laws. You may contact us at the contact information below for more information about the safeguards we have put in place to protect your Personal Data and privacy rights in these circumstances.
c. Personal Data Retention
As a general matter, we retain your Personal Data for as long as necessary to provide our Services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements. We generally retain mobile advertising IDs and Personal Data for 13 months (in EEA countries and Switzerland) from receipt of consent (including any “refreshed” or updated consent provided) for the purposes set forth in the Section titled “How We Use And Share The Information We Collect” above. We may retain this (and other) Information whenever and so long as we have a legal or significant operational need to do so, such as for auditing, corporate record-keeping, compliance accounting or security and bug-resolution purposes.
If you are a customer of ours and thus have an account with us, and you have requested that your account be closed or if your account has been inactive for 3 months, we will retain your Personal Data only as long as we have a legitimate reason to retain it for legal, accounting, marketing or auditing purposes.
d. Your Rights as a Data Subject
The GDPR provides you with certain rights with respect to the Personal Data that data controllers hold about you, including certain rights to access Personal Data, to request correction of the Personal Data, to request to restrict or delete Personal Data, and to object to or withdraw your consent from our processing of your Personal Data (including profiling for online or mobile app-based ad targeting).
Right to Access: If you wish to exercise your right to access Personal Data we process as a data controller, you can do so by requesting access through the e-mail address firstname.lastname@example.org. When we receive your request, we will provide you with current, step-by-step instructions to follow in order to obtain access. Please note that we are required under applicable European laws to use all reasonable measures to verify the identity of a requester before providing the Personal Data that we process. Because improper disclosure would likely adversely affect the privacy rights and freedoms of the data subject, we may in some cases limit the Personal Data we make available.
Please note that we will only grant requests for access for Personal Data for which we are a data controller, as explained further in sub-section (e) below. Where we act as a processor for one of our customers, we will refer your request to that customer. Please identify the customer your request refers to (if possible), to simplify this process.
Right to Correct: If you wish to exercise your right to correct Personal Data, you may do so by contacting us at the contact information below.
Right to Erasure: You also have the right to obtain the erasure of Personal Data concerning you that we hold as a controller. The above opt-out process satisfies this right. When a user opts out through our partners (or through mobile device settings), and we receive this signal, we no longer use Personal Data for commercial purposes. We will also manually delete your Personal Data if you prefer that we do so; please contact us at email@example.com for further instructions if you wish to exercise this right manually. Please note, however, that we may retain copies of certain Personal Data on inactive or back-up files, for our own internal and necessary purposes, such as auditing, accounting and billing, legal or bug-detection.
Right to Lodge Complaints: You have the right to lodge a complaint with a supervisory authority. However, we hope that you will first consult with us, so that we may work with you to resolve any complaint or concern you might have.
e. SafeGraph as a data controller and a data processor
EU data protection law makes a distinction between organisations that process Personal Data for their own purposes (known as “data controllers”) and organisations that process Personal Data on behalf of other organisations (known as “data processors”). As noted above, we are not always a data controller of the data in our possession, but are sometimes a data processor for other companies such as our customers. In such cases, we may direct your inquiry to the relevant data controller, since data controllers are the ones with primary responsibility for your Personal Data.
Attention: Data Privacy Officer
182 Howard Street, Suite 842
San Francisco CA 94105