Brainlabs understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our customers, subscribers, and website visitors and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
1. Information about us
We are Brain Labs Digital Ltd (“we“, “us“, “our“). We are registered in England under company number 07903451 and our registered address is Building 4, 2 Old Street Yard, London, EC1Y 8AF. We are registered with the Information Commissioner’s Office as a data controller.
We use personal data for our own purposes such as learning about visitors to our own website.
We provide media and creative services to our customers. Whilst we provide a number of services, one of our key offerings to customers is the placement of digital adverts on advertising space made available by website owners and publishers (the “Publishers“). When providing these services, our aim is to help our customers to provide you with digital adverts that you want to see and this allows our customers to promote their products and services. We process some personal data as part of the delivery of these services but only ever on behalf of our customers.
2. What does this policy cover?
We have also included information to help you to understand the part that we play in the wider digital advertising industry (which, for ease, we have referred to collectively as “Adtech” within this policy) (at Part 3 below).
Where we are involved in the service of digital adverts to you on behalf of a customer, our customer is the data controller and we act as our customer’s data processor (as further described in Part 3 below). If you have seen a digital advert served or arranged to be served by us on behalf of one of our customers, you should contact our customer for more information about how they process your personal data.
3. How does Adtech work and what is our role in it?
You may not have given any thought to how digital adverts appear on the websites and Publisher sites you visit, but behind the scenes is a sophisticated system that delivers digital advertising in milliseconds. A number of adverts you see have been specifically selected for you, based on your interests and browsing activities, but you could also be presented with adverts that have no personalised content but simply reflect, for example, current product or market trends.
In order to provide you with specifically selected adverts the parties involved in the advert-serving process require information to be collected and processed. This commonly includes information about the devices you use (such as mobile phones and laptops), your location and information obtained from your browsing activities. This information is used within the Adtech industry to try and determine and understand things that interest you.
This information is collected using cookies and other similar technologies such as tag pixels and device identifiers which are deployed on, or collected from, your device when you land on a website or through a mobile app.
There are a number of organisations that play a part in the Adtech industry, from the advertisers and the brands (our customers) on one side, to the Publishers on the other.
In the course of providing our services to our customers we do not determine or influence how your personal data is processed, and we only process your data on the instructions of our customers or other parties in the Adtech process. Our customers will often have a legitimate interest in serving adverts to you or may have obtained your consent to certain data uses.
For the purposes of data protection law, when we process your data on the instructions of our customers we act only as data processors. Our customers will always act as data controllers and they may provide us with information about you or otherwise give us instructions to target you with advertising in order to enable the delivery of digital adverts to you. Our customers either provide us with wholly anonymised (or ‘hashed’) data, or our technology ‘hashes’ that data immediately on receipt from our customers. This means we can’t identify you from the information that we use to serve adverts on behalf of our customers, nor could we ever take any action in relation to you (e.g. we would never be able to serve an advert to you without the instruction of our customer).
We may also collect, use and share aggregated data such as statistical or demographic data on behalf of our customers for a number of purposes including for example calculating how many times an advert has been viewed. Aggregated data does not directly or indirectly reveal your identity. However, our customer may be able to combine or connect aggregated data with your personal data so that our customer can directly or indirectly identify you.
4. What is personal data?
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers (such as your IP address).
The personal data that we use for our own purposes as a data controller is set out in Part 6 below.
5. What are my rights?
Under the GDPR, you have the following rights about the personal data that we process about you as a data controller, which we will always work to uphold:
- The right to access the personal data we hold about you. Part 13 will tell you more about this and how to do it in more detail.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have.
- The right to restrict (i.e. prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
- The right to data portability. This means that, if we are processing personal data about you by automated means, you can ask us for a copy of that data or to transfer that data to another organisation. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- The right not to be subject to decisions made solely on the basis of ‘automated processing’ (i.e. the right not to be subject to decisions made solely by algorithms or computers without input from a human) in certain circumstances.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 17.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at telephone number 0303 123 1113 or https://ico.org.uk/.
6. What personal data do you collect?
We may collect some or all of the following personal data (this may vary according to your relationship with us):
- Email address;
- Telephone number
- Business name;
- Job title;
- Technical information, including the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, device types, operating system
- Information about your visit to our website, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed, searched for or purchased, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse the website
- Time-zone settings;
- Your social media handle/user name details if you engage with us on social media or if we engage with you; and
- any other information that you choose to give to us via our website
When you have received an advert of one of our customers that was served by us, you should note that we don’t collect or access any personal data about you to serve that advert. As we have set put in Part 2 above, we only process ‘hashed’ data about you. Other than where you comment on a post we have served on behalf of our customers, this means that we don’t know anything about you as an individual nor do we even know that we have served an advert on you on behalf of our customers!
7. How do you collect my personal data?
We may collect your personal data when you:
- Contact us by post, phone, email or otherwise
- Access and interact with our website
- Ask us to provide you with services and use our services
- Sign up to receive our newsletter
- Engage with us on social media (for example by mentioning/tagging us or by contacting us directly)
- Interact with functionality where you provide us with data on our website
We may also obtain information about you from publicly available sources of information, such as your organisation’s website or from social media (e.g. LinkedIn).
8. How do you use my personal data and what are your justifications for doing so?
Under the GDPR, we must always have a lawful basis for processing your personal data.
|How and why we use your personal data||What is our legal justification for processing your personal data|
|To provide you with the information and services that you request or purchase from us (i.e. to complete certain tasks, processes, and to communicate with you regarding those services that you purchase or request from us and respond to your questions and comments).||
We rely on our contractual arrangements with you as the lawful basis on which we collect and process your personal data in relation to an order for products and services.
Alternatively, in some scenarios, we rely on our legitimate interests as a business (for example, it is in our interests to troubleshoot customer issues or deal with your specific queries on social media). Where we rely on our legitimate interests, we will always make sure that we balance these interests against your rights.
|To measure how satisfied our customers are and provide customer service (including troubleshooting in connection with purchases or your requests for services or when you ask us questions on social media);|
We may use your personal data to tell you about relevant products/services and offers (“marketing”).
If you have opted in to receive cookies from our website then, depending on your interaction with our website, we may target you with targeted text ads on Google or Bing search results pages and/or targeted display ads, served via the Google Display Network on websites which have opted to display such ads.
We can usually only use your personal data to send you marketing messages if we have consent from you to do so or, in some cases, we can rely on a legitimate interest.
You can ask us to stop sending you marketing messages by contacting us at any time at the contact details set out at Part 17 below.
To monitor the use of our website and ensure that it is presented in the most effective and relevant manner for you and your device.
We have a legitimate interest to ensure that our website works properly and that our products and services are high quality and efficient.
|To ensure that the personal and financial information that you provide to us is accurate||In some cases we will use your personal data because it’s necessary for us to comply with a legal obligation (such as if we receive a legitimate request from a law enforcement agency). In other cases (such as the detection of fraud or ensuring security of the site) we will rely on our legitimate interests as a business to use your personal data in this way. Where we rely on our legitimate interests, we will always make sure that we balance these interests against your rights.|
|To detect, investigate, report, and seek to prevent financial crime or other illegal activity|
|To manage risk for us and our customers.|
|To fulfil our legal and compliance-related obligations|
|For administrative or business purposes, where you contact us for a particular reason other than those set out above, such as to report problems with our website.||
We have a legitimate interest to respond to your contact for the purposes of administering our business.
Where we rely on our legitimate interests, we will always make sure that we balance these interests against your rights.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
9. How long will you keep my personal data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. The applicable retention periods will always be linked to our purposes for processing your personal information. This means that the retention periods will vary according to the type of personal information.
10. How and where do you store or transfer my personal data?
We may transfer your personal data outside of the UK and the European Economic Area (EEA) where local laws may not provide legal protection for your information in the same way as is applicable in the UK or the EEA.
Whenever we send (or permit a third party to send) your personal data outside of the UK and the EEA, we will make sure that we take steps necessary to protect your data as required by applicable laws. For example, we may require the overseas recipient to enter into particular contract terms.
Please contact us using the details below in Part 17 for further information about the particular data protection mechanism used by us when transferring your personal data to a third country.
11. How do you keep my personal data secure?
We take the security of your information very seriously and have put physical, technical, operational and administrative strategies, controls and measures in place to help protect your personal information from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. Access to personal data is always restricted to our employees for whom it is necessary to have such access. We will always keep these under review to make sure that the measures we have implemented remain appropriate.
12. Do you share my personal data?
We may share your personal data with other companies in our group for marketing purposes where we are legally permitted to do so. This includes subsidiaries.
In order for us to provide our services to you, we share your personal data with our trusted third-party service providers as detailed below. Whenever we share your personal data, we put safeguards in place which require these other organisations to keep your data safe and to ensure that they do not use your personal data for their own marketing purposes unless you have given us your consent to do so. We will never sell your personal data to a third party.
To provide services
We work with a number of trusted service providers who carry out services on our behalf. These may include payment processing, delivery, and marketing. In some cases, those third parties may require access to some or all of your personal data that we hold.
If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law. It is in our legitimate interests as a business to work with these service providers since we may not have the capabilities to provide these services ourselves.
If any personal data is transferred outside of the EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR, as explained above in Part 10.
Sharing data to prevent crime and otherwise comply with laws:
In some limited circumstances, we may be legally required to share your personal data if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority or in order to prevent or detect crime. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.
Where our group structure changes
We may also share your personal data if we choose to sell, transfer, or merge parts of our business and/or group, or our assets in the future. Or we may seek to acquire other businesses or merge with them. During any such process, we may share your data with other parties. We will only do this if they agree to keep your data safe and private. If a change to our group happens, then other parties may use your data in the same way as set out in this notice.
Subprocessors that may be used to deliver services.
13. How can I access my personal data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 17. To make this as easy as possible for you, a Subject Access Request Form is available for you to use which can be found here. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one calendar month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
14. Special category data
We do not knowingly process any special category data (unless you give it to us), such as:
- ethnic origin;
- trade union membership;
- sex life; or
- sexual orientation.
15. Criminal offence data
We do not knowingly process any data about criminal convictions or offences (unless you give it to us).
16. Children’s data
We do not actively seek to collect information about children aged 16 or under. If we become aware that we have unknowingly collected information about a child under the age of 16, we will delete it. If you have any concerns about your child’s privacy in relation to our services, or if you believe that your child may have shared personal information via this website, please contact us at email@example.com. We will delete such information from our records with a reasonable time.
17. How do I contact you?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
Email address: firstname.lastname@example.org.
Telephone number: +44 (0)203 880 8503.
Postal address: Brainlabs, Building 4, 2 Old Street Yard, London, EC1Y 8AF.
18. Changes to this privacy notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
This policy was last updated on November 24, 2020.