Company
Privacy & Guidelines
Adara’s Privacy Promise
Updated January 18, 2023
Adara’s Privacy Promise
Adara is committed to your privacy. Adara’s Privacy Promise explains in a transparent way, what data, including personal data, is used in our business, how we process and share it, and your rights in relation to such data.
Adara is a business-to-business company that offers a technology platform (“Adara Platform” or “Platform”) which provides products and services enabling our clients to buy advertising space online and measure and analyze their campaigns.
All data we have access to will be collected, processed and protected consistent with applicable data protection laws, including where applicable the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and this Privacy Promise.
We may update this Privacy Promise, in order to align with evolving laws and regulations or due to changes in our business and technology. We’ll notify you of any material changes posting them clearly on our website or by other appropriate means. You should consult this page from time to time in order to be aware of any updates.
Who We Are
Adara is a technology company, headquartered in Palo Alto, California, and operating globally, with offices in Chicago, New York, Durham, Dubai, Barcelona, London, Paris, Dublin, Hong Kong, Singapore, Tokyo, and Sydney.
The entity that decides how and for what purposes personal data is processed is Adara, Inc. We have appointed a data protection officer to advise us and respond to data processing related inquiries (please see Section below entitled “Contacting Us”).
Adara adheres to the Internet Advertising Bureau Europe’s Good Practice Principles for Online Behavioral Advertising as well as the European Interactive Digital Advertising Alliance’s principles.
For What Purposes Do We Process Personal Data?
Adara provides digital advertising and analytics services for the benefit of our business customers, giving them the ability to reach and understand Internet users and consumers (like you) who are most likely to be interested in their respective products and services. Adara provides these services to customers such as website operators and mobile application developers (“Partners”). Consumers (like you) also benefit from Adara’s technology by receiving more relevant online marketing content: without our services you would still see ads online, but they would be less relevant to your interests.
Here is a common example of how the Adara Platform can benefit you and our Partners: if you visit an airline or hotel website to book a flight or a hotel room and the airline or hotel website is an Adara Partner, then we will receive your search or booking travel intent about the destination including some related information (dates, class of travel, number of people traveling with you – for a full list see the Section below entitled “What Personal Data Does Adara Collect?”). We do not collect your name or your email, or anything that tells us who you are “in the real world.” If we receive any email addresses then they are always in “hashed” (encoded) form so we never hold the actual email address.
Without knowing who you are, our Platform can automatically recognize that a user it has seen before is visiting another Adara Partner site, based on a random unique identifier we call an “Adara Recognized Traveler ID”. Information about travel interests and bookings are linked to the Adara ID and analyzed using proprietary algorithms to understand the user’s likely interests and travel activity.
Our Platform may use automated decision-making tools to seek to understand what type of traveler you are and allocate you a “score” or to a category with other travelers with similar interests, characteristics, and needs. This may enable us to create profiles which allow our Partners to provide more tailored offers or levels of customer service (but not to take decisions that have legal or similar significant effects on any user).
This improves our, and our Partners’ ability, to display relevant advertising to those with an interest in travel. In summary our purposes for processing data are the following:
Online advertising: We will use the collected data to make decisions or buy, monitor, or report on the delivery of online advertising for our advertiser via ad exchanges. We may also share performance data (i.e. relating to viewability of the ad, clicks and any subsequent purchases) with advertisers and ad agencies. We may overlay third-party data collected from third-party data providers to enhance our decision making. We may also use data to target ads on other devices which we infer belong to the same user.
Measurement and Analytics: Adara collates and classifies data in our database in aggregated form, which may then be made available via reporting or via the Adara Platform for high level trend analysis. We may also use the data to create analytics about travel industry trends, effectiveness of media, or for content marketing.
Traveler Intelligence: Adara may share pseudonymous data, always aggregated to not identify one Partner or brand, with our Partners or clients for the purposes of enhancing their CRM for personalization or merchandising optimization.
Data may also be transferred in encrypted format to our vendors and suppliers; including cloud data centers and hosting providers. The data will also be used for specific internal Adara operations including troubleshooting, data analysis, testing, research, and statistical or survey purposes.
For purposes of GDPR, our legal basis for this data processing is your consent: all users must have notice of and consent to use of cookies or similar technologies by our Partners and to the provision of their data to Adara for processing as explained in this Privacy Promise. Cookie consents can be managed as set out in the Section below entitled “How to Change Interest-Based Advertising Preferences”, and other user rights are explained in the “What Are Your Rights?” Section. We may also process some data to further our and our Partners’ legitimate interests but only where such interests are not overridden by your interests or fundamental rights and freedoms.
What Do We Mean By Personal Data?
“Personal Data” covers more than just personally identifiable information such as name, address, email or phone numbers.
Under the GDPR, personal data is any information relating to an identified or identifiable natural person, i.e. it can be a name or address, but also IP addresses and other “unique identifiers” such as device or cookie IDs.
Under the CCPA (implemented in the State of California on January 1, 2020), personal information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. Concretely, that would include names, email addresses, IP addresses, cookie IDs, device ID’s.
We also refer in this Privacy Promise to “pseudonymous” or “pseudonymized” personal data. We use this to refer to data that cannot be associated with an identifiable person, without the use of additional information which is kept separately. Normally, this means that such identifiable information is not available to Adara (so in Adara’s hands individuals are not identifiable).
What Personal Data Does Adara Collect?
The Adara Platform may collect personal data directly and receives personal data from our Partners that they have collected from their digital properties. The data processed on the Adara Platform (currently and over the last 12 months) is broken down into three trusted data sources about the travelers:
- Technical identifiers and hashed or pseudonymized data as follows:
-
- cookie identifier;
- hashed email address;
- postal address;
- mobile device identifier;
- hashed CRM identifier;
- passenger number record;
- approximate location data about the individual (e.g. the country they are located in when accessing an Adara Partner site)
-
- Interests for products and services; and
- Measurement statistics on the performances of Adara services.
Note that the Adara Platform cannot identify a user by name or their home address, but instead we try to understand users’ online travel behavior demographic characteristics, such as frequented destinations, type of trip (business vs leisure) and the types of travel, products and services they are interested in). Adara ensures that no information that can identify a user in the real world is stored on the Adara Platform, by requiring all such data to be hashed before it is transmitted to us.
We do not collect or categorize users based upon sensitive data or ‘special categories of data’, such as racial or ethnic origins, political or religious beliefs, information about health conditions or treatments or other similar or related information.
Neither do we intentionally collect information from, nor target any services to, or create any categories or profiles of, children under 16 years of age. If you believe that we may have collected information of a child under 16, please contact us as set out in the “Contacting Us” Section below.
Business Contact Data
Adara may hold your personal data if you or your employer has a business relationship with us or if you or we are considering entering some form of business relationship.
You could be a client (e.g. an advertiser), a publisher, a data provider or other supplier, and we would need to process your personal data in order to communicate with you, invoice our services, and manage the relationship. The personal data we hold about you refers to your professional life (name, business email address, billing address, office address, business phone numbers, title, qualifications, employer etc.). For potential clients or suppliers, we need to process similar data in order to grow and manage our business and evaluate products and services. In addition, if you visit our website, we may collect data using cookies and other technologies.
We obtain this information directly from you or your employer, or otherwise from exchanging emails or business cards, meeting at industry events, business networking, or at meetings etc. The legal basis for our processing of this data is that we have a legitimate interest in doing so (i.e. in managing and developing our business) for which this data processing is necessary, and which does not have a negative impact on your privacy (as this is professional data only). We may also process this personal data where such processing is necessary for the performance of a contract. We do not have to obtain your consent in order to hold and carry on processing this data. Nevertheless, you can exercise your data subjects’ rights in relation to your personal data (see Section below entitled “What are your rights?”).
We store this data for as long as necessary to fulfill the purposes for which it was collected, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
From What Sources Do We Collect Personal Data?
When a user visits one of our Partner’s digital properties they are provided notice of and/or asked to agree to the collection and analysis of information about individual consumer interests by way of “pixels” that we provide to our Partners.
A Partner pixel assigns a unique identifier (a random, unique string of characters) to the user, a “cookie”. A pixel collects and stores information about what the user does on the Partner website or application, and which Partner sites or apps the user visits as well as how the users view and interact with the online ad (for instance the time it is viewable by the user, whether they click on the ad). Similar technologies are used when a user views an email from a Partner with an Adara tag, uses an app with an Adara SDK installed, or sees or interacts with an online advertisement which has been placed through our Platform.
Adara may engage in cross-device data collection and targeting. This means we use third party providers to determine the likelihood that a given user on a desktop browser is the same user on a mobile or other device, and then we link the information we have on their different devices. Adara may also engage in cross-app data collection and targeting.
Where permitted, some Partners use hashed emails as identifiers and Adara may sync hashed emails received from other Partners in order to gain a fuller picture of the user’s travel preferences. We can then build segments, or receive segment data from our Partners and clients, to understand better the data associated with that unique ID. In this case the hashed email is used in a similar way to a cookie ID –Adara does not know the real email address nor can we send emails using it.
The Security of Your Personal Data
Adara cares about your privacy and employs industry standard administrative, physical and technical measures designed to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Is Your Personal Data Transferred Internationally?
Adara’s headquarters are in California. All of our data is ultimately sent to the United States, after being collected via our data centers in Amsterdam, Netherlands, Singapore, and South Carolina/Oregon, United States.
As we process data outside the European Economic Area (“EEA” – which in this Privacy Promise includes the UK), we may transfer Personal Data to any other country where our partners, processors or sub-processors maintain facilities.
When our services involve the storage and/or processing of Personal Data outside of the EEA in a jurisdiction such as the US that is not the object of an EU “adequacy” decision or UK adequacy regulations, as applicable, then we only do so on the basis of protective contracts and agreements along with legally required transfer mechanisms, which commit recipients to similar data protection standards as in the EEA, such as the standard contractual clauses (SCC) issued by the European Commission, the UK and/or other responsible Supervisory Authorities.
Where Adara uses this transfer mechanism, Adara ensures, and also requires its data processors to ensure, that sufficient legal and practical safeguards are in place to permit the transfers for the relevant purposes.
In addition, although the EU-US Privacy Shield does not by itself permit international transfers of personal data, Adara also adheres to the Privacy Shield principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access and recourse, enforcement and liability.
In this Privacy Promise, we have set out the categories of personal data that we may receive in the US, as well as the purposes for which we use personal data. We will not use your personal data for a purpose that is incompatible with the purpose we collected it for or that you later authorized, except in accordance with applicable laws and regulations. Adara maintains reasonable procedures to help ensure that personal data is reliable for its intended use, accurate, complete, and current. We have also set out above the relevant security provisions and access rights available to you.
Who Else May Receive Your Personal Data?
We also engage other companies to provide data processing services including, among other things, data storage, maintenance services and the provision of support services. With these data processors we enter into contracts that require them to adhere to security standards as stringent as ours. A list of our principal data processing partners is set out in the Annex at the end of this Privacy Promise.
Adara is responsible for the processing of personal data it receives, and subsequently transfers to a third party acting as an agent on its behalf. We enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection and we follow appropriate transfer mechanisms such as the standard contractual clauses and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process personal data in accordance with our contracts, data processing addenda and the standard contractual clauses. Adara remains liable if third-party agents that we engage to process such personal data on our behalf do so in a manner inconsistent with our data processing addenda and the standard contractual clauses. Please click HERE for more information on our third-party partners.
We may access, preserve, and disclose any data we store in association with you to external parties if we, in good faith, believe doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our, or others’ rights, property, or safety; (iii) enforce our policies or contracts; (iv) collect amounts owed to us; or (v) assist with an investigation and prosecution of suspected or actual illegal activity.
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then data we hold may be sold or transferred as part of such a transaction, as permitted by law and/or contract.
Transfers of personal data out of the EEA are normally based on EU model clauses, otherwise known as Standard Contractual Clauses, issued by the European Commission or other responsible Supervisory Authorities (please see the previous Section). If we receive a valid request, then we may make available a copy of the safeguards applicable to relevant international transfers.
How Long Do We Process Personal Data For?
Adara will never store personal data for longer than necessary for the purpose for which it was collected, and always in accordance with data privacy laws and regulations. We expire cookie data after 13 months for targeting purposes and delete personal data after 24 months for insights and analytics purposes.
For online identifiers like Mobile IDs that remain active indefinitely for the use of the device, Adara dissociates the data after the same data retention periods stated above.
Please note that we may sometimes need to retain data for longer where necessary to comply with our legal obligations and enforce our agreements, in which case we will only process it for those restricted purposes.
What Are Your Rights? (for European Residents)
The GDPR lists various rights in connection with your personal data including:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to particular processing activities (e.g., marketing or profiling)
In particular, in relation to personal data relating to you that we process:
- You may request access to the personal data we hold about you (including categories or scores allocated).
- You may be entitled to request that we erase the personal data concerned (or at least have us restrict its processing), subject to any legal requirements that require us to keep it.
- Where we are processing personal data relating to you on the basis of your prior consent to that processing, you may withdraw your consent at any time (although this will not affect the legality of any processing based on consent that was carried out before the consent was withdrawn). Normally you will do this through the Partner website, after which we will be notified, or you can contact us directly to withdraw your consent.
In order to process your request we may need to confirm that the identifier we hold matches the information you provide. This request can be made and carried out HERE. Alternatively, you can also email privacy@adara.com.
We will respond to each request within 30 days.
Please note that we may be required to ask you for further information in order to confirm your identity before we provide or make other changes relating to the personal data requested.
If you have a complaint about any processing of your personal data conducted by us, you can contact us at privacy@adara.com or dpo@adara.com and we will do our best to resolve the issue. If you believe we have not done so properly, you also have the right to lodge a formal compliant with the relevant Supervisory Authority in your country or to use the mechanisms referred to in the Section below entitled “Contacting Us”.
The Data Protection Commission (for European Residents)
As our EU operations are controlled from Ireland, the Data Protection Commission (which is the Supervisory Authority in Ireland) can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data. You can consult their website for more information: https://www.dataprotection.ie
Our DPO (data protection officer) is registered with the DPC.
New US State Privacy laws
Consumers who are resident in US states such as California, Colorado, Virginia, Connecticut, or Utah may have additional rights under state privacy legislation which defines personal information more broadly, ensures greater transparency and accountability and provides consumers with extended rights as to the collection and use of their personal information.
Your rights under US State Privacy Laws:
If you are resident in one of the states where specific privacy legislation is in effect then, depending on the particular provisions of applicable local laws, you may have some or all of the following rights:
- Right to correction: Consumers have the right to request a business that possesses inaccurate personal information about the consumer to correct such inaccurate personal information, taking into the account the nature of the personal information and the purposes of the processing of the personal information.
- Right to notice: Businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used.
- Right to access: Consumers have the right to request that a business disclose the categories of personal information collected; the categories of sources from which personal information is collected; the business or commercial purpose; the categories of third parties with which the business shares personal information; and the specific pieces of personal information the business holds about a consumer. If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information so sold or disclosed.
- Right to opt out: Consumers have the right—at any time—to direct businesses that sell or share personal information about the consumer to third parties to stop such sales or sharing, known as the right to opt out. If a consumer is a minor, this becomes a right to opt in to the sale or sharing of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old). Businesses must wait at least 12 months before asking consumers to opt back in.
- Right to request deletion: Consumers also have the right to request deletion of personal information, but only where that information was collected from the consumer. Like the right to erasure under the GDPR, this right is subject to exceptions. For instance, businesses need not delete personal information necessary for detecting security incidents, exercising free speech, protecting or defending against legal claims, or—in what is potentially a broad and likely contentious category—for internal uses reasonably aligned with the consumer’s expectations.
- Right to limit use of sensitive information; Consumers have the right to restrict a business’s use of sensitive personal information e.g. to use that is necessary to provide goods or services requested, to certain business purposes, or other legally permitted purposes.
- Right to equal services and prices: Businesses must not discriminate against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any of their legal rights relating to their personal information. Put differently, consumers have a right to equal services and prices.
Exercising your rights under US state laws:
If you want to make a request for exercise of any of the above rights, you (or your authorized agent) can write to privacy@adara.com and we will respond within 45 days as per the law.
If you make such a request, including through an authorized agent, we reserve the right to verify your identity and the agent’s authorization.
However, we may not be able to respond to your request if it is not permitted or foreseen under applicable law.
(Please note that we do transfer personal information collected through our network of partners to third parties and as such are considered as having disclosed or sold or shared data over the past twelve months. Please see Section 16 below for more information).
What Are Your Rights? (for Brazil Residents)
The Lei Geral de Proteção de Dados Pessoais (LGPD) applies to any resident or any company (located in Brazil or abroad) collecting or/and processing data from Brazilian residents. A data protection authority will soon be established and will offer guidelines and guidance with regards to compliance. Adara collects data based on a valid legal basis such as consent (consentimento) or legitimate interests (interesse legítimo) as per article 7.1 of LGPD. Adara is in the process of appointing a Data Protection Officer (“Encarregado”).
Data subjects have the following rights under the LGPD
- confirmation of processing
- access
- correction
- anonymization or deletion
- portability
- elimination
- information
- revocation of consent
- opposition
- rectification
How to Change Interest-Based Advertising Preferences and Your Opt Out Choices
Adara provides several mechanisms for users to change their preferences in relation to Adara’s advertising and analytics services:
- using Adara’s mechanism provided here on adara.com,
- clicking on the relevant link on the advert itself, or
- using browser based or mobile based cookie and privacy management settings
In all cases, all these choices will be recorded and/or honored by Adara.
Mobile Opt-Out
To change consents for the collection and use of data for interest-based advertising on your mobile device, you can modify the settings on your mobile device. To reset your mobile advertising ID or to prevent receipt of interest-based ads in mobile apps, please follow your mobile device maker’s most current published instructions, such as the examples linked below (current as of the date of this version of our Privacy Promise):
For Android Devices (version 8.0 and higher): Open the Settings app, Select Google, Select Ads, and enable the “Opt Out of Ads Personalization” setting.
For Apple Devices: Devices with iOS 6 and above use Apple’s Advertising Identifier. To learn more about limiting ad tracking using this identifier, visit the Settings menu on your device as follows: Go to Settings, Select Privacy, Select Advertising, and enable the “Limit Ad Tracking” setting. For more information about different iOS versions, please see: https://support.apple.com/en-ie/HT202074.
When you have changed these settings on a device, and when Adara receives this signal, Adara will not use in-app information collected from that device to infer your interests or serve ads to that device that are targeted based on your inferred interests.
Note: The specific settings instructions for each device may differ slightly depending on which version of the operating software you are running.
In addition, as noted above, we participate in the DAA’s Ad Choices program. So, each of our mobile ads includes the AdChoices Icon, on which you can tap to go to a preferences page.
To learn more about how to use platform controls in relation to mobile devices, please visit this link: http://www.networkadvertising.org/mobile-choice.
Additional Information for California Consumers
- Personal Information Collected in the past 12 months
Category | Examples | Source | Business or Commercial Purpose | Categories of third parties disclosed to |
Identifiers |
Unique personal identifier, online identifier, Internet Protocol address (e.g. device and cookie IDs) |
From partner websites and apps From third party data providers From our clients |
Providing and improving our targeted advertising services which include creating and enriching profiles and audiences for our clients |
– Our clients – Our data hosting and storage providers – Our providers of advertising technology and services such as demand side providers, data management platforms, and ad networks – Our data processing service providers (for purposes such as analytics, database management, customer support) – Our other group companies |
Commercial information |
Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies (e.g. sites visited, apps used, searches, views, clicks, and purchases) |
As above |
As above |
As above |
Internet or other electronic network activity information |
Information regarding your interaction with websites and applications (e.g. sites visited, apps used, searches, views, clicks, and purchases) |
As above |
As above |
As above |
Geolocation Data |
Approximate location from information provided by your device (e.g. IP address) |
As above |
As above |
As above |
Inferences drawn from any of the information above to create a profile |
As above |
As above |
As above |
|
Sensitive personal information |
Personal information revealing a consumer’s racial or ethnic origin; information concerning a consumer’s health |
Inferred from the above information |
As above |
As above |
*“Personal Information” does not include publicly available information, including information that we have a reasonable basis to believe is lawfully made available to the general public by you; from widely distributed media; or by a person to whom you have disclosed it and not restricted the information to a specific audience. |
|
|
|
|
- Personal Information Sold or Shared in the past 12 months
We have sold and/or shared the following categories of Personal information in the past 12 months: (a) Identifiers; (b) Commercial information; (c) Internet or other electronic network activity information; (d) Geolocation Data; and (e) Inferences.
Such information is contained in audiences or profiles that we provide to our clients.
- Personal Information disclosed for a business purpose in the past 12 months
We have disclosed the following categories of Personal Information for a business purpose in the past 12 months: (a) Identifiers; (b) Commercial information; (c) Internet or other electronic network activity information; (d) Geolocation Data; and (e) Inferences.
These business purposes comprise:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf.
- Undertaking internal research for technological development and demonstration.
Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
4. Statistics of data subject requests for the year 2022 (CCPA)
The number of requests to know that the business received: 2, complied with in whole or in part: 2, and denied 0
The number of requests to delete that the business received: 1, complied with in whole or in part: 1, and denied 0
The number of requests to opt out that the business received: 19,183, complied with in whole or in part: 19,183, and denied 0
The median or mean number of days within which the business substantively responded to requests to know: 20 days, requests to delete: 20 days and requests to opt out: 4 days
Enforcement
Adara is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Under certain circumstances, you may invoke binding arbitration.
Contacting Us
The “data controller” for your data is:
Adara, Inc.
2625 Middlefield Road #827
Palo Alto, CA 94303
USA
We have appointed a Data Protection Officer, whose contact details are:
Data Protection Officer
Adara, Inc.
2625 Middlefield Road #827
Palo Alto, CA 94303
Email: dpo@adara.com
Our EU representative is Adara Media UC, Fumbally Square, Fumbally Lane, Dublin 8, Ireland.
Annex: List of Key Data Processing Partners
- Adobe
- Amobee
- Google DV360
- The Trade Desk
- LiveRamp
- Oracle
- Salesforce
- Google Cloud Services
- Google Analytics
- Google reCAPTCHA
- Amazon Cloud Services
- YouTube
- AdapTV
- OpenX
- Pubmatic
- IndexExchange
- Rubicon
- IAS
- DoubleVerify
- Moat
- AT&T