End User Website Privacy Notice

Who are we?

Illuma Technology Ltd (the “Organisation”, “we”, “us” and “our”) based at 1st Floor, 5 Sycamore Street, London, EC1Y 0SG, United Kingdom (email: privacy@weareilluma.com) provides expertise to our clients (“Clients”) on media and advertising campaigns to advertise their products or services online. To run our digital advertising campaigns, we use our in-house technology platform (the “Platform”).

We respect your privacy and are committed to protecting your personal data and being transparent about how we collect and use the data and to meeting our data protection obligations.

For the purposes of what we do and our interactions with you, we are a ‘processor’ of your personal data, and we are appointed as a processor, by our Client. Our Client is the ‘controller’, who is ultimately responsible for your personal data and deciding how it is used.

What do we do?

We use our Platform to help our Clients place online display advertising on websites (“Website”) that are typically owned by publishers or online service providers (“Website Owners”). Tailoring which advertisements are displayed is known as ‘targeted advertising’.

By providing targeted online advertising, it is more likely to: (a) make the advertising you see more relevant and useful to you; (b) make the advertising more effective for our Clients; and (c) allow the Website Owner to sell the advertising space for a higher price and increase the flow of funding from advertisements that it receives.

Targeting

In order to try to ‘target’ the most appropriate advert to the most appropriate audience, we typically employ ‘Contextual Targeting’. This is where we show advertisements on a specific Website, because we believe it will be relevant to the type of audience that may be visiting the Website (“Contextual Targeting”). For example, we might show an advertisement for skiwear on a winter sports website.

Contextual Targeting does not specifically target you or your device and all visitors to the Website could receive the same advertisement.

What information do we collect?

We process limited data when employing targeted advertising for our Clients. Our Clients provide this information to us and they have collected it from you. This information includes

  • online identifiers such as cookie ID, web beacons, mobile device identifier and IP addresses;
  • geo-location information; and

This information is connected to the identity of your device (not necessarily you). This information is considered personal data under the UK General Data Protection Regulation (also known as “UK GDPR”) and therefore we protect and use it in a way that complies with data protection laws.

We do not know your name, address, phone number, email address or other contact information. We do not knowingly collect any special categories of personal data about you (this includes details about your race or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

We do not knowingly use or collect data to target advertising to children under the age of 17.

In some cases, we may collect personal data about you from third parties or publicly available sources, such as associated information about weather conditions or device location.

We may also create, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate data relating to the advertisements we have placed on behalf of our Clients.

How do we collect personal data?

We do not have any direct interaction with you or your device and do not collect any personal data directly from you.

Why do we process personal data?

We act as a processor of your personal data as we follow the instructions of our Client in relation to how your personal data may be used.

We are an advertising intermediary and do not have a direct relationship with you or other users. Our Client is responsible for your personal data and we expect that they will only pass us your personal data if they have a legitimate interest in processing this data or have obtained your full, unambiguous and informed consent. The collection by our Clients of your personal data is outside the scope of this Privacy Notice and the Client will be operating under their own privacy notice or policy.

Where we are relying on legitimate interests as a reason for processing data, we have considered whether those interests are overridden by your rights and freedoms and have concluded that they are not as we cannot identify a specific individual by using this information alone.

Who has access to data?

We limit access to your personal data to those of our personnel and third parties who have a genuine business need to know it.

We share your data with demand-side platforms who allow us to buy space on websites to place our Client’s advertisements and we will also share your data with publishers where we contract with them directly.

Many of the Website Owners are based outside of the European Union or host their servers outside of the European Union (e.g. in the United States of America) which may require us to transfer your personal data (such as cookie ID) outside of the European Union.

Where we are transferring your data outside of the European Union, we rely on one of the European Commission’s adequacy decisions (for example, relying on a Privacy Shield certification where the transfer contains a United States entity) or we will use reasonable efforts to put in place appropriate safeguards to cover transfers of your personal data including, for example, signing standard contractual clauses/data protection clauses adopted by the European Commission. Please click here for a link to the standard contractual/data protection clauses and click here for more information about the Privacy Shield for United States companies.

How do we protect data?

We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

For example, access to data is limited to personnel who have genuine business need to use it. Only personnel with access to the Platform can see any data; this access is frequently reviewed by the Controller to ensure that it is suitable and that those using the Platform are adequately trained in data protection.

We also have procedures in place to deal with any data security breach. Where legally required to do so, we will inform you and any applicable regulator of any data security breaches. However, the nature of the personal data that we process means that it is unlikely we will be able to identify and contact you directly.

For how long do we keep data?

We will hold your personal data for as long as necessary to fulfil the purposes it was transferred to us, including satisfying any legal, accounting or reporting requirements. Cookies will last for a maximum of 120 days. In practice, we may delete cookies sooner as they are only used for specific advertising campaigns. As such, a cookie will typically be valid for 14 days.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services and our Clients) may also use cookies, over which we have no control.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request;
  • require the organisation to change incorrect or incomplete data;
  • require the organisation to delete or stop processing your data, in certain circumstances, for example where the data is no longer necessary for the purposes of processing;
  • withdraw your consent to our using your data;
  • ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation’s legitimate grounds for processing data; and
  • right to data portability, in certain circumstances.

However, given the nature of the personal data that we may process about you, it is unlikely that we would be able to link you as an individual to a device that we have data about. You are more likely to be able to control, restrict or amend your personal data by opting out of advertising or by contacting the Client.

If you would still like to exercise any of these rights, please contact us using the details below. This may mean that you will have to provide us with further personal data about yourself so that we can identify the device connected with you.

Can I delete my data?

Under data protection laws (such as UK GDPR), you may have the right to ask us to suspend the processing of your personal data. However, as explained above, we are unlikely to be able to identify you from the device-specific personal data we may process about you and therefore, you would need to provide further personal data to allow us to identify you as the individual using a specific device and therefore we recommend you take the opt-out steps set out above first.

Changes to this Notice

We reserve the right to update this Privacy Notice at any time, and we will post a new version of this Privacy Notice on our website when we make any substantial updates.

Illuma Technology contact information

To get in touch with us with regards to privacy and your personal data or in connection with the advertising services we manage for our Clients, you may contact us by email on privacy@weareilluma.com

How to complain

We hope that we can resolve any query or concern you raise about our use of your information.

UK GDPR also gives you right to lodge a complaint with a data protection supervisory authority, in particular in the European Union state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the United Kingdom is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.

The wording in this document reflects the requirements of the UK General Data Protection Regulation, which came into effect in England and Wales on 1 January 2021.