Last Updated: 01/23/2019
Bombora, Inc., its global subsidiaries (collectively, “Bombora”, “we”, “us”, or “our”) value the privacy of the persons (“you” or “your”) whose information we collect or receive. This privacy notice (“Notice“) explains who we are, how we collect, use and share personal information about you, and how you can exercise your privacy rights.
The Notice covers personal information we collect:
a) When providing information to the Bombora hosted platform and related analytics products.
b) When you visit one of our corporate websites (such as such as https://bombora.com, https://www.signal-hq.com/, https://www.netfactor.com/)) (“Website“) and/or over the usual course of our business practices, such as in connection with our events, sales and marketing activities (see ‘privacy for our websites’).
We recommend that you read this Notice completely to ensure you are fully informed. However, to make it easier for you to review those parts of this Notice which apply to you, we have divided up the document into the following sections:
1. Who we are
One of the primary ways Bombora collects data is from a proprietary data cooperative (“Data Co-op”). The Data Co-op consists of business to business (“B2B”) websites of publishers, marketers, agencies, technology providers, research and event firms that contribute content consumption data to a massive pooled data set that details buyer intent. Data Co-op members provide consent-based brand-anonymous data including Unique IDs, IP address, page URL and referrer URL, browser type, operating system, browser language, and engagement data such as dwell time, scroll velocity, scroll depth and time between scrolls. Engagement data validates that the reader is actually consuming the content and not quickly bouncing from the website. Bombora collects all event data and dynamically indexes the content consumed to the Bombora topic taxonomy and aggregates that data at the company level. The full data set is refreshed weekly.
Bombora provides the following hosted platform and related analytics products (collectively the “Services”) to its Clients.
1.1 Company Surge® Analytics
An analytics report listing company name, topic and Company Surge® score. To create the score Bombora collects, stores, organizes, uses and erases data which is anonymized and aggregated such that no personal data exists. Bombora will not disclose any data to a company other than company name, topics searched, and Company Surge® score. These reports are created by collecting data from tags on publisher websites. The tag collects IP address (which is anonymous and converted to company URL), engagement metrics, and topics (which are determined by real time algorithm). The topics (based on Bombora’s B2B taxonomy) are attributed to company name. Comparing topic interest over 30B interactions using our proprietary algorithms leads to a score. That score is the company’s interest level in the topics compared over time.
1.2 Audience Solutions
Audience Solutions and measurement products append data to and share a cookie id in the audience segment. The data Bombora appends to the cookie id is firmographic and demographic data at the domain and company level only. The firmographic and demographic data may include industry, functional area, professional group, company revenue, company size, seniority, decision maker and predictive signals. Bombora does not share any data which could be used to identify an individual data subject. In addition, Bombora prevents co-mingling of attributes that might have the effect of identifying an individual, such as a c-suite job level at a company size less than 10 people.
- Facebook integration: as more fully described in ‘‘what we do and collect and why’. Through the Bombora integration with Facebook, Bombora uploads audiences associated with domains into Facebook. Facebook matches these hashed emails against their database of users to create a custom audience for targeting.
- LinkedIn integration: Through the LinkedIn Marketing Developer Platform API, Bombora sends Company Surge® Intent data as a list of domains into LinkedIn. LinkedIn matches its users to domains to create a matched audience for targeting within the LinkedIn Ad Platform.
1.3 Measurement Products
The following Measurement suite of products collect demographic and firmographic information:
- Audience Verification. With our Audience Verification product, a client places a tag on their campaign creative. The audience verification tag is able to collect the following data insights on visitors that click the advertisement: Unique cookie IDs, IP address and information derived such as geography, User agent: browser type and operating system (OS).
- Visitor Insights: With our Visitor Insights product, a partner places a tag on their website (Bombora has our tag on our Websites). The visitor insights tag is a able to collect insights about website visitors, including but limited the following data (i) Overall visitor engagement segmented by high, medium, and low percentages; (ii) Overall visitor engagement compared to previous date ranges; (iii) Total companies, unique users, sessions and page views; (iv) Total companies, unique users, sessions and page views compared to previous date ranges; (v) Engagement by company domain segmented by high, medium, and low and (vi) Unique users, sessions, and page views by company domain. This data can be delivered through the Bombora interface, from a daily feed, or directly from the Google Analytics platform.
Through the Services, Bombora provides data to our Clients to help them better connect and target organizations they want to reach (we refer to the individuals in those organizations as “End Users“). Bombora and its partners engage in tracking End Users’ interactions with business-to-business content across various digital properties like web registration forms, widgets, websites and webpages (whether accesses via computer, mobile or tablet device or other technologies) (“Digital Properties“). We then take this data and aggregate the information collected into demographic segments, such as company revenue and size, functional area, industry, professional group, and seniority. This helps Clients customize engagement based on topics that organizations are interested in and the intensity of that consumption.
2. Privacy for our services
This section describes how we collect and use information we receive or collect from End Users through the Services (we refer to this collectively as “Service Information“). This includes details about the type of information we collect automatically, the types of information we receive from other sources and the purposes of those collections.
2.1 What information do we collect and why?
Information we collect automatically
We use and deploy various cookies and similar tracking technologies (see ‘cookies and similar technologies’ ) to automatically collect certain information about your device when you interact with Digital Properties that use our technology. Some of this information, including your IP address and certain unique identifiers, may identify a particular computer or device and may be considered “personal data” in certain jurisdictions including in the European Economic Area (“EEA“). However, Bombora does not collect any information that enables us to identify you personally such as your name, mailing address or email address.
We collect this information by assigning a random unique identifier (“UID“) to your device the first time you interact with a Digital Property that uses our technology. This UID is then used to associate you with information we collect about you.
The information we automatically collect may include:
- Information about your device such as the type, model, manufacturer, operating system (e.g. iOS, Android), carrier name, time zone, network connection type (e.g. Wi-Fi, cellular), IP address and unique identifiers assigned to your device such as its iOS Identifier for Advertising (IDFA) or Android Advertising ID (AAID or GAID).
- Information about your online behavior such as information about the activities or actions you take on Digital Properties we work with. This may include time spent on a web page, whether you scroll or click on an ad or a web page, session start/stop time, time zone, your referring website address, and geo-location (including city, metro area, country, zip code and potentially geographic co-ordinates if you have enabled location services on your device) pages and times visited.
- Information about ads served, viewed, or clicked on such as the type of ad, where the ad was served, whether you clicked on it and the number of times you have seen the ad.
Information we receive from other sources
We may also combine, merge, and/or enhance the information we collect about you. This can include the information we collect about you with information collected from third parties such as other web-based and mobile networks, exchanges and websites (“Partners“) or our Clients (for example, they may upload certain “offline” data into the Services). View a list of our current partners. In addition, the Service Information we automatically collect may be combined and associated with business profile information that we infer about you, such as: age, domain, functional area, household income, income status & changes, language, seniority, education, manufacturing, professional group, industry, company revenue, net-worth.
This information may include hashed identifiers derived from other information such as email addresses, mobile device IDs, demographic or interest data (like your industry, employer, company size, job title or department) and content viewed or actions taken on a Digital Property.
We use the Services Information as follows:
- To provide the services to our Clients. Generally we use the Service Information to help Clients better understand their current and prospective customers and market trends. This enables Clients to better target and customize websites, content, other general marketing efforts and to measure and optimize the performance of their marketing.
- To build various inferenced data segments (“Data Segments”). We may use the Service Information to build Data Segments related to, for instance, the industry you are in or the type of content you or the organization you work for appear to be interested in. We use these Data Segments to help our Clients understand their own customers, evaluate customer and market trends and create reports and scoring regarding their customer’s behavior. The Data Segments also may be associated with UIDs, cookies and/or mobile device advertising IDs.
- To do “interest-based advertising”. We sometimes use or work with Clients and Partners that use UIDs or other information derived from information such as email hashes. This information in turn may be associated with cookies and may be used to target ads to you that are based on “offline” interest-based segments – such as your interests, transactions or demographic information – or used by Clients that target and analyze such ads. This is often known as “interest-based advertising.” You can find out more about this type of advertising at the DAA’s website.
- To do cross-device tracking. We (or our Partners and Clients we work with) may use the Service Information (e.g. the IP addresses and UIDs) to try to locate the same unique users across multiple browsers or devices (e.g. smartphones, tablets or other devices), or work with providers that do this in order to better target ad campaigns to common sets of End Users. For example, a brand may wish to target customers that it usually recognizes on web browsers through mobile apps.
- To do “user matching”. We (or our Partners) may use the Services Information, in particular various UIDs, to sync cookies and other identifiers with other Partners and Clients (i.e. to do “user matching“). For example, in addition to the UID’s an End User has been assigned in our system, we may also receive a list of UIDs our Partners or Clients have assigned to an End User. When we identify matches, we then let our Clients and Partners know in order to help them do any of the above, including enhancing their own data and Data Segments, to do interest-based advertising or provide insights to other customers. For instance, we use Facebook Custom Audiences to do user matching
- As we believe to be necessary or appropriate:
a) under applicable law including laws outside your country of residence
b) to comply with legal processes
c) to respond to requests from public and government authorities including authorities outside your country of residence
d) to enforce our terms and conditions
e) to protect our operations or those of any of our affiliates
f) to protect yours, our affiliates and/or our rights, privacy, safety or property
g) to allow us to pursue available remedies or limit the damages that we may sustain.
- To evaluate, operate or improve the Services.
2.2 Cookies and similar technologies
Our Partners, our Clients and we use various UIDs, cookies and similar tracking technologies to automatically collect information from End Users across various Digital Properties (as previously described above). Please review our Cookie Statement for further information.
2.3 Legal basis for processing personal information (EEA residents only)
If you are an individual from the EEA, our legal basis for collecting and using personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we normally rely on our legitimate interests to collect personal information from you, except where such interests are overridden by your data protection interests or fundamental rights and freedoms. Where we rely on our legitimate interests to process your personal information, they include the interests described in the ‘what information do we collect and why’ section above.
In some cases, we may rely on our consent or have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person. If we rely on consent to collect and/or process your personal information, we will obtain such consent in compliance with applicable laws.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the ‘contact us section below.
3. Privacy for our websites
This section describes how we collect and use information from users of our Websites, visitors to our Websites and in the usual course of our business in connection with our events, sales and marketing activities.
3.1 Information we collect
3.2 Information you provide to us
Certain parts of our Websites may ask you to provide personal information voluntarily. For example, we collect personal information when you register for a Bombora account, apply for a job at Bombora, request a demo, express an interest in obtaining additional information about Bombora or our Services, subscribe to marketing emails or otherwise contact us.
The personal information we collect may include contact information (e.g. your name, mailing address, telephone number or email address) and contact preferences. It may also include professional information (e.g. your job title, department or job role) as well as the nature of your request or communication.
3.3 Information we collect automatically
3.4 Information we collect from third party sources
We may partner with certain third parties to collect information on our Websites to engage in analysis, auditing, research, reporting and to deliver advertising that we believe may interest you based on your activity on our Websites and other websites over time. These third parties may set and access cookies on your computer or other device and may also use pixel tags, web logs, web beacons, or other similar technologies. For more information about these practices and how to opt out, please see our Cookie Statement.
3.5 How we use the information we collect
We will use your personal information for the following purposes:
- To respond to or provide you with information you request
- To provide and support our Websites and Services
- If you have an account with Bombora, to send administrative or account related information to you
- If you have applied for a role with Bombora, for recruitment related purposes
- To post testimonials with your prior consent
- To communicate with you about our events or our partner events
- To provide you with marketing and promotional communications (where this is in accordance with your marketing preferences). For more information about managing your marketing preferences, please see ‘your data protection rights’ below.
- To comply with and enforce applicable legal requirements, agreements and policies
- To prevent, detect, respond and protect against potential or actual claims, liabilities, prohibited behavior and criminal activity
- For other business purposes such as data analysis, identifying usage trends, determining the effectiveness of our marketing and to enhance, customize and improve our Websites and Services
4. General information
4.1 How do we share your information
Your personal information collected from our Services and Websites may be disclosed as follows:
- Clients and Partners. If you are an End User, we share Service Information with Clients and Partners for purposes relevant to our business relationship with them and for purposes described in this Notice. Our Clients and Partners are obligated to use the information they receive in compliance with applicable laws.
- Vendors, consultants and service providers. We also share the Service Information with a variety of third party service providers to help us to operate, secure, monitor, operate and evaluate the Services. Examples of this include to assist with technical, operational, or hosting support, software and security services or to enable other services that we offer.
- Website advertising partners. We may partner with third party advertising networks and exchanges to display advertising on our Websites, or to manage and serve our advertising on other sites and may share your personal information with them for this purpose.
- Vital interests and legal rights. We may disclose information about you if we believe it necessary to protect the vital interests or legal rights of Bombora, you or any other person.
- Corporate affiliates and transactions. We may provide your information to our affiliates (meaning any subsidiary, parent company or company under common control with Bombora). Our affiliates such as Signal HQ and netFactor will use your information only for the purposes described in this Notice.
- Potential acquirers of our business. If Bombora is involved in a merger, acquisition or sale of all or a portion of its assets, your information may be shared or transferred as part of that transaction with the relevant potential buyer, its agents and advisors, as permitted by law. Please note that any potential buyer will be informed that they should use your information only for the purposes disclosed in this Notice.
- Compliance with laws. We may disclose your information to any competent law enforcement body, regulator, government agency court or other third party where we believe disclosure is necessary:
i) as a matter of applicable law or regulation
ii) to exercise, establish or defend our legal rights
iii)to protect your vital interests or those of any other person.
4.2 Cookies and other tracking technologies
5. Managing your personal information with us
It’s important to us that you know that you have the right to access, manage the data that we may have collected about you from third parties. We strive to be as transparent as possible this section describes your data protection rights.
You have the right to access this data at any time. It’s important that we provide you with tools to object and, restrict the sale of your data, or withdraw consent (where applicable) for the use of data that we may have on you. Please note, to help protect your privacy and maintain security, we take steps to verify your identify through OneTrust. OneTrust is the secure administrative software that we use to manage privacy request.
5.1 Data subject requests and your data protection rights
Please complete the data subject request form to request a copy of your Platform and/or Business data from Bombora. The information you supply in this form will only be used to identify the platform and/or business data you are requesting and responding to your request. Once you submit a subject access request form we will endeavor to respond to you within 72 hours of receipt of your request. Please allow Bombora 40 days to process your request. You can also email firstname.lastname@example.org with any questions or queries you have regarding your data.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer requests. The response we provide will also explain the reasons we cannot comply with a request, if applicable. Please note that because most of the information we store can only identify a particular browser or device, and cannot identify you individually. To help protect your privacy and maintain security, we take steps to verify your identify in OneTrust. Making a verifiable consumer request does not require you to create an account with us. Before granting you access to your personal information or complying with deletion, portability, or other related requests, you will need to provide us with some additional information to enable us to identify the personal information we hold about you and ensure that we accurately fulfill your request.
You have the following data protection rights:
- You can request access to, or that we change, update or delete your personal information, at any time by completing the above form. Please note that we may impose a small fee for access and disclosure of your personal information where permitted under applicable law which will be communicated to you.
- In addition, if you are a resident of the European Economic Area, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. To exercise these rights please complete the above form.
- You can opt-out of receiving promotional emails from us by clicking the “unsubscribe” link in the email or by completing the above form. Please see ‘your choices’ below for further information about your opt-out choices. If you choose to no longer receive marketing information, we may still communicate with you regarding your security updates, product functionality, responses to service requests, or other transactional, non-marketing, or administrative related purposes.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds
other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. Click here to access contact details for data protection authorities in the EEA. If you are a consumer and wish to open an EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield case, please click here to file a claim.
Opting-out of the sale of personal information
In addition to the data protection rights grated in this Notice, If you are a California resident the California Consumer Privacy Act of 2018 (“CCPA”) provides California residents with the right to opt-out of the sale of their personal information, view the data Bombora may have collected over the past 12 months, and to know the following:
- The categories of personal information we have collected about you;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting your personal information;
- The categories of third parties with whom we have shared your personal information;
- The specific pieces of personal information we have collected about you.
In accordance with the Website, these are the categories of information we may have collected on you and the purposes we may have used. The categories of personal information we may have collected about you or your use of our Website over the past twelve (12) months:
- Identifiers such as a real name, unique personal identifier, online identifier, Internet Protocol address, email address, job position, and company name.
- Personal: such as a name, education, employment information
- Protected classification characteristics: such as age and gender
- Internet or other similar network activity such as browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement
- Geo location data such as metro area, country, zip code and potentially geographic co-ordinates if you have enabled location services on your device.
You can obtain more information on the categories of personal information in ‘what we do and collect and why’.
We obtain the categories of personal information listed above from the following categories of sources:
- Directly from you. For example, from forms you complete;
- Indirectly from you. For example, from observing your actions on our Website;
- From third party sources as set-forth in the
You can obtain more information on the sources of personal information in ‘information we collect’. These are the business or commercial purposes for which the personal information was collected
- To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a demo, quote or ask a question about our products or services, we will use that personal information to respond to your inquiry.
- To provide, support, personalize, and develop our Website, products, and Services.
- To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email (with your consent, where required by law)
- For testing, research, analysis, and product development, including to develop and improve our Website, products, and Services.
You can obtain more information on the Business or Commercial purposes for which the personal information was collected in the sections, ‘what we do and collect and why’ and ‘how we use the information we collect’.
The categories of third parties with whom we have shared your personal information;
- Data aggregators.
You can obtain more information on the third parties with whom we have shared your data with in ‘how do we share your information’. In the previous (12) months, Bombora may have sold the following categories of personal information:
- Protected classification characteristics
- Internet or other similar network activity
- Geo location
You have the right to request certain information about our disclosure of personal information to third parties for their own direct marketing purposes during the preceding calendar year. This request is free. You also have the right not to be discriminated against for exercising any of the rights listed.
CA residents may also designate an agent to make requests to exercise your rights under CCPA. As noted above Bombora will take steps both to verify the identity of the person seeking to exercise their rights, and to verify that your agent has been authorized to make a request on your behalf through providing us with a signed Power of Attorney You may only make a verifiable consumer request for access or data portability twice within a calendar year.
California residents may exercise your rights described in this section by visiting a privacy request form to exercise and the right to know (the data we may have on you) and the request to delete (the data we may have on you) . Click here to opt-out of the sale of your personal information. You can also exercise these rights by emailing email@example.com with the subject “CA Privacy Rights”.
5.2 Your choices
Opting-out of Bombora cookies
If you wish to opt-out of being tracked by us using cookies (including to opt-out of receiving interest-based advertising from us), please go to our opt-out page.
Opting-out of interest-based advertising from cookies
You may opt-out of interest-based advertising from numerous companies that enable such advertising on those associations’ websites. Please access the DAA’s opt-out portal to do this. You may also opt-out of some of the interest-based advertising Partners that we work with by going to the Network Advertising Initiative (NAI) consumer choice page.
You may opt-out of ad targeting that is based on your activities across mobile applications and over time, through your device ‘settings’.
Opting-out of interest-based advertising in mobile applications
Our Clients and Partners may display interest-based advertising to you in mobile applications based on your use of these over time and across non-affiliated apps. To learn more about these practices and how to opt out, please visit https://youradchoices.com/, download the DAA’s AppChoices mobile app and follow the instructions provided in the AppChoices mobile app.
Back to top
6. Other important information
6.1 Data security
Bombora takes precautions to protect data and information under its control from misuse, loss or alteration. Bombora has put in place appropriate technical and organizational measures to protect the information it collects through its Services and Websites. Bombora’s security measures include technology and equipment to help protect our information, and Bombora maintains security measures regarding who may and may not access our information. Of course, no system or network can ensure or guarantee complete security, and Bombora disclaims any liability resulting from use of the Service or from third party hacking events or intrusions.
Our Websites and Services are not intended for children under 18 years old. If you are aware of personal information we have collected from a child under 18, we ask that you ‘contact us’ located in the below section. If you are 16 years of age or older and a California Resident, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years of age.
6.3 Other websites
The Services or Websites may contain links to or integrations with other sites that Bombora does not own or operate. This includes links from Clients and Partners that may use the Bombora logo in a co-branding agreement, or websites and web services that we work with in order to provide the Services. For example, we might sponsor an event, or provide services in conjunction with other businesses. Bombora does not control, is not responsible for these parties’ sites, services, content, products, services, privacy policies or practices.
Likewise, if you permit Service Information to be collected and used through a website using the Services, you are choosing to disclose information to both Bombora and the third party with whose brand the website is associated. This Privacy Notice only governs Bombora’s use of your Service Information not the use of any information by any other party.
6.4 International data transfers
Our servers and facilities that maintain our Websites, Services and the information we collect are operated in the United States. With that said, we are an international business, and our use of your information necessarily involves the transmission of data on an international basis. If you are located in the European Union, Canada or elsewhere outside of the United States, please be aware that information we collect may be transferred to and processed in the United States and other applicable territories in which the privacy laws may not be as comprehensive as or equivalent to those in the country where you reside and/or are a citizen.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Notice. This includes implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA in accordance with European Union data protection law. Our Standard Contractual Clauses can be provided upon request. We have implemented similar appropriate safeguards with our third party service providers and partners and further details can be provided upon request.
6.5 Data retention and deletion
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (e.g. to comply with applicable legal, tax or accounting requirements, to enforce our agreements or comply with our legal obligations).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it. If this is not possible (e.g. because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
California “Do Not Track”
California law requires that operators of websites and online services disclose how they respond to a Do Not Track signal. Because there is not yet a common understanding of how to interpret Do Not Track signals, we do not currently respond to Do Not Track signals. However, we provide you with the ability to opt-out of the use of tracking technologies used to send you interest-based advertising as described above.
6.6 Changes to our Privacy Notice
We may revise this Privacy Notice from time to time to reflect changes in our practices or in the applicable law. When such changes are material in nature we will notify you either by prominently posting a notice of such changes prior to implementing them or by directly sending you a notification. We encourage you to review this Privacy Notice periodically. We will always show the date of the latest modification date of the Privacy Notice at the top of the page so you can tell when it has last been revised.
6.7 Contact us
If you have any questions about this Notice or Bombora’s privacy practices, please contact our Data Protection Office by submitting the above form, or by mail using the details provided below:
|US and EEA Residents|
|Attn: Havona Madama, Chief Privacy Officer
419Park Avenue South, Floor 12
New York, NY, United States 10016
If you are resident in the EEA, your data controller is Bombora, Inc.
7.0 IAB Europe Transparency & Consent Framework
Bombora participates in the IAB Europe Transparency & Consent Framework and complies with its Specifications and Policies. Bombora’s identification number within the framework is 163.