Bombora | GDPR
General Data Protection Regulation
Last updated: June 10, 2021
Data privacy requests
Submit requestWhat is the GDPR?
The General Data Protection Regulation (‘GDPR”) is a European law which regulates the data of individuals in the European Economic Area. GDPR went into effect on May 25, 2018. GDPR marks the most significant reform of European data protection law .
The Purpose of the GDPR
The GDPR’s purpose is to create a universal data protection law across the Europe Union. The goal of the law is to protect individual rights and freedoms regarding the use of their personal data. EEA citizens enjoy a fundamental human right to privacy of their personal data.
The Scope of the GDPR
Any business that provides goods and services into the European Economic Area, or that otherwise monitors the behavior of individuals in the European Economic Area (e.g., the use of analytics or ad tech technologies), will be subject to data protection law. Organizations that do not comply with GDPR face potential regulatory fines of up to 4% of annual worldwide turnover, in addition to civil suits from affected individuals.
Bombora’s approach to the GDPR
Bombora recognizes the significance of these reforms both to our clients and to the services we provide. Our customers expect to work with partners who commit to ethical data practices, compliant data protection and information security standards when handling their data. Bombora has adapted the concept of privacy by design and incorporated privacy in every aspect of our organization from the development of our products; to delivering our product and services; to ensuring continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by Bombora.
Data Collection
How does Bombora create its products?
Bombora creates services from data collected by its proprietary Bombora Data Cooperative. Each member of the Data Co-op (“Co-op Member”) contributes data by deploying a javascript or pixel tag provided by Bombora (“Bombora Tag”) on their web properties. A web property is a point of presence (e.g., a website, advertisement, blog) on the web that is an asset of a company used for the purpose of representing a brand.
What data does Bombora collect?
Bombora collects unique identifiers, such as cookie ID or hashed email; IP address and information derived from the IP address, such as city and state; engagement level data, such as dwell time, scroll depth, scroll velocity, and time between scrolls; page URL and information derived therefrom such as content, context and topics; referrer URL; browser type and operating system.
Does Bombora collect Personal Data?
Bombora profiles Companies, not individuals. Bombora does not collect any Personal Data that directly identifies an individual. Bombora collects Cookie IDs and IP addresses, including engagement metrics. The data Bombora collects is not Personal Data because at collection the data is aggregated to create a profile of a company, not an individual.
How is consent collected?
- Bombora has implemented the concept of privacy by design. Bombora has adopted the Interactive Advertising Bureau (IAB) Transparency and Consent Framework (TCFv2) and encourages all Co-op Members to participate.
- Pursuant to TCF protocols, the Bombora Tag sits behind the Consent Management Platform (“CMP”) on each Co-op Member web property. When you visit a Co-op Member web property, the Co-op Members’ CMP collects your explicit informed consent or offers an opt-out. After you provide consent, , the Co-op Member passes the consent string to Bombora, for the purposes you have granted. You can revoke your consent to Bombora for any or all purposes previously granted at anytime HERE. Bombora is member #163 of the IAB Transparency and Consent Framework. For more information, here is an IAB TCF factsheet.
- Co-op Members agree to present their website visitors with the option to consent (and, in some jurisdictions, opt-out) when each visitor lands on the Co-op Member’s web property.
- The Bombora Tag does not collect data unless it receives the appropriate consent signal (where applicable). The Co-op Member collects and records consent from the user in a consent-based model including Bombora and its purposes. Bombora logs the consent from the hosting site via the IAB Transparency & Consent Frameworks as registered vendor #163. This could involve including Bombora’s Purposes in a Consent Management Platform and privacy policy.
- Bombora’s contractual relationships with Co-op Members incorporate the Model Contractual Clauses defining the obligations of Processor and Controller.
Bombora’s Purposes Declarations
- Consent
- Store and/or access information on a device (Purpose 1)
- Create a personalized ads profile (Purposes 3)
- Legitimate Interest
- Measure ad performance (Purpose 7)
- Apply market research to generate audience insights (Purpose 9)
- Develop and improve products (Purpose 10)
- Special Purposes
- Special Purpose 1 – Ensure security, prevent fraud, and debug
- Special Features
- Feature 1 – Match and combine offline data sources
- Feature 3 – Receive and use automatically-sent device characteristics for identification
Data Subject Access Request
It’s important to us that you know that you have the right to access, manage the data that we may have collected about you from third parties. We strive to be as transparent as possible. You have the right to request access to this data at any time. It’s important to us that we provide you with tools to object and restrict the sale of your data, or withdraw consent (where applicable) for the use of data that we may have on you.
You have the following data protection rights:
- You can request access to, or that we change, update or delete your personal information, at any time by completing the above form. Please note that we may impose a small fee for access and disclosure of your personal information where permitted under applicable law which will be communicated to you.
- In addition, if you are a resident of the European Economic Area, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. To exercise these rights please complete the above form.
- You can opt-out of receiving promotional emails from us by clicking the “unsubscribe” link in the email or by completing the above form. Please see ‘your choices’ below for further information about your opt-out choices. If you choose to no longer receive marketing information, we may still communicate with you regarding your security updates, product functionality, responses to service requests, or other transactional, non-marketing, or administrative related purposes.
- If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds
other than consent. - You have the right to complain to a data protection authority about our collection and use of your personal information. Click here to access contact details for data protection authorities in the EEA.
Please note, to help protect your privacy and maintain security, we take steps to verify your identity through OneTrust. OneTrust is the secure administrative software that we use to manage your privacy request.
Please complete the data subject request form to request a copy of your business data from Bombora. The information you submit in this form will only be used to:
identify the platform and/or business data you are requesting, and respond to your request.
Once you submit a data subject access request form we will endeavor to respond to you within 72 hours of receipt of your request. After receipt of your request, please allow Bombora 27 days to process your request. You can also email privacy@bombora.com with any questions or queries you have regarding your data.
Any disclosures we provide will only cover the 12-month period preceding the verifiable Consumer request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. Please note that because most of the information we store can only identify a particular browser or device, and cannot identify you individually. To help protect your privacy and maintain security, we take steps to verify your identity in OneTrust. Making a verifiable consumer request does not require you to create an account with us. Before granting you access to your personal information or complying with deletion, portability, or other related requests, you will need to provide us with some additional information to enable us to identify the personal information we hold about you and ensure that we accurately fulfill your request.