MEDIAMATH USER POLICY
Your use of any services (“Services”) provided by MediaMath, Inc. (“MediaMath”, “we”, “us”) is subject to the following policies (“Policies”). We reserve the right to change or modify any portion of these Policies at any time without notice. Please periodically visit this page to review the current Policies so you are aware of any revisions to which you are bound.
- Your use of the Services must comply with all applicable laws, regulations, and self-regulatory group guidelines, including but not limited to, the Network Advertising Initiative (“NAI”) Code of Conduct, the Digital Advertising Alliance (“DAA”)’s Self-Regulatory Principles for Online Behavioral Advertising and Application of Self-Regulatory Principles to the Mobile Environment (“DAA Principles”), the DAA’s Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices, the DAA’s Application of the Self-Regulatory Principles of Transparency & Accountability to Political Advertising, European Interactive Digital Advertising Alliance (“EDAA”) guiding principles set out in the European Industry Self-Regulatory Framework for Data-Driven Advertising and the Best Practice Recommendation for Online Behavioural Advertising of the European Advertising Standards Alliance (“EASA”), the Digital Advertising Alliance of Canada (DAAC) Self-Regulatory Principles of Online Behavioural Advertising and Transparency for Political Advertising, the Interactive Advertising Bureau (“IAB”) Europe EU Framework for Online Behavioral Advertising, the Australian Digital Advertising Alliance’s (“ADAA”) Best Practice Guideline for Interest Based Advertising, and the Asia-Pacific Economic Cooperation (“APEC”) PrivacyFramework, regardless of your membership status with any of these organizations.
- Your use of the Services must comply with all applicable requirements and guidelines provided by the exchanges or media supply sources from which you purchase media inventory through the Services. For examples of such polices, please visit the Knowledge Base.
MediaMath Creative Policy
The following categories of Creative are prohibited when using the Services. “Creative” refers to ad units, landing pages, or any other content related to or used in connection with the serving of ads using the Services.
|Category||Description and Examples|
|Ad Fraud||Creative associated with any activity designed to sell advertising under fraudulent pretenses, including but not limited to non-human traffic, tag hijacking, hidden ads, domain spoofing, cookie stuffing, generating fake impressions or clicks, misrepresenting advertiser characteristics (such as the landing page URL, advertiser vertical, etc.), reselling of ads under false pretenses, (e.g., misrepresenting the publisher or the type of ad unit), etc. MediaMath reserves the right to identify novel categories and types of Ad Fraud as they emerge.|
|Auto-audio||Creative that automatically initiates audio without the user’s explicit engagement or action|
|Auto-downloads||Creative that contains, or provides access to any files that execute or download software without intentional user interaction. Clicking on an ad must also not initiate a download of any type of file.|
|Auto-redirects||Creative that automatically redirects a user to other sites or applications, without the user’s explicit engagement or action.|
|Deceptive or Misleading||Creative that attempts to trick or deceive a user into taking some action (e.g., “click bait” Creative, Creative that resemble user interface elements, Creative that displays fake errors or warnings, such as warnings about viruses, missing codecs, or corrupt disks, etc.) or markets false or unrealistic promises such as extreme weight loss, anti-aging, etc.|
|Defamation||Creative that depicts, contains, or provides access to material that is damaging to the reputation of another.|
|Delayed Load||Creative consistently taking more than two seconds to initiate the user ad experience.|
|False Claims and Disinformation||Creative that makes a verifiably false or otherwise misleading claim is strictly prohibited.|
|Government Forms or Services||Creative that depicts, contains, or provides access to offers that charge for government forms or services that are available for a lesser charge or free from the government.|
|Hate Speech||Creative that depicts, contains, or provides access to content that incites violence or prejudicial action towards a protected individual or group; or content that disparages or intimidates a protected individual or group.|
|Illegal||Creative that is, or that MediaMath reasonably believes is, likely to be in violation of any applicable law, regulation or court order.|
|Illegal Drugs||Creative featuring or promoting the sale of illegal drugs, pharmaceuticals, or drug paraphernalia. Select creative featuring cannabis-related products may be acceptable where compliant with local law and the “Cannabis Products” section of this User Policy.|
|Implied Knowledge||Creative that implies knowledge of personally identifiable information or any of the following sensitive characteristics about the user to whom the Ad was targeted:
For example, an Ad may not state “Explore your Jewish heritage” because this implies knowledge of the user’s religion. An Ad stating “Learn about Judaism” would be allowed. Similarly, an Ad for coffee may be delivered when a consumer is near a coffee shop, but the Ad may not state “Coffee is just a few steps away” because this implies knowledge of the user’s precise location at that moment.
|Interferes with User Navigation||Creative that disrupts the user’s ability to navigate their experience, e.g., by preventing a user from leaving a page by opening modal dialogs or pop-up windows.|
|Interferes with Another Party’s Content||Creative that obscures, replaces, or modifies another party’s ads or content.|
|Invalid or Improper Classification||Creative that is improperly classified with respect to its characteristics, including but not limited to:
|Lost Video Impression Opportunities||Video creatives where an auction is won but the impression does not serve / creative does not load (e.g., because the VAST is blank or the ad server opts out after winning the impression).|
|Malware||Creative that contains, installs, links to, or prompts the download of any malware, Trojan horse, virus, or any other malicious code. MediaMath reserves the right to identify novel malware types as they emerge.|
|Morally Reprehensible||Creative that MediaMath reasonably deems to be morally reprehensible or patently offensive, and without redeeming social value.|
|Phishing||Creative designed to obtain information from a user under false pretenses (e.g., attempting to extract financial information by posing as a legitimate company, etc.).|
|Piracy||Creative that MediaMath reasonably believes (a) contains content that does, or is likely to, infringe or misappropriate a copyright, trademark, trade secret, or patent of a third party or (b) promotes or induces infringement or misappropriation of a copyright, trademark, trade secret, or patent of a third party.|
|Pornography and Adult Content||Creative that depicts, contains or otherwise advertises pornography, nudity, obscenity, and other material of a sexual nature.
Materials of a sexual nature may include, but are not limited to:
This policy may be applied along additional factors that may vary by jurisdiction, context and cultural sensitivities.
|Reselling||Creative involved in any transaction in which the buyer of an impression triggers a subsequent external auction or creative where the original restrictions and constraints of the seller/publisher are not respected (e.g., buying a display creative and reselling as video creative).|
|Violence||Creative that depicts, contains, or provides access to violent content or content that glorifies human suffering, death, self-harm, violence against animals, or contains graphic or violent images.|
|Weapons||Creative that features the sale of, or instructions to create, bombs, guns, firearms, ammunition or other weapons or weapons accessories.
Examples of weapons and weapon accessories include, but are not limited to:
The following categories of Creative are restricted when using the Services:
|Cannabis||Cannabis-related advertising (advertising products derived from the cannabis plant, including the compounds THC or cannabidiol, as well as any other hemp-derived products; hereafter “Cannabis Ads”) is permitted in select jurisdictions, only.
Advertisers who wish to serve Cannabis Ads must complete an intake questionnaire and submit their creative to MediaMath for approval. Only approved advertisers may serve Cannabis Ads, provided they and their creative comply with the Advertising Standards published by the National Association of Cannabis Businesses, available at https://www.nacb.com/advertising in addition to the remainder of the MediaMath User Policy. Due to the evolving nature of the regulatory landscape around cannabis products, MediaMath reserves the right to reject advertisers or creative for any reason.
Regardless of jurisdiction, targeted audiences for cannabis products may not include users based on any knowledge or inferences about substance abuse, rehab, depression, or other sensitive factors. This prohibition includes geofencing locations associated with sensitive health conditions, such as drug rehabilitation services. Before retargeting based on site visits, clients must receive confirmation that users are above the legal age in the applicable jurisdiction. This can take the form of a dialogue box where a user must indicate their age before entering the site.
Advertisers may only run cannabis ads on MediaMath-approved publishers and exchanges. Not all website and app publishers or exchanges accept Cannabis Ads. Publishers and exchanges may further restrict Cannabis Ads beyond this policy. If you are unsure whether a publisher or exchange will accept Cannabis Ads, please contact your MediaMath account representative.
|Downloads||Where Creative links directly or indirectly to a site that contain software, the software must:
|Political||For the purpose of this Policy, Political Ads shall include any paid-for communications that promote or oppose a political party, a candidate at any level of government for public office, or a ballot initiative, or that attempt to influence political opinion or actions including advertising that takes a position on an issue associated with a registered party or candidate, even if the name of that party, candidate, or initiative is not explicitly mentioned.
The following requirements apply to Clients using the Services to run Political Ads:
|Tobacco, E-Cigarettes, and Related Products||MediaMath clients must comply with all applicable laws and industry self-regulations related to tobacco or e-cigarette advertising in the jurisdictions that they operate, collect data, and serve ads. This includes any laws or regulations related to creative content and the minimum age of targeted or prospected users.
MediaMath’s supply sources may have their own policies and may be more restrictive than this Policy. Clients are responsible for ensuring their ads are compliant with suppliers’ policies.
This Policy also applies to non-tobacco products or products that only contain nicotine. MediaMath considers these types of products as tobacco products and thus subject to all laws and regulations applicable to the jurisdictions in which the client will be operating.
Clients are responsible for ensuring that they target this content properly, including any necessary targeting to avoid underage users. Please reach out to your MediaMath account representative with any questions.
MediaMath Pixeling Policy
The following policies apply to your placement of MediaMath pixels on digital properties, including on Web sites, in emails, and in mobile applications (“Digital Properties”). MediaMath may remove pixels that do not comply with this policy.
|General Requirements||1. You may place MediaMath pixels only on those Digital Properties for which you have the necessary rights and authorizations to do so.
2. Where data is collected by a third party from your Digital Properties for Interest-Based Advertising (“IBA”), Cross-App Advertising (“CAA”), or Retargeting (“Retargeting”), you must provide notice of this data collection and the choices available to users. IBA refers to the collection of data across web domains owned and operated by different entities for the purpose of delivering Ads based on preferences or interests known or inferred from the data collected. CAA refers to the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering Ads based on preferences or interests known or inferred from the data collected. Retargeting is the practice of collecting data about a user’s activity on one Digital Property for the purpose of delivering an ad based on that data on a different, unaffiliated Digital Property.
3. Consistent with the DAA Principles, you may not place MediaMath pixels in toolbars or other locations such that data may be collected from all or substantially all URLs traversed by a web browser across Web sites or all or substantially all applications on a device for IBA, CAA, or Retargeting without MediaMath’s prior review and approval of your consent mechanism. Clients interested in having MediaMath review such a mechanism should reach out to their MediaMath account manager.
4. Sites on which you place MediaMath pixels must comply with all other aspects of this User Policy.
|Children||MediaMath pixels may not be placed on Digital Properties directed at Children (“Child-Directed Digital Properties”).|
|Sensitive Health Conditions||MediaMath pixels may not be placed on Digital Properties related to sensitive health conditions for IBA, CAA, or Retargeting purposes without the user’s specific opt-in consent. MediaMath must review and approve your consent mechanism before you may place MediaMath pixels for such purposes.
Clients may place MediaMath pixels on Digital Properties related to sensitive health conditions for other purposes, such as Ad Delivery and Reporting (“ADR”) without the user’s opt-in consent. ADR is separate and distinct from IBA, CAA, and Retargeting and refers to the collection of data from a computer or device to (i) facilitate the delivery of an ad, or (ii) provide advertising-related services that are not tied to the end user’s known or inferred interests (e.g., frequency capping).
For more information on what constitutes a sensitive health condition, please see MediaMath’s Targeting Policy below.
MediaMath Targeting Policy
The following policies apply to your targeting of ad units (“Ads”) to users through the Services. The policies listed below apply whether you are targeting users based on data collected from Digital Properties (IBA, CAA, or Retargeting) or through data collected about the user offline (“User-Matched Ads”).
|General Requirements||1. You must provide notice of IBA, CAA, and Retargeting data collection and use practices, and the choices available to users, in or around Ads that are informed by IBA (“IBA Ads”), CAA (“CAA Ads”), or Retargeting (“Retargeting Ads”). You can meet your notice and choice obligations by placing the AdChoices Icon on each such Ad you serve using the Services. MediaMath will add the AdChoices icon on behalf of any client who does not opt out of this service and provide written confirmation of their compliance via an alternate mechanism. A small fee will apply.|
|Alcohol||Ads that promote alcohol or alcoholic beverages are restricted by region and may only be targeted to users that (i) reside in a jurisdiction where alcohol advertising is permitted, and (ii) are of the legal age to purchase alcohol within that jurisdiction. Alcohol-related Ads must not be designed, or appear to be designed, to appeal to underage purchasers.|
|Buying Power||You may not target Ads on the basis of negative aspects of that user’s financial status. Examples of prohibited practices include targeting:
You are also not permitted to use data collected from IBA, CAA, or Retargeting to determine a user’s credit eligibility.
|Children||In connection with your use of the Service, you may not:
|Criminal Actions||You may not target Ads on the basis of knowledge or inference of the user’s commission or alleged commission of any crime, such as information indicating that a user has a criminal record.|
|Gambling||For purposes of this Targeting Policy, a gambling-related Ad (“Gambling Ad”) means the following:
Gambling Ads may be targeted to users in jurisdictions where such Ads are not prohibited so long as you comply with the following requirements:
|Health||Health-related advertising (advertising health-related products and services or targeting advertisements based on health-related data) is highly regulated by government and industry. Given the large number of jurisdictions in which MediaMath operates and the myriad of health products and services that exist, it is beyond the scope of this Targeting Policy to define on a jurisdiction-by-jurisdiction basis what constitutes acceptable health advertising. Rather, the guidelines below should be considered a US baseline for use of the Services, with other jurisdictions generally being more restrictive. In particular, please note that under the IAB UK’s “Digital advertising guidance: special category data under the GDPR”, a company seeking to create or use such OBA segments relying on use of special category personal data as defined under Article 9.2 of GDPR must ensure it has “met all other relevant requirements for processing special category data including having a process for obtaining explicit consent (in addition to any consent you may need to obtain to process personal data under Article 6 of the GDPR, and/or to meet the requirements in PECR) before doing so”. As always, clients assume all responsibility for ensuring their advertising is legal in all jurisdictions and acceptable on all exchanges where they intend to advertise. You may not target IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of sensitive health information (“Sensitive Health Data”) without their specific opt-in consent. MediaMath must review and approve your consent mechanism before you may target such Ads to those users on the basis of Sensitive Health Data. Per the NAI Code, Sensitive Health Data includes: (i) information about any past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history, based on, obtained, or derived from pharmaceutical prescriptions or medical records, or similar health or medical sources that provide actual knowledge of a condition or treatment (the source is sensitive) and (ii) information, including inferences, about sensitive health or medical conditions or treatments (the condition or treatment is sensitive regardless of the source). The relevant factors in determining whether a health condition is sensitive include:
Examples of sensitive health conditions include:
You may target IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred interest in a non-sensitive health condition. Per the NAI Code, examples of non-sensitive health conditions include:
You may target IBA, CAA, Retargeting, or User-Matched Ads concerning all health conditions to users on the basis of demographic data (e.g., age, gender).
You may also serve Contextual Ads concerning all health conditions. Contextual Ads are Ads that are targeted on the basis of the content of the digital property the user is currently visiting.
If you are unsure of whether a particular health condition or treatment is sensitive, contact your MediaMath account representative before targeting users on the basis of their interest in that condition or treatment.
MediaMath clients may not serve ads in any jurisdictions where sanctions imposed by the US Office of Foreign Assets Control (OFAC) would prohibit such advertising. At the time of the publication of this Targeting Policy, that list, which OFAC may update from time to time, includes:
Consistent with the NAI Code, you are permitted to target Ads based on the precise location of the device at the time the Ad is served (“geofence”) so long as you do not store the precise location once the ad is served or delivered. Such geofencing may not target:
The above limitations do not apply to more general targeting that includes sensitive locations by nature of its breadth. For example, clients may target New York City, even though there are sensitive health facilities in New York City.
MediaMath reserves the right to require a client to broaden or discontinue its targeting if MediaMath in its sole discretion determines that the targeting may create a negative user experience or is otherwise inappropriate.
Targeting Ads Based on Historic Precise Location Data
For jurisdictions outside the US, you must contact your MediaMath representative before serving IBA, CAA, Retargeting, or User-Matched Ads on the basis of Precise Location Data.
|Political Affiliation or Beliefs||Political Ads in the United States may not be targeted at audiences smaller than the following number of devices according to the scope of the applicable candidate or initiative:
Political Ads in other countries must not be targeted at audiences smaller than comparably sized audiences relative to the population.
Political Ads in other countries must not be targeted at audiences smaller than comparably sized audiences relative to the population. For the purposes of this Targeting Policy, Ads related to a user’s political affiliation or beliefs (“User-Targeted Political Ads”) shall include IBA, CAA, Retargeting, or User-Matched Ads that promote: (i) political figures, opinions, or issues, such as Digital Properties for political candidates, (ii) political groups, (iii) political cause awareness, (iv) advocacy groups, or (v) union memberships.
You may not target User-Targeted Political Ads to users that reside in the European Union or the United Kingdom. You must contact your MediaMath representative before serving User-Targeted Political Ads to users that reside in other non-US jurisdictions.
User-Targeted Political Ads are generally permissible in the US. MediaMath reserves the right to limit or prohibit User-Targeted Political Ads involving particularly sensitive issues (e.g., abortion, sexual orientation, etc.). MediaMath reserves the right to review, request modifications to, or reject any User-Targeted Political Ad at its sole discretion. However, such discretion will not be exercised with the intent to favor or disfavor any particular candidate or political party.
|Race & Ethnicity||In the US, you may serve IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred race or ethnic origin.
In the European Union and the United Kingdom, you may not serve such Ads to users.
|Religion||In the US, you may serve IBA, CAA, Retargeting, or User-Matched Ads to users on the basis of their known or inferred religion or religious beliefs.
In the European Union and the United Kingdom, you may not serve such Ads to users.
|Sexual Orientation||You are not permitted to target IBA, CAA, Retargeting, or User-Matched Ads to users based on their known or inferred sexual orientation, including indirect inference (e.g., donation to LGBT advocacy groups), without their specific opt-in consent. MediaMath must review and approve your consent mechanism before you may target such Ads. Clients interested in having MediaMath review such a mechanism should reach out to their MediaMath account manager.|
Thank you for your interest in the MediaMath Beta Program. Participation in a Beta Program is voluntary and allows you to test and provide feedback on developing/pre-release features, products, and services which shall be designated as “beta” (the “Beta Services”). Participation in the Beta Program includes early access to beta product functionality, the opportunity to gain knowledge of performance impact and develop best practices ahead of others and the ability to influence the early development and direction of a product. By accessing or using Beta Services, you agree to be bound all of the terms and conditions described in this Beta Policy and to actively engage in the testing and feedback process.
NO OBLIGATIONS: You acknowledge and agree that a Beta Service may contain features that will be altered in the final release of the same or similar Service and that availability of any Beta Services during the course of a Beta Program shall not create any obligation for MediaMath to continue to develop, productize, support, repair, offer for sale or in any other way continue to provide or develop any Beta Service. While we may intend to release a final version of a certain Beta Service, we reserve the right to never make any particular Beta Service generally available. You further acknowledge the duration of the beta phase and any features and functions of a Beta Service are subject to change at any time at MediaMath’s discretion.
FEEDBACK: An essential function of the Beta Program is to gather feedback from participants. We value all input from all participants in the Beta Program. You agree that you will use reasonable commercial efforts to use the Beta Services, notify MediaMath of all errors and problems you identify through your use of any Beta Services and that you will attempt to ascertain steps leading to reproduction of any such errors. You also agree that you will communicate to MediaMath any suggestions or requests for enhancements relating to the operation or further development of a Beta Service and that by doing so you assign all right, title and interest in and to any resulting intellectual property based upon such suggestions or requests, including without limitation all patent, copyright, trade secret, trademark or other intellectual property rights. You acknowledge that MediaMath is not obligated to accept and implement any feedback provided by you and that the use of such feedback is solely in MediaMath’s discretion.
OWNERSHIP: Subject to the limited rights expressly granted hereunder, MediaMath reserves all rights, title and interest in and to the Beta Services and any anonymized aggregated data resulting from your use of the Beta Services, including all related intellectual property rights therein and thereto. No rights are granted to you other than the right to access and use the Beta Services for the purposes of testing and evaluation. You may not create any derivative works from the Beta Services or modify, reuse, disassemble, decompile, reverse engineer or otherwise translate any Beta Services or any portion thereof. You also may not access the Beta Services in order to build a competitive product or service.
MARKETING: You agree that MediaMath may use your name and associated marks in its marketing materials solely with respect to marketing Beta Services used by you, which shall include white papers, case studies and press releases.
PAYMENTS & PRICING: Certain Beta Services may incur a fee, which will be invoiced to you in accordance with your Master Services Agreement with MediaMath. You agree and acknowledge that you shall be liable for all fees incurred in connection with your use of a Beta Service even in the event of an error in the Beta Services affecting the performance of the Beta Service (other than a billing error), or Other than a billing error or tracking error resulting in an erroneous fee, you shall remain liable for all fees incurred with your usage of the Beta Service, including in the event of an error in the Beta Services that affects the performance or outcome of the Beta Service. Unless otherwise agreed to by you and MediaMath, fees for any Beta Service are subject to change during the beta period and after such beta period.
CONFIDENTIALITY: You agree to treat all Beta Services, as well as the nature and content of the Beta Program, as confidential information and will not without our express written authorization: (i) demonstrate, copy, market, sell or otherwise commercially exploit any features or functions of any Beta Services to any third party; (ii) publish or otherwise disclose information relating to performance or quality of any Beta Services to any third party; or (iii) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in the Beta Services.
NO WARRANTY: THE BETA SERVICES BEING ACCESSED BY YOU CONSIST OF PRE-RELEASE CODE, MAY CONTAIN ERRORS, BUGS OR DEFECTS AFFECTING PROPER OPERATION OR FULL FUNCTIONALITY, MAY EXPERIENCE PERFORMANCE ISSUES, CRASHES, OR DATA LOSS, AND IS NOT AT THE LEVEL OF PERFORMANCE OF A GENERALLY AVAILABLE SERVICE. BY USING THE BETA SERVICES, YOU ACKNOWLEDGE YOUR UNDERSTANDING THAT A PRIMARY PURPOSE OF THIS BETA PROGRAM IS TO OBTAIN FEEDBACK ON PERFORMANCE AND IDENTIFY DEFECTS. YOU ARE ADVISED TO SAFEGUARD IMPORTANT DATA, AND NOT TO RELY IN ANY WAY ON THE CORRECT FUNCTIONING OR PERFORMANCE OF BETA SERVICES. BETA SERVICES ARE provided “AS IS” without warranty of any kind AND ANY WARRANTIES TO THE EXTENT AUTHORIZED BY LAW, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE. In no event shall MEDIAMATH be liable for any damage whatsoever arising out of the use of or inability to use THE BETA SERVICES, even if YOU HAVE been advised of the possibility of such damages.
DATA PROTECTION POLICY
This policy takes effect on the Effective Date below and shall be incorporated by reference into and form an integral part of your agreement with MediaMath, Inc. or any of its Affiliates (“MediaMath”) (the “Agreement”) unless a separate data processing agreement has been agreed between the parties. In the event of any conflict, ambiguity or inconsistency between the terms of this Policy including its Schedule A and the Agreement, Schedule A then this Policy then the Agreement shall take precedence with respect to the subject matter herein.
- Definitions: The following terms shall have the following meanings in this Policy:
“Ad(s)” means the advertising content, including text, graphics, rich media, video and/or audio material (and combination thereof), that is displayed on digital media inventory.
“Ad Tag” means software code (e.g., HTML5) or a web beacon (e.g., pixel tag, clear GIF) that (i) collects data regarding a user’s actions in or on a Site or a user’s interaction with an Ad or (ii) requests the delivery of an Ad to a Site.
“Advertiser Data” means Client Data.
“Affiliate” means, with respect to a party, an entity that directly or indirectly controls, is controlled by or is under common control with such party. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the economic or voting interest of an entity.
“Applicable Laws” means all laws and regulations which apply to each party in connection with the Agreement, the performance and receipt of the Services, the use of the Service Platform and the processing of Client Data, MediaMath Data and any related personal data, to include without limitation European Law, Section 5 of the FTC Act, California Consumer Privacy Act (“CCPA”) and any applicable industry self-regulatory regulations, to include without limitation the NAI Code and the DAA Code.
“Client Data” means all electronic data which is provided to MediaMath by Client as part of the Services or which is provided or made available to Client by MediaMath or its Affiliates through Client’s use of the Services, including personal data contained therein (including any data which is specific to Client), but excluding the MediaMath Data.
“Controller Purposes” means Client Controller Purposes or MediaMath Controller Purposes as defined in Schedule A.
“DAA Code” means the set of Digital Advertising Alliance Self-Regulatory Principles for Multi-Site Data posted at http://www.aboutads.info/msdprinciples (or any successor site) such as the Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices, and its applicable regional counterpart, if any.
“Deletion Request” means a request received by MediaMath from an individual requesting deletion of their personal data held by MediaMath.
“EEA” means the European Economic Area (which shall be deemed to include the United Kingdom throughout the term of the Agreement).
“Effective Date” means the 27 June 2021.
“European Law” means Regulation 2016/679 (GDPR); (iii) Directive 2002/58/EC (as amended or replaced from time to time) and applicable laws implementing that directive in Member States; and, (iv) any data protection and privacy laws in the United Kingdom from time to time. References in this Policy to “controller“, “data subject“, “personal data“, “process“/”processed“/processing“, “processor” and “special categories of personal data” shall have the meanings given in European Law.
“Licensee Data” means Client Data.
“MediaMath Data” means all data generated from Client’s use of the Services (and other clients and partners of MediaMath and its Affiliates) (including any MMUIDs) that does not specifically identify or relate to Client; any data made available by MediaMath for targeting users; the data relating to any error by, issue with, or enhancement to the operation of the Services and the data that MediaMath would have regardless of Client’s use of the Services.
“MediaMath Controller Purposes” means as defined in Schedule A.
“MMUID” means any unique identifier which is created, assigned or retained by MediaMath in respect of each user who interacts with a Site.
“NAI Code” means the Code of Conduct promulgated by the Network Advertising Initiative (“NAI”), located at the following website, or any successor website: https://www.networkadvertising.org/sites/default/files/nai_code2018.pdf, including any official guidance provided by the NAI such as the NAI 2015 Guidance on Determining Whether Location is Imprecise.
“PII” means information that identifies or could be used to identify a particular individual as compared to a particular device such as name, address, telephone number, email address, financial account number, government-issued identifier or date of birth.
“Processing Activities” means as defined in Schedule A.
“SAR” means a request received by MediaMath which does not specifically refer to Client from an individual for a copy of their personal data held by MediaMath.
“Security Incident” means in relation to Client Data or MediaMath Data a breach of security resulting in (i) accidental or unlawful destruction or loss, or (ii) unauthorized disclosure or access.
“Sensitive Information” means: (i) any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) genetic data; (iii) biometric data for the purposes of uniquely identifying a natural person; (iv) data concerning sensitive health conditions; (v) data concerning a natural person’s sex life or sexual orientation; (vi) any personal data about a minor under the age of 13; (vii) any financial account numbers or insurance plan numbers that can be used to identify an individual; (viii) any government-issued identifiers; or (ix) characteristics deemed sensitive under the NAI Code. In Schedule A the definition of Sensitive Information shall be as above, except that it will also include any personal data about minors between the ages of 13 and 16.
“Service Platform” means MediaMath’s proprietary software known as Future Proofed Platform™ or any other software platform MediaMath may make available to Client.
“Services” means all services available on the Service Platform or otherwise agreed to by MediaMath pursuant to an applicable Order Form or SOW.
“Site” means a digital property that is accessible by users (including websites, mobile sites and software applications).
2. Client Security. Client shall be responsible for maintaining the confidentiality of any login credentials, of appropriately limiting dissemination of the login credentials to its employees, contractors or agents, and for using commercially reasonable efforts and appropriate technological and organizational measures to prevent unauthorized access to the Service Platform. Client shall maintain current records of all individuals to whom it allows access to the Service Platform and shall provide identifying information regarding such individuals to MediaMath upon request.
4. This Policy shall be governed, construed and enforced in accordance with the laws of the Agreement.
European Law Requirements
- Definitions. As used in this Schedule A, the following terms shall have the following meanings:
“Client Controller Purposes” means for the purposes of receiving the Services; and as is more particularly described at www.mediamath.com/legal/processingpurposes.
“Model Clauses” means the SCCs populated with the information described in the Annex to this Schedule A. References to “Module One” and “Module Two” have the meaning outlined in the Model Clauses.
“MediaMath Controller Purposes” means improving and enhancing the Services, including identifying, blocking and removing data considered to be unlawful or fraudulent; the bidding process; and as is more particularly described at www.mediamath.com/legal/processingpurposes.
“Privacy Shield” means the EU-US Privacy Shield and the Swiss-US Privacy Shield as applicable.
“Processing Activities” means processing Ad Tags placed by or on behalf of Client and as more particularly described at www.mediamath.com/legal/processingpurposes.
“SCCs” means: (i) the standard contractual clauses and its appendices in European Commission Implementing Decision (EU) 2021/91 of 4 June 2021 relating to transfers of personal data to third countries pursuant to Regulation (EU) 2017/679 and any successor clauses issued from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction, in each case, in relation thereto (the “EU SCCs”) and (ii) standard data protection clauses specified in regulations made by the Secretary of State under section 17C(b) of the 2018 Data Protection Act and for the time being in force in the United Kingdom (the “UK SCCs”).
- Scope. The rights and obligations in this Schedule A apply to the collection, processing and sharing of personal data originating in the EEA by and between MediaMath, Client and certain third parties (e.g. subprocessors including Affiliates of MediaMath). For the purposes of this Schedule A references to Client Data shall mean any personal data incorporated in Client Data and references to MediaMath Data shall mean any personal data incorporated in MediaMath Data.
- General Obligations.
a. Both parties will comply with all applicable requirements of European Law.
b. Client will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of Client Data to MediaMath for the duration and purposes of this Agreement.
- Appointment of MediaMath as Client’s Processor.
- The parties acknowledge that for the purposes of European Law, Client is the data controller of Client Data and appoints MediaMath as its data processor for the Processing Activities.
- MediaMath shall, in relation to any Client Data processed for the Processing Activities in connection with the performance by MediaMath of its obligations under this Agreement:
- process that Client Data only in accordance with the Processing Activities (or as otherwise agreed in writing);
- ensure that all personnel who have access to and/or process Client Data are obliged to keep Client Data confidential;
- process Client Data transferred out of the EEA in accordance with the Privacy Shield principles;
- assist Client, at Client’s cost, in responding to any request from a data subject received directly by the Client or received by MediaMath which explicitly refers to the Client and in ensuring compliance with its obligations under European Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- notify Client without undue delay upon becoming aware of any confirmed Security Incident relating to Client Data;
- upon written request of Client, delete or return Client Data and copies thereof to Client on termination of the Agreement unless required by a judicial or other governmental order or by applicable law to retain some or all Client Data. This requirement shall not apply to Client Data MediaMath has archived on back-up systems; and
- maintain accurate records and information to demonstrate its compliance with this clause 4(b) of this Schedule A.
- Client consents to MediaMath appointing subprocessors to process Client Data, such subprocessors will be listed at www.mediamath.com/legal/subprocessors which MediaMath shall update with any details of any changes at least 10 days prior to the change. MediaMath confirms that it has entered or (as the case may be) will enter with the subprocessor into a written agreement requiring it to protect Client Data to the standard required by European Law. As between Client and MediaMath, MediaMath shall remain fully liable for all acts or omissions of any subprocessor appointed by it pursuant to this clause 4(c) of this Schedule A. Client may object to the replacement of a subprocessor provided such objection is on reasonable grounds. If Client objects to such appointment and is unable to select an alternative subprocessor then Client may terminate the applicable Services provided in the EEA without prejudice to Client’s obligations to pay any fees under this Agreement due up to the date of termination of such Services (or subsequent pro-rated fees).
- MediaMath uses external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which the Services are provided. The audit: (a) will be performed at least annually; (b) will be performed according to SSAE 16 audit standard or such other alternative standard that is substantially equivalent to SSAE 16; (c) will be performed by independent third party security professionals at MediaMath’s selection and expense; and (d) will result in the generation of an audit report which will be MediaMath’s Confidential Information. MediaMath shall provide Client with a copy of the report upon written request.
- Notwithstanding the commitment provided by MediaMath in clause 4(b)(iii) above, MediaMath and Client agree that for the purposes of any transfer of Client Data out of the EEA and/or the UK, to MediaMath to process for the Processing Activities:
- the Module Two Model Clauses shall be incorporated into this Agreement between them; and
- the Module Two Model Clauses shall be interpreted in accordance with the details provided in the Annex to this Schedule A.
- Sharing of Personal Data between Client and MediaMath as Controller.
a. Client shall disclose Client Data to MediaMath on an independent controller to controller basis for the MediaMath Controller Purposes.
b. MediaMath shall, in relation to any Client Data processed for MediaMath Controller Purposes:
- process Client Data only for the MediaMath Controller Purposes (or as otherwise agreed in writing) and in respect of any Client Data transferred out of the EEA, in accordance with the Privacy Shield principles;
- promptly inform Client of any request from a supervisory authority or regulator related to the processing of Client Data conducted by MediaMath and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
- notify Client without undue delay on becoming aware of any confirmed Security Incident relating to Client Data; and
- maintain accurate records and information to demonstrate its compliance with this clause 5(b) of this Schedule A.
c. Notwithstanding the commitment provided by MediaMath in clause 5(b)(i) above, MediaMath and Client agree that for the purposes of the transfer of Client Data outside of the EEA and/or the UK, to MediaMath to process for the MediaMath Controller Purposes:
i. the Module One Model Clauses shall be incorporated into this Agreement between them; and
ii. the Module One Model Clauses shall be interpreted in accordance with the details provided in the Annex to this Schedule A.
- Sharing of Personal Data between MediaMath and Client as Controller.
- MediaMath will through performance of the Services make available MediaMath Data to Client on an independent controller to controller basis for Client Controller Purposes.
- Client shall, in relation to any MediaMath Data processed for Client Controller Purposes:
- process MediaMath Data only for Client Controller Purposes (or as otherwise agreed in writing) and in accordance with the level of protection required by the Privacy Shield principles (and if Client fails to do so, it will promptly notify MediaMath in writing and remedy the breach or MediaMath will have the right to suspend the Services and/or terminate the Agreement);
- maintain appropriate technical and organizational measures and commercially reasonable and appropriate administrative and physical, measures for the security and confidentiality of MediaMath Data from a Security Incident;
- ensure that all personnel who have access to and/or process MediaMath Data are obliged to keep such MediaMath Data confidential;
- not process any MediaMath Data in a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with European Law;
- promptly inform MediaMath of any request from a data subject, supervisory authority or regulator related to the processing conducted by Client and cooperate as necessary to respond to such correspondence and fulfil each parties’ respective obligations under European Law;
- notify MediaMath without undue delay on becoming aware of any confirmed Security Incident involving MediaMath Data; and
- maintain accurate records and information to demonstrate its compliance with this clause 6(b) of this Schedule A.
c. MediaMath and Client agree that for the purposes of any processing of MediaMath Data outside of the EEA and/or the UK, by Client for Client Controller Purposes:
- The Module One Model Clauses shall be incorporated into this Schedule A between them; and
- The Module One Model Clauses shall be interpreted in accordance with the details provided in the Annex to this Schedule A.
- Privacy Shield.
MediaMath shall be entitled to provide a copy of this Schedule A and any other provisions of this Agreement to the US Department of Commerce, the Federal Trade Commission, any supervisory authority or regulator on their request (notwithstanding any other provision of this Agreement).
Annex to Schedule A
Interpretation of Model Clauses
- This Annex sets out the parties agreed interpretation of their respective obligations under the applicable Module One and Module Two Model Clauses for transfers incorporated between them by Schedule A (together the “Model Clauses”).
- In the event that a competent supervisory authority or court of competent jurisdiction determines that any provision of this Annex conflicts with the requirements of the applicable Model Clauses, then the terms of the applicable Model Clauses shall prevail.
- As between MediaMath and Client, any claims brought under the applicable Model Clauses or Schedule A shall be subject to the terms of the Agreement, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall either MediaMath or Client limit or exclude its liability with respect to any data subject rights under the applicable Model Clauses.
- The parties agree that for the purposes of transfers of Client Data to MediaMath under the Module One and Module Two transfers, in particular Annex I, Annex II and Annex III, the following details shall apply:
|Data exporter:||Client, Contact details: as specified in an Order Form or SOW|
|Data exporter role:||Controller – as specified in the Processing Purposes Table.|
|Data importer:||MediaMath, Contact: DPO, Contact Details: 4 World Trade Center, New York, New York 10007, USA, +1 646-840-4200; firstname.lastname@example.org|
|Data importer role:||Controller and Processor – as specified in the Processing Purposes Table.|
|Categories of data subjects:||Individuals who visit Client’s digital properties (websites or mobile advertising platforms) or are served with digital advertising on behalf of the data exporter through the use of MediaMath’s advertising technology platform.|
|Categories of data transferred:||As described in Column 3 of MediaMath’s processing purposes table https://www.mediamath.com/legal/processingpurposes/ (the “Processing Purposes Table”) (no special category or sensitive data).|
|Purposes of the transfer(s):||The activities undertaken by MediaMath on behalf of the Client are set out in column 4 and 5 of the Processing Purposes Table.|
|Frequency||Daily in response to Client site and impression events.|
|Retention||Retained in accordance with Client and MediaMath’s respective data retention policies.|
|Governing law and Competent Supervisory Authority:||The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR the Berlin Commissioner for Data Protection and Freedom of Information of the German Data Protection Authorities (German DPAs) and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC). With respect to UK data, the competent supervisory authority is the Information Commissioners Office (the “ICO”).|
|Technical and organisational security measures:||A description of the technical and organisational security measures implemented by the MediaMath are set out at https://www.mediamath.com/legal/terms/information-security/|
|Recipients and Subprocessors||MediaMath, its affiliates and its subprocessors engaged by the data importer to support its digital advertising services in accordance with Article 28 GDPR and its partners where necessary in connection with its digital advertising services. Additional subprocessors as listed at https://www.mediamath.com/legal/subprocessors/|
5. The parties agree that for the purposes of transfers of MediaMath Data to Client under the Module One Model Clauses, in particular Annex I, Annex II and Annex III, the following details shall apply:
|Data exporter:||MediaMath, Contact: DPO, Contact Details: 4 World Trade Center, New York, New York 10007, USA, +1 646-840-4200;
|Data exporter role:||Controller – as specified in the Processing Purposes Table.|
|Data importer:||Client, Contact details: as specified in an Order Form or SOW|
|Data importer role:||Controller – as specified in the Processing Purposes Table.|
|Categories of data subjects:||Individuals who visit the digital properties (websites or mobile advertising platforms) of MediaMath’s clients or served ads through the data exporter’s advertising technology platform.|
|Categories of data transferred:||As described in Column 6 of the Processing Purposes Table (no sensitive or special category data).|
|Purposes of the transfer(s):||For Client to process the MediaMath Data as an independent controller for certain Client Controller Purposes as more particularly described in Column 7 of the Processing Purposes Table.|
|Retention||Retained in accordance with Client and MediaMath’s respective data retention policies.|
|Competent Supervisory Authority:||The competent supervisory authority, in accordance with Clause 13 of the EU SCCs will be, for Data protected by the EU GDPR the Berlin Commissioner for Data Protection and Freedom of Information of the German Data Protection Authorities (German DPAs) and for Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner (FDPIC). With respect to UK data, the competent supervisory authority is the ICO.|
|Recipients and Subprocessors||Client, its affiliates and its subprocessors engaged by the Client to support its digital advertising services in accordance with Article 28 GDPR and its partners where necessary in connection with its digital advertising services.|
6. In addition to the above, the parties agree that the Model Clauses for Module One and Module Two transfers will be interpreted as follows:
a. In Clause 7, the optional docking clause will apply;
b. in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be 30 days;
c. in Clause 11, the optional language will not apply;
d. in Clause 17, Option 1 will apply, and the EU SCCs shall be governed by the laws of Berlin, Germany;
e. in Clause 18(b), disputes shall be resolved before the courts of Berlin, Germany;
f. For the purposes of Clause 8.5(a), (b) and (c), as well as Annex II of the EU SCCs, the parties agree to the security measures described in the relevant table above.
g. For the purposes Clause 8.6(a), as well as Annex II of the EU SCCs, the parties agree to the security provisions contained in the relevant table above.
h. For the purposes of Clause 8.5 (d), (e) and (f), where MediaMath is required by a respective clause in the EU SCCs or is otherwise legally compelled to notify the data subjects or the competent supervisory authority of a personal data breach, MediaMath will first provide Client with the details of the notification permitting Client to have prior written input into the respective notification, where Client desires to do, and without delaying the timing of the notification unduly.
7. In relation to MediaMath Data or Client Data that is protected by the UK GDPR, the EU SCCs as implemented in accordance with Schedule A above shall apply provided that:
a. references to “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR, references to “EU”, “Union” and “Member State law” shall be interpreted as references to English law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in England;
b. to the extent and for so long as the EU SCCs as implemented in accordance with paragraph (i) above cannot be used to lawfully transfer the Data protected by the UK DPA and the UK GDPR to MediaMath, the UK SCCs shall be incorporated into and form an integral part of this Agreement and shall apply to such transfers; an
c. for the purposes of the UK SCCs (where applicable) the relevant Appendices of the UK SCCs shall be deemed completed using the information contained in this Annex A
8. In relation to Data that is protected by the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”), the EU SCCs as implemented in accordance with Schedule A above will apply provided that references in the EU SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA, references to “EU”, “Union” and “Member State law” shall be interpreted as references to Swiss law, and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland.
9. Additional Organizational safeguards and measures. MediaMath are not subject to EO 12333, because EO12333 only applies to US federal agencies. However, like all businesses that provide computer processing services anywhere in the world and that are subject to the jurisdiction of the United States, MediaMath is subject to FISA Section 702, which the US government relies upon to access data related to national security issues without regard to the physical location of the data (for example, data stored in the EU is subject to disclosure under FISA Section 702). Although the US government in theory could seek access to data by serving a FISA warrant on MediaMath, the US government typically serves FISA warrants on telecommunications companies or providers of services or equipment designed specifically to facilitate communications (for example, AT&T, Verizon, Facebook, Twitter, etc.). To that point, MediaMath have never received a FISA warrant and does not anticipate being compelled to disclose any data pursuant to FISA Section 702. MediaMath hereby confirms that due to the nature and architecture of its Platform, it is not feasible to limit processing services to a data centre located in the EU. MediaMath will monitor updated guidance from data protection authorities and incorporate such guidance as appropriate into a robust privacy and security program that evolves with the changing legal and regulatory landscape.
10. The Model Clauses shall be treated as Confidential Information for the purposes of this Agreement, and may not be disclosed by MediaMath or Client to any third party except where and to the extent permitted by the Agreement. This shall not prevent disclosure of the Model Clauses to a data subject or a supervisory authority pursuant to the Model Clauses.
11. In the event that Client wishes to terminate the Model Clauses, then Client shall endeavour to provide notice to MediaMath and provide MediaMath with thirty (30) days to cure the non-compliance (“Cure Period”). If after the Cure Period, MediaMath has not or cannot cure the non-compliance, then Client may terminate the Agreement immediately in accordance with the termination provisions of this Agreement. Client shall not be required to provide such notice in circumstances where it considers there is a material risk of harm to data subjects or their personal data.
12. The audit provisions at section 4(d) of Schedule A (“Audit Provisions”), shall also govern audit rights under the Model Clauses. In the event that Client wishes to exercise its audit rights under the Model Clauses, provided that this section does not conflict with Clause 13(b) of the Model Clauses for Module One and Module Two, then the Audit Provisions will exclusively govern Clients’ and MediaMath’s obligations with respect to such audits
13. The sub-contracting provisions set out in Schedule A (“Sub-Contracting Provisions”), shall also govern subcontracting rights under the Model Clauses. In the event that MediaMath wishes to engage a sub-processor under the Model Clauses then, provided that MediaMath complies with the requirements of the Sub-Contracting Provisions, Client shall deem MediaMath to have complied with its sub-processing obligations of the Model Clauses.
14. MediaMath shall be deemed to have complied with the Model Clauses to the extent that it shall (on a confidential basis), if requested by Client, provide to Client all information it reasonably can in connection with any onward subprocessing agreement it concludes under the Model Clauses.
15. For the purposes of the Model Clauses, the parties acknowledge that Client Data may be archived by MediaMath on back-up systems for security and business continuity purposes. Deletion of such archived Client Data shall be in accordance with MediaMath’s standard archival procedures, provided that MediaMath warrants that it will guarantee the confidentiality of the relevant Client Data and will not actively process it anymore.
Last Revised: November 20, 2021