Services Privacy Notice

This Services Privacy Notice (“Notice”) describes how Vistar Media, Inc. (“Vistar”) processes personal information when providing advertising, measurement, and related services to our clients. This Notice also describes your choices over such processing.

This Notice applies to only our core services, which help clients identify where and when to place advertisements on mobile and digital-out-of-home (“DOOH”) media to reach target audiences (“Services”). This Notice does not describe how we process personal information in relation to our websites, platforms, and other digital properties (“Sites”). You can read more about how we process personal information in relation to our Sites by reading our Website Privacy Notice.

“Personal information” is information that identifies or can be reasonably linked, directly or indirectly, with an individual. This Notice does not apply to anonymous, de-identified, or aggregate personal information as defined under applicable law.

This Notice addresses the following topics:

1. How We Collect Personal Information
2. How We Use Personal Information 
3. How We Disclose Personal Information
4. Your Rights Over Your Personal Information  
5. Contact Us 
6. Changes To The Policy 
7. Additional Information For UK & European Residents 
8. Your California Privacy Rights 
9. Your Virginia & Other State Privacy Rights

1. How We Collect Personal Information

We provide the Services using personal information obtained from third parties, such as our clients, data suppliers, and measurement partners. We may process the following types of personal information in the course of providing the Services:

• Device Information: We may receive information such as device identifiers, mobile advertising identifiers, and device type. We may also receive information regarding devices that presented or were near Vistar-facilitated advertisements.
• Demographic Information: We may receive demographic information, such as information about income or age range and household locations, associated with device identifiers.
• Device Location Histories: We may receive device location histories associated with device identifiers.
• Commercial Activity and Preferences: We may receive information about commercial activity, such as preferences such as buying preferences, associated with device identifiers. We may also receive survey responses tied to device or other unique identifiers.
• Publicly Available Information: We may also collect publicly available information, such as point of interest information.

The Services do not require – and we do not aim to collect – information that directly reveals an individual’s identity, such as name or email address.

Our clients and data suppliers may collect the information above from individuals using a variety of technologies, including cookies, software development kits, and other digital trackers deployed on websites, mobile applications, or other digital services. They might collect device location information via GPS, WiFi, or other location-based features. You may be able to modify or disable the sharing of device location in your device settings. 

2. How We Use Personal Information

We use the information we collect to provide services to our clients. That includes:

• Learning where to place DOOH ads to best reach defined audiences;
• Delivering ads to DOOH or mobile devices;
• Learning how individuals respond to ads;
• Analyzing device movement patterns;
• Learning whether devices that are exposed to ads are more likely to visit certain locations; and
• Providing clients with reports illustrating how ad exposure may influence consumer outcomes.

We may use or disclose information that is anonymous, de-identified, or aggregated for any purpose. We do not, and will not attempt to, re-identify de-identified information. Where permitted by law, we use the information we collect to improve our products and services.

We act as a “data processor” when providing the Services in the European Economic Area (“EEA”) and the United Kingdom, which means that we process personal information at the direction and for the benefit of our clients, who are “data controllers” or who act on behalf of other “data controllers.” Please visit “Additional Information for European Visitors” for more information about what this means for you.

3. How We Disclose Personal Information

We disclose personal information to the following categories of persons and in the following circumstances:

• Clients: To clients or their agents for their own purposes. The information we disclose may include, for example, information about the devices exposed to Vistar-facilitated advertisements and reports about the impact that Vistar-facilitated advertisements had on consumer preferences and activities. We do not share device location histories with clients.
• Advertising Intermediaries and Market Research Companies: To advertising intermediaries and market research companies involved in the delivery and measurement of advertisements on behalf of our clients. We do not share device location histories with advertising intermediaries and market research companies.
• Service providers: To service providers that process or collect personal information on our behalf, for example to provide services such as marketing support, technical assistance, data hosting, payment processing, customer service support, and data analytics.
• Legal Compliance and Protection of Our Rights: To regulators, law enforcement, government authorities, and other third parties where we believe it necessary to comply with a legal or regulatory obligation, including a court order, subpoena, and regulatory request. We may also disclose information when we believe in good faith that such disclosure will help us protect our rights, interests, or safety, the rights, interests, or safety of third parties, or detect, prevent, or respond to fraud, intellectual property infringement, cybersecurity intrusions, or other illegal activities.
• Transfer of Business Assets: To a third party involved in the consideration, negotiation, or completion of a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of Vistar or as part of a corporate reorganization or stock sale or other change in corporate control.
  

We may disclose information that is anonymous, de-identified, or aggregated to any recipient for any purpose.

4. Your Choices

There are many ways to opt out of receiving targeted advertising that our clients may facilitate using our Platform or other technology. Different devices use different technologies and identifiers, so users must separately opt out from each browser and device. Once you opt out of targeted advertising, your personal information will no longer be processed for targeted advertising on that device or browser.

Mobile Apps and Location Data

Your mobile device may give you the ability to opt out of the use of information regarding the apps that you use for targeted advertising. You may opt out of the collection of location information by specific apps or from your entire device at any time by changing your preferences on your mobile device. For more information regarding your preferences and options, please see the link found here http://www.networkadvertising.org/mobile-choice and in the Cookies, Tracking, and Interest-Based Advertising section below.

• Cookies, Tracking, and Interest-Based / Targeted Advertising

If you would like to stop or restrict the placement of cookies or flush any cookies that may already be on your computer or device, please refer to and adjust your web browser preferences. Further information on cookies is available at www.allaboutcookies.org. By deleting cookies or disabling future cookies, you may not be able to access certain areas or features of certain services or some of its functionality may be affected. 

For clarity, cookie-based opt-outs must be performed on each device and browser that you wish to have opted out. For example, if you have opted out on your device browser, that opt-out will not be effective on your mobile device. Additionally, if you opt out on one of your devices, that opt out may not be effective on all of your devices. You must separately opt out on each device. 

Please note that cookie-based opt-outs are not effective on some mobile services. Users may opt out of certain advertisements on mobile applications or reset advertising identifiers via their device settings.  To learn how to limit ad tracking or to reset the advertising identifier on your iOS and Android device, click on the following links: 

iOS - https://support.apple.com/en-us/HT202074

Android - https://support.google.com/ads/answer/2662922?hl=en

You may also download and set your preferences on the DAA’s App Choices mobile application(s) provided by the Digital Advertising Alliance (DAA) available in Google Play or the Apple App stores to opt-out of behavioral advertising from DAA members.

• Do Not Track

Some browsers have a “do not track” (also known as DNT) feature that lets you tell websites that you do not want to have your online activities tracked. Please note that, unless required by law, we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers. However, we treat Global Privacy Control signals as opt-out of sharing of personal information for cross-context behavioral advertising requests under the California Consumer Privacy Act/California Privacy Rights Act, and as opt-out of processing for targeted advertising requests under the Virginia Consumer Data Protection Act.

Subject to local law, you may have certain rights over your personal information. These rights may include, depending on the circumstances, the rights to:

• access your personal information;
• delete personal information collected from you;
• receive additional information regarding the sources from which we collect personal information, the purposes for which we collect and share personal information, the personal information of yours we hold, and the categories of parties with whom we share your personal information;
• not be subject to unlawful discriminatory actions based on exercising your rights;
• stop certain disclosures of your personal information; and
• withdraw any consent you have given to such processing.

If you would like exercise your rights under local law, please contact us at Privacy@VistarMedia.com, or using updating Your Privacy Choices, or at 1-833-202-5126 to leave us a message, or send a letter to our Data Protection Officer at 149 Fifth Avenue, Sixth Floor, New York NY 10010.

California residents should consult the “Additional Information for California Residents” section for more information about their rights and additional disclosures.

5. Contact Us

If you have questions or concerns regarding the way in which we process your personal information, please contact us at Privacy@VistarMedia.com.

6. Changes to the Policy

We may modify or update this Notice from time to time. Any modifications or updates that we post will be effective immediately except where prohibited by law or as we otherwise indicate. We will notify you of changes to this Notice by updating the date at the top of this Notice or by providing notice by other means as may be appropriate.

7. Additional Information for UK & European Residents

The Services may be provided to clients subject to the United Kingdom and/or European Union’s General Data Protection Regulation (“GDPR”). When providing Services to such clients, Vistar operates as a “data processor,” which means that we collect personal information related to individuals in the EEA and the United Kingdom only on behalf of and pursuant to the instructions of our clients, who are “data controllers” or who act on behalf of other “data controllers.”

In practice, this means we do not collect, use, or retain personal information subject to the GDPR for our own purposes. At the end of an engagement, we follow our client’s instructions on how to use and retain personal information subject to the GDPR that we collected on that client’s behalf. 

8. Your California Privacy Rights

In the course of providing the Services, Vistar processes device location histories as a “business” under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), and, collectively, the “California Consumer Privacy Laws”, which means that we decide how to collect, use, and retain device location histories of California residents. Vistar provides other aspects of the Services, such as advertisement measurement, as a “service provider,” which means that we collect, use, disclose, and retain personal information relating to California residents on behalf of and pursuant to the instructions of our clients.

The rest of this section relates to our processing of personal information as a “business.”

These provisions apply only to California consumers and supplement this Notice. This California Privacy Rights section describes your rights under the California Consumer Privacy Laws, explains how you may exercise your rights, and provides an overview on the types of personal information we collect.

California Consumer Privacy Laws provide you with the following rights:

• • Right to know. You have the right to know what categories and specific pieces of personal information we collect about you, the sources from which we collect personal information, our business or commercial purpose for the collection, use, and sharing of your personal information, and any categories of third parties to whom we sell or with whom we share your personal information.  
  • Right to data portability. You have the right to request a copy of personal information we have collected and maintained about you in the past 12 months. California Consumer Privacy Laws allow you to request your information from us up to twice during a twelve (12) month period.  We will provide our response in a readily usable format, which is usually electronic.
  • Right to delete. You have the right to request that we delete the personal information that we have collected from you and maintained, subject to certain exceptions. Please note that if you request deletion of your personal information, we may deny your request or may retain certain elements of your personal information if it is necessary for us or our service providers to:
    • Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between our business and you.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
    • Debug to identify and repair errors that impair existing intended functionality.
    • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent.
    • To enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
    • Comply with a legal obligation.
    • Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
  • Right to opt out of selling or sharing. At the time this Notice was last updated, we do “sell” and “share” (as defined in the CCPA) personal information.

  You have the right to opt out of the sale or sharing of your personal information, along with the right to later opt in to the sale of such information. If we sell or share any of your personal information, you may, at any time, tell us not to sell or share your personal information. You can make this request by clicking here. We will also treat Global Privacy Control (“GPC”) browser signals as opt-out of sale/share requests.

  • Right to correct. You have the right to request the correction of any personal information we maintain about you.
  • Right to nondiscrimination. You have the right not to receive discriminatory treatment by us for the exercise of your CCPA privacy rights. Unless permitted by the CCPA, we will not:
    • Deny you goods or services.
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
    • Provide you a different level or quality of goods or services.
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

We disclose the following categories of personal information to third parties for our business purposes:

As described in “Your Rights Over Your Personal Information,” California residents have rights relating to their personal information, including the rights to know and to deletion. Please contact us at Privacy@VistarMedia.com, or by updating Your Privacy Choices, or at 1-833-202-5126 to leave us a message, or send a letter to our Data Protection Officer at 149 Fifth Avenue, Sixth Floor, New York NY 10010.

Except with respect to opt out requests, we will need to verify your identity and that the information you requested relates to you before completing your rights request. We will make every effort to respond to your request within forty-five (45) days from when you contacted us. If you have a complex request, the California Consumer Privacy Laws allow us up to ninety (90) days to respond. We will still contact you within forty-five (45) days from when you contacted us to let you know we need more time to respond.

CALIFORNIA “SHINE THE LIGHT”

Under California Civil Code Section 1798.83 (“Shine the Light”), California residents have the right to request in writing from businesses with whom they have an established business relationship: (a) a list of the categories of personal information, as defined under Shine the Light, such as name, email address, and mailing address, and the type of services provided to the customer that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes; and (b) the names and addresses of all such third parties. To request the above information, please contact us by email at  Privacy@VistarMedia.com. If you do not want your personal information shared with any third party who may use such information for direct marketing purposes, then you may opt out of such disclosures by sending an email to us at Privacy@VistarMedia.com.  

We generally do not associate personal information (such as device history) with identified individuals when providing the Services, meaning we generally do not have information such as names or email addresses connected to device location histories. We use device identifiers (such as mobile advertising identifiers) instead, so please submit your device identifiers with your request. This will help us determine whether we process information about your device, though we may require additional steps to prove that you own the device to which the identifier relates.

If you are submitting a request through an authorized agent, the authorized agent must provide your signed permission alongside the request. We may also request that authorized agents verify their identity, and we may ask you directly to confirm your identity and that you have authorized the agent to submit the request on your behalf.

8. Your Virginia & Other State Privacy Rights

Virginia law provides Virginia residents with the rights listed below, subject to applicable law. To the extent your home state has a similar law that Vistar is subject to, we will provide these same rights to you. Virginia residents may exercise these rights as detailed below or by updating Your Privacy Choices.

The categories of personal information we process, our purposes for processing your personal data, the categories of personal data that we share with third parties and the categories of third parties with whom we share it are detailed above in this Notice.

Certain rights that you may have concerning your personal data are set forth in this Notice. The VCDPA provides you with the following additional rights:•    Right to know. You have the right to know and see what personal data we have collected about you.

• Right to data portability. You have the right to obtain a copy of your personal data that you previously provided to us in a portable and, when feasible, readily usable format, where the processing is carried out by automated means.
• Right to delete. You have the right to request that we delete the personal data we have collected about you.
• Right to opt out of selling or sharing. You have the right to opt out of the sale of your personal data and/or the processing of your personal data for purposes of (i) targeted advertising or (ii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. As of the latest date of the Notice:
  • We  do engage in profiling decision based on your personal information that produce legal or similarly significant effects concerning you.
  • If you wish to opt out of the processing of your personal information for any of the purposes set forth in this sub-section, please click here.
• Right to correct. You have the right to request that we correct inaccurate personal data.
• Right to nondiscrimination. You have the right not to receive discriminatory treatment by us for the exercise of your VCDPA privacy rights. Unless permitted by the VCDPA, we will not:
  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Exercising Your Virginia Privacy Rights 

If you wish to opt out of the processing of your personal information for targeted advertising, please update Your Privacy Choices.

To exercise any of your Virginia privacy rights, or if you have any questions about your privacy rights, you may contact us by:

• Calling us at 1-833-202-5126
• Emailing us at Privacy@VistarMedia.com

Verification of Your Identity. After submitting a request, we will take steps to verify your identity in order for us to properly respond and/or confirm that it is not a fraudulent request. In order to verify your identity, we will request, at a minimum, that you provide your name, email address, phone number, address, and relationship to us, so that we can seek to match this information with the information existing in our systems. When providing us this information, you represent and affirm that all information provided is true and accurate. If we are unable to verify using reasonably commercial efforts that the consumer submitting the request is the same individual about whom we have collected personal information, then we are not required to comply with the request; we may contact you for more information reasonably necessary to authenticate the request, but ultimately we may not be able to meet your request.

Only you may make a verifiable request related to your personal information. If you are making a request as the parent or legal guardian of a known child regarding the processing of that child’s personal information, we may ask you to submit reliable proof of your identity.

Our Response Time to Your Request

We will make every effort to respond to your request within forty-five (45) days from when you contacted us. If you have a complex request, the VCDPA allows us up to ninety (90) days to respond. We will still contact you within forty-five (45) days from when you contacted us to let you know we need more time to respond and the reason for the extension.

Your Right to Appeal

If we decline to take action regarding a request that you have submitted, we will inform you of our reason for declining to take action and provide instructions for how to appeal the decision. In the event that we do not respond to a request that you make pursuant to one of the privacy rights set forth in this Virginia Privacy Rights section, you have the right to appeal our refusal to take action within a reasonable period of time after you receive our decision. Within 60 days of our receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, we will also provide you with an online mechanism, if available, or other method through which you may contact the Attorney General to submit a complaint.

Your Nevada Privacy Rights 

If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal information to third parties who intend to license or sell that personal information. You can exercise this right by updating Your Privacy Choices or email us at Privacy@VistarMedia.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.