Semasio, a Fyllo Company (“we,” “our,” “us”) provides a variety of consumer data, marketing analytics, and related products and services designed to help our business customers (“clients”), and companies that work with them, market their goods and services to consumers in a relevant and efficient way, generally through using online advertising intelligence and information (the “Services”).
Our Services, many of which are described on this website, and many of which focus on advertising technologies which utilize personal data, are principally employed by our clients for digital marketing and advertising (including mobile, CTV, and other digital channels), but may also be used for other marketing channels.
This privacy policy explains the types of personal data we may collect or receive about individuals in connection with our Services, how we use, process and share that personal data, and your rights and choices regarding your personal data. When we say “you” we are referring to individuals whose personal data we process in connection with our Services, including on our advertising technology platform. The term personal data as used in this privacy policy has the meaning ascribed to it under applicable laws.
Semasio is the controller of the processing of your personal data described in this privacy policy. Our contact details can be found in Section 16 below.
This privacy policy applies only to consumer data products and services offered by our Semasio-branded divisions. For consumer data products and services operated by our Fyllo-branded divisions, please visit the Fyllo Marketing Services Privacy Policy.
We also operate corporate websites, designed for our own clients and prospective clients, and others who want to learn about our Services. We address personal data we collect on our corporate website and personal data we collect for business-to-business purposes in our Website and Corporate Privacy Policy. Data collected on our corporate websites is not incorporated into our Services. Please visit our Website and Corporate Privacy Policy if you wish to opt-out of any data collected on through your visit to our corporate webpages.
Semasio operates globally, including in Europe and the United States, and processes personal data in accordance with this privacy policy. The General Data Protection Regulation (“GDPR”) sets standards for data protection in Europe. In the United States, the California Consumer Privacy Act as amended (“CCPA”) provides certain rights to residents of California. Other states’ laws (upon becoming effective) provide similar (though not identical) rights to their own residents. Semasio closely follows the development of data protection regulation in Europe, the United States, and in the rest of the world.
Please note that this privacy policy does not apply to your personal data when we act as a service provider or processor on our clients’ behalf. When we are in this role, our clients decide how and why your personal data should be used and you should contact our client directly regarding your privacy choices. Additionally, our clients may have privacy obligations in connection with personal data they share with our Services or process on our Platform. Information about these circumstances is set forth in Section 6 below.
The Semasio Platform (the “Platform”) enables our clients to understand consumers and the webpages they visit. Through natural language processing and advanced semantic targeting, the Platform utilizes advanced semantic understanding of page and content meaning.
The Platform also ingests personal data collected from individuals’ online activities. This personal data may be collected through Semasio’s own tracking technologies (“Tracking Points”), or the data may be sourced from tracking points maintained by third parties. From these data points information may be derived and stored using a cookie set in the user's browser or identifier in a mobile device for identification. Semasio collects and stores online identifiers (“Cookie IDs”) and mobile advertising identifiers ("MAIDs”). Cookies are small files that enable Semasio to store information related to an internet user, on a personal computer or another device from visits to websites, and to “remember” a particular individual, on a particular web browser. Similarly, a MAID is a unique identifier that iOS or Android assigns to each mobile device and that can be used to connect mobile activity back to a specific individual.
Semasio synchronizes these identifiers with additional personal data associated with the same individual which is shared with Semasio by its commercial data sources or clients. This process may constitute profiling as defined by applicable law in certain territories. Semasio does not, however, carry out profiling in furtherance of automated decisions that produce legal or similarly significant effects or automated decision-making as defined under the GDPR (Art. 22 GDPR).
As further described in Section 5 below, the Platform enables our clients to create audience segments which are used by our clients to deliver online advertising to specific users (targeted advertising) or to create contextual segments which are used by our clients to deliver online advertising to specific websites (contextual advertising). Semasio also licenses (or “sells” as defined under certain US state privacy laws) the personal data it collects, for targeted advertising, and for various data modeling, research, and analytics purposes.
Semasio is inspected and certified by ePrivacy GmbH and adheres to the Principles of the EDAA Online Behavioural Advertising (OBA) Framework.
Semasio is a member of the Network Advertising Initiative (NAI).
Semasio participates in the IAB’s global privacy platform which is designed to transmit consumer choice signals (e.g., opt-out or consent) between sites, apps and adtech providers in applicable territories, including in the United States and Europe (collectively, the “IAB Framework”) and complies with its Specifications and Policies in these territories. Semasio’s identification number within the IAB’s Transparency & Consent Framework is #84.
The Services do not utilize directly identifiable data such as your name, home address, phone number, or government identifiers such as your social security number. When our commercial sources share personal data that originated in directly identifiable form, it is pseudonymized before we process the data for the purposes described in Section 5 below. This means the directly identifiable information is removed and replaced with identifiers. This process allows us to connect your identifiers to other pseudonymous data about you in our databases.
From our commercial sources, we collect and store the following categories of personal data:
Inferences
Our commercial sources also share inferred data, which means they have made certain inferences about a consumer’s preferences, interests, characteristics, or attitudes prior to sharing the personal data with us. Inferred data may also include inferences regarding your general (not precise) location based on IP address. Using our technology and data in the Platform, users of our Platform can also create similar inferences inside our Platform, provided that in processing personal data in the Platform, users are prohibited from creating sensitive inferences that could be deemed to be sensitive personal data.
Children
We do not knowingly collect personal data of individuals under the age of 18. We use reasonable efforts to remove the data of such individuals from our databases based on the applicable laws in the relevant jurisdiction. If you are a parent or guardian and believe we have collected data of a minor under the legal age in a particular jurisdiction, please contact us at privacy@semasio.com. If we learn we have inadvertently collected such data, we will promptly delete the data.
Special or Sensitive Categories of Personal Data
Except as otherwise described in this privacy policy (see Section 5), we do not knowingly collect personal data deemed “sensitive” or a “special category of personal data” where not permitted to do so under applicable privacy laws in the relevant jurisdictions where the Services operate (“sensitive personal data”). The meaning of sensitive personal data differs by jurisdiction, but often means data that reveals your race, religion, ethnicity, sexual orientation, gender identity, political or philosophical beliefs, or a medical condition or diagnosis; it sometimes includes any information about health or sexuality, or trade union membership. These categories sometimes overlap with characteristics of protected classifications under California or other US law.
Semasio uses and sells personal data to enable our clients (and their end clients) to perform, analyze and measure online marketing campaigns. Personal data is used to create audience segments, for consumer insights for digital and other advertising purposes, and to model contextual segments. Advertising campaigns are delivered by third party platforms. For targeted advertising delivery, lists of Cookie IDs/MAIDs are sent via our data centers to real-time bidding or other platforms that activate on audience segments to deliver advertising campaigns.
We have included a detailed description of these purposes in the following. We have also included references to our purposes under the IAB Framework.
The commercial purposes for which we use personal data
a. For Interest Based Advertising
Our Services include creating data products and providing datasets to our clients and making such datasets available to other advertisers or agencies for purchase via third party platforms, generally regarding which consumers are most likely to be interested (or disinterested) in certain offers.
Where our clients operate the Platform in a self-service capacity and create custom audience segments, our clients are required to comply with applicable contract terms and policies, and they are responsible (as a data controller) for the audience segments they create.
Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Create profiles for personalized advertising”.
b. For Matching or Linking Personal Data from Different Sources.
Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Understand audiences through statistics or combinations of data from different sources”.
c. For Insights or Analytics Purposes.
Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Understand audiences through statistics or combinations of data from different sources“.
d. For Modeling Contextual Segments.
Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Create profiles for personalized advertising”, “Understand audiences through statistics or combinations of data from different sources“.
The business purposes for which we use personal data
e. To Develop and Improve our Services.
We also use your personal data for our own internal purposes, such as to operate, analyze, improve, test, update and verify our Services; and develop new products.
Under the IAB Framework, we pursue the following purposes for the processing activities described in this section: “Develop and improve services“.
f. For Other Internal Purposes.
We also may use personal data for auditing for legal and other compliance purposes, aiding in ensuring security and integrity to the extent the use of personal data is reasonably necessary and proportionate for such purposes, debugging to identify and repair errors that impair existing intended functionality, short-term and transient use, and for the establishment, or the exercise or defence of legal claims.
Our clients often include advertisers and agencies who act on behalf of advertisers.
Our clients are responsible for their own personal data processing activities, including when they operate our Services through self-service access to our Platform or when they supply personal data to the Platform for their advertising and marketing purposes.
While we generally act as a data controller, in limited circumstances we may act as a data processor or service provider to our clients in accordance with the client’s instructions and use that personal data only for the client.
Semasio discloses personal data in the form of audience segments to third party marketing services providers and platforms such as demand side platforms that activate on the data to deliver advertisements for their clients, as well as service providers that help us provide the Services we have described above (or other Services we may add in the future). Semasio may also disclose personal data as further described in this privacy policy, including this Section 7.
Our disclosure, share and sale of personal data under the State Privacy Laws
In the United States, the California Consumer Privacy Act as amended (“CCPA”) provides certain rights to California residents. Other states’ laws provide similar (though not identical) rights to their own residents (collectively, the “State Privacy Laws”). For state residents in jurisdictions where the State Privacy Laws apply, we may disclose, sell and/or share (as those terms are defined under the State Privacy Laws), personal data collected from and about you.
Our Platform is frequently used to share audience segments (whether as part of our own syndicated taxonomy or as custom audience segments created by our clients) for targeted advertising (also known as cross-context behavioral advertising). Accordingly, all of the categories of personal data described in Section 4 above may have been shared or sold for interest-based advertising or related commercial purposes as described in Section 5 above with the categories of third-party recipients identified in the last column of the chart below. Provided, however, that personal data provided to Semasio from its clients or commercial sources for the purpose of modeling Contextual Segments as described in Section 5.d. is not shared or sold. Additionally, we do not knowingly share or sell sensitive personal data.
Information about which category of personal data is shared with whom
The chart describes how and with whom we disclose, sell and/or share personal data, and whether (based on the definition of sell or share in the State Privacy Laws) we believe we have sold or shared a particular category of personal data in the prior 12 months. Where we have sold or shared a particular category of data, it is most frequently in the form of audience segments which include only inferred information and not actual information.
For transparency, we’ve been deliberately inclusive in our terminology, by including within categories both types of third parties (e.g., “clients”) and types of platforms through which clients and other third parties might access data (e.g., “advertising networks”).
Category of personal data
Categories of service providers to whom we have shared this category of personal data for the purposes described in Section 5
Categories of third parties to whom we “sold” or “shared” this category of personal data in the last 12 months for the purposes described in Section 5
Online Identifiers
Note Data used for modeling contextual segments as described in Section 5(d) above is NOT accessible outside the Platform and is not “sold” or “shared” under the State Privacy Laws.
Internet or other electronic network activity information
Note Data used for modeling contextual segments as described in Section 5(d) above is NOT accessible outside the Platform and is not “sold” or “shared” under the State Privacy Laws.
Commercial or transactions information
Note Data used for modeling contextual segments as described in Section 5(d) above is NOT accessible outside the Platform and is not “sold” or “shared” under the State Privacy Laws.
Professional or employment-related information
Note Data used for modeling contextual segments as described in Section 5(d) above is NOT accessible outside the Platform and is not “sold” or “shared” under the State Privacy Laws.
Inferences from any of the categories of personal data identified in Section 4
Note Data used for modeling contextual segments as described in Section 5(d) above is NOT accessible outside the Platform and is not “sold” or “shared” under the State Privacy Laws.
Demographic characteristics, including of protected classifications under California or US law (inferenced or actual)
Note Data used for modeling contextual segments as described in Section 5(d) above is NOT accessible outside the Platform and is not “sold” or “shared” under the State Privacy Laws.
a. Our legal bases for processing personal data collected in the EEA.
In the European Economic Area (EEA) and the United Kingdom, the Platform operates on the basis of user consent, generally obtained through the IAB Frameworks in applicable jurisdictions, to store and process personal data. Therefore, the legal basis for the commercial purposes set out in Section 5 is your consent, Art. 6 (1) (a) GDPR.
The chart below describes in further detail the legal basis for the processing activities set out in Section 5 and references the categories of personal data (described in Section 4) processed in this respect as well as the legitimate interests pursued (as far as the legal basis is Art. 6 (1) (f) GDPR).
Purpose as described in Section 5
Legal Bases (and legitimate interests pursued, if applicable)
Category of personal data
Interest Based Advertising
Consent
(Art. 6 (1) (a) GDPR
Matching or Linking Personal Data from Different Sources
Consent
(Art. 6 (1) (a) GDPR
Insights or Analytics Purposes
Consent
(Art. 6 (1) (a) GDPR
Modeling Contextual Segments
To Develop and Improve our Services
Consent
(Art. 6 (1) (a) GDPR)
Other Internal Purposes: aiding in ensuring security and integrity, and repairing errors
Legitimate interests
(Art. 6(1) (f) GDPR).
We have a legitimate interest in operating our Services, databases and servers in a secure manner, and in auditing our processes for legal and other compliance purposes, in ensuring security and integrity, in debugging our Services to identify and repair errors that impair existing intended functionality and for short-term and transient use
Other Internal Purposes: for the establishment, exercise or defence of legal claims
Other Internal Purposes: for legal and other compliance purposes
b. Personal Data collected by our Commercial Sources.
Depending on jurisdiction, some of Semasio's clients or other commercial sources may collect personal data under an opt-out or other framework under observance of all applicable laws. Semasio coordinates with our clients and other commercial sources on requirements under relevant data protection regulations and has detailed contractual agreements. Specific business terms may seek to ensure that data protection regulations are understood, openly communicated and followed. However, clients and other commercial sources are themselves responsible for adhering to the applicable data protection requirements under their own privacy policies. Semasio does not take any responsibility and/or liability for the acts or omissions of its clients or other commercial sources.
a. Semasio Opt-Out.
Regardless of where you are located or what jurisdiction’s laws apply, we offer all individuals a right to opt-out of our databases if you do not want your online activity to be collected by the Platform for any of the purposes described in this privacy policy, including use of your personal data for profiling or targeted advertising.
b. AdTech Industry Opt-Outs.
Separately from the Semasio opt-out page, if you wish to opt out of online targeted ads in general (“interest-based” or “personalized” advertising), you can also visit the opt-out portals operated by various industry groups or other adtech participants. You can visit those opt-out pages here.
c. Additional Opt-Out rights.
Certain state privacy laws in the United States require us to provide state residents with specific opt-out options. While we utilize the same opt-out functionality for all opt-out requests which we apply to all processing activities in our databases (subject to the limited exceptions described in this privacy policy), we have described the rationale behind each specific opt-out right below.
d. Right to Withdraw Consent.
In situations where we rely on consent to process your personal data, you likewise may withdraw your consent at any time by visiting our United States Opt-out Page or International Opt-Out Page to submit an opt-out request. You may also contact us toll-free at 833 367-8688. Please be aware that withdrawing your consent does not affect the lawfulness of the processing of your personal data based on consent before its withdrawal.
e. Opt-Out Instructions.
Please note that our online opt-outs are cookie-based. Thus, if you browse the web from multiple browsers or devices, you may need to opt out from each browser and/or device, and for the same reason, if you change browsers or clear your browser cookie cache, you may need to perform this opt-out function again.
Under the General Data Protection Regulation (“GDPR”) and other privacy laws depending on where you reside, you may have certain additional rights regarding your personal data as summarized below, subject to certain restrictions and variations under applicable local laws. This section describes how to exercise those rights and our process for handling your requests. We may withhold these rights to the extent that the law in your country or state of residence does not recognize or no longer recognizes these rights. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
a. Right to request deletion of your personal data.
We interpret deletion requests as “opt out” requests and ask that you visit by visiting our United States Opt-out Page or International Opt-Out Page. We manage deletion requests in this way because under certain laws, deletion requests require identity verification which would require us to request additional personal data from you. Accordingly, for purposes of data minimization, we manage deletion requests as opt-out requests which are functionally equivalent in our databases to deletion requests (and what individuals requesting “deletion” typically desire to occur). If you have a different deletion request, please contact us using the contact information provided in Section 16.
b. Right to request access to your personal data.
Depending on what law applies, you may request information about your personal data in our databases. Additionally, under certain state privacy laws in the United States, applicable residents may request we disclose the categories of personal and the specific pieces of personal data that we have collected about you over the past 12 months, generally meaning which audience segments we believe to be connected to your personal data in our databases.
c. Rights to object.
If you reside in the European Economic Area (EEA), the following applies: You can object to processing of your personal data where we are relying on the legitimate interest legal basis (Art. 6 (1) (f) GDPR) at any time. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis. To access this right, please contact us at privacy@semasio.com.
d. Additional privacy rights.
If you wish to exercise any other rights you might have under applicable data protection laws, including as appliable and subject to certain conditions in some cases, individual rights of correction/rectification, data portability, or restriction of processing, please contact us at privacy@semasio.com or contact us toll-free at 833 367-8688.
e. Right to lodge complaint.
Additionally, EEA residents have the right to lodge complaints or report concerns to a data protection authority, in particular in the Member State of their residence, place of work or of an alleged infringement of the GDPR (a list of these data protection authorities can be found here, a list of the data protection authorities of the German States (Länder) can be found here). UK residents can report a concern to the Information Commissioner’s Office. However, we respectfully request that you contact us first.
f. Authorized agents.
Under certain privacy laws, you may also designate an agent to make requests to exercise your rights on your behalf. As required by law, we will verify that your agent has been authorized to make a request on your behalf through providing us with a signed written authorization or a copy of a legally sufficient power of attorney, depending upon the request made. We likewise may require that you verify your own identity, depending on the type of request you make. Please note, however, that because we are a cookie-based service, we are unable to process requests made through designated agents who do not have access to cookies on your devices.
g. Right to appeal.
In the event that we inform you that we will not, or believe we cannot, honor a particular (consumer or other data subject) request (for instance, if we have determined we cannot verify your identity, or if we believe you are not entitled to the scope of deletion you request), you may appeal our determination by emailing us at privacy@semasio.com.
h. Right of nondiscrimination.
To the extent applicable, we will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights.
We retain personal data in accordance with requirements of applicable laws as long as it is necessary for the purposes we pursue (set out in Section 5) or we have a legal or compliance reason to do so. As a general matter, cookie data is refreshed and updated automatically 90 to 180 days from the time of initial collection unless you opt out from the Services. If we receive an opt-out request from you/if you withdraw your consent, we delete your personal data immediately. We may, however, retain information following your opt-out/withdrawal where legally permitted or required (e.g., for a legal compliance, auditing, or accounting reason). Personal data supplied by our commercial sources is deleted once both the contractual relationship and any applicable statutory storage periods have ended, unless we receive an opt-out request from you/if you withdraw your consent prior to this.
We have implemented appropriate security measures to protect the personal data in our databases against any unauthorized access, use or disclosure. However, regardless of any technical and organizational measures Semasio has put in place to assure that data in its custody is secured, no such steps are foolproof, we therefore cannot guarantee that such data will not or cannot be subject to breach or to hackers.
Semasio maintains data centers in the United States and Denmark. Please visit this page for a list of our service providers.
In some cases, we or our clients may transfer personal data of individuals residing in the European Union (EU) respectively the European Economic Area (EEA) to recipients located outside of the EEA, namely the United States.
Where a transfer of personal data to such third countries is taking place this happens only to countries in which the EU Commission has confirmed an adequate level of protection (a list of these countries and the respective adequacy decisions is available here) or where Semasio can reasonably ensure the secure handling of personal data by means of contractual agreements (standard contractual clauses in the meaning of Art. 46 GDPR, Module 1 for controller-to-controller transfers) or other suitable guarantees, including certifications or proven compliance with sufficient security standards. We apply these same standards to other jurisdictions that require similar protections.
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Please contact us using the contact information provided in Section 16 if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
Metrics on opt out and information requests under CCPA can be accessed via the following page: CCPA Metrics
Semasio may change or update this privacy policy at any time in accordance with any new applicable data protection regulations or new relevant information achieved. Any changes or updates we may make will be posted on this website.
Semasio has a designated privacy contact. If you have questions related to this privacy policy, or regarding our products or services, please contact us at privacy@semasio.com or info@semasio.com. We appreciate your comments and questions regarding Semasio’s privacy practices.
Postal addresses
Semasio GmbH
Mönkedamm 11
20457 Hamburg
Germany
Semasio Inc.
c/o Casters Holdings, Inc.
433 West Van Buren Street, Suite 200, Chicago, IL 60607
Controller
If you are based in the European Union (EU) or the United Kingdom, the controller of your personal data is Semasio GmbH.
European data protection officer (DPO)
If you are a based in the European Union (EU) or the United Kingdom, you may contact our data protection officer and state in your request that your concern relates to Semasio GmbH. However, we respectfully ask that you only contact our Data Protection Officer regarding urgent matters relating to data protection.
Prof. Dr. Christoph Bauer
ePrivacy GmbH
Große Bleichen 21
20354 Hamburg
Germany
Representative of controllers or processors not established in UK (Article 27 UK GDPR)
UK Representative Service for GDPR Ltd.
7 Savoy Court
London WC2R0EX
United Kingdom