Index Exchange is a global digital advertising marketplace. Our technology (the Index Exchange Platform) helps our clients deliver advertising to you. The Index Exchange Platform hosts digital auctions that help our clients buy and sell online ads (collectively, our Platform Services). These ads can be found on websites, mobile applications (Apps), or video programming services, such as streaming apps on Smart TVs (collectively, Digital Properties).
As with any exchange platform, we act as an intermediary between buyers and sellers. Throughout this Policy, we refer to our clients that sell ad space as Publishers. Publishers own or operate the Digital Properties you may use or visit. We refer to clients that buy ad space (for example, advertisers) as Buyers. Buyers may include Demand-Side Platforms (DSPs), Data Management Platforms (DMPs) and other partners (collectively, Demand-Side Partners). Demand-Side Partners act as additional intermediaries in the digital advertising supply chain that connect advertisers to Index Exchange to serve relevant ads to you on the Publisher Digital Properties you visit. Demand-Side Partners liaise with other Buyers, which also include advertisers (for example, brands), advertising agencies, and ad networks (collectively, Ad Partners). In summary, Index Exchange and Demand-Side Partners act as intermediaries that connect Ad Partners with Publishers to deliver relevant digital ads to you.
On the Index Exchange Platform, we Process your Personal Data when you visit a Publisher’s Digital Properties. Index Exchange Processes your Personal Data to provide our Platform Services if we have permission from Publishers to do so.
Below are the main types of Personal Data we may Process on the Index Exchange Platform for the provision of our Platform Services. The information we receive is predominantly determined by each Publisher that you interact with. We are not able to determine your name, email address, or other similarly identifying information based on the Personal Data we Process on the Index Exchange Platform.
Digital identifiers (Digital IDs): we may Process unique identifiers that are associated with the Digital Properties you are using. Digital identifiers include:
- cookie IDs: unique identifiers assigned to cookies (small text file stored on your web browser when you visit a website);
- device advertising IDs: unique identifiers used for advertising purposes on various devices, including mobile devices, Connected TV (CTV) devices, and others. Some examples of device advertising IDs (not an exhaustive list) are the following:
- Identifier for Advertisers (IDFA) is used on Apple devices running iOS,
- Android Advertising ID (AAID) is used on Android devices,
- Google Advertising ID (GAID) is a unique advertising ID assigned to Android devices by Google Play services,
- Roku Advertising ID is a unique identifier assigned to Roku devices,
- LG Smart TV Advertising ID is a unique identifier assigned to LG smart TVs, and
- Samsung Smart TV Advertising ID is a unique identifier assigned to Samsung smart TVs; and
- third-party IDs: unique identifiers that belong to third parties. Third-party IDs may be associated with broad aggregate audience segments and shared with Buyers to serve more relevant ads to you based on your interests (for example, ads related to sports or fashion).
Browser and device information: information including, but not limited to, the type and version of your browser, browser settings (such as language and local time), user agent, your IP address, device type (for example, laptop, mobile, TV), model, manufacturer, operating system, and time zone.
Location information: imprecise geolocation information such as city, country, zip code/postal code, and/or longitude and latitude with less than 2 decimal places. Publishers may provide us with precise geolocation information in the form of longitude and latitude with three or more decimal places.
Other data provided to Index Exchange: additional information provided to us by, or for, our Publishers to improve Publisher advertising. For example, a Publisher may include information about your interests or broad demographic information.
We Process your Personal Data to provide our Platform Services when it is permitted by law and supported by a valid legal justification (Legal Basis). We rely on the Legal Basis of consent for the following Processing activities:
- Ad delivery: to deliver ads to you on Publishers’ Digital Properties;
- Ad reporting: to verify an ad was delivered to you with accuracy;
- Cookie syncing: to match our cookie IDs with third-party IDs to provide more effectively deliver relevant ads to you. When we are authorized to use a cookie ID, we try to match it against third-party IDs and third-party cookie IDs. Cookie syncing enables the sharing and use of Personal Data between Buyers and Demand Side Partners that are involved in buying and selling digital ad space; and
- Impression Counting: to count the number of times ads are displayed against a Digital ID.
We rely on the Legal Basis of legitimate interests for the following Processing activities:
- Ad vetting: to prevent fraud, malware, and other unacceptable behavior; and
- Troubleshooting, optimizing, and product improvement: to improve our Platform Services and ensure ads are delivered correctly to you.
We rely on the Legal Basis of legal obligations for the following Processing activity:
- Privacy Rights: to view and enforce your opt-out choices, and honor your privacy choices/rights. For example, if you make a request to delete your Personal Data, we will use your Personal Data to search, identify, and delete your Personal Data.
We may disclose, share, or sell (collectively, Share) your Personal Data with the following partners for the purpose of delivering ads to you:
- Buyers: we Share your Personal Data with Buyers to source ads that may be relevant to your interest(s). Buyers may Share Personal Data with their clients and partners for the provision of their services. Each Buyer Processes and Shares Personal Data in accordance with their own privacy policies, which may differ from the information found in this Policy. To help protect your Personal Data, Index Exchange contractually requires Buyers to comply with applicable data protection and privacy laws, and implement user-centric privacy practices;
- Identity Partners: On the instruction of Publishers, your Personal Data may be Processed by and Shared with Identity Partners, independent companies that Process online identifiers which they have collected independently from Index Exchange. For example, they may use online identifiers to group you into broad based, aggregated audience segments (for example, age range: 25-35; interests: cars). We do not actively create audience segments about you; however, our technology facilitates the delivery of these audience-based identifiers to Buyers;
- Vendors and service providers: Our third-party vendors may help us provide our Platform Services. For example, we use third-party vendors for fraud detection, load balancing, and content delivery network (CDN); and
- Legal requirements: We may be required to disclose your Personal Data to comply with our legal obligations, or in cases where we believe in good faith that such disclosure is required by law.
Index Exchange is a global company with headquarters in Canada and data centers in Canada, Europe, Asia, and the United States. To provide our Platform Services, we may transfer your Personal Data internationally to any of our data center locations, or to any Buyer’s international data center locations. We respect the security and confidentiality of your data while effecting these international transfers. We ensure any international transfers of your Personal Data are compliant with applicable data protection and privacy laws.
When we transfer Personal Data outside of the European Economic Area, UK, or Switzerland we ensure that appropriate legal protections are in place. These protections may include a transfer mechanism such as the Standard Contractual Clauses approved by the European Commission. In the event of any conflict between the terms of this Policy and such transfer mechanism, the terms of the transfer mechanism will govern.
Index Exchange complies with the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. DPF Principles, the UK Extension to the EU-U.S DPF and the Swiss-U.S. DPF Principles (collectively, the Principles) with regard to the Processing of Personal Data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland. If there is any conflict between the terms in this Policy and the Principles, the Principles shall govern.
Index Exchange is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). We may be liable if we fail to meet the requirements of the DPF in the onward transfers of Personal Data to third parties. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/. For unresolved EU-U.S, the UK Extension to the EU-U.S. or Swiss-U.S. DPF complaints or concerns that we have not addressed satisfactorily or in a timely manner, you may contact the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA) at https://go.adr.org/dpf_irm.html. Binding arbitration may be available for complaint resolution under certain circumstances. Learn more about the binding arbitration scheme for the EU-U.S. DPF at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf and for the Swiss-U.S. DPF at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-sw-dpf.
Index Exchange supports efforts for self-regulation in the digital advertising industry. We are a member of several industry groups or initiatives, including: the Network Advertising Initiative (NAI) and the Interactive Advertising Bureau (IAB); all of which help set industry standards for the ethical processing of your Personal Data. We adhere to the NAI Code of Conduct and also participate in the IAB’s Transparency & Consent Framework and comply with its specifications and policies. Our identification number within the framework is: Vendor ID 10.
We retain Personal Data only for as long as necessary to fulfill the purposes described in this Policy or as required to meet legal or regulatory requirements. At your request, we will delete your Personal Data unless we are required to retain it to meet our legal or regulatory obligations. We may also create and retain anonymized information, and continue to use this information in accordance with this Policy.
To learn more about your privacy rights and how you can exercise them, such as your right to access, correction, erasure, limitation, and object to the processing of your Personal Data, please visit Your privacy rights and how to exercise them.
We understand that the security, integrity, and confidentiality of Personal Data is a critical issue and we are committed to safeguarding your Personal Data. We have implemented a comprehensive security program that includes technical, administrative, and physical security measures to protect your information from unauthorized access, disclosure, use, and modification. Such measures include but are not limited to: encryption, controls that limit the access of your data, both technically and at our physical data center locations, and also by enabling information security practices such as employee training on the safe handling of Personal Data. We regularly review our security policies and procedures to ensure the protection of your information. Please keep in mind that, despite our best efforts, no security measures are perfect or impenetrable.
We may update this Policy from time to time to accommodate new technologies, industry practices, regulatory requirements or for other purposes. The date at the top of this Policy reflects the most recent changes made. If any changes to this Policy are significant, we may take additional measures to inform you, as required by applicable data protection and privacy laws. We encourage you to review this Policy for the latest information on our privacy practices and to contact us if you have any questions or concerns.
Privacy team at Index Exchange
If you have any questions, concerns, or complaints about the above or our privacy practices, please contact us at privacy@indexexchange.com or at:
Attn: Index Exchange c/o Privacy
8 Spadina Avenue, Suite 2600, Toronto, Ontario
M5V0S8 Canada
Data Protection Officer
You can also contact our DPO at gdpr@legalarmy.net or at:
Attn: Index Exchange Data Protection Officer
Legal Army, S.L., B88103700
Calle Princesa 31, Piso 5, Puerta A1, Madrid, Spain, 28008
Navigate
- About Us
- Personal Data we collect, use, and share (Process)
- Purposes and Legal Bases for Processing Personal Data
- Sharing Personal Data
- International Transfers of Personal Data
- Data Privacy Framework
- Self-regulation initiatives
- Data Retention
- Your privacy rights and how to exercise them
- Data security
- Changes to this Policy
- Contact us