OC GROUP Privacy Policy

General Information

The OC Group Privacy Policy (hereinafter “Blue”) is intended to clarify our policy on data processing by the company.

Blue is a technology company specializing in retargeting services. The provision of the retargeting service consists of displaying advertisements with products and/or services that suit the interest of the potential consumer.

To provide this type of service, Blue uses an artificial intelligence algorithm that allows identifying the interests of potential consumers based on their browsing behavior and consumption patterns. Such data are collected without identifying any personal user data.

Based on these data, Blue's customers (“Advertisers”) can offer targeted media to their end customer based on the user's browsing behavior. Through Blue, Advertisers can display ads in spaces located on internet portals, blogs and partner websites (“Publishers”).

Blue's algorithm does not collect personally identifiable data, such as full name, gender, document numbers, mailing, e-mail or IP address, nor bank details or geolocation. The data collected relate to how an end user browses websites, as well as their preferences. These data are collected by assigning an identifier to ensure the user's anonymity.

A user identifier is randomly assigned to an internet user, so that it is possible to identify that user has a certain behavior pattern. However, due to the randomness of this process, it is not possible to identify their personal data or reverse the anonymization.

In addition, the technical data collected, related to the navigation of the possible consumer, are processed only by Blue, without intermediary third parties and with emphasis on the anonymization of personally identifiable information.

That's why we prioritize transparency and accessibility so that the terms of our relationship are available and understandable for our customers, partners and visitors.

Service

Blue offers the retargeting service to its Advertisers as described above.

How our service works

Blue performs an internet advertising service called retargeting. To this end, users' navigation data are collected when they browse within a partner website. Such collection is carried out by means of tags, a set of programming code added to the partner website, which triggers and works behind the navigation environment, without the user's knowledge. In this process, it is important to emphasize that no data are collected that allows the identification of a user.

From this, the user may be impacted by advertising from the partner, through Blue's retargeting services, with the aim of making the user return to the partner's website to purchase the product or service of interest in the partner website.

Collection and use of personal data

Blue does not collect personally identifiable data when a user accesses any Publisher or Advertiser website. That is, we do not collect any data that make it possible to identify a user while browsing a website.

Users' personal data will only be collected by Blue with consent, except in the other cases provided for in this Privacy Policy and in cases of legal requirements.

Legal basis: Art. 7, item I of Law No. 13.709/18

What data do we collect from users?

By means of tags (a set of programming code added to the website of a Publisher and Advertiser, which triggers and works behind the scenes, without the user's knowledge), Blue collects data related to the user's navigation (completely anonymous), such as:

What website the user came from; How long this user remains on each page of the partner environment; What was the last page visited in the partner environment before leaving it; If you have visited a product, we collect the visited product identifier (ID’s); If you have added products to the cart on a website, we collect the ID’s of the products added there; and If you made the purchase, we collect the ID’s of the products purchased, the total value of that sale and the transaction ID.

Why do we collect this data?

The data collected are used to display extremely relevant advertisements to users who have expressed an interest in making a purchase on the website of one of Blue's partners.
The algorithms used by Blue also assign different amounts related to the purchase steps carried out by the user in order to carry out this ad display service. The closer the user gets to the end of a purchase process, the more relevance the ad will have for them.

Product identifiers (ID’s) allow Blue to relate products of interest to a user with products of similar categories and prices, in order to offer, through online advertising, products with a high probability of interest by the user.

How long and where are these data kept at Blue?

All collected data are stored for 180 days on our fully encrypted servers in AWS cloud computing services (Amazon Web Services). There are no physical Blue servers to store such data. For this reason, access to the servers is done only through password and encryption.

How do Blue employees handle data?

The browsing data of the Advertisers and Publishers website user collected by Blue are used by the artificial intelligence algorithms of Blue's retargeting product.

These data are used in aggregate form to direct content according to the preferences that a set of users presented through the identifiers randomly assigned to them by the Blue system. Therefore, there is no individualization of users during the retargeting service.

In this way, Blue employees do not have access to navigation data or perform any analysis on these data. Navigation data are used by the artificial intelligence algorithm to carry out a classification process and assign each identifier of a product to the identifier of a user who has expressed interest in that product.

Data storage

All data collected are stored on encrypted servers, password protected, accessed only by the company's technical manager (CTO) or Blue professionals with technical capacity to do so, whose access is also controlled by the company's CTO. All servers are in the cloud and are used as a service offered by AWS (Amazon Web Services).

Such data remains stored for a maximum of 180 days and is then permanently deleted from the servers. From that moment on, Blue's retargeting service is unable to direct new advertisements to a user, unless this user returns to Blue's Partner Advertiser portal. In the event that the user returns to the Advertiser's portal, the storage process is renewed and follows the same pattern described in this paragraph.

We only keep data required by law or by any authority with competence to make such a request.

How Google uses information from sites

https://policies.google.com/technologies/partner-sites

International data transfer

The servers used by Blue are distributed in 4 regions of the world, namely Brazil, United States, Germany and Singapore. All servers in each location have other identical servers, for the purpose of redundancy, and the exchange of information only takes place within the environment of the servers themselves, so that there is no data processing carried out in jurisdictions other than Brazil.
Continuous use information therefore remains in the location of the service provided, in order to minimize latency in response to requests made by any user to these servers.

Information security

All information collected is stored and treated within an environment with maximum security. The entire environment is encrypted, password protected, directly controlled by the company's technical manager (CTO). These servers also have redundancy so that there is no loss of data in the event of a collapse or any other threat situation.

The browsing data collected in the retargeting process is stored on our servers, following strict encryption control. Only the person technically responsible for the company (CTO) has access to these servers. Such data remain stored for a maximum of 180 days.

Access to any database mentioned above is done through passwords and with people responsible for each of the platforms for storing and processing information.

Processing of personal data

The company complies with the principles of GDPR and has a lawful basis for processing Personal Data in accordance with article 6 GDPR. The purposes of the processing are the following:

Ensure security, prevent and detect fraud, and fix errors:

This purpose is to be used by third parties operating on digital property, and it does not affect publishers’ ability to run fraud checks outside of the TCF and independently.

This purpose is intended to enable processing activities such as:

• Monitoring, preventing ex and post ante:
• General Invalid Traffic Detection and Blocking
• Sophisticated Invalid Traffic Detection and Blocking
• Automated Browsing, Dedicated Device
• Automated Browsing, Non-Dedicated Device
• Incentivized Human Activity
• Manipulated Human activity
• Falsified Measurement Events
• Domain Misrepresentation
• Hidden Ads
• Advertising Spam
• Process of identifying product errors - making products work (not improving them)
• Ensuring operability of the system/platform

Deliver and present advertising and content

This purpose is intended to enable processing activities such as:

• Receiving and responding to ad or content requests
• Delivering of ad-files or content files to an IP address
• Using information received automatically to deliver compatible ads or content, such as:
• User Agent type
• Supported language
• Connection type
• Size and type of the ad or content requested
• Respond to a user’s interaction with ad or content by sending the user to a landing page
• Logging that an ad was delivered, without recording any personal data about the user
• Logging that content was delivered, without recording any personal data about the user

The legal bases we rely on for processing the Personal Data are the following:

• The data subject has given consent to the processing of their personal data;
• Processing is necessary for the performance of a contract to which the data subject is party;
• Processing is necessary for Blue’s legitimate interests or for a third party’s;
• The legitimate interests pursued by the Company override the interests or fundamental rights and freedoms of the data subjects.
• Blue is required to comply with a legal or statutory obligation in the EU or a Member State

Rules for Advertisers and Publishers

We only accept as advertisers/partners companies that are committed to a minimum standard of privacy.
This means that our Advertisers or Publishers:

(i) must have a privacy policy, which is requested when contracting with an Advertiser or Publisher;

(ii) may not use any Blue product to violate users' privacy rights;

(iii) may not use personal or sensitive data for processing without prior consent of the holders of personal data or without any other legal basis for doing so.

Cookie Policy

We use some internal cookies to address, assign an identifier and store a user's browsing data in our environment, such as:

ckid		This cookie is an identifier (ID) provided by the user's internet browser and is used to match the user with relevant products in marketing campaigns.
hash		is a randomly generated identifier (ID) that ensures the impossibility of identifying a user, precisely to maintain their anonymity. The ID is generated from the ckid.
BLUEID		Identifier (ID) generated by Blue to ensure that a user is not identified more than once and generates duplication in the system, even if he/she leaves the internet browser and generates another browsing session.

Benefits of using Cookies?

Cookies save certain browsing information. Thus, when you visit a Blue partner website again, it will recognize your browser and will be able to keep your options and preferences previously marked, mainly in relation to your preferences when searching for products and services.

What happens if Cookies are not accepted?

Once we trigger our tags within the environment of a partner website, the responsibility for the notice regarding the use of cookies is of the partner.

If the user rejects the use of Cookies, our tags will not be triggered and the anonymous information of that user will not be collected. In this way, our retargeting service will not work for that user, referring to that partner website visited.

Thus, the user no longer receives advertisements relevant to their purchasing behavior.

I don't want ads!

If you do not want Blue-targeted ads to appear, a user can access the link http://www.getblue.io/optout/ to disable the service and prevent cookies from directing ads based on your browsing information.

Deletion of personal data

The deletion of data will only occur when there is an explicit request from a data subject and if Blue has collected any personal data. As a business rule, focusing on the principle of privacy by design (privacy from the origin and conception of the product), Blue does not collect personal data. The data it holds on internet users are anonymized through the process explained at the beginning of this policy.

Therefore, there is no possibility of identifying a user and, therefore, the rules of the General Data Protection Law do not apply to users who somehow provide information to Blue.

Legal basis: Art. 12 of Law 13.709/18

If a holder of personal data wants to make any request, verification, request for alteration or deletion of personal data, he/she may communicate directly with an Advertiser or Publisher who is a Blue customer. The holder of personal data may also ask Blue for confirmation on the existence of collection and processing of personal data and, if confirmed, the alteration and/or deletion will be carried out.

The deletion request made directly to Blue must be done by accessing the link http://www.getblue.io/dataremoval. Remembering that said collection and processing of data will not be carried out due to the use of Blue's retargeting product, but for any other business reason that leads to the collection and processing of a holder's personal data.

Amendments

Blue may amend this Policy at any time. Each of the versions of the Privacy Policy will contain the effective date and version information at the beginning of the document to facilitate the identification of users. You can also request an older version of the privacy policy for your reference, should you need it.

Any changes to the Privacy Policy will be communicated to users and, in order to continue using the services provided by Blue, this Policy must be accepted.

Requests about personal data

Any situation relating to personal data must be communicated to the email dpo@getblue.io

Officer (DPO): Gabriella Pontes Garcia dpo@getblue.io

Conflicts

This Privacy Policy is governed by the laws of the Federative Republic of Brazil. All controversies in this Privacy Policy will be resolved by the jurisdiction of the District of São Paulo, State of São Paulo, Brazil, to the exclusion of any other, however privileged it may be or become.

Blue contact details:

OC GROUP TECNOLOGIA DA INFORMAÇÃO LTDA

Rua Alvorada nº 1289, suite 1210

Vila Olímpia, São Paulo - SP

CNPJ [National Register of Legal Entities] 27.036.715/0001-50.

Phone:(11) 3846-6784