Notice at Collection and Privacy Policy

Last Updated: November 3, 2023

We at Digital Turbine, with the companies described in the table below (collectively, “DT,” “we,” “us,” or “our”), put great efforts into making sure that we secure personal information and use it properly.

The notice at collection (the “Notice at Collection”) and Privacy Policy (the “Policy”) explain to end-users (“Users”) of the applicable service described in the table below (collectively, the “Services”) that are either residents of certain US States or of other countries (“Customers”) our privacy practices for processing personal information related to them when they use any of the Services.

The Services are operated by us as a business (within the meaning of US Privacy Laws) or as a controller (within the meaning of the GDPR, UK GDPR, or the LGPD).

The term “personal information” refers to information that identifies an individual or relates to an identifiable individual or as otherwise defined under applicable data protection and privacy laws of the United States (“US Privacy Laws”), or to “personal data” as defined under the General Data Protection Regulation (“GDPR”) and under the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), or the Brazil’s data protection law (“Lei Geral de Proteção de Dados Pessoais”, or “LGPD”), as applicable.  This Notice also explains certain rights that Consumers have under US Privacy Laws and how they may exercise them.

The general part of this Policy applies to all end users of our Services, regardless of where they use our Services from. Annex 2 includes supplemental terms regarding our processing of personal information under the GDPR and UK GDPR, and Annex 3 includes supplemental terms about our processing of personal information under the LGPD.

Please take the time to read our full Notice and Policy. If you disagree with our Notice and/or the following Privacy Policy, please do not access or otherwise use our Services.

The Policy Summary below will give you a quick and clear view of our practices. The first six headings in the summary also serve as the Notice at Collection.

Notice at Collection and A Summary of the Policy

Categories of personal information

We only collect your mobile device Advertiser ID (AAID) to count unique active users on mobile devices. Our third-party adverting partners may use “cookies” or other tracking technologies to obtain personal information about you when your browser interacts with the Services. Read More

Categories of sensitive personal information

The Services are not intended to collect sensitive personal information (within the meaning of US Privacy Laws). We do not knowingly collect sensitive personal information, we do not process sensitive personal information for the purpose of inferring characteristics about you, and we do not sell or share sensitive personal information for cross-context behavioral advertising. Read More

What do we do with personal information?

We use personal information to maintain the Services, make them better and continue developing them, and to protect us and the Services from misuse and law violations. Read More

Who do we disclose, share, or sell personal information with?

We use service providers and other third parties to support the Services, for example, to store data and for analytics on the Services. We also allow our Ad monetization partners to collect personal information on the Services using cookies or other tracking technologies. These third parties do not pay us to collect information. Still, their collection of personal information may be considered as disclosure for the purpose of sale or sharing for cross-context behavioral advertising.

At any time, you can opt-out of the collection of personal information by our service providers and ad monetization partners by visiting our Do Not Sell or Share My Personal Information page.

We will transfer information when we change our corporate structure, and we will share the information with our affiliate entities. We will obey orders and other lawful requirements by authorities to disclose information.

These Ad monetization partners are independent businesses that place their cookies on our Services to provide personalized ads and content. Their privacy practices may differ from ours, and they also collect and process personal information for their own purposes, subject to their privacy notices, links to which are available under ANNEX 1. Read More

How long do we retain personal information?

We retain personal information for the length of time required to provide the Services and for legitimate and lawful purposes. Read More

Your choices and rights

You have several opt-out options with respect to our processing of personal information related to you. For example, you may opt-out of using the Services by terminating your access to the Services or via the Android standard setting.

You also have privacy rights under applicable US Privacy Laws, which you can contact us to exercise.

You can also exercise your right to opt-out of selling or sharing personal information by visiting our Do Not Sell or Share My Personal Information page. Read More

Children

We do not knowingly sell or share personal information related to children, as such term is defined under applicable US Privacy Laws. Read More

Exercising your choices and rights

You can stop using the Services at any time, and thereafter, we will stop collecting personal information related to you. You may request to exercise the rights detailed under the “Your Choices and Rights” section by submitting your request to us by emailing: privacy@digitalturbine.com. You may also control what personal information we collect from your device by changing the permissions settings on your browser or mobile device. Read More

Transfer of personal information outside your territory

We keep personal information related to you in the United States and will store them at additional sites at our discretion. Our service providers provide us with adequate security and confidentiality commitments. Read More

Cookies and similar tracking technologies

Cookies are small files that a web server sends to a user’s device when the user browses online. Your device removes session cookies when you close your browser session. Persistent cookies last for longer periods. Our Services use both types of cookies. To opt out of the collection of personal information related to you by some of these cookies, you can use the Services’ cookie management tool. You can also manage your cookie preferences in your browser settings. Read More

Aggregated and analytical information

Aggregated data is not identifiable and, therefore, not personal information. We use it for legitimate business purposes and standard analytical tools. Read More

Information security

We implement systems, applications, and procedures to secure personal information related to you, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information. Read More

Dispute resolution

Contact us at: privacy@digitalturbine.com or write us for every request and complaint. We will make good-faith efforts to resolve any existing or potential dispute with you. Read More

Changes to this policy

We will update our policy from time to time after giving proper notice. Read More

Contact us

Please contact us at: privacy@digitalturbine.com for further information. Read More

The Digital Turbine Privacy Policy

When you (“you”) use some of our Services, our third-party ad monetization partners use “cookies” and obtain information when your browser interacts with their ads or sponsored content available via the Services. For further information about cookies, please see the “Cookies and Similar Tracking Technologies” section under this Policy.

Examples of the information we or our third-party ad monetization partners collect may include your device advertising ID (AAID), your cookie ID, your browser type, version, and time zone setting, browser plug-in types and versions, and operating system.

When you use the Services, we and/or our ad monetization partners also collect information about your activities on the Services, for example, the duration of time you spend on the Services’ sessions and the content that you have viewed or engaged with.

Accordingly, in the preceding 12 months, we have collected the following categories of personal information:

• Identifiers and Personal information categories listed in the applicable US Privacy Laws, such as the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
• Commercial information, including services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, and app installations.
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with the Services.
• We obtain the categories of personal information related to you listed above from the following categories of sources:
• Directly and indirectly from you and your activity on the Services.
• Third parties such as reliable service providers and ad monetization partners.

Note that our third-party ad monetization partners are independent businesses that place their own cookies on our Services for the purpose of providing you with personalized ads and content.

Their privacy practices may differ from ours, and they collect and process personal information also for their own purposes, subject to their applicable privacy notices.

Please see the table attached to this privacy policy as ANNEX 1 for additional information on these third-party Ad monetization partners and links to their privacy notices.

The Services are not intended to collect sensitive personal information (within the meaning of US Privacy Laws). We do not knowingly collect sensitive personal information and require you not to provide us with any such information, we do not process sensitive personal information for the purpose of inferring characteristics about you, and we do not sell or share sensitive personal information for cross-context behavioral advertising.

We use personal information related to you for the following purposes:

• to provide you and other Customers with the Services and to enable specific features of the Services, such as those detailed under the table above titled “The Services”;
• to provide you with notifications related to your use of the Services;
• where the provision of feedback is available, to provide your feedback;
• to provide you with technical support related to our Services;
• to maintain the Services and to make them better for you and other Customers using it; and,
• to continue developing the Services.
• to provide you with content and/or experience that may include targeted ads made available on the Services by third parties.

We obey the law and expect you to do the same. If necessary, we will use personal information related to you to enforce our terms, policies, and legal agreements, to comply with court orders and warrants, and assist law enforcement agencies, to collect debts, prevent fraud, misappropriation, infringements, identity thefts and any other misuse of the Services, and to take any action in any legal dispute and proceeding.

We commit to only process personal information related to you for the purposes described in this policy.

Personal information related to you is disclosed to certain members of our staff who receive appropriate information security and privacy training, external consultants, and to our affiliates, who are all governed by this Policy.

We also disclose personal information related to you to our agents worldwide and to third-party service providers that process personal information about you on our behalf. Such agents and service providers will be contractually bound to keep personal information related to you confidential and appropriately secure.

A merger, acquisition, or any other structural change will require us to transfer personal information related to you to another entity as part of the structural change, provided that the receiving entity will comply with this Policy.

We may engage third parties to provide us with services such as analytics, marketing automation, and user experience, and for these purposes only, we may allow them to collect personal information on our Services.

Additionally, as detailed above, we allow ad monetization partners to collect and use personal information for the purpose of providing content, including sponsored and promoted content and contextual or personalized ads. For additional information, see ANNEX 1  and visit our Ad monetization partners’ applicable privacy policies linked from ANNEX 1.

The categories of personal information collected by these third parties in the preceding 12 months include identifiers, online activities, and inferences drawn from such activities.

These third parties do not pay us for collecting such information, but the right granted to them to collect personal information may be considered as disclosure for the purpose of sale or sharing for cross-context behavioral advertising. At any time, you can opt-out of the collection of personal information by our service providers and Ad monetization partners by visiting our Do Not Sell or Share My Personal Information Page.

We will also need to disclose personal information related to you in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We will disclose, share, or sell personal information related to you only subject to the terms of this Policy or subject to your prior consent.

We retain different types of personal information related to you for different periods, depending on the purposes for processing the information, our legitimate business purposes, and pursuant to legal requirements under applicable law.

We may maintain your contact details to help us stay in contact with you in case such information was provided to us by you. You can contact our privacy team at: privacy@digitalturbine.com and request to delete your contact details. Note that we will keep your details without using them if necessary, and for the necessary period of time, for legal requirements and proceedings.

We may retain personal information related to you after you have terminated your use of the Services, if retention is reasonably necessary to resolve disputes between our users, to prevent fraud and abuse, or to enforce this policy.

We will keep aggregated non-identifiable information without limitation and to the extent reasonable, we will delete or de-identify potentially identifiable information, when we no longer need to process the information.

In any case, we will keep information about you for as long as you use the Services unless applicable law requires us to delete it or if we decide to remove it at our discretion, according to the terms of this policy.

We do not knowingly sell or share personal information related to children, as such term is defined under applicable US Privacy Laws.

• Access. You have the right to confirm whether we are processing personal information about you and to access such information, including to request to know:
  • what personal information we have collected about you;
  • the categories of personal information;
  • the categories of sources from which the personal information is collected;
  • the business or commercial purpose for collecting, selling, or sharing such information;
  • the categories of third parties to whom we disclose personal information; and,
  • the specific pieces of personal information we have collected about you.
• Correction. You have the right to request that we correct inaccurate personal information that we maintain about you.
• Deletion. You have the right to request that we delete personal information related to you that we have collected from you, subject to certain exceptions under applicable US Privacy Laws. Accordingly, note that when we delete personal information related to you that we have collected from or about you, it will be deleted from our active databases, but we will keep a reasonable number of copies in our archives. We will continue to retain the personal information related to you for legitimate business purposes as set forth above.
• Portability. When exercising your right of access detailed above, you also have the right to obtain the personal information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another entity without hindrance. Note that you may only exercise this right no more than two times per calendar year. Also note that when responding to your request, we will omit any information that would disclose our trade secrets, as permitted by US Privacy Laws. You may also have the right to obtain a representative summary of personal data information that you previously provided to us.
• Opt-out rights. You have the right to opt-out of the sale or sharing of personal information related to you by us, or otherwise the use of such information for targeted advertising or profiling for the purpose of making decisions that produce legal or similarly significant effects concerning you. As detailed above, we allow our service providers and third-party Ad monetization partners to collect personal information related to you and to provide you with personalized ads and content. Under some US Privacy Laws, such activity may constitute sharing or selling (within the meaning of US Privacy Laws) of personal information related to you. Accordingly, you have the right to request to opt-out of such third parties’ collection of personal information as further detailed below under the section titled “Exercising your choices and rights”. For additional information see ANNEX 1 and visit our Ad monetization partners’ applicable privacy policies linked from ANNEX 1.
• Non-discrimination. You have the right not to receive discriminatory treatment by us for exercising your privacy rights detailed in this Policy.
• If you are in the European Economic Area (EEA), you might have additional rights under the General Data Protection Regulation (GDPR). Please read our Supplemental Terms for Processing Personal Data Under the GDPR in ANNEX 2 attached hereto.
• If you are a resident of Brazil, you might have additional rights under the LGPD (Lei Geral de Proteção de Dados Pessoais), the Brazil’s data protection law. Please read our Supplemental Terms for Processing Personal Data Under the LGPD in ANNEX 3 attached hereto.

We will give you choices about the ways we use and share personal information related to you, and we will respect the choices you make.

We collect and receive personal information related to you that we need for the purposes described in this Policy. You can stop using the Services at any time, thereafter we will stop collecting personal information related to you. However, we will store and continue to use or make available certain personal information related to you as detailed above.

You may also control what personal information we collect from your device by changing the permissions settings on your browser or mobile device.

You may request to exercise the rights detailed by submitting your request to us:

Delete My Data
Give Me My Data

Only you or a person authorized to act on your behalf may make a request related to personal information related to you. A request for access can be made by you only twice within a 12-month period.

The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with the requested personal information if we cannot verify your identity or authority to make the request and confirm the personal information related to you. We will only use the personal information provided in your request to verify your identity or authority to make the request.

We will do our best to respond to your request within 30 days of its receipt. If we require more time (up to additional 30 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for such a decision and provide you with a cost estimate before completing your request.

We will not require that you create an account in order to exercise your rights under this Policy and we will not increase the cost or decrease the availability of the Services based solely on the fact that you have chosen to exercise one of your rights under the CPRA or other US Privacy Laws.

After receiving our reply, you can appeal against our decision by contacting us. We will review your appeal and provide you with our answer and our explanation of the reasons for our decision(s) within 60 days of receiving it. We will also provide you with a link (to the extent available) to submit a complaint with the relevant Attorney General.

We store and process information, including personal information, either directly or by using third parties such as data hosting service providers, in the US.

If you are a resident in a jurisdiction where transfer of personal information related to you to another jurisdiction requires your consent, then you provide us your express and unambiguous consent to such transfer.

We make sure that our third-party service providers, provide us with adequate confidentiality and security commitments and we will take all steps reasonably necessary to ensure that personal information related to you is treated securely and in accordance with this policy.

Cookies are small files that a web server sends to a user’s device when the user browses online. Your device removes session cookies when you close your browser session. Persistent cookies last for longer periods. You can view the expiry date of each cookie through your browser settings.

Google Analytics places its own cookies to provide us with its analytics services. We do not control these cookies. Please read the Choices section in this policy for opt-out options from Google Analytics.

From time to time, we will use session and persistent cookies and other web-tracking technologies, such as pixel tags and local storage objects, to facilitate the use of the Service’s features and tools and to improve users’ experience with our Services.

You can use the Services’ cookie management tool to opt-out of certain cookies that are not essential for the provision of the Services. In addition, every browser allows you to manage your cookie preferences. You can block or remove certain or all cookies through your browser settings. Here are some links to some commonly used web browsers: (a) Google Chrome; (b) Microsoft Edge; (c) Mozilla Firefox; (d) Microsoft Internet Explorer; (e) Opera; (f) Apple Safari.

To find out more about cookies, including how to see what cookies have been set, you can visit the following websites: www.aboutcookies.org and www.allaboutcookies.org.

We use anonymous, statistical, or aggregated information and will share it with our partners for legitimate business purposes. It has no effect on your privacy, because there is no reasonable way to extract data from the aggregated information that we or others can associate specifically to you.

We are committed to ensuring the security of personal information. We and our hosting services implement systems, applications, and procedures to secure personal information related to you, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information. These measures provide sound industry standard security. However, please understand that no security system is impenetrable, and although we make efforts to protect your privacy, we cannot guarantee that the Services will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.

We do periodical assessments of our data processing and privacy practices, to make sure that we comply with this policy, to update the policy when we believe that we need to, and to verify that we display the policy properly and in an accessible manner. If you have any concerns about the way we process personal information related to you, you are welcome to contact our privacy team at: privacy@digitalturbine.com, or write to us.

We will look into your query and make good-faith efforts to resolve any existing or potential dispute with you.

From time to time, we will update this policy. If the updates have minor if any consequences, they will take effect 14 days after we post a notice on the Services. Substantial changes will be effective 30 days after we initially posted the notice.

Until the new policy takes effect, if it materially reduces the protection of your privacy under the then-existing policy you can choose not to accept it and terminate your use of the Services. Continuing to use the Services after the new policy takes effect means that you agree to the new policy. Note that if we need to adapt the policy to legal requirements, the new policy will become effective immediately or as required by law.

Please contact us at: privacy@digitalturbine.com

Supplemental Terms for Processing Personal Data Under the GDPR

We at DT describe our privacy practices and our relevant Services, on our Notice at Collection and Privacy Policy above (the “General Policy”). Please take the time to read our General Policy.

These terms supplement and are not a substitute for our General Policy. They add terms specifically related to our privacy practices associated with processing personal data under European data protection laws, namely the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

You should read both documents to understand the full scope of our privacy practices. If there are any overlapping provisions, these supplemental terms will prevail for our processing of personal data under the GDPR.

These terms use certain defined terms under the GDPR, such as “personal data”, “processing”, “consent”, “data controller” and “lawful grounds of processing”. If you are not familiar with these terms, please seek further guidance or contact our privacy team at: privacy@digitalturbine.com with any questions that you may have about these terms.

Lawful Grounds of Processing

We process personal data related to you as a data controller when you use any of our Services based on the following lawful grounds:

• We provide you with our Services subject to the contracts that govern them (such as our Services Terms of Use or Terms and Conditions that you opted in to in order to use such services). We will process personal data related to you, which is necessary to perform our contract with you.
• We will process personal data related to you to comply with our legal obligations and where necessary, to protect your and others’ vital interests.
• We will rely on our legitimate interests, which we have a good-faith belief that is not overridden by your fundamental rights and freedoms, for the following purposes:
  • To protect our Services and our networks and systems, including cyber security measures.
  • To provide support, customer relations, and for service operations.
  • To enhance and improve your and other users’ experience with our Services.
  • To detect, contain, prevent, and handle cases of fraud and misuse of our Services.
• We will also rely on your consent for processing personal data related to you. Where consent is applicable, we will present you with an option to provide and withdraw it.

Your Rights Under the GDPR

In addition to your applicable rights, as described under our General Policy, you have the following rights:

• AT ANY TIME, YOU CAN CONTACT US AND REQUEST TO WITHDRAW YOUR CONSENT TO THE PROCESSING OF PERSONAL DATA RELATED TO YOU. EXERCISING THIS RIGHT WILL NOT AFFECT THE LAWFULNESS OF PROCESSING BASED ON CONSENT BEFORE ITS WITHDRAWAL.
• Request to access personal data that we keep about you and receive further information as described under the GDPR. If you find that the personal data related to you is not accurate, complete or up to date, please provide us the necessary information to correct it.
• Request to delete or restrict access to personal data related to you. We will review your request and use our judgment, pursuant to the provisions of the applicable law, to reach a decision about your request.

If we need to delete personal data related to you following your request, it will take some time until we completely delete residual copies of personal data related to you from our active servers and from our backup systems.

• If you exercise one (or more) of the above-mentioned rights, in accordance with the provisions of applicable law, you may request to be informed that third parties that hold personal data related to you, in accordance with this policy, will act accordingly.
• You may ask to transfer personal data related to you in accordance with your right to data portability.
• You may object to the processing of personal data related to you for direct marketing purposes, such as by unsubscribing from our newsletters and distribution lists. Additional information about this right is available under the choice section in this policy.
• You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affecting you.
• You have a right to lodge a complaint with a data protection supervisory authority of your habitual residence, your place of work or the place of an alleged infringement of your rights under the GDPR.

Please note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and will ask you further questions to understand the nature and scope of your request.

If you have any concerns about the way we process personal data related to you, you are welcome to contact our privacy team at: privacy@digitalturbine.com. We will investigate your inquiry and make good-faith efforts to respond promptly. If we are unable to help, you also have the right to make a complaint to the applicable data protection supervisory authority, as aforementioned.

Our DPO and Representatives

Our Data Protection Officer can be reached at: privacy@digitalturbine.com.

Our EEA designated representative is: Rickert Rechtsanwaltsgesellschaft mbH and can be reached at: Colmantstraße 15, 53115 Bonn, Germany, art-27-rep-digitalturbine@rickert.law.

Transfer of Personal Data Outside the EEA

Our Services are either provided via a mobile application installed on your mobile device, or web-based service that is available on your mobile device. We store and process information in the U.S. From time to time, we will make operational decisions which will have an impact on the sites in which we maintain personal data.

We make sure that our third-party service providers provide us with adequate confidentiality, data protection and security commitments in accordance with the GDPR, and we will take all steps reasonably necessary to ensure that personal data related to you is treated securely and in accordance with our General Policy and these supplemental terms.

We may transfer personal data related to you to other countries. Some of them are not recognized by the European Commission as providing adequate protection to personal data, and some of them, although recognized, required additional safeguards. We will use appropriate safeguards, in particular, by way of entering into the European Union (EU) Standard Contractual Clauses with the relevant recipients, by relying on self-certifications, or by complying with equivalent data transfer mechanisms. You can contact our privacy team at: privacy@digitalturbine.com to receive more information related to our data transfer practices.

Please also see the section below titled “US Transfers” for additional information regarding our transfers of Personal Data outside the EEA to the US.

U.S. Transfers

We participate in the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF (“UK Extension”), and the Swiss-US Data Privacy Framework (“Swiss-US DPF”), as set forth by the US Department of Commerce.

Specifically, our following entities are covered by the EU-US DPF, UK Extension, and Swiss-US DPF: (1) Digital Turbine USA, Inc., (2) Digital Turbine Media, Inc., and (3) Mobile Posse, Inc. d/b/a “Digital Turbine”. Accordingly, in this chapter, the term ‘we’ refers to the above three entities.

You can review our Data Privacy Framework registration at: https://www.dataprivacyframework.gov/s/participant-search.

We have certified to the US Department of Commerce that we adhere to the EU-US Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of personal information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.

We have certified to the US Department of Commerce that we adhere to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-US DPF.

If there is any conflict between the terms in this notice or our policy with the EU-US DPF Principles (including the UK Extension) or the Swiss-US DPF Principles, the Principles will govern. To learn more about the Data Privacy Framework (“DPF”) program, visit the data privacy framework website here.

In accordance with the EU-US DPF, we commit to resolving DPF Principles-related complaints about our collection and use of personal information related to you. If you have any inquiries or complaints about our handling of personal information received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF (as applicable), please contact us at: privacy@digitalturbine.com. We will do our best to respond to your inquiry as soon as we can.

In accordance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, we commit to cooperate (respectively) with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, with regard to unresolved complaints concerning our handling of personal information received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF.

You may also decide to invoke the arbitration option under the DPF, under certain conditions detailed here. For additional details.

As explained under the section titled “Who do we disclose, share, or sell personal information with?” in our policy, we share personal information with third parties to perform services on our behalf.

When we share personal information received under the Data Privacy Framework with a third party, the third party’s access to, and use and disclosure of such personal information, must also comply with our obligations under the Data Privacy Framework. We will remain liable under the Data Privacy Framework for any failure to do so by such a third party, unless we can demonstrate that we are not responsible for the event giving rise to the damage.

We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Note that, as detailed above, we may be required to disclose personal information related to you in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We already adhere to the required commitments under the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework. We will rely on the UK Extension and the Swiss-US Data Privacy framework for applicable data transfers as of the date that they take effect.

Supplemental Terms for Processing Personal Data Under the LGPD

We at DT describe our privacy practices and our relevant services on our Notice at Collection and Privacy Policy (the “General Policy”). Please take the time to read our General Policy.

These terms supplement our General Policy. They add terms specifically related to our privacy practices associated with processing personal data under Brazilian data protection laws, namely the Brazilian General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais). We will refer to them as the “LGPD”).

You should read both documents to understand the full scope of our privacy practices. If there are any overlapping provisions, these supplemental terms will prevail, for our processing of personal data under the LGPD.

These terms use certain defined terms under the LGPD, such as “personal data”, “processing”, “consent”, “data controller” and “lawful grounds of processing”, as translated from the official version of the LGPD in Portuguese. If you are not familiar with these terms, please seek further guidance or contact our privacy team at: privacy@digitalturbine.com with any question that you may have about these terms.

Lawful Grounds of Processing

We process personal data related to you as a data controller when you use any of our Services based on the following lawful grounds:

• We provide you with our Services subject to the contracts that govern them (such as our Services Terms of Use or Terms and Conditions that you opted in to in order to use such services). We will process personal data related to you which is necessary to perform our contract with you.
• We will process personal data related to you to comply with our legal obligations and where necessary, to protect your and others’ vital interests.
• We will rely on our legitimate interests, which we have good-faith belief that they are not overridden by your fundamental rights and freedoms, for the following purposes:
  • To communicate with you, including for direct marketing purposes.
  • To protect our services and our networks and systems, including by using cyber security measures.
  • To provide support, customer relations and for service operations.
  • To enhance and improve yours and other users’ experience with our services.
  • To detect, contain, prevent and handle cases of fraud and misuse of our services.
• We will also rely on your consent for processing personal data related to you. Where consent is applicable, we will present you with an option to provide it and an option to withdraw it.

Your Rights Under the LGPD

In addition to your applicable rights, as described under our General Policy, you have the following rights in relation to personal data related to you:

• Confirmation of the existence of the processing;
• Access to the personal data related to you (i.e., obtain a copy);
• Correction of incomplete, inaccurate or out-of-date personal data related to you;
• Anonymization, blocking or deletion of unnecessary or excessive personal data related to you or personal data related to you processed in noncompliance with the provisions of the LGPD;
• Portability of the personal data related to you to another service or service provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency;
• Deletion of personal data related to you processed with your consent, except in the situations provided under the LGPD;
• Information about public and private entities with which we shared personal data related to you;
• Information about the possibility of denying consent and the consequences of such denial;
• Revocation of your consent as provided under the LGPD.

Please note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and will ask you further questions to understand the nature and scope of your request.

If you have any concerns about the way we process personal data related to you, you are welcome to contact our privacy team at: privacy@digitalturbine.com. We will investigate your inquiry and make good-faith efforts to respond promptly. If we are unable to help, you also have the right to make a complaint to the applicable data protection supervisory authority, as aforementioned.

Our DPO

Our Data Protection Officer can be reached at: privacy@digitalturbine.com.

Transfer of Personal Data Outside Brazil

Our Services are either provided via mobile application installed on your mobile device, or web-based service that is available on your mobile device. We store and process information within the U.S. From time to time, we will make operational decisions which will have an impact on the sites in which we maintain personal data.

We make sure that our third-party service providers provide us with adequate confidentiality, data protection and security commitments in accordance with the LGPD, and we will take all steps reasonably necessary to ensure that personal data related to you is treated securely and in accordance with our General Policy and these supplemental terms.

We will transfer personal data related to you to other countries. Some of them provide a degree of protection of personal data appropriate to the provisions the LGPD. In other cases, we will use appropriate safeguards by way of entering into standard data transfer agreements with the relevant recipients, or by relying on other applicable data transfer mechanisms. You can contact our privacy team at: privacy@digitalturbine.com to receive more information related to our data transfer practices.