Service privacy policy
Scope
Remerge GmbH and its subsidiaries (collectively, “Remerge”) adhere to strict privacy principles and comply with this policy and privacy regulations. This privacy policy outlines the primary privacy principles applied to the data received from advertisers (the “Controller” under applicable data protection regulations) and processed through the service, where Remerge functions as a data processor.
Remerge Service Description
Remerge specializes in retargeting, which involves showing ads to users who have already interacted with the advertiser's app or website, encouraging them to return and complete desired actions. It also helps mobile app developers by displaying ads and user acquisition campaigns in other apps. Instead of collecting user data directly, Remerge receives this data from the advertiser (the Controller) who wants to promote their product. Remerge bids on ad spaces in other apps to show the advertiser's ads. The revenue from these ads helps app publishers and developers to offer their apps or services for free or at reduced cost.
__________________________________________________________________________________
Processor Information:
Remerge Processor entity is defined according to the service specification:
remerge GmbH (Germany)
remerge Inc. (United States)
remerge K.K.(Japan)
remerge Pte. Ltd.(Singapore)
remerge Ltd. (South Korea)
HQ Location: imprint
Website privacy policy: here.
Data Privacy Officer
For EEA/Europe:
Ilan Leonard Selz
Am Hamburger Bahnhof 4,
10557 Berlin, Germany
privacy@remerge.io and berlin@isico-datenschutz.de
For other regions:
Julie Armindo Kremp
Heidestraße,9
10557, Berlin Germany
privacy@remerge.io.
Identifying the Controller
The Controller is typically the advertiser whose advertisement was shown on the user’s device or the app developer of the app where the advertisement appears.
__________________________________________________________________________________
Data Processing Agreement
Advertisers intending to do business with Remerge in the EU should utilize the Data Processing Agreement (“DPA”) template available at EU DPA template. Advertisers based outside of Europe should utilize the Non-EU DPA template.
__________________________________________________________________________________
Legal Basis for Processing
Remerge’s legal basis for processing data in this context is to execute a contract (art. 6 (1) (b) of the GDPR). Remerge processes data on behalf of the Controller under the terms of a contractual agreement. The Data Processing Agreement, in combination with the Insertion Order (or similar document), outlines the purposes and means of data processing, ensuring compliance with GDPR and other relevant privacy regulations.
__________________________________________________________________________________
Purpose of Data Processing
Remerge processes information received from the Controller to display interest-based advertising tailored to users' inferred interests or preferences. Remerge’s activities are restricted to executing, optimizing, and reporting on ad campaigns to fulfill the advertiser's objectives, not for our own or independent use.
Anonymized aggregated information is used for analysis to improve services and technologies, provide targeting options for Controllers, and serve relevant advertisements to app users. Additionally, aggregated data is used to analyze the performance of advertising campaigns and provide Controllers with performance reports. Remerge cannot combine this data to identify users personally and does not combine it with any third-party data for this purpose.
__________________________________________________________________________________
Data Collection and Use
No user data is collected or sold directly by Remerge. The Controller determines the purposes and means of data processing and ensures user consent. Remerge processes data provided by the Controller.
The categories of data subjects to be provided include:
- End users of the apps of the Controller, its affiliates, and counterparties
Data Typically Received:
- Mobile identifiers (e.g., IDFA for iOS, Google Advertising ID)
- IP addresses
- Click ID
- specified URL, and
- User Agent (when clicking on an ad)
Additional Data (may include):
- App installation and first opening
- User interactions within the app (e.g., in-app purchases, registration)
- Information on ads viewed or clicked
- Metadata (e.g., timestamp, device type and model, app version, country)
User data is not shared or disclosed except in response to lawful requests by public authorities, including national security or law enforcement. Data is stored only as long as the Controller has appointed Remerge to deliver services or until the Controller informs Remerge of the user's consent withdrawal.
Data of different Advertisers/Controllers is segregated in different silos each and never mixed.
__________________________________________________________________________________________
Sensitive Data Handling - Exclusion
Remerge does not work with or knowingly receive sensitive personal data, including health data, data from children under 13, sensitive financial data, data related to adult-oriented products or services, and highly accurate location data (e.g., GPS). Any sensitive data received inadvertently is promptly deleted, as only whitelisted data types specified by the Controller are processed.
__________________________________________________________________________________
Data Security - Technical Organizational Measures
Remerge is committed to data security and has implemented industry-standard technical and organizational measures (TOMs). You can find detailed information about these measures by downloading the Technical Organizational Measures document linked below or in our Data Processing Agreement (DPA) template.
While no transmission or electronic storage method can be completely secure, in a general conception, we ensure an appropriate level of data protection.
Data from the Controller is received through our client dashboard or API in encrypted form. Our security measures include, but are not limited to:
- Pseudonymization and Encryption: Protecting data by making it anonymous and encrypting it.
- Confidentiality: Ensuring that data is accessible only to authorized personnel.
- Integrity: Maintaining the accuracy and consistency of data.
- Availability: Ensuring that data is accessible when needed.
- Resilience: Building robust systems to withstand and recover from disruptions.
- Segregation: Data of each Advertiser/Controller is segregated and processed in isolated silos. Data from one Controller is not mixed with data from another Controller.
- Restoration Capability: The ability to quickly restore data access and availability in case of an incident.
- Regular Testing and Evaluation: Continuously testing and assessing the effectiveness of our security measures.
Because we use pseudonymized identifiers, such as ADIDs (Advertising IDs), in our services, and because our security measures ensure that these identifiers cannot be traced back to a personal identity by us, the security risk level associated with our services is generally considered low.
For further inquiries about data security, please contact your sales representative or our Data Privacy Team.
__________________________________________________________________________________
International Data Transfers - Subprocessors
Transfers are limited to pseudonymous and encrypted mobile identifiers (e.g., IDFA, Google Advertising ID). Data is stored on dedicated servers at data center providers meeting the highest security standards, with GDPR-compliant data processing agreements in place.
A list of Remerge GmbH subprocessors can be downloaded from the Subprocessors link below, and they are also available in Annex IV of our EU DPA template.
As a Data Processor under GDPR, Remerge uses Standard Contractual Clauses to legally transfer personal data from the EEA unless the country has an Adequacy Decision. These clauses ensure our commitment to privacy and data protection when processing and transferring data outside the EEA while providing services to our customers.
It is important to note that Remerge GmBH is the subprocessor for its subsidiaries outside of the EEA.
__________________________________________________________________________________
Data Retention and Deletion
The collected data is retained as long as the Controller’s account is active or as needed to provide services, whichever is shorter. Personal data is deleted immediately after termination or upon notification of user consent withdrawal.
Information may also be retained as necessary to comply with legal obligations, resolve disputes, and enforce agreements.
How to Opt-out
If you, as an end-user, want to opt out of our services, please follow the instructions below:
Android Users (version 2.3 and above): To opt out of interest-based advertising, follow the instructions provided by Google here (“https://support.google.com/googleplay/answer/3405269”) in “Google Play Help.”
iOS Users (version 6 and above): To use the “Limit Ad-Tracking” option, follow the instructions provided by Apple here (http://support.apple.com/kb/HT4228 ) “Apple Support Center.”
These settings will disable interest-based ads from all providers, not just Remerge. This method is the most efficient for users who prefer to opt out of interest-based advertising entirely. While it is possible to opt out of Remerge's processing specifically, other providers may still deliver the same ads.
__________________________________________________________________________________
Data Subject Rights
Remerge is committed to assisting Controllers in fulfilling data subjects’ rights under GDPR, CCPA, and similar privacy regulations. As a data processor under GDPR, Remerge processes data on behalf of Controllers. Therefore, users wishing to exercise their rights under GDPR should contact the relevant Controller directly. Remerge will assist the Controller as needed and upon their request.
Controllers can access a dashboard and API to enter the user’s advertising identifier and delete the identifier and associated information from Remerge's systems. Users can also contact Remerge for assistance in identifying and contacting the Controller to request access, deletion, or correction of personal data.
Since Remerge does not store or associate advertising identifiers with personal information, users must provide their advertising identifier (accessible via their mobile device) and evidence that it belongs to them. Additionally, users must specify the app or the advertised brand/product when requesting deletion from Remerge. Requests are documented to ensure data protection.
Users should contact the Controller directly for access, correction, or deletion of inaccurate data.
Users can lodge complaints with a data protection supervisory authority regardless of Remerge's role as a processor.
__________________________________________________________________________________
Legal Disclaimer
Remerge reserves the right to disclose or transfer personal information as required by law (based on Art. 6 (1) (f) GDPR) during mergers, acquisitions, dissolution, or asset sales and to protect rights or comply with legal processes. Users will be notified of any changes in ownership or uses of personal information via email or a prominent website notice.
Personal information may also be disclosed (based on Art. 6 (1) (c) GDPR) to protect user safety, investigate fraud, or respond to government requests. Personal information may be disclosed to third parties with prior user consent. Legal storage obligations may require blocking data from further use.
__________________________________________________________________________________
Downloadable pdf
Non-EU Data Processing Agreement
__________________________________________________________________________________
Changes to Our Privacy Policy
This privacy policy may be updated or changed. Changes will be posted to this privacy statement and other appropriate places to inform users of the information collected, its usage, and disclosure circumstances. Regularly check www.remerge.io for the latest version of the privacy policy.
Effective Date: 2018/05/25
Amended on: 2019/10/17: incorporate and reference CCPA
Amended on: 2021/05/21: incorporate services improvements
Amended on: 2021/07/12: Incorporating SCCs in the DPA - C2P in the EU
Amended on: 2024/07/31: text improvements DPO information update