AMPD Digital Profiler Privacy Policy

Purpose of this Policy

This privacy policy (“Policy”) aims to give you information on how RealityMine Ltd and On Device Research Ltd collects and processes your personal data on behalf of Media Partners Asia Research Services Pte Ltd (MPA). MPA has engaged RealityMine Ltd to provide software applications and data processing services for the purposes set out in this Policy.

This Policy applies to all MPA respondents who agree to participate in research programs (“Program”) that involves downloading and installing to their mobile device or computer, a software application (the “App”) developed by On Device Research Ltd. utilising an SDK developed by RealityMine Ltd., or a software application developed by RealityMine Ltd.

‘Data Controller’ refers to MPA as Data Controller, ‘We’, ‘us’ and ‘our, refers to RealityMine Ltd and On Device Research as Data Processors. The Data Controller has appointed a data protection officer (DPO) and the Data Processor has appointed a data protection manager (DPM) and DPO each of whom will be happy to address any questions you have in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your Legal Rights, please contact the DPO or DPM using the details set out below.

Contact details

For further information about our Privacy Policy or our processing of data about you, please contact us by either of the following methods:

Primary contract: Media Partners Asia Research Services Pte. Ltd. acting as Data Controller

Full name of legal entity: Media Partners Asia Research Services Pte. Ltd.

Name or title: Data Protection Officer

Email address: dpo@ampd-research.com

Postal address: 45A Amoy Street, Singapore 068971

Additional contact: RealityMine Ltd acting as Data Processor

Full name of legal entity: RealityMine Ltd

Name or title: Data Protection Manager

Email address: dpm@realitymine.com

Postal address: Data Protection Manager, RealityMine Limited. Warren Bruce Court, Warren Bruce Rd, Stretford, Manchester, M17 1LB, United Kingdom

Additional contact: On Device Research Ltd. acting as Data Processor

Full name of legal entity: On Device Research Ltd.

Name or title: Data Protection Officer

Email address: data-protection@ondeviceresearch.com

Postal address: Data Protection Officer, On Device Research, 1a Winscombe Street, London, N19 5DG United Kingdom

In Singapore, you have the right to make a complaint at any time to the Personal Data Protection Commission (PDPC), the Singapore supervisory authority for data protection issues (https://pdpc.gov.sg). We would, however, appreciate the chance to deal with your concerns before you approach the PDPC so please contact us in the first instance.

In the Philippines, you have the right to make a complaint at any time to the National Privacy Commission, the Philippines supervisory authority for data protection issues (https://privacy.gov.ph). We would, however, appreciate the chance to deal with your concerns before you approach the National Privacy Commission so please contact us in the first instance.

In Indonesia, you have the right to make a complaint at any time to the Ministry of Communications & Information Technology, the Indonesian supervisory authority for data protection issues (www.kominfo.go.id). We would, however, appreciate the chance to deal with your concerns before you approach the Ministry of Communications & Information Technology so please contact us in the first instance.

In Thailand, you have the right to make a complaint at any time to the Personal Data Protection Committee, the Thai supervisory authority for data protection issues (https://pdpc.th). We would, however, appreciate the chance to deal with your concerns before you approach the Personal Data Protection Committee so please contact us in the first instance.

In Malaysia, you have the right to make a complaint at any time to the Personal Data Protection Commission (PDPC), the Malaysia supervisory authority for data protection issues (https://daftar.pdp.gov.my). We would, however, appreciate the chance to deal with your concerns before you approach the PDPC so please contact us in the first instance.

You may also contact Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (https://ico.org.uk).

Changes to the privacy notice and your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Information Collection

The Information We Hold:

We may collect both personal information and non-personal information from you as described below.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How we Collect the Information:

We use different methods to collect data from and about you. We have set out below further detail on exactly how data is collected from you when using the Application.

The Application collects ‘clickstream data’ and may also gather diary/survey data if configured. Clickstream data is information generated by you and your device while surfing the Internet and interacting with various sites, services and device functions.

The service will either install the “Meter” (a piece of software on your device to collect the data described above) and/or will establish the “VPN” (a profile on your device to direct all internet data generated by and for your device through RealityMine to enable Us to collect the data). Regardless of whether data is collected via the Meter or the VPN, We will only use the data as described in this Policy.

In greater detail, the Application may collect the following types of information:

  1. Online browsing: This includes the sites you visit and apps you use, including news sites/apps or social networks, and your interactions with them.
  2. Online activities: This includes the search terms you enter and the results of such searches, the videos you view, the products you shop for online, information you enter into forms, the materials you download or upload, the advertisements you see, cookies on websites you visit, information and content on sites or apps that you visit or use and with which you interact and may include personal, financial and health information (subject to the process described below in the section entitled “Protecting Personal & Sensitive Information”).
  3. System information: This includes information about the device and browser that you are running on, including the IP address and phone number of the device, how the Application is operating, and which other applications are installed or running.
  4. Mobile Usage Information, which refers to information about your use of your mobile device which we are able to collect if you have downloaded and installed one of our Applications/VPN profiles on your device. Please note this information is collected and transmitted to us ‘in the background’ and does not require any further activation on your part. We call this ‘passive tracking’. This can include the following types of information:
    • Information about your internet browsing habits – how much time you spend browsing the internet on your mobile device or computer, the sites you visit or apps you use, and the terms of any search you carry out.
    • Information about your usage of other apps and features (such as the camera, though we do not collect any photos) on your mobile device, including the identity of the apps and features, when you downloaded them, how often you use them and for how long.
    • Your location (see below)
    • Information about the time and duration of calls you make or receive on your mobile device. We do not collect or record the content of your calls.
    • Information about when you send or receive text messages, SMS or MMS. We do not collect or record the content of SMS text or MMS messages sent and received through your phone’s native OS.
    • Information about the time emails are sent and received on your mobile device.
    • Whether you call, email, SMS or MMS, RealityMine systems ‘scramble’ those persons’ numbers or email addresses, so we will not identify the telephone number or email address of the person you are calling/emailing/texting; however, we can tell whether they are already in your ‘Contacts’ in your mobile device.
    • Information about the type of mobile device you own, when and for how long you charge it, its battery status, whether it is switched on, off or in a stand-by or ‘Airplane’ mode.
    • Information about which mobile network you use, which wi-fi networks you connect to, and at what times.
    • Information about the volume of data downloaded to your mobile device, the times that you download that data and the method of connection you use (wi-fi or mobile network).
    • Information we can deduce from combining the above information e.g. what apps you were using just before you searched for particular information using your mobile device’s internet browser, or how often you call, email or text a particular contact, or the geographic location in which you are most likely to charge your device, make a telephone call, or download an app.
    • Operating system capabilities to view to contents of your applications such as Accessibility services.
    • The AdvertiserID/IDFA of your device.
    • Calendar
  5. Location Information, meaning data which reveals the geographic location of you and your mobile device, where you have given us your consent to collect such information. When you first download the Application, you will be asked if you agree to your location information being disclosed to us. If you consent, then we may collect and transmit this information on a semi-continuous and passive basis, which does not require any further activation on your part. If you wish at any stage to turn off this passive location tracking, you will need to uninstall the Application, by following all of the defined steps from the instructions set out in the Application Removal section below.
  6. Information you provide. In some cases, we may ask you to send video, audio or image content to us. That content may include personal information, for example in the form of an identifiable image of you.
  7. Audio Content Information. The devices may sample background audio content using the device’s microphone. The actual audio is never stored, but immediately converted into a “fingerprint” in a non-reversible process. The “fingerprint” is used to try and identify the TV show or commercial being listened to. This feature is disabled during phone calls.
  8. The above list contains examples of the type of data collected and is not a comprehensive list of every single data element.

Protecting Personal & Sensitive Information

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on the Data Controllers instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so

Cookies

We may collect certain information in part through the use of a technology called a “cookie.” A cookie is a small text file that is saved to your device using your browser, which allows sites to recognize you and store preferences and other information if you return to the site using the same device and browser.

We use temporary session cookies during the download and registration process to correctly identify the research panel that you have joined, enable the creation of a unique, anonymous identifier and to trigger the download process.

We may use cookies apart from the Application and link that data to other data in your profile, including data that is collected through your use of the Application.

You may remove cookies and/or control their operation by adjusting your browser settings. Please visit the ‘help’ section of your browser for more information.

How we use your data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Purposes for which We will use your personal data

We process your data on the basis that we have a legitimate Interest in doing so and to ensure the proper performance of the Contract which we have in place with the Data Controller.

Purposes for which the Data Controller will use your personal data

This section describes how your data – which includes web use, app use, demographic information, survey responses and information we have obtained from third parties – contributes to the kinds of services provided by the Data Controller to their client or clients (‘Clients’). Typically, panel members’ data is combined into consumer segments and reported upon as aggregated (or grouped) results. Consumer segments are pools of users who have common interests or characteristics, for example, “women between the ages of 28-34 interested in using Netflix.” Once aggregated, the results and consumer segments are shared with the Clients of the Data Controller and other parties as described in this Policy. On some occasions, the Data Controller may share non-aggregated results for limited purposes. The following are examples of the kinds of services the Data Controller provides, and how your data is used in these services:

Advertising Research – Your data is combined with data from other users into a pool that is then analyzed for exposure to certain advertising. Information about the combined pool, which does not identify any particular user, is shared with the Data Controller so they can understand if and how their advertising spending impacts the consumer journey and consumer decisions. For example, by comparing the behaviors of a group of users who saw a particular online advertisement with another group of users who did not see that advertisement.

Media Use Analysis – Your data is combined with data from other users to form consumer segments that are shared with the Data Controller without identifying any particular user. These segments are typically analyzed on behalf of Clients to understand where consumers go online and how consumers interact with digital media, which includes website content, apps and advertising that they see. For example, the Data Controller may help companies understand the effectiveness of their websites or apps by comparing how users are interacting with their websites or apps versus how users are interacting with their competitors’ websites or apps.

Profile Building – The Data Controller may use the personally identifiable information you have provided to us outside of the Application or an anonymous identifier associated with you (such as an IP address or similar identifier) to get additional information about you from other public and private data sources. These third-party data sources may provide them information on your purchases (both online and off-line), your household and lifestyle information, and broader demographic and personal history details. The Data Controller may combine this information with other information to create and enhance profiles that are shared as described in this Policy. For example, by looking at both web browsing activity and in-store purchases, the Data Controller’s research may identify a consumer segment whose members visit certain websites when they are in the process of researching a product (like a television, computer, or automobile) but are likely to make the actual purchase in a physical store. This data can help the manufacturer or seller of that product better understand where to find customers who may be interested in their products.

Consumer Analysis – The Data Controller may use your data, including personally identifiable information they have obtained directly or through a trusted third-party vendor, to enhance their or their Client’s consumer segments explained above. The Data Controller uses personally identifiable information in this way when their Client already has this information because it is usually the only way to match their profiles with those of their Clients. Sometimes the Data Controller may gather information from your clickstream data, such as a session ID, and share it with a third party in order to match your information with the information possessed by a third party as part of their services. Although in each of these cases they may permit these other parties and their customers to use your information to enhance their broader consumer segments, to which they then may target advertising. In the normal course of your online activities, you may be a member of a broader consumer segment that sees particular advertising that your data helped create.

Targeted Surveys - The Data Controller may send you invitations to participate in surveys on the basis of your online behaviors collected by the Application. For example, if you visit sites that suggest you enjoy travel, the Data Controller may send you a survey regarding travel services. The Data Controller may provide their Clients with some or all of the responses to these surveys without directly identifying any particular user, including specific answers and quotes from individual respondents.

The Data Controller may also use your information for purposes of maintaining the configuration and proper functioning of the Application, for database or Application services (such as customer support, email, or surveys), and for purposes of data quality and data cleansing.

As part of the registration process prior to installation of the Application or in connection with your participation in a survey or other service, the Data Controller may directly collect information such as your name, telephone number, email address, birth year, household information, income and gender. This information is part of your consumer profile and used as described above. Of course, the contact information you give also helps the Data Controller reach you with information related to Application maintenance and upgrades and other service related communications.

When working with a third party (such as another data provider) to supplement your profile, the Data Controller protects your privacy by having the data provider sign a confidentiality agreement stating that they will not share personally identifiable information with unauthorized parties. The Data Controller instructs them to maintain the confidentiality, security and integrity of the information we provide and not to use the information for any purpose other than those explicitly authorized.

The Data Controller may share information about you with authorized vendors and service providers, in connection with the services that they perform. These third parties are prohibited from using your information for other purposes.

Additional Disclosure of your Information

In the event We go through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your information may be among the assets transferred.

We also reserve the right to disclose your information as required by law, court order, or legal process served on us, when we believe that disclosure is necessary to protect our rights, or to combat suspected fraudulent activities.

Application Removal

You can opt-out of this Program at any time by removing the Application from your device. For instructions on how to do so, please read and follow all defined steps of the Application Removal Instructions which were provided to you when you joined the study. However, an overview of the process for each operating system is outlined below:

If you've installed the Curious Cat application, go to the 'in progress' tab and find the AMPD Digital Profiler task. Tap 'Settings', tap 'Deactivate' and follow the in-app instructions to deactivate the SDK and exit the project. If as part of this study you installed a VPN, you will need to remove the Root Certificate from your settings.

If you are using a Windows machine, find AMPD in ‘Programs and Features’, double click to bring up the uninstallation wizard and click ‘Uninstall’. Following these steps will automatically remove all browser extensions.

If you are using a OSX machine, Force Quit AnalyzeMe, drag the application to the trash and then empty the trash. Following these steps will automatically remove all browser extensions.

If you are not able to quickly and easily opt-out from data collection, we can and will help you if you ask. If you have any questions regarding removal or opting-out, you must contact the Data Controller.

If you have set your browser to “private browsing” or a similar setting, the Application may still continue to operate and collect data to be sent to Us. To completely stop the operation of the Application and the collection of data from your device, you must follow the instructions above to remove the Application.

Data Security

We have put in place appropriate technical and organisational measures to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Security Incident Notification

If We become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Us (each a “Security Incident”), We will promptly and without undue delay (1) notify the Data Controller of the Security Incident; (2) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident in conjunction with the Data Controller.

Notification(s) of Security Incidents will be delivered by the Data Controller to the Data Subject.

All parties mentioned herein will make reasonable efforts to assist the Data Controller in fulfilling their obligation under the Personal Data Protection Act 2012 (Republic of Singapore), the Data Privacy Act 2012 (Republic of the Philippines), the Personal Data Protection Regulation 2016 (Republic of Indonesia), the Personal Data Protection Act 2019 (Kingdom of Thailand), Personal Data Protection Act 2010 (Act 709) (Malaysia), and GDPR Article 33, or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.

Our obligation to report or respond to a Security Incident under this section is not an acknowledgement by Us of any fault or liability with respect to the Security Incident.

The Data Controller must notify Us promptly about any possible misuse of data.

Data Access Rights

You have the right to request:

If you would like to modify or remove personally identifiable information about you that is being held by Us, then you should contact your Data Controller with your specific requests. Such access rights do not include the ability to modify or remove clickstream data, information that has been inadvertently collected as described above in the Protecting Personal & Sensitive Information section or information that has already been shared with a third party as permitted by this Policy.

If you wish to access the data we hold on you, you can access the Data Subject Access Request (DSAR) form by contacting who will provide the form to you within 30 working days. As part of the DSAR, you will be asked to provide two forms of identification to the Data Controller, which should be dated within the last 3 months.

If you wish to lodge a complaint, you can do so by contacting , who will respond to you within 30 days.

GLOSSARY

LAWFUL BASIS

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

YOUR LEGAL RIGHTS

You have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Your request will be actioned within 90 days following company policy.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. At the instruction of the Data Controller, We will perform data processing in order to produce our suite of data products. Your Data Controller will then receive a selection of these reports to meet their business requirements.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Data Retention

We will retain the information described above for as long as the information has value as part of the services we offer to our clients, or as long as is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, up to a maximum of 3 years from the first date of data collection. If you opt out of the Program by following the directions to remove the Application as described above in the Application Removal section, we no longer will collect data from you but we will retain and continue to use your data collected prior to your removal of the Application unless you contact us pursuant to the Data Access Rights section above.

Children’s Privacy

We do not seek to collect personal information from users under the age of 15 for use in connection with our online research panels. If we do seek to collect personal information from users under 15 in the future, we will, when applicable, obtain verifiable parental consent and adhere to the Children’s Online Privacy Protection Act and all appropriate data laws and regulations.

Privacy Policy Changes

If we are going to use your information in a manner materially different from that stated in our Privacy Policy at the time of collection, you will be notified by your Data Controller via email. If we make any non-material changes to our privacy practices that do not affect information already stored in our database or for future collection, your Data Controller will post a prominent notice on their website notifying members that there is a change and pointing them to the revised privacy policy.

Contact Us

If we have any personally identifiable information about you, you may correct, update or delete your contact information by contacting the Data Controller.

If you have questions related to this Policy, the data that has been collected by the Application, or other privacy concerns, please contact the Data Controller.

If you wish to contact the Data Protection Officer of the Data Controller, you can do so by emailing dpo@ampd-research.com

If you wish to contact the Data Protection Manager of the Data Processor at RealityMine, you can do so by emailing dpm@realitymine.com

If you wish to contact the Data Protection Officer of the Data Processor at On Device Research, you can do so by emailing data-protection@ondeviceresearch.com