GDPR Compliance

1. Our Commitment to GDPR Compliance

IMC, Inc. and its affiliates ("IMC," "we," "us," or "our") are committed to protecting the privacy and fundamental rights of individuals in the European Economic Area (EEA), United Kingdom (UK), and Switzerland in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and all related implementing legislation (collectively, "European Data Protection Laws").

We have implemented comprehensive data protection measures across our organization, including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, maintaining records of processing activities, implementing privacy by design and by default principles, and establishing robust data breach notification procedures. This page describes our GDPR compliance program and your rights as a data subject.

2. Scope and Applicability

This GDPR Compliance page applies to the processing of personal data of individuals located in the EEA, UK, and Switzerland in connection with: (a) our corporate websites and client interfaces; (b) our advertising technology platform and services, including our SSP, DSP, ad server, analytics, fraud detection, and brand safety tools; (c) our sales, marketing, and business development activities; and (d) any other interactions with IMC. This page supplements our Privacy Policy and should be read in conjunction with it.

3. Our Role: Controller vs. Processor

Under the GDPR, IMC may act in different capacities depending on the context of the data processing:

• Data Controller: IMC acts as a data controller when we determine the purposes and means of processing personal data, such as when we process data through our advertising platform for our own purposes (e.g., ad delivery, fraud detection, platform improvement), when we collect data through our websites, and when we process data for our own marketing and business operations.
• Data Processor: IMC acts as a data processor when we process personal data solely on behalf of and under the documented instructions of our clients (the data controllers). In such cases, our clients' privacy policies govern the processing, and we process data only as instructed by the client, subject to our Data Processing Agreement.
• Joint Controller: In limited circumstances within the EU, IMC and its publisher clients may act as joint controllers for the initial collection of identifiers and user information on digital properties and the transmission of this information to IMC. Further processing is IMC's sole responsibility as an independent controller.

4. Lawful Basis for Processing

We process personal data based on one or more of the following lawful bases under Article 6 of the GDPR:

• Consent (Article 6(1)(a)): Where you have given clear, informed, and unambiguous consent to the processing of your personal data for one or more specific purposes. This is the primary basis for processing related to personalized advertising, creating user profiles, and storing/accessing information on your device. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Contractual Necessity (Article 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This applies to managing client accounts, providing our services, and processing transactions.
• Legitimate Interest (Article 6(1)(f)): Where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your data protection rights and fundamental freedoms. We rely on legitimate interest for fraud detection and prevention, security of our systems, frequency capping, delivering and presenting advertising, saving privacy choices, improving our services, and internal business operations. We have conducted balancing tests for each legitimate interest processing activity.
• Legal Obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject, such as tax reporting, regulatory compliance, and responding to lawful requests from authorities.

For detailed information about the legal basis for each specific processing purpose, please refer to the table in Section 9 of our Privacy Policy.

5. Personal Data We Process

The categories of personal data we process in connection with our services include: device characteristics and identifiers (cookie IDs, device advertising IDs, IP addresses, hashed email addresses); browsing and interaction data; user profiles and behavioral data; non-precise and precise location data; contact and professional information provided directly by individuals; and financial and billing information for our clients. For a comprehensive description of the personal data we collect, please see Section 4 of our Privacy Policy.

We do not intentionally collect or process special categories of personal data (as defined in Article 9 of the GDPR), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. We contractually prohibit our clients and partners from passing such data to our platform.

6. Your Rights Under the GDPR

As a data subject located in the EEA, UK, or Switzerland, you have the following rights under the GDPR and equivalent legislation:

• Right of Access (Article 15): You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data along with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the source of the data.
• Right to Rectification (Article 16): You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. You also have the right to have incomplete personal data completed.
• Right to Erasure / Right to Be Forgotten (Article 17): You have the right to obtain the erasure of your personal data without undue delay where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal ground for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required for compliance with a legal obligation.
• Right to Restriction of Processing (Article 18): You have the right to obtain restriction of processing where: you contest the accuracy of the data (for a period enabling us to verify accuracy); the processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance, where the processing is based on consent or contractual necessity and is carried out by automated means.
• Right to Object (Article 21): You have the right to object at any time to the processing of your personal data based on legitimate interest, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time, and we will cease processing for such purposes.
• Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for a contract, authorized by law, or based on your explicit consent.
• Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. How to Exercise Your Rights

To exercise any of your rights under the GDPR, you may:

• Contact our Data Protection Officer at dpo@imc.ad;
• Contact our Privacy Team at privacy@imc.ad;
• Submit a request through our contact page;
• Write to us at any of our office addresses listed below.

We will respond to your request without undue delay and in any event within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. We will verify your identity before processing your request. If we cannot verify your identity, we may request additional information. There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

8. Consent Management

Where consent is the legal basis for processing, we ensure that consent is: (a) freely given, specific, informed, and unambiguous; (b) given by a clear affirmative action; (c) as easy to withdraw as it is to give; and (d) documented and auditable. We work with our publisher clients to ensure that appropriate consent management platforms (CMPs) are implemented on their digital properties to obtain valid consent from end users before our platform processes their personal data for purposes that require consent.

We participate in the IAB Europe Transparency & Consent Framework (TCF), which provides a standardized mechanism for obtaining and communicating user consent across the digital advertising ecosystem. When a user provides or withholds consent through a TCF-compliant CMP, we respect those choices and process data accordingly.

9. Joint Controllership

In the European Union, IMC and its publisher clients may, in limited circumstances, act as joint controllers under Article 26 of the GDPR for the initial collection of identifiers and user information on digital properties and the transmission of this information to IMC ("Joint Processing"). Further processing of your information beyond this initial collection is IMC's sole responsibility as an independent controller.

We have entered into joint controller arrangements with our publisher clients that set out the respective responsibilities of each party, including: (a) the distribution of responsibilities for compliance with GDPR obligations; (b) the respective roles for providing transparency information to data subjects; (c) the mechanisms for cooperation with data protection authorities; and (d) the procedures for handling data subject rights requests. Our publisher clients are responsible for establishing the necessary legal basis for Joint Processing by obtaining consent on their digital properties and providing the required transparency information.

Regardless of the terms of any joint controller arrangement, you may exercise your rights under the GDPR with respect to and against each controller. If you wish to exercise your rights concerning Joint Processing, please contact us using the details provided below.

10. International Data Transfers

As a global company with headquarters in the United States and offices in the UK and Singapore, IMC may transfer personal data originating in the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection by the European Commission or the relevant UK or Swiss authorities. When we make such transfers, we implement appropriate safeguards in accordance with Chapter V of the GDPR, including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organizational measures where necessary based on transfer impact assessments;
• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office;
• Compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework;
• Adequacy decisions by the European Commission, where applicable;
• Binding Corporate Rules, where applicable;
• Derogations under Article 49 of the GDPR, where no other transfer mechanism is available and the conditions for the derogation are met.

We conduct transfer impact assessments to evaluate the level of data protection in the recipient country and to determine whether supplementary measures are necessary to ensure that the transferred data receives an essentially equivalent level of protection. You may request a copy of the applicable transfer mechanism by contacting us at legal@imc.ad.

11. Data Privacy Framework

IMC complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce. IMC has certified to the U.S. Department of Commerce that it adheres to the DPF Principles with regard to the processing of personal data received from the EU, UK (and Gibraltar), and Switzerland. If there is any conflict between the terms of our privacy policies and the DPF Principles, the DPF Principles shall govern. The Federal Trade Commission has jurisdiction over IMC's compliance with the Data Privacy Framework. For more information, please see Section 14 of our Privacy Policy.

12. Sub-Processors

When IMC acts as a data processor on behalf of its clients, we may engage sub-processors to assist in the delivery of our services. We maintain a list of approved sub-processors and will provide prior written notice to our clients of any intended changes to the list of sub-processors, giving clients the opportunity to object to such changes. All sub-processors are subject to contractual obligations that require them to process personal data only as instructed, to implement appropriate technical and organizational security measures, and to comply with applicable data protection laws. For more information, please see our Data Processing Agreement.

13. Data Protection Officer

IMC has appointed a Data Protection Officer (DPO) in accordance with Articles 37-39 of the GDPR. Our DPO is responsible for: (a) informing and advising IMC and its employees about their obligations under the GDPR; (b) monitoring compliance with the GDPR and our data protection policies; (c) providing advice on Data Protection Impact Assessments; (d) cooperating with supervisory authorities; and (e) acting as the contact point for supervisory authorities and data subjects on issues relating to data processing.

You can contact our Data Protection Officer at:

14. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, IMC conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. This includes, but is not limited to, large-scale processing of personal data for advertising purposes, systematic monitoring of publicly accessible areas, and the use of new technologies for data processing. Our DPIAs assess the necessity and proportionality of the processing, the risks to data subjects, and the measures to mitigate those risks. We consult with our DPO and, where required, with the relevant supervisory authority before commencing high-risk processing activities.

15. Data Breach Notification

IMC has established comprehensive data breach detection, investigation, and notification procedures in accordance with Articles 33 and 34 of the GDPR. In the event of a personal data breach:

• We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
• Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to the affected data subjects without undue delay.
• Where IMC acts as a data processor, we will notify the relevant data controller without undue delay after becoming aware of a personal data breach.
• We maintain a register of all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken.

16. Data Retention

In accordance with the data minimization principle (Article 5(1)(c)) and storage limitation principle (Article 5(1)(e)) of the GDPR, we retain personal data only for as long as necessary to fulfill the purposes for which it was collected. For detailed information about our retention periods, please see Section 15 of our Privacy Policy. We regularly review our retention periods and securely delete or anonymize personal data that is no longer necessary.

17. Security Measures

In accordance with Article 32 of the GDPR, IMC implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Pseudonymization and encryption of personal data;
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing;
• Access controls, multi-factor authentication, and role-based access management;
• Network security controls, intrusion detection and prevention systems;
• Employee security awareness training and confidentiality obligations;
• Physical security controls for offices and data centers;
• Regular security audits and vulnerability assessments.

18. IAB Transparency & Consent Framework

IMC participates in the IAB Europe Transparency & Consent Framework (TCF) and complies with its specifications and policies. The TCF provides a standardized approach to obtaining and managing user consent for the processing of personal data in the digital advertising ecosystem. Through the TCF, publishers can communicate user consent choices to all vendors in the advertising supply chain, ensuring that personal data is processed only in accordance with the user's preferences. We respect the consent signals communicated through TCF-compliant consent management platforms and process personal data accordingly.

19. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR or other applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 of the GDPR). You also have the right to an effective judicial remedy against a supervisory authority (Article 78) and against a controller or processor (Article 79).

• EEA: Contact your local Data Protection Authority. A list of EEA DPAs is available at the European Data Protection Board website (edpb.europa.eu).
• UK: Contact the Information Commissioner's Office (ICO) at ico.org.uk or by phone at +44 303 123 1113.
• Switzerland: Contact the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

We encourage you to contact us first so that we can try to resolve your concern directly. We take all complaints seriously and will investigate and respond to your complaint in a timely manner.

20. Contact Us

For any GDPR-related inquiries, to exercise your rights, or to raise a concern about our data protection practices, please contact us: