Privacy and Cookie Notice

Short Privacy Notice

Date last updated: 7th July 2022


We have updated this information to provide you with more detailed information about the ways we use your personal data and to include changes we have made following the recent decision of the Belgian Data Protection Authority about the IAB Transparency and Consent Framework, which is the rules and procedures used to make online advertising work. This ruling means we will require Hybrid Theory partners to collect your consent before we will accept your personal data from them. In most cases, they asked for your consent for this processing anyway. You have always had the right not to allow your personal data to be processed for these reasons.
At Hybrid Theory, we are dedicated to consumer privacy. Our technology and processes are regularly audited by the Audit Bureau of Circulations (ABC) and the European Digital Advertising Alliance (EDAA) to ensure we meet industry best practices of consumer data privacy. Any data we collect will only be used in accordance with all applicable laws, including the General Data Protection Regulation (2016/679) (GDPR) within the European Union (EU), the Data Protection Act 2018 (DPA) within the United Kingdom (UK), the ePrivacy Directive (2002/58/EC) as implemented in EU member states, the Privacy and Electronic Communications Regulations 2003 in the UK, the California Consumer Privacy Act of 2018 (CCPA), the Brazil General Personal Data Protection Law of 2018 (LGPD), the Singapore Personal Data Protection Act 2012 (PDPA), the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021 (PDPO) and the Australia Privacy Act No. 119 1988 (Privacy Act).
Hybrid Theory reserves the right to revise and update this Privacy Notice as and when necessary, but we will always ensure we highlight any changes to data subjects. Please find the most recent version history for this Privacy Notice below:

| Version | Last Updated | Key Changes |
| --- | --- | --- |
| V1.0 | 4 June 2018 | Not applicable |
| V1.1 | 4 November 2018 | Updates to include cookies and opt-out information |
| V1.2 | 26 February 2020 | Updates to include information on CCPA rights and more detailed information on advertising and profiling activities |
| V1.3 | 7 May 2020 | Updates to include reference to EU-U.S. Privacy Shield |
| V1.4 | 10 August 2020 | Changes to formatting; inclusion of more detailed profiling and international data transfer mechanisms |
| V1.5 | 19 April 2021 | Inclusion of updated international data transfer mechanisms |
| V1.6 | 18 August 2021 | Update to supervisory authority contact details and new systems and various clarifications |
| V1.7 | 2 November 2021 | Updates and expansion to cookie notice |

Hybrid Theory provides technology services that enable you to receive online advertisements that are relevant to your interests. Through this, we process pseudonymous data which relates to the relationships between people, the website pages they visit and/or the actions they take on a website, with the purpose of facilitating advertising to consumers that is more relevant and tailored to their particular interests. We achieve this through creating segmented profiles based on users’ browsing history that allows our clients to categorize users with similar characteristics or interests, improving their ability to deliver more relevant advertising. In doing so, we make all efforts to ensure that we only process personal data where we have a suitable legal basis to do so and only process personal data in a pseudonymous form where possible.
Hybrid Theory is a data controller and is either jointly or solely responsible for processing your personal data. You may contact our Data Protection Officer at privacy@hybridtheory.com.
This Privacy Notice applies to information we collect through our website and in the course of providing our services and operating our business. Please note, this Privacy Notice does not apply to Personal Data collected through the recruitment process or during employment (please see our Recruitment Privacy Notice for how we use the personal data of job applicants). We may collect, use, store and transfer different kinds of personal data about you if you give us permission to do so. The categories of personal data we will ask to collect may include:

  • Identity Data
  • Contact Data
  • Financial Data
  • Browsing Data
  • Technical Data
  • Behavioural Data
  • Marketing and Communications Data

This data may be collected through information you submit directly to our website or cookies operated by Hybrid Theory or our third-party partners or collected through our website or as you otherwise provide to us, including through the course of our business activities. We define and explain these categories of data further below (Section 3. How Is Your Personal Data Collected?). We may also collect limited personal data in order to keep our website and computer systems safe, prevent fraud and identify and fix bugs.

We use different methods to collect data about you, which are explained further below (Section 5. Disclosures Of Your Personal Data).

We will only use your personal data for the purpose for which we obtained it through the course of our business activities, and for which you give us consent, which may include the following:

  • To improve our website, products or services
  • To contact you in the course of marketing or customer relationships
  • To recommend products or services which may be of interest to you
  • To create profiles of your interests in order to show you relevant
    advertisements
  • To measure the performance of advertisements you see
  • To generate insights about the people who see the advertisements we show
  • To show you the best version of the advertisement for the device you are using
  • To identify you and your device
  • To link the devices you use to give you a consistent online experience including creating a consistent profile about you based on information collected from any of your devices
  • To identify your precise location in order to show you relevant advertisements.

We will also collect personal data to keep our website and computer systems safe, to prevent fraud and to identify and fix bugs on the basis of our legitimate interests in providing a safe service that functions as intended, and protecting ourselves against crime. You can choose to opt out of this.

More details on how we create profiles and use your personal data can be found below (Section 4. How We Use Your Personal Data).

We may share your personal data with our trusted third-party partners, including organisations we use for data storage and real-time bidding platforms that allow our clients to present suitable, targeted advertising to you. When we share your personal data, we put in place the appropriate contractual terms to require that the other party protects your data. This is explained further below (Section 5. Subheading, Third Party Partners).
In addition to our local systems, which are sited in the countries in which we have offices, the information that you provide to us may be stored in our secure servers which are located in Dublin, Ireland within the European Economic Area (EEA). On occasion, we may transfer data between countries. In particular:

  • We may share personal data with our staff in our offices such as in the UK, Spain, Singapore, Hong Kong and Australia
  • As part of our online advertising activities, we may collect data from various locations around the world, including the UK, EU, US, Singapore, Hong Kong, Australia, Brazil and other countries, and this may be shared with third party partners in other countries
  • We use third-party hosting and IT service providers with data centres in the UK, EU and US, which may involve transferring data to these regions
  • We transfer personal data to our clients, partners and third-party hosting and IT service providers, typically in the UK, EU, US, Singapore, Hong Kong and Australia

For this purpose, we conduct a transfer impact assessment of any data flows before the transfer takes place, which involves considering the risk of using certain third parties or providing access to data to foreign jurisdictions, and what measures we have in place to ensure the security of any personal data we share. Where we share or transfer the personal data of UK or EU citizens, we ensure the following safeguards are in place:

  • Adequacy decisions adopted by the European Commission, the Information Commissioner’s Office and/or the UK Secretary of State
  • Standard Contractual Clauses (SCCs) between our legal entities and third parties approved for use in the UK and/or EU
  • Technical measures, such as encryption and pseudonymisation.

More details can be found below (Section 6. International Transfers).

Under certain circumstances, you have rights under data protection laws in relation to your personal data that we collect, which we are committed to respecting. If you are a UK or EU citizen, you have the right to:

  • Request a copy of your personal information that we process
  • Request any inaccuracies in your personal information be corrected
  • Object to or restrict the processing of your personal data in certain circumstances
  • Have your personal information erased, where we no longer require it
  • Understand the logic behind any automated decision making processes we use, and the right not to be subject to wholly automated decisions that have legal or similarly significant effects on you.

If you are unhappy about the ways we process your personal data, you may complain to the appropriate supervisory authority. These rights may be limited where we process personal data about you in an anonymous form, in which case you should contact the website publisher that originally collected the information from you. Additionally, we may require additional information or identifiers from you, such as CookieIDs, in order to comply with a request for the exercise of your legal rights. More details can be found below (Section 10. Cookies).

If you are a Californian citizen, the CCPA provides consumers (California residents) with specific rights regarding their personal information. In particular, you have the right to:

  • Request information about the processing of your personal data and access it
  • Request a copy of personal information we hold about you in a commonly used format
  • Request deletion of your personal information
  • Request information about third parties to whom your data has been disclosed
  • Opt-out from the sale of personal data to other companies
  • Not be discriminated against as a consumer when you exercise any of your
    CCPA rights

You have the right to opt-out from allowing us to process your personal data in order to show you advertisements tailored to your interests. To exercise this, please click https://hybridtheory.com/opt-out. Please note that exercising this right will not prevent you from seeing online advertising.
If you are looking for more information on how we process your personal data including details on data security, data retention, individual rights and lawful processing bases, please read our website Privacy Notice below.

Long Privacy Notice

Date last updated: 20th June 2022

We have updated this information to provide you with more detailed information about the ways we use your personal data and to include changes we have made following the recent decision of the Belgian Data Protection Authority about the IAB Transparency and Consent Framework, which is the rules and procedures used to make online advertising work. This ruling means we will require our clients to collect your consent before we will accept your personal data from them. In most cases, they asked for your consent for this processing anyway. You have always had the right to stop your personal data being processed for these reasons.
Hybrid Theory respects your privacy and is committed to protecting your personal data. This Privacy Notice will inform you in more detail as to how we look after your personal data when you visit our website or that we otherwise collect from you (regardless of where you visit from) and tell you about your privacy rights and how the law protects you.
Hybrid Theory is the data controller, either jointly or solely, and is responsible for the legality of processing your personal data (collectively referred to as “Hybrid Theory”, “we”, “us” or “our” in this privacy notice).

CONTACT DETAILS

Hybrid Theory has appointed a Data Protection Officer (DPO), as we are legally required to by virtue of our online advertising activities. Our DPO is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below. You can contact our DPO in the following ways:

  • Full name of legal entity: Hybrid Theory Global Ltd.
  • Email address: privacy@hybridtheory.com
  • Telephone number: +44 (0) 20 7090 1000
  • Postal address: Epworth House, 25 City Road, London EC1Y 1AA, United Kingdom
  • Telephone number: +44 (0) 20 3934 2174

You have the right to make a complaint at any time to your supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.

The Information Commissioner’s Office (ICO) is the UK supervisory authority for data protection issues for UK citizens.

The ICO’s contact details are below:

  • Email address: icocasework@ico.org.uk
  • Postal address: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Telephone number: +44 (0) 303 123 1113

The Agencia Española de Protección de Datos (AEPD) in Spain is Hybrid Theory’s EU lead supervisory authority for data protection issues for EU citizens, owing to the presence of Hybrid Theory’s core data engineering operations in Spain.

The AEPD’s contact details are below:

  • Postal address: C/ Jorge Juan, 6. 28001 – Madrid
  • Telephone number: +34 (0) 91 266 35 17

The California Privacy Protection Agency (CalPPA) is the supervisory authority for data protection issues for Californian citizens.

The CalPPA’s contact details are below:

  • Email address: info@cppa.ca.gov

The Singaporean Personal Data Protection Commission (PDPC) is the supervisory authority for data protection issues for Singaporean citizens.

The PDPC’s contact details are below:

  • Postal address: 10 Pasir Panjang Road, 03-01 Mapletree Business City, Singapore 117438
  • Email address: info@pdpc.gov.sg
  • Telephone number: +65 6377 3131

The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) is the supervisory authority for data protection issues for Hong Kong citizens.

The PCPD’s contact details are below:

  • Postal address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
  • Email address: communications@pcpd.org.hk
  • Telephone number: +852 2877 7026

The Office of the Australian Information Commissioner (OAIC) is the supervisory authority for data protection issues for Australian citizens.

The OAIC’s contact details are below:

  • Postal address: GPO Box 5218 Sydney, NSW 200
  • Email address: enquiries@oaic.gov.au
  • Telephone number: +61 1300 363 992

The Brazil Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority for data protection issues for Brazilian citizens.

The ANPD’s contact details are below:

  • Postal address: Autoridade Nacional de Proteção de Dados, Esplanada dos Ministérios, Bloco C. 2° andar, CEP 70297-400-Brasilia-DF.
  • Email address: anpd@anpd.gov.br
  • Telephone number: +55 (61) 3411 5961

OUR CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

We keep our Privacy Notice under regular review. This version was last updated on 12 October 2021. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

THIRD-PARTY LINKS

This website includes links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

This Privacy Notice applies to information we collect through our website and in the course of our business operations. Personal data, or personal information, means any information relating to an identified or identifiable natural person. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier collected via our website or other websites
  • Contact Data includes email address and telephone number, usually collected via our website or business communications
  • Financial Data includes bank details, company name and other information that you may provide to us in the course of business
  • Technical Data includes Internet Protocol (IP) address, Uniform Resource Locators (URLs), device identifiers, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Internet or this website or websites associated with our third party partners. This may also include your location data (such as Global Positioning System (GPS) information or information on which country or city you are located in)
  • Browsing Data includes a history of labels in relation to websites you have viewed and your interactions with various web pages, as collected through our cookies and cookies installed by our third-party providers. This data is limited to data that does not include “real-world” identifiers, such as name, address, email address, etc. This may also include Inferred Data – i.e., whereby we assign characteristics such as related to your age, gender, lifestyle or interests that we ascribe to you by nature of your viewing history. We take measures to ensure these do not include Special Category Data
  • Marketing and Communications Data includes your preferences to receive marketing from us and our third parties and your communication preferences

We may also collect, use and share such data, including Browsing Data, as “Aggregated Data”, such as for statistical purposes. This may involve aggregating users’ browsing interests, where the Aggregated Data is completely anonymous. We may also collect data on usage of a website’s functionalities to calculate the percentage of users accessing a specific website feature. We take measures to limit the collection of Special Category Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual life, sexual orientation, political opinions, trade union membership or information about your health). We achieve this by prohibiting the labelling of information on your browsing history or interests with Special Category Data, by us or our third-party partners, and by prohibiting cookies installed by us or our third-party partners from being used on websites featuring content related to Special Category Data. We do not collect any information about criminal convictions and other offences.

We use various methods to collect data from and about you. If you:

  • Visit the Hybrid Theory website:
    • If you consent to accept marketing and performance cookies, we will collect
      technical data using cookies and similar technologies;
    • Performance cookies are used to enable us to analyse the performance of our website, for example which pages are more popular. We use this information to improve our ability to sell our services.
    • Marketing cookies are used to enable us to create a profile about you and use this to market our services to you and to people with similar profiles to you.
  • Do business with us:
    • We will collect your identity and contact data to enable us to negotiate a contract with you and to communicate with you about the contract;
    • We may also use your identity and contact data to send you marketing materials from time to time, because we have a legitimate interest in marketing similar products and services to our clients.
    • If you are a very small enterprise such as a sole trader, the
      financial data you provide to us may also count as personal data.
  • Visit a site operated by one of our clients and consent to accept marketing cookies:
    • We will collect technical data using cookies and similar technologies;
    • This data may be used to create browsing data and combined with other information to create a profile about you that may include
      inferred data which we use to match your profile with advertisements in order to show you advertising that is more likely to be interesting to you. Where we use inferred data, we do this on the basis of our legitimate interest in fulfilling the contracts with our clients, which we achieve by ensuring that the profiles we create include suitable profiling information to match your interests with the kinds of advertisements our clients create.

We may also process your personal data where we have a legal obligation to do so, such as where we are ordered by a court to provide information about you.

Third parties or publicly available sources. We will receive personal data about you from various third parties as set out below:

  1. Technical Data and Browsing Data from the following parties:
    • Analytics providers, such as Google Analytics
    • Third party data providers, such as 33Across and ShareThis
  2. Identity Data, Technical Data and Browsing Data from data brokers or aggregators such as 33Across and ShareThis.
  3. Identity and Contact Data from publicly available sources, such as Companies House and the Electoral Register.

We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate. Note that we may process your personal data on more than one lawful basis depending on the specific purpose for which we are using your data.

| If you… | We use your personal data… | Type of data | Lawful basis for processing, including basis of legitimate interest |
| --- | --- | --- | --- |
| Visit the Hybrid Theory website | To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Identity; Contact; Technical | Legitimate interests (for the provision of administration and IT services, network security, to prevent fraud) |
| Visit the Hybrid Theory website | To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Aggregated; Technical | Consent (as received through our website) |
| Do business with us | To register you as a new customer | Identity; Contact | Performance of a contract |
| Do business with us | Sending you marketing communications | Identity; Contact; Marketing and Communications Data | Performance of a contract; Legitimate interests (for business development and sales purposes) |
| Do business with us | To process invoices, collect payments and make payments | Contact; Identity; Financial | Performance of a contract (to process and collect payments we contract to provide or receive); Legal obligations (to store such data for our financial obligations) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To monitor your behaviour on websites and collect, store, and access information about your interests | Identity; Aggregated; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To create a personalised profile of your interests, advertisements and content | Identity; Aggregated; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To technically deliver relevant website content and advertisements to you | Identity; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To measure the performance of ads and content delivered to you | Identity; Aggregated; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To generate data to allow us and our clients to develop and improve advertised products | Identity; Aggregated; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To link your devices in order to build a consistent profile of you and provide a consistent online experience to you | Identity; Aggregated; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners) |
| Visit a site maintained by one of our clients and consent to marketing cookies | To match your online information and interests with information collected offline | Identity; Contact; Aggregated; Technical; Browsing | Consent (as received through our website or the websites of our third-party partners); Consent (as received from web forms used by Hybrid Theory or our third-party partners) |

PROFILING

Hybrid Theory may use data to create profiles of users’ interests, in addition to matching them to existing profiles or “segments”, which will allow us to target them with advertising that is useful to them later on. As part of this, we collect Browsing Data and Inferred Data from the sources listed above, which is typically related to a user’s web activity. Analysing this data allows us to understand a user’s interests, and match them to “segmented profiles” or “model audiences” based around categories of hobbies or features common to a group of online web users. This allows us to then show users who are interested in receiving targeted advertising a relevant advertisement that appeals to that particular group of users. This is performed using an automated process using artificial intelligence (AI) developed and managed by our Data Engineering team. The outputs are passed on to our third-party partners and used to target advertisements to the user groups we assign you to. As part of this process, we take steps to exclude any categories or labels related to Special Category Data or children’s data being used to collect or generate such profiles.

THIRD-PARTY MARKETING

We will collect your consent before we share your personal data with any third party for marketing purposes. This will be achieved through the use of opt-in click or button functionalities through our website or requiring you to perform another affirmative action, such as replying to an email or text, to confirm your consent. You can withdraw your consent at any time.

5. DISCLOSURES OF YOUR PERSONAL DATA

If you have consented to marketing and advertising cookies for any or all of the purposes shown above, we may share your personal data with the parties set out below for the purposes set out in the table above. These may include:

  • Online advertisement bidding platforms, DSPs and SSPs, including:
    • Appnexus/Xandr
    • The Trade Desk
    • Smadex
  • Data content providers and aggregators, including:
    • ShareThis
    • 33Across
    • NetAcuity
    • Factual/Foursquare
  • Segmenting software and creative platform providers, including:
    • Permutive
    • Versium
    • NEXD
    • MediaGrid
    • TruOptik
    • Scoota
    • Kinetiq
  • Targeting software providers and adservers, including:
    • Adsquare
    • Illuma
    • Delve
    • Just Premium
    • Flashtalking
    • ZoomInfo
  • CRM database providers, including:
    • Salesforce
    • HubSpot
  • Advertising technology providers, including:
    • Clipcentric
    • Maxmind
  • Service providers, IT and system administration services, including:
    • Google LLC
    • Amazon Web Services
    • Nvoy Technologies

If you do business with us, we may share your personal data with third parties such as:

  • Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, legal, banking, accounting and insurance services.
  • Tax authorities, regulators and other authorities based in the UK, Spain, California, Brazil, Singapore, Hong Kong, Australia or any other territory with jurisdiction over us, who require reporting of processing activities in certain circumstances. For more information on data protection supervisory authorities, please see Section 1 above.

THIRD-PARTY PARTNERS

With any website that you visit that uses Hybrid Theory cookies, the publisher of that website is a joint controller of the data collected through such cookies. In particular, several of our clients may use Hybrid Theory’s cookies in order to allow us to personalise the advertisements that you receive. Data content providers and aggregators act as separate data controllers with Hybrid Theory and may provide cookies on a variety of publishers’ websites which collect your personal data. For example, 33Across and ShareThis may then provide this data in a live data feed to Hybrid Theory. In this case, 33Across and ShareThis act as separate controllers of this data. Our other third-party advertising partners may also receive your personal data from Hybrid Theory as data controllers or processors. This personal data consists of Browsing Data (including Inferred Data) and personal data such as Technical Data and Identity Data associated with it. This may be carried out in order to organise targeted advertising to you on various websites that you may visit. In order to ensure the compliance of third parties with GDPR, CCPA and other applicable legislation, we require our contractors and third parties to commit to respecting a similar level of the protection of personal data to that under the GDPR, CCPA and other applicable legislation in their contracts with us. In particular:

  • Where such third parties process personal data on our behalf, we require them to only process such personal data on our documented instructions
  • We ensure that our third parties take organisational and technical measures to ensure the security of personal data under their control, including access controls, obligations to report personal data breaches, and requirements to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • We ensure that third parties only process personal data for limited time periods and that personal data is deleted or returned to us at the termination of the processing.
  • We place limitations on third parties that process personal data on our behalf from engaging the use of sub-processors or other third parties.

OTHER DISCLOSURES

Hybrid Theory may also disclose personal data in special cases when we have a good faith belief that such action is necessary to: (a) conform to legal requirements or (b) to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In addition to our local systems, the information that you provide to us may be stored in our secure servers which are located in Dublin, Ireland within the European Economic Area (EEA). On occasion, we may transfer data outside of the UK or EU/EEA, to other countries. In particular:

  • We may share data between our staff in our UK, EU, US, Singapore, Hong Kong and Australia offices
  • As part of our online advertising activities, we may collect data from various locations around the world, including the UK, EU, US, Singapore, Hong Kong, Australia, Brazil and other countries
  • We also use third-party hosting and IT service providers with data centres in the UK, EU and US, which may involve transferring data to these regions
  • Additionally, we may also transfer personal data to our clients, partners and third-party hosting and IT service providers, typically in the UK, EU, US, Singapore, Hong Kong and Australia

For this purpose, we typically conduct a transfer impact assessment of any dataflows before the transfer takes place, which involves considering the risk of using certain providers or providing access to data to foreign jurisdictions, and what measures we have in place to ensure the security of any personal data we share. On top of this, where we share or transfer the personal data of UK or EU citizens, we typically ensure the following safeguards are in place:

  • Adequacy decisions adopted by the European Commission and/or the Information Commissioner’s Office
  • UK-government or EU-approved Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) between our legal entities and third parties

We may also transfer personal data to some of our third-party partners in the course of the provision of our services, which may be located outside the EEA. Where data is transferred to the US we will ensure that such parties have EU-approved Standard Contractual Clauses with us, which allows us to legally transfer your personal data to them. In particular, this includes:

  • Salesforce (Our CRM system provider)
  • Google LLC (using Google Drive)
  • Amazon Web Services (AWS)
  • HubSpot (Our CRM system provider)

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Moreover, we ensure that any Identity Data that we process will be internally pseudonymised – i.e., cookie IDs converted to Hybrid Theory IDs, where possible. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach where we are legally required to do so.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of providing you any services, carrying out targeted advertising, and satisfying any legal, regulatory, tax, accounting or reporting requirements. In particular, we focus on limiting our retention periods to ensure the accuracy of information collected about online users, and to minimise the chance of individuals being served content unsuitable for them or against their reasonable expectations. To limit any unnecessary intrusion into your privacy, we also ensure that all our user profiles have definitive retention periods, as we set out below. With regard to the use of personal data collected from cookies, the retention period is set by the original website that placed such a cookie, rather than Hybrid Theory.

Where we do business with you:

| Type of data | Retention period | Justification |
| --- | --- | --- |
| Identity Data (e.g., name, company). | We store your identity data for the duration of services provided to you and in accordance with the retention of Contact Data, which is typically for the duration of our relationship with you plus 2 years. We may also store this information together with Financial Data, where it is appended to invoices, for example. | To ensure we keep up to date with users’ interests. |
| Contact Data (e.g., email address, telephone number). | We store contact details for the duration of the period we deem our services will remain relevant to you, which is typically for the duration of our relationship with you plus 2 years. | To keep in contact with our customers/suppliers. |
| Financial Data (e.g., bank details, company name). | We will store such data for the duration of our financial obligations in the relevant jurisdiction where our office is based. | To comply with our legal obligations (such as with respect to our company and tax obligations) in the financial sphere. |

Where you consent to marketing and advertising cookies:

| Type of data | Retention period | Justification |
| --- | --- | --- |
| Browsing Data (including Inferred Data) (e.g., browsing history, labels, interests, and preferences). | Where we use an advertising platform, such as Appnexus/Xandr, we ensure user profiles are updated every 7 days. These profiles are only stored for a maximum of 180 days with Appnexus/Xandr. We only store identifiable information on users’ browsing interests and browsing history for 3 months at a time. | To allow advertisements to be tailored to users and to keep up to date with users’ interests (data may be stored longer in an aggregated format). |
| Technical Data (e.g. cookie and device information). | Cookies are set to be deployed for the periods outlined in the cookie notice. Data collected from Hybrid Theory cookies: We expire cookies and cookie and device information on a user’s browser after 13 months. Technical Data collected by cookies will be stored for 3 months at a time. Data collected from cookies deployed by our third-party partners: Cookie expiry periods are set by our partners. Technical Data collected by cookies will be stored for 3 months at a time. | To ensure the operation of our website and to keep up to date with users’ interests. |

We may store certain data, including Identity, Browsing and Technical Data for longer than the periods specified, but only in an aggregated and anonymous format, to which the GDPR (or other legislation) no longer applies. Such anonymous data will be used for research and statistics reporting on an aggregated basis for as long as this data is relevant. This information will be stored for a maximum of 5 years.

For more information on cookies, please see our Cookie Notice (Section 12).

Under certain circumstances, where you are a UK or EU citizen, you may exercise rights under the GDPR in relation to your personal data, upon request. In most cases, the website publisher or third-party partners that originally collected the information from you, such as through a cookie, will be better placed to help you comply with such rights. In particular, your rights include:

  • Request access to your personal data. This entitles you to receive a copy of the personal data we hold about you, together with information about how we process it
  • Request correction of the personal data that we hold about you. This entitles you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us
  • Request erasure of your personal data. This entitles you to ask us to erase your personal data in certain circumstances, for example where: (i) you have successfully exercised your right to object to processing (see below); (ii) we have processed your information unlawfully; (iii) we are required to erase your personal data to comply with local law; or (iv) we no longer need to process your personal data, amongst other situations
  • Object to processing of your personal data where we are relying on a legitimate interest, and object to the creation of profiles about you. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to data that you or our third-party partners have provided to us and does not apply to Inferred Data used to create profiles

You can exercise any of your rights by emailing us at privacy@hybridtheory.com. In some cases we may also provide direct routes to exercise a specific right, such as including an ‘unsubscribe’ link in marketing emails or presenting you with a cookie banner.

What we may need from you

In order to allow you to exercise these rights, we must be in a position to identify any personal data, including Identity, Browsing and potentially Inferred Data that relates to you. To do this, we may ask you to provide us with specific identifiers, such as Cookie IDs, or further information. We are not obliged to comply with any data subject rights in relation to personal data that we cannot identify. When making a request, we may ask that you provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. We request that you kindly describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Time limit to respond

We aim to respond to all verified requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

Under certain circumstances, where you are a California resident, you have rights under the CCPA in relation to your personal data, upon request. In most cases, the website publisher or third-party partners that originally collected the information from you, such as through a Cookie, will be better placed to help you comply with such rights. Your rights include:

  • Request to opt-out from the sale of personal data to other companies
  • Not to be discriminated against as a consumer when you exercise any of the aforementioned rights

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

  • Access to Specific Information and Data Portability Rights: You have the right to request that Hybrid Theory disclose certain information to you about our collection and use of your personal information over the past 12 months. This will include the categories of personal data collected, the sources of such data, the purposes which we use it for, and information on whether we have sold or disclosed your personal information to any recipients
  • Deletion Request Rights: You have the right to request that Hybrid Theory deletes any of your personal information that we collected from you and retained, subject to certain exceptions. In particular, where this personal data is used for providing a good/service/contract with you, for detecting security incidents or fraud, for disclosure pursuant to a legal obligation, and other circumstances
  • Personal Information Sales Opt-Out and Do Not Sell My Personal Information: You have the right to direct us to not “sell” your personal information to third parties, including our advertising partners, at any time (the “right to opt-out” or “Do Not Sell My Personal Information”). Consumers who opt-in to personal information sales may opt-out of future sales at any time. To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following Internet Web page link https://www.hybridtheory.com/do-not-sell
  • Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means that, in the event of any request you make to us, we will not engage in or suggest any discrimination against you. In particular, we will not:
    • Deny you goods or services
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
    • Provide you a different level or quality of goods or services
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us at privacy@hybridtheory.com

What we may need from you

In order to allow you to exercise these rights, we must be in a position to be able to identify any personal data, including Identity, Browsing and potentially Inferred Data that relates to you, for which we may require you to provide us with specific identifiers, such as Cookie IDs. We are not obliged to comply with any data subject rights in relation to personal data that we cannot identify. When making a request, we may ask that you provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Please describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Response Timing

We endeavour to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Format

Any disclosures of your personal data we provide will only cover the 12-month period preceding your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

You have the right to opt out of having advertisements tailored to your interests. To exercise this, please click https://www.hybridtheory.com/opt-out

You also have the right to opt out of any collection of Identity Data or Browsing Data through cookies that Hybrid Theory or our Third-Party Partners may carry out, as well as of your tracking through such cookies. When you opt out, arrangements will also be made so that the user is no longer tracked by Hybrid Theory and that data is no longer received from such partners in relation to the user. You can ask us or third parties to stop sending you marketing messages at any time by accessing our website and selecting your preference here: https://www.hybridtheory.com/opt-out

Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions. You can also opt-out from our third-party partners present in the online advertising ecosystem (such as 33Across and ShareThis) by selecting your country of residence in this page and clicking on “Your Ad choices”. You will be presented with a list of the companies that collect data from you for behavioural advertising that adhere to the European Interactive Digital Advertising Alliance (EDAA) that you can opt-out from. You can also opt-out of all Hybrid Theory cookies, including targeting that we and third-party partners we pass this information to (such as Appnexus/Xandr). For more information, please see our Cookie Notice (Section 12).

At Hybrid Theory, we use cookies to collect, aggregate and process mainly analytical and interactive data so we can understand which computer browsers have viewed which content on a website; which websites are most visited from which geographical location and which other browsers and users you may have interacted with. A cookie is a small text file that is downloaded onto your computer when you visit our website and allows us to recognise you as a user. Typically, these contain two pieces of information: a site name and unique user ID. All information these cookies collect is aggregated and anonymous. Cookies are essential to the effective operation of our website. Cookies make the interaction between you and the website faster and easier. Cookies may also be set by the website you are visiting (first party cookies) or they may be set by other websites who run content on the page you are viewing (third party cookies). Hybrid Theory uses cookies on its website and/or the websites of our third-party partners:

  • That are strictly necessary to enable you to move around our websites or to provide certain basic features
  • To enhance the functionality of the website by storing your preferences
  • To help improve the performance of our website on your device
  • To enable us to record and view your interests and behavioural information
  • To provide you with targeted advertising

We require you to accept or decline certain cookies by accepting or declining our Cookie Consent Notice when first accessing our website. By subsequently accepting these cookies and using our website, your initial cookies preference will remain in place and cookies will remain stored on your device, unless this functionality is rejected or disabled by your browser, or until you subsequently opt out of such cookies. Opting out of Hybrid Theory cookies does not mean you will no longer receive online advertising. However, it does mean that Hybrid Theory will no longer deliver ads tailored to your Web preferences and usage patterns. The Hybrid Theory Opt-out Tool is cookie-based. In order for the tool to work on your computer, your browser must be set to accept cookies. Be advised that if you change computers or upgrade or change browsers, clear or delete this opt-out cookie either separately or by clearing all cookies of your browser or if you use multiple computers or browsers, you will need to repeat this opt-out process for each computer and each browser.

Non-Essential Cookies: The non-essential cookies we use on the website are detailed below:

Hybrid Theory Cookies: Hybrid Theory (Affec.tv) cookies are used by Hybrid Theory in order to monitor users’ web browsing behaviour and to identify a user’s interests, so that we can serve them relevant advertisements.

Google Analytics: analytics.js (__ga, _gat), are cookies used by Google to generate web analytics and for tracking how you use the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. The information generated by the cookie will be forwarded to Google servers in the U.S. for statistical analysis purposes only.

Google Adwords: Using Google Adwords code, we are able to see which pages helped to lead to contact form submissions. This allows us to make better use of our paid search budget.

Browser Storage Time

The cookies and cookie information (Technical Data) are stored on your browser for a period of 13 months maximum unless you clear your cache and the cookies themselves.

Opting Out of Cookies

You can opt-out from Hybrid Theory’s use of cookies here: https://www.hybridtheory.com/opt-out

You can also opt-out of advertisements made using cookies under the mechanism above (see Section 11, Opt-Out to Advertisements). You can also choose to opt-out of Hybrid Theory’s cookies through websites of our third-party partners that you visited and which use Hybrid Theory cookies. You can manage the cookies stored on your device as well as stop cookies from being installed on your browser. For more information on how to manage cookies usage on your device, please let us refer you to information found on these topics on allaboutcookies.org, more specifically by clicking on the links below:

Please note that if you prefer to block some or all of the cookies Hybrid Theory uses, you might lose some of our website’s functionality.

Hybrid Theory may update this Privacy Notice at any time by publishing an updated version on our website. You should check this Privacy Notice for updates each time you visit our website to be sure that you are aware of any changes. You should check the top of the document to see the latest version in force.