This Privacy Policy (“the Policy”) explains how and why Ad Observatory processes personal data when people install Malicious Content Observer (“the Application”). The Policy does not cover any other personal data processing by Ad Observatory, which is covered by other applicable policies and procedures, including Ad Observatory’s Digital Privacy Statement. If you have a question regarding the Policy or the use of the Application, please contact info@adobservatory.com.

Guiding Principles

Ad Observatory is committed to respecting individuals’ right to privacy, protecting personal data and complying with applicable laws globally. In accordance with these guiding principles, the Application has been designed to process the minimum amount of personal data possible to achieve Ad Observatory’s objectives.

Purposes and means of data processing

The purpose of the Application is to collect information about the malicious ads directed at and seen by private individuals on social media websites. This is done with the objective of facilitating public understanding of how the advertising is deployed. Ad Observatory believes that it is in the public interest to understand this phenomenon and its impact on individuals.

To this end, Ad Observatory collects basic demographic information about the individuals who install the Application as well as information about the ads that they see. This information has been kept to an absolute minimum, so that it is not possible for Ad Observatory to identify individual users of the Application.

Ad Observatory also maintains a public, online repository of aggregate data (“the Database”) collected by the Application in order to render its research findings transparent and facilitate research by others. This information is anonymized so that it is not possible to identify individual users of the Application from within the Database. The Database can be accessed here.

Data processed by the Application

When an individual user installs the Application, they are invited to provide basic demographic information about themselves: their age group, gender and ethnicity. This basic demographic profile (“the Profile”) helps Ad Observatory understand which people see which ads. It is not mandatory to provide this information and the Application can still collect data that contributes to the research project without creating a Profile.

No other personally identifiable information is requested or processed by Ad Observatory. The browser language, which is recorded by the Application for the purposes of correctly parsing the ads, is also included in the Profile. The Application does not undertake any “profiling” or “automated decision-making” as defined by the GDPR.

If the user has elected to share their Profile, an instance identification number (“ID”) is created and stored locally by the Application. When an ad is seen by the Application, details of the ad together with the ID and the Profile data are transmitted to Ad Observatory. This data is then added to the Database, with the exception of the ID, which is not added to the Database.

If the user has decided not to create or share a Profile, only the data related to the ads is transmitted to and included in the Database. All users can view the data related to the ads that has been processed by the Application at any time by clicking on the Ad Observer icon and navigating to ‘Ads’.

Legal basis for processing

Ad Observatory processes data for the above purposes on the basis of consent. By installing the Application, users consent to the processing of their data for the purposes described above. Individuals may withdraw their consent at any time by uninstalling the Application. As noted above, data retained in the Database is anonymized, meaning that a user’s withdrawal of consent will not mean the deletion of the data related to the ads that the Application has collected.

Sensitive data

As noted above, individuals may elect to provide information about their ethnicity when they install the Application. This data, which may fall within the definition of “special category data” under the GDPR, is processed with consent. As noted above, this data is not stored by Ad Observatory in a format that allows identification of the individual concerned. No other sensitive data is requested or processed by Ad Observatory.

Information security

Ad Observatory takes reasonable steps to protect personal data against loss, misuse, and unauthorized access, alteration, disclosure or destruction. This includes the use of technical, organizational and legal measures to ensure the confidentiality, integrity and availability of personal data. Information transmitted across the internet remains vulnerable to unauthorized access. The transmission of such data is therefore at the individual’s own risk.

Data retention

No personal data is retained by Ad Observatory. The only data that is retained has been fully and irreversibly anonymized.

Data Subjects’ Rights

Individuals whose personal data is processed in accordance with the GDPR have the following rights:
The right to be informed as to whether Ad Observatory holds data about them
The right of access to that information
The right to have inaccurate data corrected
The right to have their data deleted
The right to opt-out of particular data processing operations
The right to object to data processing
The right to receive an explanation about any automated decision making and/or profiling, and to challenge those decisions where appropriate.

Changes and revisions

Should Ad Observatory make changes to this Policy, the date and nature of the change will be indicated below.