Your trust and the safety of your data are critical foundations of Kochava’s privacy-first data solutions.
As an industry-leading technology provider, we help enable compliance and ensure the security of your data and that of your customers. In today’s privacy-centric data economy, brands can form closer connections with consumers than ever before by building trusted relationships. Therefore, it is vital to protect information being shared across platforms and connected devices while also empowering consumers with choice.
The California Consumer Privacy Act (CCPA) represents a significant shift in state-side consumer data privacy legislation, with implications for brands serving and targeting consumers in the state of California.
For answers to important questions about your business, Kochava, and the CCPA, visit our CCPA FAQ.
CCPA requires brands to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. Privacy policies must be designed and presented in a way that is easy to read and understandable to an average consumer. Unlike Europe’s General Data Protection Regulations (GDPR), which required app developers to “ask consumers for consent,” the CCPA requires developers to provide consumers a mechanism to “opt-out” from having their personal data sold, with stricter “opt-in” mechanisms for minors. Full legislation here.
The CCPA took effect on January 1st, 2020, with enforcement commencing no later than July 1st, 2020.
Kochava complies with the CCPA in its capacity as a “service provider” in providing Kochava Measurement services.
Kochava complies with the CCPA in its capacity as a “business” in providing Kochava Collective services.
As an acting member of the Interactive Advertising Bureau (IAB), Kochava is enacting the IAB’s CCPA Compliance Framework within our native measurement SDKs, and requires data suppliers contributing to the Kochava Collective to pass appropriate privacy string signals.
The General Data Protection Regulation (“GDPR”) creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies like Kochava that process personal data about individuals in the EU. Kochava is, and will continue to be, compliant with all data privacy laws across the globe. We are committed to complying with GDPR legislation and collaborating with partners to facilitate compliance.
We thought it would be helpful to provide the context upon which Kochava delivers its services to clients in order for you to better understand how Kochava complies with GDPR and treats client data.
Kochava provides a number of different services to clients:
A comprehensive set of data analytics and attribution tools
The characteristic Kochava Measurement client is a company that has created an app and wants to measure every aspect of an advertising campaign promoting it. The Kochava Measurement client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. The client pays Kochava a fee for providing this service. The data remains the exclusive property of the client at all times.
A mobile audience marketplace
The characteristic Kochava Collective client is a company that has created an app and wants to advertise it to specific audiences. The Kochava Collective client enters into a contractual relationship with Kochava in order to access a mobile audience marketplace and use the data therein for advertising purposes. The client browses the marketplace and builds custom audiences based on data attributes associated with mobile devices. The client then chooses among partnering ad networks to activate an ad campaign directed to those mobile devices. Kochava is paid a fee for providing this service. Kochava populates the marketplace with data from its Free App Analytics clients and third-party suppliers.
A limited set of free data analytics and attribution tools, made available in return for your contribution of data to the Kochava Collective marketplace
The characteristic Free App Analytics (“FAA”) client is a company that has created an app and wants to measure the performance of an advertising campaign promoting it. The FAA client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. Instead of the client paying Kochava a fee for this service, the FAA client allows Kochava to use the data for Kochava’s own purposes. There are two distinct differences between Kochava Measurement and FAA: (1) The FAA client has access to a limited set of data analytics tools, whereas the Kochava Measurement client has access to the full suite of tools; and (2) the FAA client receives the service free of charge in exchange for granting first-party data rights to Kochava, whereas the Kochava Measurement client pays Kochava a fee for services without granting additional data rights. Kochava does not, and will not, determine the purposes or means of processing personal data of European data subjects for any of its clients. As such, Kochava operates exclusively as a Data Processor under GDPR across each of its business units.
In its capacity as a Data Processor, Kochava adheres to the rules of the GDPR as follows:
The Kochava Measurement and FAA service platforms (“Platform”) are designed to enable clients to:
- Determine which personal data the Platform processes;
- Limit the collection of personal data to that which is adequate, relevant, and necessary for the purpose of which they are processed;
- Manage the retention periods of personal data; and
- Destroy personal data.
The Platform is designed to:
- Process personal information in conformance to the instructions provided by the client;
- Collect only the personal data that are necessary for fulfilling the purposes of which they are processed;
- Make personal data accessible only to a limited number of people whose job requires such access; and
- Ensure a level of security appropriate to the risk of processing personal data.
Kochava contractually prohibits its clients from utilizing the Platform to collect, process, or otherwise handle sensitive personal data.
Kochava does not keep personal data any longer than is necessary for the purposes for which it is being processed. Kochava deletes personal data after a client’s contract has expired or has been terminated.
Kochava will continue to promptly inform clients of incidents involving personal data in line with the data incident terms in our current (and any subsequently updated) agreements. Kochava maintains, and will continue to invest in, advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay.
Kochava is audited annually by an independent third party against GDPR and ISO/IEC 27001:2013 standards.
Kochava ingests client data to its cloud servers from locations across the world. Upon ingestion, Kochava transfers the data to its secure processing facility located in the United States. Kochava is certified under the EU-U.S. Privacy Shield frameworks, which is a legal mechanism to enable the transfer of personal data from the European Economic Area to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. See more here:
Kochava also offers clients EU-approved Model Contract Clauses upon request.
Kochava will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and is committed to having an ongoing lawful basis for data transfers in compliance with applicable data protection laws.
Kochava does not subcontract any of its processing operations to a subprocessor in the absence of a written agreement which contractually obligates the subprocessor to adhere to all applicable GDPR data processing requirements.
You may click here to be redirected to the Kochava web page dedicated to providing guidance on opting out of interest-based advertising.
In order to protect your privacy, Kochava has engineered its systems to not collect identifying information such as email, name, and phone number. However, GDPR considers mobile device identifiers and IP addresses to be “personal information.” A mobile device identifier is a unique string of 30+ numbers associated with your device (e.g., cell phone). An IP address is a series of numbers separated by periods that identifies each computing device using a particular “Internet Protocol” at a given time to communicate over a network.
If you are concerned that Kochava has this information, we will be happy to delete it from our systems upon request. You may submit a request to delete all your personal information by emailing Kochava at email@example.com or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.
In its capacity as a processor of personal data, Kochava will ensure its contractual agreements with clients require the parties to adhere to the respective obligations of controllers and processors. Furthermore, Kochava will enter into data-processing agreements with clients where required.
Service Level Standards
The Kochava Platform will operate and otherwise comply and function in all material respects on an uptime basis of 99.99% over a rolling annual basis. If an incident disrupts the client’s use of the Platform, then Kochava shall respond as follows:
- Critical Priority Incident rendering the Platform inoperative: Kochava shall respond to Company within one hour of notice and immediately begin replicating and verifying the problem.
- High Priority Incident degrading the operations and use of the Platform: Kochava shall respond to Company within four hours of notice and immediately begin replicating and verifying the problem.
- Medium Priority Incident affecting the operations of, but not degrading, the Platform: Kochava shall respond to Company within six hours of notice and immediately begin identifying and verifying the problem during normal business hours.
- Low Priority Incident having a minor impact on the operations of the Platform- Kochava shall respond to Company within eight hours of notice if alerted between 6:00 a.m. – 8:00 p.m. PST Monday through Friday and begin identifying and verifying the problem within two business days.
†Listed certifications include those held by Kochava directly and those held by our cloud and data center service providers in so far as those certifications are applicable to our data processing and storage operations. For more information, contact firstname.lastname@example.org.