Cheetah Messaging Privacy Notice
Cheetah Digital (“Cheetah”, “We”, “Us”, “Our”) is a global provider of enterprise email and cross-channel campaign management technologies and services which enable our Customers to communicate effectively with their customers and subscribers across engagement contexts.
To learn how Cheetah Digital meets the requirements of the European Union’s General Data Protection Regulation (“GDPR”), please visit our GDPR Statement
To learn more about our firm commitment to not providing products or services used for sending unsolicited commercial electronic messages ('spam'), please refer to the Global Anti-Spam Policy.
Our Commitments and Adherence
Cheetah Digital supports initiatives of greater transparency and accountability within the digital marketing ecosystem, and adheres to the following industry self-regulatory codes of conduct.
The Digital Advertising Alliance. As a cross-channel marketing service provider we support the Self-Regulatory Principles for Online Behavioral Advertising set forth by the U.S.-based Digital Advertising Alliance (“DAA”). Cheetah Digital Customers subscribe to the DAA opt-out platform which offers U.S. consumers choices to opt-out from behavioral (interest-based) advertising. For more information please follow this link to www.AboutAds.info
The Data & Marketing Association. Cheetah Digital adheres to the Guidelines for Ethical Business Practice set forth by the U.S.-based Data & Marketing Association (“DMA”). We and our corporate Customers honor consumer choices relating to the email marketing offers they may receive. Please visit the DMA for more information about their self-regulatory program.
The Email Sender & Provider Coalition. Cheetah Digital is a member of the ESPC and signs on to the ESPC Email Marketing Pledge. We endorse the ESPC’s permission-based principles articulated in the ESPC Email Marketing Best Practices Guide.
Cheetah Messaging Services Overview
Cheetah Digital’s email and cross-channel campaign management platforms ingest and consolidate data from a variety of online and mobile sources to build marketing audiences and profiles. We then help our Customers orchestrate data-driven, personalized electronic communications that can be planned or triggered in real time. For example, if you visit a Customer website to buy jeans but leave before making a purchase, you may later receive an email reminding you about the event. As a permission-based marketing service provider we take consumer privacy seriously and offer Customers ways to meet their obligations under applicable privacy laws and marketing regulations.
Types of Personal Data We Process
Cheetah Digital Processes the following types of Personal Data on behalf of our Customers in accordance with our Services:
Directly identifiable information (also known as personally identifiable information) such as your name, email address, phone number, and postal address, which enable a variety of direct marketing and non-marketing communications
De-identified website visitor and email behavioral data (including mobile websites) collected via placement of cookie and cookie-like technology by Cheetah Digital or the Customer’s third-party analytics providers to measure the effectiveness of our Customers’ engagements
Demographic and preference information such as your gender, age, favorite store location, shopping and lifestyle interests, which are used for segmentation and personalization purposes
Pseudonymous online identifiers such as your IP address, Cookie ID, mobile device identifiers (Apple ID, Google Ad ID), and related technical data about the browser or device which helps bring together the various data points
Other linked or linkable data which helps Customers create a unified view of their customers and to deliver optimized content using our Services
Personal Data Collection
As various laws define personally identifiable information differently, we endeavor to comply with the highest applicable protections applicable to us, notably the EU data protection and privacy laws (e.g. the EU General Data Protection Regulation). We expect our Customers to comply with the respective laws of the location in which personal data is collected for use with our Services.
We do not intentionally collect or receive, or otherwise Process, personal data that is especially sensitive, but may be asked to do so by select Customers. This includes information that specifically identifies or relates to minors; information which reveals an individual's religious and political affiliations, racial and ethnic origins, sexual preferences and orientation; health related data, biometric and genetic data; information payment card industry data, and credit-worthiness information, among others. If asked to Process such data, we will act in accordance with the heightened data protection and privacy requirements set out under applicable laws, rules, and industry standards.
De-Identified Data Collection
Through the implementation of Cheetah Digital pixel tags and similar technologies that our Customers place on their standard and mobile websites, or within email messages, Cheetah places a cookie on your browser, or collects a unique identifier from your mobile device, as directed. The type of information collected through the placement of the pixel may include other commonly associated information from your device or Internet access, such as your IP address, browser type, Operating System (OS), HTTP referrer, event time and event type. These data elements may be unique to the website you recently visited, ad you viewed, or marketing email you interacted with.
Cross-Channel and Cross-Device Data Collection
In order to help our Customers orchestrate the most relevant campaigns possible, Cheetah Digital offers email retargeting and email reactivation capabilities. These capabilities help marketers engage website and shopping cart abandoners with timely and relevant incentives, reactivate legacy email subscribers, and target engaged email audiences online with interest-based display, mobile or social ads. When using our Services, Customers are thus able to synchronize personal information with other unique non-personal identifiers, such as cookie, for a variety of marketing and analytics uses.
For example, if you click-through an email that Cheetah Digital helped facilitate on your smartphone, you may see a similar ad on a standard website or within a social media application, or embedded within a personalized email offer. Please see below for more information on the technologies driving these capabilities and your choices for continued tracking.
Grounds for Using Your Personal Data
When providing access to our platforms and delivering Services, Cheetah Digital acts a Data Processor and relies on the following lawful grounds to Process Personal Data:
Legitimate business interests. We may use Personal Data for our legitimate business interests to administer our platforms, ensure the integrity of our transmission network, and to enforce our Acceptable Use Policy
Data Subject Consent. To the extent Customers need to collect and share, or allow us to facilitate collection and sharing of Personal Data to enable our Services, it is the responsibility of Customers to provide necessary privacy notices and obtain required consent(s).
Data Management and Integration Technology
Cheetah Digital Services enable our Customers to collect, manage and integrate a variety of data from the digital properties they own, the web pages and forms we may host on their behalf, and from third party partners Customers may choose to work with.
Our technology empowers marketers to collect and integrate data from outside sources through multiple points of entry, including API calls, webforms, manual uploads and secure file transfers, among others. Available data ingestion methods include batch import and HTTP posting, complemented by standard, sequential and advanced data loading capabilities. As such, Customer databases (and recipient profiles) are frequently updated with new personal and non-personal information. Cheetah Digital has no means to independently embed our forms and technologies into Customers’ digital properties without their direction.
We use commercially reasonable means to secure these data points of entry.
APIs we offer our Customers
Cheetah Digital offers our Customers a variety of Application Programming Interfaces (APIs) to simplify or automate how they use the platform for a variety of processing activities. For example, our Advanced Data Load Endpoint allows a single API request to load data into multiple joint tables simultaneously, rather than sequentially.
Personal and non-personal information submission: Customers may use APIs to submit records containing personal and associated data (as described above) into their marketing databases. Our APIs accommodate a number of industry standard web communication channels and data loading techniques, including via HTTP-based webform submissions, batch data imports and sequential data loading services.
API endpoint security: Data we collect on behalf of our Customers through API endpoints is secured through commercially reasonable technical and administrative means. Generally, our API endpoints are built in a manner that imposes a set of constraints on how data may be submitted to the system. For example, if you wish to submit personal data via a URL, you would specify for the connection to be secured using SSL encryption and the data transmitted over HTTPS.
Endpoints that support JSON and XML data objects are secured using a two-step security validation process. We use an industry standard protocol to authenticate requests to access available services. We then validate whether the requestor has the proper rights and privileges to the service being requested. Unauthorized users will be denied the ability to submit data using such endpoints.
Web pages and forms we host for our Customers
Cheetah Digital provides web page hosting for our Customers’ for their convenience. Hosted services facilitate email subscription, preference management, refer-a-friend, sweepstakes, and on-demand content fulfillment information (e.g. coupons and real-time offers). Our privacy and security practices with respect to these hosted pages are:
Personal data collection and use
When hosting forms and providing data collection tools to our Customers Cheetah Digital acts as a 'pipe' and underlying technology provider allowing Customers to load personal data directly into their Cheetah Digital marketing databases. As data processor, the personal data that we collect on behalf of our Customers is the exclusive property of the Customer that is branded on the web page. Web pages we host on the Customer's behalf will include links to their website and privacy notices providing information on the Customer’s privacy and data security practices.
A special note about Refer-a-Friend (RAF) services: We offer our Customers the ability for recipients to use a web form we host on their behalf to forward an email message to another recipient. Referrals of this nature are sent similarly to any other commercial message a Customer would send through our Services with all of the applicable tracking technology referenced above.
In accordance with international privacy laws and business policy, we collect referral email addresses only to process the message transaction. Neither we nor our Customers may use the referral email address for any purpose other than to execute the requested email transmission on behalf of the forwarder. Since email forwarding may be restricted by law or otherwise impractical in some jurisdictions, Customers are responsible for ensuring compliance wherever this service is offered.
In special circumstances, we may host this transmission request for a specified period of time in order to monitor delivery or deliver subsequently requested email referrals.
If you believe that an email sent through a RAF web page we host was sent to you incorrectly, please email us with the message in question and its full transmission header.
De-identified and non-personal data collection and use: Web pages we host may include use of all of the de-identified, pseudonymous and non-personal information collection technologies described above.
Hosted web page security: Data we collect on behalf of our Customers is held in a secure environment, with restricted user access, and managed by a team of experienced system administrators. The pages we host on our Customers’ behalf are encrypted with SSL and certified by a third party security provider, Once we collect information through a hosted web page on our Customers' behalf, the Customers will have immediate access to this data for their own purposes. While we maintain privacy and data security processes for information we host through our Services, we are not responsible for such practices for information hosted by our Customers. If you have questions or concerns about our Customers' privacy practices or representations, please communicate directly with the Customer.
Performance and Personalization Technology
As part of our Services we may set cookies associated with pixel tags for (i) web pages we develop and host on behalf of Customers, or (ii) where authorized by a Customer within their email messages and on their own websites.
Cookies may be downloaded from our web servers and stored locally on an email recipient's computer. Information on the cookie is then referenced by the web browser in conjunction with specific web-enabled email or visited web pages. This cookie responds to a web server with information about how the email recipient engaged with the email or web pages (i.e., open, click-through, image download, etc). An example of this occurs when Customers track email users' visits to a website and any subsequent online sales that could be correlated with the email recipient.
In addition to engagement tracking, our cookies enable our Customers to provide website and email personalization services for their email subscribers, customers, or registered website visitors. This requires us to connect email and website visitor activity with previously provided information in order to offer personalization, web form pre-population and closer relevance of our Customers' email marketing efforts.
The cookies we attempt to set do not contain any directly identifiable personal data such as name or email address in the cookie itself, but pseudonymous identifiers such as a cookie ID may be utilized for performance tracking purposes.
The cookies that Cheetah Digital sets are configured to expire, generally after 7 days, but the expiration period can be longer. Cheetah Digital cookies are re-authenticated for incremental 7-day, or greater, periods when a Customer's customer opens an email or clicks through an email to a URL embedded into the email. Otherwise, they expire.
How you can control email-related cookies:
All Internet browsers can be set to notify you before you receive a cookie and give you control over whether or not you choose to accept any particular cookies. You have the option of setting your browser to turn off cookies or restrict cookie delivery to particular websites.
Please visit Cookiepedia for more information about how to delete and control cookies.
At this time, we do not respond to 'do not track' browser signals.
Please note that our platforms do not read, store or otherwise interact with cookies placed by other firms on sites where Cheetah Digital may place a cookie. As such, we are not responsible for tracking technologies placed on Customer websites by Customers or their other adtech service providers.
Email-related pixel tags (aka web beacons)
A pixel tag is an invisible image with a line of code, also called a clear gif, which is placed within an email message in the same way as on a web page. The reasons for use of a pixel tag in an HTML email message include:
To sense whether an email recipient can receive html email or only receive text email.
To detect whether the email recipient has opened the message, and whether that email message was opened successive times.
To help activate a cookie and integrate web activity with email activity.
Please note that pixel tags do not create, modify or delete files on a user's machine. They are not executable and cannot be used to deliver dangerous content, such as a virus. Rather, pixel tags help our Customers identify particular email recipients, who can then be sent more relevant email content in the future.
Message 'click-through' monitoring
Nearly every email sent through our systems includes a hyperlink to another website. Our Customers have the ability to track whether that hyperlink has been clicked on and whether that link was clicked on successive times. Customers can then determine the success of their email campaigns and tailor future messaging to recipients based on the relevancy of that 'click-through' activity. When links are clicked on, additional pixel tags attempt to activate cookies to help measure the effectiveness of the email campaign.
User-initiated message forwarding
We may also collect anonymous tracking information with email messages 'forwarded' from a recipient within their own email software or webmail service to another user. Examples of information collected may include the number of times the message was forwarded, the number of times the forwarded message was opened, and the click-through activity within those forwarded messages. No identifiable personal data concerning a natural personal is collected with email messages forwarded by a recipient through this process.
Access and Your Privacy Rights
Cheetah Digital respects and acknowledges that individuals frequently desire to access their personal information, or make other requests regarding their personal rights. However, we have no direct relationship with the individuals whose personal data we process on behalf of our corporate customers. An individual who seeks access to personal data concerning them, or who seeks to correct, amend, request Processing restrictions, object to Processing, or delete Personal Data or exercise a right of portability should direct his or her query to the respective Cheetah Digital Customer. If requested by a Customer to provide assistance with such requests, we will respond within 30 days.
If you have any questions about our ingestion and use of your personal data when delivering our Services, please email us. If you are unable to obtain the information or resolution you seek, you may also contact our Data Protection Officer.
With respect to the emails sent by our Customers, message recipients may object to the processing of their personal data for electronic marketing uses by opting out (unsubscribing) using the unsubscribe mechanisms available within the email and text messages sent using our platforms. You may also email us to lodge a spam complaint. For more information about our permission-based standards, please refer to our Global Anti-Spam Policy and Message Recipient Guide.
Data Security and Retention
The security of your information is important to us. Your information is maintained in a secure environment and we take appropriate steps to protect against loss, misuse and unauthorized access, alteration, disclosure, or destruction of your data in our care. We employ strict controls around employee access to the personal data in our care based on business need and use cases which warrant access.
We take commercially reasonable steps to ensure the ongoing confidentiality, integrity, availability and resilience of our systems and services processing your personal information. In the event of a physical or technical incident, we will restore the availability and access to information in a timely manner. If you have questions about the security of your personal data, please contact us as described below.
International Data Transfers
We maintain facilities and offices around the world, including in the United States, the European Union, and Japan. Your personal data may be transferred to, stored, or processed outside of your country or the country in which you were located when you initially volunteered the information.
As a global marketing technology and services provider working on behalf of our international Customers, we take many steps to protect the personal data in our care, including offering contractual assurances to this effect. Should the relationship with one of our group companies, Customers or partners involve cross-border data flows outside the European Economic Area, we shall formally undertake to comply with the highest data protection standards, notably by adhering to the Standard Contractual Clauses adopted by the European Commission and related requirements under EU data protection and privacy laws.
Our web content and corporate communications may contain links to other sites. Cheetah Digital is not responsible for the content or privacy practices of these sites. We recommend users read the privacy statements of each linked website.
Notification of Changes to this Policy
If we decide to change our website and tracking privacy practices, we will post those changes to this privacy statement, and other places we deem appropriate so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.
We reserve the right to modify this Policy at any time. If we make material changes to these statements, we will notify you on this page prior to the changes taking effect.
Cheetah Digital Head Office
72 W Adams St,
Chicago, IL 60603
Or contact us using this online form
If you wish to escalate your inquiry after contacting the privacy team, you are welcome to contact our Data Protection Officer, ePrivacy GmbH, at email@example.com.
Represented by: Prof. Dr. Christoph Bauer
Große Bleichen 21
You have the right to complain to a Data Protection Authority about our or our Customers’ collection and use of your personal data. For more information, please contact your local authority (contact details for data protection authorities in the European territories are available here).