Privacy Statement for our Advertising Technology

1. Introduction

Caroda s. r. o., Id. No.: 05296072 is a company incorporated under the laws of the Czech Republic with its registered office at Lomnického 1705/9, Nusle, 140 00 Praha 4, Czech Republic (“Caroda”). Caroda is a technology company providing publishers with means to create new video advertising channels and to merge and optimize existing ones. By design we do not need and therefore do not process any personal data within the meaning of GDPR. This document covers the data that we do process in connection with Caroda advertising technology. For Caroda website data processing policy, please refer to the Privacy Policy for our Website.

2. What we do

Caroda provides a programmatic advertising technology platform focused on video advertising. Caroda platform enables our customers, who are mostly publishers, to

  • connect different ad sources, such as SSPs, direct campaigns or 3rd party players;
  • combine such sources into single placements;
  • measure campaign effectiveness, based on contextual information only

3. Data Subject Data We Process

At Caroda we do our best to protect user's privacy and as such, we have a strict policy on what information is processed and for what reason. We're a registered IAB TCF Vendor and as such declare the following uses of information:


3.1. General

We process certain information about data subjects as set out below. We do not process any information about data subjects that would fall within the definition of personal data under GDPR. We don’t aggregate any user-associated profiles either, anonymous or non-anonymous.

3.2. Selecting Basic Ads

3.2.1. Data processed
Caroda platform selects ads to be displayed based on user’s:
   a) Operating system;
   b) Browser type and its configuration;
   c) Country;
   d) Language of site;
   e) Page urls where ads are delivered.

3.2.2. Purpose
We believe it beneficial to the person viewing the ad that they understand the language of the ad, the ad is relevant to where they are located, and that the ad is relevant to their interests as judged by the content of the site they are viewing. The same is very important for advertisers as these factors heavily impact the effectiveness of any ad. Knowing the exact browser type and operating system is crucial to understand if a creative can be delivered correctly and to prevent advertisers loses due to technical reasons.            

3.2.3. Technical means
All campaign targeting information is exposed on runtime for every separate ad placement. This allows our software to perform the ad selection process on the user’s browser rather than our servers. We store campaign history on the browser side by using local storage in order to be able to enforce capping by user impressions.

3.3. Measuring Ad Performance

3.3.1. Data Processed
Caroda processes the following user data to measure ad performance.
   a) Device Type;
   b) Country;
   c) User interaction with advertising creatives.

3.3.2. Purpose
It is crucial for both publishers and advertisers to understand the geographical distribution and preferred user experience for the ad opportunities. This allows them to plan advertising creatives that work well based on past data.

The user data is combined with our advertising player tracking, allowing to clearly differentiate different types of behaviors for both different countries and different device types (desktop, mobile, tablet).Our advertising player tracking includes all of the IAB VAST event types described under the VAST4 standard and custom indicators for opportunities, advertising delivery, viewability and unique impressions.

3.3.3. Technical means
All ad performance related data is collected through a typical ad tracking endpoint, that takes parameters specified in 3.3.1. from the url of the requests. The requests are crafted at runtime.
A list of previously viewed campaigns is stored in local storage. This allows us to conditionally trigger unique impression counting without requiring a profile, anonymous or non-anonymous, to be sent.

3.4. Ensure security, prevent fraud, and debug

3.4.1. Data Processed
To ensure security, prevent fraud and debug, Caroda collects to following user data:
   a) A small sample of detailed advertising player logs stored on the user’s browser;
   b) Results of browser feature tests to detect bots and fake traffic.

3.4.2. Purpose
Part of our company's mission and one of our main differentiating factors is to ensure video advertising creatives are displayed in an as reliable way as possible; above market standards.

One of the challenges of building a software that runs on millions of devices is that sometimes, rare incidents happen where we can not replicate problems that happen in the real world. In order to deal with this, we collect detailed run logs, containing no personally identifiable information, from a small percentage of the users. This information often is enough to do a blind fix of a reported issue, even when it’s not possible for us to replicate a reported issue.

In addition to this, we also need to be able to discriminate against fake traffic to protect our advertisers from overspending and publishers from lowering inventory valuation.

3.4.3. Technical means
A detailed log is stored on the user’s side by using the IndexedDB feature. The log can be explicitly saved by a console command when debugging specific issues. A small percentage of all run logs are centrally collected on our side in order to debug widespread rare issues.

We test for bots are done by both positive and negative tests by trying to run code supposedly incompatible with what a bot could do, and tests incompatible with a normal browser would do. The results are stored as part of the previously mentioned logs.

3.5. Technically deliver ads

All previously mentioned purposes are in part about technically delivering ads. No additional data is processed other than what is mentioned at 3.2, 3.3 and 3.4.

3.6. Necessity

We take privacy very seriously at Caroda and for that reason we always use the least intrusive way we can use to solve any of our data problems. All of the mentioned data above is the least intrusive way we know of in order to accomplish the mentioned purposes.

3.7. Balancing with rights of data subjects

All of the data processing in relation to the mentioned purposes at 3.2, 3.3, 3.4 and 3.5 are essential to our business model and the data process only narrows vague groups to which any user belongs. Based on our legitimate interest analysis, we believe that the legitimate interests described in the mentioned purposes greatly outweighs the small cost of having very vague data collected about an individual.

3.8. Enabling Third Party Vendors

By design, Caroda is a platform enabling our customers to use other advertising software products, such as SSPs, DSPs, ad servers, banner scripts, etc. We don't share any of the collected information with any of the integrated sources or any other party other than the publisher.

We however, don’t assume responsibility on how other advertising solutions are used by integrating them through our platform. In order to read more about any specific SSP integrated through our platform, please visit their website or contact them directly.

4. Information for Personal Data Subjects About Their Rights Under GDPR

We are not a controller of your personal data as we do not process any. If you feel that we do, we are Caroda s. r. o., Id. No.: 05296072, a company incorporated under the laws of the Czech Republic with its registered office at Lomnického 1705/9, Nusle, 140 00 Praha 4, Czech Republic.

You can contact us regarding a suspected use of personal data at:
Phone: +420 776351144
E-mail: privacy@caroda.io
ID of the government mandated address for official electronic communication (in Czech: “datová schránka”): ffkzik6

If you believe we are processing your personal data and doing so incorrectly, you can contact us or lodge a complaint with the supervisory authority, which is the Czech Office for Personal Data Protection.

You can always ask us to

  • give you access to your personal data;
  • correct your personal data that is inaccurate;
  • delete your personal data if the conditions set out in Article 17 of the GDPR are met, or restrict their processing;
  • tell you if we process your personal data;
  • provide you with access to the processed personal data and for information on the processing of this data;
  • you can ask us to provide a copy of the processed personal data.

You can only request access to your personal data. If you want to apply for the exercise of someone else's right, you must have a power of attorney from them. You can submit this request in any way, including e-mail. However, the authorized employee is obliged to verify your identity, so he / she may ask you to prove your identity.

We will usually inform you about the measures taken in response to your request within one month. However, in some complex cases, we may extend the deadline.This request and its processing are free of charge. However, in justified cases, we may demand reimbursement of certain costs (e.g. the price of a portable disk, on which you are provided with a list of all personal data that we process about you).

5. Updates

The current privacy statement is subject to change. We do take responsibility to correctly display the date of enforcement and also to inform all of our customers of any changes to this statement.

This version of this Privacy Statement was issued as at 15 February 2021.