Version 1.0
Last update: 01/04/2021

BLUE PRIVACY POLICY

General Information

The Privacy Policy of OC Group (from now on “Blue”) is intended to clarify our company's data processing and privacy policy.

Blue is a technology company that provides retargeting services.

Our retargeting service consists of displaying product and/or service ads according to the interests of a potential customer.

To provide this type of service, Blue uses an artificial intelligence algorithm that identifies the interests of a potential customer based on their browsing behavior and consumption patterns (research, interests, geographic location). Such data is collected without identifying the potential customer.

By using such data, Blue’s clients ("Advertisers") are able to offer media targeted to their end customers based on their browsing behavior. This means Advertisers are able to display ads in banners located on internet pages, blogs and partner websites ("Publishers") which their customers usually visit.

When providing such service, Blue's algorithm does not collect personally identifiable data, such as full name, gender, document numbers, mailing address and e-mail address. The data collected by Blue is solely related to a user’s behavior when such user is browsing through websites, as well as their preferences. This data is collected by assigning a random identifier to ensure the user's anonymity.

A user's identifier is randomly assigned to identify a user’s behavior pattern while preserving its anonymity. Due to the randomness of this process, it is not possible to identify personal data or revert the anonymization process.

In addition, the data collected related to the browsing patterns of a possible consumer is processed only by Blue. There is no third party or middleman in such data processing. Therefore, privacy is one of Blue’s principles.

This is also why we prioritize transparency and accessibility. The terms of our relationship are available and understandable to our customers, partners and website visitors.

Service

Blue offers a retargeting service to its Advertisers, as described above.

How our service works

Blue renders an internet advertising service called retargeting. For this purpose, users' navigation data is collected when they enter one of our partners’ websites. Such data collection is carried out by using tags - a set of programming code added to a partner’s website. Such tags work behind the browsing environment, without the user's knowledge. In this process, it is important to note that no personally identifiable data is collected.

From there on, the user may be impacted by a partner's ad through Blue's retargeting services. The goal is to nudge the user to return to a partner's website to purchase the product or service that the user has shown interest in on the partner's website.

Data collection and use of personal data

Blue does not collect personally identifiable data when a user accesses any Publisher’s or Advertiser’s website. That means Blue does not collect any data that makes it possible to identify a user while browsing a website.

User’s personal data will only be collected by Blue upon consent, except for other cases provided for in this Privacy Policy or by legal requirement.

Legal Basis: Section 7, item I, Brazilian Law No 13.709/19

What data do we collect from users?

Through tags (a set of programming code added to the background of a Publisher’s or Advertiser’s website), Blue collects data related to a user’s browsing activity, such as:

  • Which website the user came from;
  • For how long the user stays on each page of the partner’s website;
  • What was the last page visited in the partner’s website before its abandonment;
  • If a user has visited a product, we collect the visited product identifiers (IDs);
  • If a user added products to a shopping cart, we collect such product’s IDs; and
  • If a user makes a purchase, we collect the IDs of the purchased products, the total amount of that sale and the transaction ID.

Why do we collect these data?

The data collected serves to enable us to display extremely relevant ads to users who have expressed an interest in making a purchase on the website of one of Blue's partners.
The algorithms used by Blue rate each step in a purchase journey with a different level of importance to perform the ad display service. The closer the user gets to the end of a purchase process, the more relevant the ad will be to them.


Product identifiers (IDs) allow Blue to link products of interest to a user with similar products in terms of category and price.
Such process is made to offer products with a high probability of interest to the user through online advertising.

For how long and where will this data be kept at Blue?

All data collected is stored for 180 days in Blue’s encrypted servers provided by AWS (Amazon Web Services) cloud computing services. Blue has no physical servers to store data. For this reason, access to the servers is done only through a password and is protected by encryption.

How Blue’s employees handle data

User’s browsing data is used by the artificial intelligence algorithms of Blue’s retargeting service.

In addition to the anonymous collection of data, such data is used in an aggregate way to direct content according to the preferences that a set of users presented through the identifiers randomly assigned to them by Blue’s algorithm. Therefore, there is no individualization of users during the retargeting activity.

Due to such process Blue’s employees do not have access to a specific user’s browsing data nor perform any analysis on such data. The browsing data is used by the artificial intelligence algorithm to perform a classification process and then assign each identifier of a product to the identifier of a user who has expressed interest in that product.

Data storage

All data collected is stored in encrypted servers, protected by password and accessed only by Blue's technical responsible (CTO) or Blue professionals with a technical clearance level, whose access is also controlled by the company's CTO. All servers are stored in the cloud and are used as a service offered by AWS (Amazon Web Services).

Such data remains stored for a maximum of 180 days. After this period such data is permanently deleted from the servers. From the moment data is deleted from the servers Blue's retargeting service is unable to target new ads to a user unless that user returns to one of Blue’s Advertiser partner’s website. In the event a user returns to an Advertiser’s website, the storage process is renewed and follows the same pattern described in this paragraph all over again.

Blue only keeps data required by law or by any authority competent to make such a request.

International data transfer

The servers used by Blue are distributed in 4 regions of the world, namely Brazil, United States, Germany, and Singapore. All servers in each location have other identical corresponding servers, for the purpose of redundancy. The exchange of information occurs only within the environment of the servers themselves so that there is no data processing carried out in other jurisdictions besides Brazil.
Through such structure, information that is recurrently used remains in the location of the service provided, in order to minimize the latency in the response of requests made by any user to these servers.

Data Security

All collected information is stored and treated within an environment with maximum security. The entire environment is encrypted, password protected and controlled directly by the company's technical responsible (CTO). Additionally, these servers have redundancy features so that there is no loss of data in case of collapse or any other threat situation.

The browsing data collected during the retargeting process is stored in our servers, following strict encryption control. Only the technician responsible for the company (CTO) has access to these servers. Such data remains stored for a maximum of 180 days.

Access to any of the databases mentioned above is done through passwords and with a person responsible for each of the information storage and processing platforms.

Rules for Advertisers and Publishers

We only accept as Advertisers / Publishers companies that commit to a minimum standard of privacy.
This means that our Advertisers or Publishers:

(i) must have a privacy policy, which is requested whenever Blue enters into a contract with an Advertiser or Publisher;

(ii) may not use any Blue product or service to violate users' privacy rights;

(iii) may not use or process personal or sensitive data without prior consent of the holders of such personal data or without any other legal basis that legitimates such action.

Cookie Policy

We use some internal cookies to address, assign an identifier and store a user's browsing data in our environment, such as:

ckid

This cookie is an identifier (ID) provided by the user's internet browser and is used to pair the user with relevant products in marketing campaigns.

hash

An identifier (ID) generated in a randomized process that makes it impossible to identify a user, precisely to maintain the user's anonymity. The ID is generated through the ckid.

BLUEID

An identifier (ID) generated to ensure that a user does not receive an ID more than once, to avoid duplication in the system, even if the user leaves the internet browser and manages another browsing session.

Benefits of using Cookies?

Cookies save certain browsing information. Thus, when a user visits a Blue partner website again, it will recognize your browser and will be able to maintain your previously set options and preferences, especially in relation to your preferences when searching for products and services on the internet.

What happens if Cookies are not accepted?

Once we put our tags within the environment of a partner website, such partner is responsible for notifying the use of cookies to its users.

If the user rejects the use of Cookies, our tags will not be triggered, and anonymous information of that user will not be collected. Thus, our retargeting service will not work for that user in terms of its navigating behavior in the partner’s website.

Thus, the user will no longer receive ads related to their buying behavior.

I don't want ads!

If you do not want ads targeted by Blue to appear during your navigation on the internet, you can access the link http://www.getblue.io/optout/ to disable the service and prevent cookies from targeting your browsing information.

Erase Personal Data

Data deletion will only occur when there is an explicit request from a personal data subject, provided Blue has collected its personal data. As a business rule due to a privacy by design principle (privacy from the origin and conception of the product), Blue does not collect personal data. The data stored from internet users are anonymized by the process explained at the beginning of this policy.

Therefore, no identifiable data is stored by Blue and there is no possibility of identifying a user by using Blue’s services. Therefore, the rules of the Brazilian General Data Protection Law do not apply to users who somehow provide anonymous data to Blue.

Legal Basis: Section 12 in Brazilian Law No. 13.709/1

If a personal data subject wants to make any request, such as checking their own existing personal data or requesting changes to or deletion of personal data, such subject may make the request directly to an Advertiser or Publisher who is a Blue customer. The holder of personal data may also request Blue to confirm the existence of the collection and processing of personal data and, if confirmed, the corresponding change and / or deletion.

Any personal data request made directly to Blue must be made through the following link: http://www.getblue.io/dataremoval. Personal data collection and processing will not be performed due to the use of Blue's retargeting product, but only for some other business reason that leads to the collection and processing of a subject’s personal data.

Amendments

Blue may change this Privacy Policy at any time. Each version of the Privacy Policy will contain the effective date and version at the beginning of the document to ease user identification. You can also request an old version of the privacy policy for consultation.

Any changes to the Privacy Policy will be communicated to users and, to continue using the services provided by Blue, this Policy must be accepted by users.

Personal data requests

Any situation regarding personal data should be communicated to dpo@getblue.io.

Responsible (DPO):

Gabriella Pontes Garcia

dpo@getblue.io

Disputes

This Privacy Policy is governed by the laws of the Federative Republic of Brazil. Any dispute arising from this Privacy Policy or Blue’s service will be solved by the jurisdiction of the Court of the District of São Paulo, State of São Paulo, Brazil. Any other jurisdiction is deemed excluded, however privileged it may be or may become. Any dispute will be solved in Portuguese language and in São Paulo, State of São Paulo, Brazil.

Contact Details:

OC GROUP TECNOLOGIA DA INFORMAÇÃO LTDA

Rua Alvorada nº 1289, conjunto 1210

Vila Olímpia, São Paulo - SP

Tax ID (CNPJ) 27.036.715/0001-50.

Telephone: (11) 3846-6784