Platform Privacy Policy
We, Piano Software Inc., Philadelphia, US and affiliated companies belonging to Piano group (collectively, “Piano”, “we”, “us”, “our”, or “we”), formerly known as Piano Media, Press Plus and Tinypass and now incorporating Newzmate, Cxense and AT Internet are committed, as data processor, to partnering with customers and users to help them understand and comply with data protection regulations (GDPR, ePrivacy, CCPA, LGPD …).
Piano provides online products for digital activities, as well as potential additional services on behalf, and based on instructions of the data controller, owners, and publishers of digital platforms – websites, mobile applications, or any other connected platform (“Publishers”).
We collect, process and store personal data and other information through our products – Composer , Analytics , DMP , VX , ID and ESP (“Platform”), or when providing our service to Publishers (“Service”).Personal Data Management on the Platform
To provide the Platform and/or perform the Service, Piano collect, process and store data on behalf of the Publisher. The answers to the following questions allow us to explain how we manage personal data on the Platform.
What kind of personal data do we collect?
Raw ID-type information: for instance, the user-terminal ID (cookie or mobile ID), that is transformed in a hashed visitor ID, or the IP address, that can be anonymized, to perform geolocation for instance
All standard business information provided by the products of the Platform: for instance, navigation data (browser and device type, type of events or content, …), behavior information (sources, navigation path, time spent on contents, …), information related to registered or subscribed users (first name, last name, email, …)
Additional and specific information that the Publisher can collect: based on the technology used to collect data (see following “How do we collect personal data?”), the Publisher can measure, collect, and analyze any business relevant information for him via our Platform
Composer, Analytics, and DMP collect by default pseudonymized information, but directly identifiable information can be added by the Publisher. VX, ID and ESP services are working with directly identifiable information.
We therefore consider by default all data collected, processed, and stored via our Platform as personal data according to GDPR art. 4.1.
What do we do with personal data?
We process the collected data to provide the information requested by the Publisher on the Platform: audience measurement data, content orchestration, account management, subscription processes, …
What are we not doing with personal data?
As data processor, and respecting the terms of contracts and the data processing agreement (DPA) signed with the Publisher acting as data controller, we do not:
Sell personal data to anyone;
Monetize personal data by other means;
Claim ownership over personal data;
Barter personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Publishers to provide us with such data. If we become aware that a Publisher has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data as defined in article 9 of the GDPR.
How do we collect personal data?
Personal data is collected via so called tagging libraries (mainly JavaScript on the web and SDK for native application) implemented by the Publisher on its online platforms. See Cookies and Similar Technologies below for further details on complementary data collection methods.
When a user/data subject visit a Publisher platform, and according to the legal basis chosen by the Publisher (see Purpose of Processing and Legal Basis below), https requests are sent to Piano servers to perform the service requested by the Publisher.
How long do we store personal data?
Depending on the product of the Platform, or regarding specific legal obligation to perform (e.g., for payment with VX), the data retention period can be different and always agreed in the contract with the Publisher acting as data controller. Analytics, for instance, has a predefined data retention period of 25 months with the opportunity for the Publisher to customize it.
For all products, all data is deleted at the end of the contract relationship with the Publisher.
Where do we store personal data?
Depending on the product used by the Publisher, the data collected from the end-user can be stored in different places. Please see the Piano Sub-Processors’ table in the Sub-processors and Affiliates paragraph below, to see where the data is stored/hosted.
Do we share personal data?
We, by default, do not share any data to anyone without the Publisher prior approval.
We, however, may share personal data, with all the adequate technical and organizational measures to protect it, in the following cases:
Intragroup: Only if necessary and for specific purposes, we may share personal data within affiliated companies belonging to Piano group (see Sub-processors and Affiliates below). Our employees might have access to personal data on a strictly need-to-know basis typically governed and limited by function, role, and department of the particular employee. All affiliated companies belonging to Piano group concluded an intra-group data processing agreement (DPA) with EU Standard Contractual Clauses.
Service providers: We use sub-contractors who might process personal data for us and to support us in providing the Platform and Services requested by the Publisher (see Sub-processors and Affiliates below).
Legal disclosures: We may have to release personal data and other information we possess when necessary or appropriate to comply with the law; cooperate with law enforcement or national security requirements; respond to lawful requests; protect the rights of Piano or a Publisher, other Piano customers, and users, and third parties; or to enforce our terms of use. However, in doing so, we may:
Dispute demands for release to the extent we believe, in our sole discretion, are unwarranted, illegitimate, or overbroad.
Will notify Publishers of any requests unless we have some contradictory orders.
Piano never had to disclose any personal data for legal purposes so far.
Cookies and Similar Technologies
To provide the products of the Platform, Piano is using trackers, especially cookies on standard websites, or mobile IDs on native applications. Local storage, server-to-server request, clear gifs, pixel tags, web beacons or other similar technologies may also be used in some cases.
You can access some information about the trackers used on and across all products (Composer, VX, ID, ESP, DMP, Analytics) under to the following link:
Users can control the use of trackers on their devices via the following means:
Use the opt-out mechanism on the dedicated online platform provided by the Publisher
Use the device appropriate configuration (browser or cellphone Operating System – Apple or Android mainly – settings)
Our third-party partners may also use tracker, cookies, or similar technologies, to provide users advertising based upon user´s browsing activities and interests. Users can opt out of interest-based advertising click here , or if located in the EEA click here .
Purpose of Processing and Legal Basis
Publishers can use the Piano Platform and the associated Services for the following main purposes:
Understand the audience
Optimize content
Engage the audience
Monetize the online platform
Based on the main purposes observed in the digital marketing world, the following table synthesized for each purpose, what Piano product is by default aimed for, and what is the by default legal basis for seen on our side for this purpose: