Last updated date: March 2020
If you are a California resident, please make sure that you review the section “Additional information for California residents” below for important information, as required by California privacy laws, about the categories of personal information that we collect and disclose, and your rights under California privacy laws.
Introduction and Overview
In addition, please review the Service’s Terms of Service, which govern your use of the Service, and include among other things limits on our liability and your remedies, mandatory arbitration, and waiver of jury trial and class actions. By using our Service, you agree to our Terms of Service (which grant us rights from you, limit our liability to you and limit your remedies) and consent to our collection, use and sharing of your information and data, and other activities, as described below.
1. Personal information that we collect
In this section, we explain what personal information we collect about you and how we collect it.
i. Information that you provide
You can use most of our Services without actively submitting any information about yourself, but you may choose to provide us with personal information through the Services, and when you do this, we will collect the personal information that you provide. In particular:
- If you desire localised content, we will collect your postal code
- If you contact us about opportunities to partner with XUMO, we will collect information about you through our contact form, including your full name and email address. We may also collect information that you choose to provide to us in connection with such enquiry.
- If you contact us through our user support channels, we will collect information about you including your full name, email address and, optionally, information about your streaming device. We may also collect additional contact information, such as your postal address, phone number or any other information that you provide to us.
- If you sign up for our mailing lists, we will collect your email address.
ii. Information about your use of the Services
We automatically collect information about your use of the Services, such as the time of your visit and the content you view. For example, we track what channels and content individual users view and how long a user watches those channels and content.
We also receive and collect technical information about your device and software, as applicable, including the type of device, operating system and version, network information, IP address (a unique number used to identify a device on the Internet), mobile device advertising identifier (a resettable identifier that is assigned to your mobile device by your operating system provider, such as Apple or Google), connected TV application device identifier (such as your Roku advertising identifier), connected TV identifier, the page you visited before visiting our website, and crash data.
iii. Information from third parties
In some jurisdictions, we may collect information about your device or household from third parties. We will use this information to customise the content and advertisements that are shown to you.
2. Advertising and analytics Services provided by others
The Services interact with Nielsen’s proprietary measurement, which will allow you to contribute to market research. By clicking on http://www.nielsen.com/digitalprivacy, users can access more information about the measurement software and learn about their choices with regard to Nielsen’s measurement.
3. Use of information
We use the personal information that we collect to analyse traffic and user activities on our Services, identify popular areas or features, and optimise and personalise the Services. This includes linking information gathered through various methods to provide you with a consistent experience on our Services. For example, we may suggest content or titles that may be of interest, organise your guide to show the most relevant channels or titles, and customise notifications or advertisements or other marketing communications on our Services or third-party sites and services.
We may also use the information we collect for the following purposes:
- Respond to customer service requests
- Provide, maintain and improve our Services, as well as develop new content and features
- Protect the rights and property of XUMO and others, including to detect, investigate and prevent fraud and other illegal activities and to enforce our agreements
- Marketing and advertising
4. Disclosure of your personal information
We will not disclose your personal information to any unrelated third parties unless we have your consent to do so, with the exceptions we mention here:
- With service providers who provide services to us under a contract and are required to keep the personal information confidential
- If reasonably necessary to comply with a law, regulation or compulsory process (for example, to respond to a subpoena)
- If we conclude that your actions violate our user agreements or policies, or to protect the rights, property or safety of XUMO or others
- In connection with a merger, sale of company assets, financing or acquisition of all or a portion of our business, provided that the receiving party agrees to protect personal information in accordance with the commitments of this policy and applicable law
- With our parent, subsidiaries and affiliates
As noted above, we share personal information that does not directly identify you but that identifies your device, such as cookie identifiers, device identifiers and IP addresses, through third-party cookies and similar technologies on our Services, to enable those third parties to provide us with analytics and advertising services.
We may share information that cannot be linked back to you or your device (such as aggregated data), which is not considered personal information under this Policy, with third parties.
5. Data storage
We store the personal information that we collect for as long as is necessary for the purpose(s) for which we originally collected it. We may also retain personal information as required by law.
6. Individuals in the EEA, United Kingdom and Switzerland
(a) Information about the processing of your data
(b) The personal data that we collect from you
(c) How we collect your personal data
We collect your personal data in a number of ways as described below.
6.1 Information you give to us directly
6.2 Personal data that we collect automatically
6.3 Information from third parties
In instances where our Services are integrated into your TV or are delivered through an application on your TV or other streaming device, we may collect information about your device or household from the relevant TV or streaming device manufacturer.
(d) How we use your personal data
Where we rely on legitimate interest as this lawful basis, our legitimate interest is necessary for promoting our business, improving the services that we offer to you and your experience when you interact with us, and ensuring effective operational management and internal administration of our business and the exercise of our rights.
6.4 To fulfil contracts
If you enter into a contract with us (for example by downloading our app so that you may watch our programming), we need to process personal data in order to fulfil the contract by providing the Services. If we cannot process your device/browser information and IP address, we will not be able to provide the Services/application to you.
6.5 Where we have your consent
We ask for your consent to send you direct marketing communications and serve you personalised advertisements. You can choose to unsubscribe at any time as explained in ‘your rights’ below or opt out from receiving personalised advertisements as described in our Cookie Information Policy. As explained in that policy, you can opt out of receiving interest-based advertising on our connected devices app by adjusting your personalised advertising choices in the settings menu.
6.6 Where we have a legal obligation
To protect, investigate, deter and report fraudulent, unauthorised or illegal activity in connection with your use of our Services or the security of our platform.
6.7 Where we have a legitimate interest
We may process your personal data where it is necessary for our legitimate interests as a business in the following situations:
Account management and record keeping and correspondence in relation to products and services you receive from us.
- Fraud detection and checks.
- To respond to any enquiries, information requests or complaints that you make to us or that are made about you.
- To inform you of upcoming events, promotions or programming, and communicate with you about these, where you have shown an interest.
- To send you marketing communications when you have not objected to receiving such communications from us.
- To contact you for your views and feedback on our Services.
- To assist with internal record keeping.
- To provide you with, and maintain the quality of, our Services and to analyse the use of our Services in order to help to guide improvements.
Where we rely on legitimate interest as a ground for processing your personal data, we carry out a ‘balancing test’ to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests, before we go ahead with such processing.
(e) Personal data sharing and disclosure
- SpotX: we use the connected television advertising service SpotX, to select and show you personalised ads that make our website/application more interesting for you and provide insights on that advertising. This involves collecting statistical information about you, which is processed by our advertising partners. SpotX uses tracking technologies such as web beacons in order to place a cookie on your device, which makes it possible to specifically target Internet users with advertising once they have demonstrated an interest in our Services. We use SpotX to assist us in tailoring our Services to your interests, to ensure that you don’t see the same add too many times, and to provide analytics that help us to improve our Services. SpotX’s server is located in the USA and you can learn more about their privacy practices at https://www.spotx.tv/privacy-policy/
- Freewheel: we use the online advertising service Freewheel, to select and show you personalised ads that make our website/application more interesting for you and provide insights on that advertising. This involves collecting statistical information about you, which is processed by our advertising partners. Freewheel uses tracking technologies such as web beacons in order to place a cookie on your device, which makes it possible to specifically target Internet users with advertising once they have demonstrated an interest in our Services. Freewheel’s server is located in the USA and you can learn more about their privacy practices at http://freewheel.tv/privacy-policy/
- Oath: we use the online advertising service Oath to select and show you personalised ads that make our Services/application more interesting for you and provide insights on that advertising. This involves collecting statistical information about you, which is processed by our advertising partners. Oath uses tracking technologies such as web beacons in order to place a cookie on your device, which makes it possible to specifically target Internet users with advertising who have already demonstrated an interest in our Services. Oath’s server is located in the USA and you can learn more about their privacy practices at https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/.
- Telaria: we use the online advertising service Telaria to select and show you personalised ads that make our Services/application more interesting for you and provide insights on that advertising. This involves collecting statistical information about you, which is processed by our advertising partners. Telaria uses tracking technologies such as web beacons in order to place a cookie on your device, which makes it possible to specifically target Internet users with advertising who have already demonstrated an interest in our Services. Telaria’s server is located in the USA and you can learn more about their privacy practices at https://telaria.com/privacy-policy/.
- HubSpot: We use HubSpot to provide customer support services, including accepting customer complaints and providing tech support for our Services/application. HubSpot receives your personal information when you contact them for customer support and processes that data in the EEA. You can learn more about HubSpot’s privacy practices at https://legal.hubspot.com/privacy-policy.
XUMO will not sell, rent or transfer your personal data to third parties without your consent or for reasons inconsistent with the purpose for which the data were originally collected or for other purposes authorised by law.
(f) Storage, transfer and retention of your personal data
Your personal data is generally stored on our server located in the EEA but as discussed above limited data may be transferred to our advertising and analytics partners in the USA. Where XUMO transfers your personal data from within the EEA to a country outside the EEA, we ensure adequate security measures are in place to offer protection for your personal data equivalent to that which it would receive within the EEA and in compliance with applicable data protection law. We have in place EU Model Contractual Clauses as an adequate safeguard for transfers outside the EEA. For further details of how we safeguard your personal data transferred outside the EEA (including how to obtain a copy of such safeguards), please contact us at firstname.lastname@example.org.
- our contractual obligations and rights in relation to the personal data involved;
- legal obligation(s) under applicable law to retain data for a certain period of time;
- statute of limitations under applicable law(s) which is the period during which contractual claims could be brought;
- our legitimate interests where we have carried out balancing tests (see section on ‘How do we use your personal data’ above);
- (potential) disputes; and guidelines issued by relevant data protection authorities
(g) Your rights
By law, you have a number of rights (subject to certain conditions) when it comes to your personal data. Further information and advice about your rights can be obtained from the data protection regulator in your country.
|Rights||What does this mean?|
|Your right to object to processing||You have the right to object to certain types of processing, including processing for direct marketing (i.e. if you no longer want to be contacted with potential offers or opportunities). Unsubscribing from newsletters and email marketing communications can most easily done by clicking on the unsubscribe link at the bottom of any email we have sent to you or, alternatively, by modifying your account settings and preferences.|
This is so that you are aware and can check that we are using your personal data in accordance with data protection law.
|Your right to update and rectification||You are entitled to have your personal data corrected if it is inaccurate or incomplete.|
You are generally able to review, correct or update your personal data at any time by accessing your account on the XUMO Platform where it has been created. However, you may choose to send us a written request to do so on your behalf at any time.
|The right to erasure||This is also known as ‘the right to be forgotten’ and, in simple terms, it enables you to request the deletion or removal of your personal data where there is no compelling reason for XUMO to keep using it. This is not a general right to erasure, there are exceptions.|
You are generally able to delete your personal data at any time by accessing your account on the XUMO Platform where it was created. However, you may choose to send us a written request to do so on your behalf at any time.
|Your right to restrict processing||You have rights to ‘block’ or suppress further use of your personal data. When processing is restricted, XUMO can still store your personal data, but will not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to make sure that the restriction is respected in future. However, please note that at a minimum we require access to your IP address and device information to provide our Services to you, so if you request that we block use of your personal data, you will be unable to use our Services.|
|Your right to data portability||You have rights to obtain and reuse your personal data for your own purposes across different services.|
|Your right to lodge a complaint||You have the right to lodge a complaint about the way XUMO handle or process your personal data with your national data protection regulator by contacting the applicable data protection regulator directly.|
|Your right to withdraw consent||If you have given XUMO your consent to anything that we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything that we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to our use of your personal data for marketing purposes.|
You can exercise any of these rights by emailing us at email@example.com with the subject line “Privacy Rights”. Please note that we may require you to provide proof of your identity before we can respond to your request.
We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
- baseless or excessive/repeated requests, or
- further copies of the same information.
XUMO may refuse, restrict or defer the provision of information where XUMO has the right to do so under current data protection legislation.
Please consider your request responsibly before submitting it. We will respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will come back to you and let you know.
If you are not satisfied with our response to a complaint that you have made, or think that we are not complying with data protection law, you can make a complaint to the data protection regulator in your country. Contact information for EEA data protection authorities may be found at https://edpb.europa.eu/about-edpb/board/members_en, for the UK data protection authority at https://ico.org.uk/make-a-complaint/ and for the Swiss data protection authority at https://www.edoeb.admin.ch/edoeb/en/home.html.
(h) Data security
We want you to feel confident about using the XUMO Services/application. Therefore, XUMO defines and implements reasonable technical and organisational measures necessary to maintain the security of personal data, according to the nature of the personal data processed and the circumstances of the processing, with the objective of avoiding unauthorised processing or access, alteration or loss, to ensure the confidentiality, integrity and availability of the data.
XUMO uses industry-standard SSL encryption to protect data transmissions. If you communicate with XUMO otherwise than via XUMO Services/application (e.g. by email), please be advised that the security of your communications is uncertain and confidentiality cannot be guaranteed. By sending sensitive or confidential email messages or information which are not encrypted, you accept the risk of such uncertainty and possible lack of confidentiality.
We may use the personal data that you provide to us to better understand your interests so that we can try to predict what other products, services and information you might be most interested in. We call this profiling. This enables us to tailor our communications and those of our third parties to make them more relevant and interesting for you.
We do not use your personal data to make automated decisions about you that may have legal effects or otherwise significantly impact you.
(j) Children’s privacy
XUMO will not knowingly collect personal data from or about children in the EEA, UK or Switzerland under thirteen (13), or knowingly allow minors between thirteen (13) and sixteen (16) to register as users without parental permission. If a parent or legal guardian becomes aware that his or her child under sixteen (16) has registered as a user without their consent, he or she should delete the relevant account or, if this is not possible, inform XUMO immediately. If XUMO becomes aware that a child under thirteen (13) or between thirteen (13) and sixteen (16) but without parental permission has registered as a XUMO user, their access as a user will immediately be denied and their account deleted as quickly as possible (including all personal data associated with that account).
If you believe that XUMO might have any personal data from or about a child under thirteen (13), please notify us by email at firstname.lastname@example.org.
(k) Links to other sites
7. Data transfers
We and our service providers transfer your personal information to, or store or access it in, other countries where the laws may not provide levels of protection for your personal information that are equivalent to the protection provided by the laws of your home country. When we do this, we take steps to ensure that your personal information receives an appropriate level of protection through contractual requirements imposed on the recipient of the information.
8. Children’s privacy
We are do not knowingly collect personal information from children under the age of thirteen (13). If you are a parent or guardian and you believe that your child under the age of thirteen (13) has provided us with personal information without COPPA-required consent, please contact us at the email address listed in the Contact Us section below.
(a) Promotional emails
You can opt out of receiving promotional emails by following the instructions in those messages. If you opt out of receiving promotional emails from us, we may still send you non-promotional emails.
(b) Mobile push notifications
When you consent, we may send promotional and non-promotional push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device.
(c) Cookies and similar technologies
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies.
10. Questions or complaints
11. Additional information for California residents
In this section, we provide information, as required under California privacy laws, including the California Consumer Privacy Act (“CCPA”), which requires that we provide California residents with certain specific information about how we handle their personal information, whether collected online or offline. This section does not address or apply to our handling of publicly available information made lawfully available by state or federal governments or other personal information that is subject to an exemption under Section 1798.145(c)–(f) of the CCPA.
Categories of personal information that we collect and disclose. Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The table below sets out generally the categories of personal information (as defined by the CCPA) about California residents that we collect, sell and disclose to others for a business purpose. We collect these categories of personal information from the sources and for the purposes described above.
|Categories of personal information collected||Do we collect?||Do we disclose for business purposes?|
|Name, contact info and other identifiers such as an online identifier and Internet Protocol address.||Yes||Yes|
|Purchase history and tendencies such as products or services purchased, obtained or considered, or use histories or tendencies.||No||No|
|Usage data such as Internet or other electronic network activity information, including, but not limited to, browsing history, clickstream data, search history and information regarding a resident’s interaction with an Internet website, application or advertisement.||Yes||Yes|
|Audio, video and other electronic data: audio, electronic, visual or similar information such as call recordings.||No||No|
|Profiles and inferences such as inferences drawn from personal information to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes or intelligence.||Yes||Yes|
Categories of personal information sold. The CCPA defines a “sale” very broadly as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration. While we do not disclose personal information to third parties in exchange for monetary compensation from such third parties, we do disclose or make available personal information to third parties in order to receive certain services or benefits from them, such as when we allow third-party tags to collect information such as browsing history on our sites, in order to improve and measure our ad campaigns. The categories of personal information that we may “sell” within this broad definition in the CCPA includes:
- Name, contact information and other identifiers
- Usage data
- Profiles and inferences
California residents’ rights. California law grants California residents certain rights and imposes restrictions on particular business practices as set forth below.
Do not sell. California residents have the right to opt out of our sale of their personal information. You may submit a request to opt out of the sale of your personal information by visiting www.XUMO.com/ccpa
Initial notice. We are required to notify California residents, upon or before the point of collection of their personal information, about the categories of personal information collected and the purposes for which such information is used. You can find this notice at the top of this Policy.
Verifiable requests to delete and requests to know. Subject to certain exceptions, California residents have the right to make the following requests, at no charge:
Request to delete. California residents have the right to request deletion of their personal information that we have collected about them and to have such personal information deleted, except where an exemption applies.
Request to know. California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of personal information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by post or (b) electronically in a portable and, to the extent technically feasible, readily usable format that allows the individual to transmit this information to another entity without hindrance. California residents also have the right to request that we provide them with certain information about how we have handled their personal information in the prior 12 months, including the:
- categories of personal information collected;
- categories of sources of personal information;
- business and/or commercial purposes for collecting and selling their personal information;
- categories of third parties with whom we have disclosed or shared their personal information;
- categories of personal information that we have disclosed or shared with a third party for a business purpose; and
- categories of third parties to whom the residents’ personal information has been sold and the specific categories of personal information sold to each category of third party.
California residents may make a request to know up to twice every twelve (12) months.
Submitting requests. Under the California Consumer Privacy Act (CCPA), California Residents (Consumers) have the right to submit a request to know, request to delete, or request to opt out of the sale of their personal information. However, the CCPA also requires XUMO to reasonably verify each request to know or request to delete before responding.
You may submit a request to opt out of the sale of your personal information by going to www.XUMO.com/ccpa. However, XUMO currently has no way to reasonably verify a consumer’s identity and we are therefore not able to fulfil requests to know or requests to delete. We will respond to verifiable requests received from California residents as required by law.
Right to non-discrimination. The CCPA prohibits “discrimination” against California residents for exercising their rights under the CCPA. The CCPA definition of discrimination may include where a business denies or provides a different level or quality of goods or services, or charges (or suggests that it will charge) different prices, rates or penalties to residents who exercise their CCPA rights, unless doing so is reasonably related to the value provided to the business by the residents’ data.
Financial incentives. A business may offer financial incentives for the collection, sale or deletion of California residents’ personal information, provided that the incentive is not unjust, unreasonable, coercive or usurious, and is made available in compliance with applicable transparency, informed consent and opt-out requirements. California residents have the right to be notified of any financial incentive offers and their material terms, the right to opt out of such incentives at any time, and may not be included in such incentives without their prior informed opt-in consent.
Your rights under California’s Shine the Light law. Under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), California residents who provide us with their personal information are entitled to request and obtain from us, free of charge, information about the personal information (if any) that we have shared with third parties for their own direct marketing use. Such requests may be made once per calendar year for information about any relevant third-party sharing in the prior calendar year (so, requests submitted in 2020 would be applicable to relevant disclosures (if any) in 2019). If you are a California resident and would like to make such a request, please submit your request in writing by emailing us at email@example.com, using the subject line “Request for California Privacy Information”. In your request, please attest to the fact that you are a California resident and provide a current California address. We will reply to valid requests by sending a response to the email address from which you submitted your request. Please note that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing and the relevant details required by the Shine the Light law will be included in our response.
For more information about our privacy practices, you may contact us as set forth in the Contact Us section below.
12. Contact us
If you have any questions or concerns regarding our privacy policies, please send a detailed message to our support team, and we will try to resolve your concerns, or you may contact our Privacy Officer at: firstname.lastname@example.org or by post at XUMO, 3347 Michelson Dr, Suite 150, Irvine, CA 92614, USA (Attn: Legal Department).
© 2020, XUMO, LLC. All rights reserved.