Product Privacy Notice

Merkle UK One Limited and its affiliates ("Merkle", "our", "us" and "we") is a global data-driven, technology-enabled performance marketing agency. We help our clients to improve how they advertise and market, whether by print, post, email or on websites.

This privacy notice (“Notice“) sets out where we get personal information from, what types of personal information we store, how we use it, what we do to protect it, and your choices and rights about your personal information.

1. Sources of Information

To help our clients target their advertising and marketing in a more effective and relevant manner, we collect certain information about consumers. We receive personal information from third party sources like data brokers, our clients (who may already do business with you), our partner publishers and partner service providers. We may also receive personal information from other sources such as public registers. We put information together so that we can check your personal information is correct and up to date, and then we keep the collection of information about you in our data store (see How We Use Your Personal Information).

2. Types of Personal Information We Process

From our sources (see Sources of Information), we get and store various types of information about people. These may include the following, which we link to a pseudonymous identifier for each individual:

• Information about you and your household, such as your adult household member's dates of birth or age, gender and marital status, and your pets. The only information we have about children is how many children are in your household and their year of birth or age range. We do not knowingly collect data about individuals under the age of 16. We use reasonable efforts to remove information about individuals under 16 from our data store.
• Contact information, such as your name, address, phone number and email address.
• Your occupation, and whether or not you are a company director.
• Your property , including its value, how long you've lived there, information about your mortgage; and information about your car.
• How you like to use your electronic devices, including mobile phone, TV provider, internet access at home or at work. This may include whether you use social media, play games, download music or watch TV online, take or share photos or videos, research holidays, gamble, use mobile banking apps or online banking, etc.
• Interests and hobbies, such as the sports you like, the newspapers you read, whether you enjoy crossword puzzles, current affairs, movies and TV, cooking, pubs or theatres. We also store information about your holiday preferences and frequency, and your charitable interests and how you donate.
• Whether you prefer to shop by mail order, telephone or internet, how often you shop online and your weekly spend, and whether you prefer to shop online.
• Information on financial matters like whether you own store/loyalty or bank cards or credit cards, the types of insurance cover you have, information about your pension (and its adequacy), loans and investments, and whether you have a will. However, we do not and will not collect or store any bank account details or card numbers.
• Information about how you use the internet, including internet protocol (IP) address used to connect your computer to the internet, mobile device IDs, websites that you visit and how you interact with those websites and any apps you may use.

We do not want to, and try not to, collect any personal information about ethnicity, sexual orientation, health, religious or philosophical beliefs or trade union membership, and we do not collect or hold any information on passports or identity cards or about people's location or movements.

3. How We Use Your Personal Information

We use personal information to help our clients find people who are in certain "segments", for instance: "men living in a particular postcode area who are aged between 20 and 30". These people might already be customers of the client or the client might want to find only people who aren't its customers yet.

We combine or match personal information in our data store to select the most appropriate group of people for a particular advertising or marketing campaign. We try to make sure that only the people who fit the client's desired audience are selected, and that ads are only shown on those people's devices (and not other people). We also use matched or combined information to check that your contact information is up-to-date and accurate, confirm which devices are used by which people and conduct data analytics to assist targeting – this includes predictive data concerning people's purchasing behaviour, likelihood of response to marketing or purchase of a product, brand loyalty, product and brand affinities and preferences.

All this may include doing what's known as "profiling" (see Profiling, and Your Right to Object to Profiling).

We or our partners may then show ads or send marketing messages to people or we will provide our clients with information so that they can send marketing or show ads to consumers. For example, you may see adverts or get marketing messages based on what we know people with similar interests to you find useful, or you may get marketing about our client if you've agreed that a company (with whom you are already a customer) can send you marketing messages from other companies, like our clients.

In addition, we may share your personal information with trusted social media platforms who allow us to buy adverts for our clients. This may mean that you receive our clients’ marketing messaging when you use those social media platforms.

We are what's known as the "data controller" (see Glossary) of the personal information kept in our data store. This means that we have control over how that information is processed, we must handle it only in certain ways and we have to honour your rights regarding your personal information (see Your Rights). We collect, process, keep and use the personal information in the data store for our legitimate business interests, which involve helping our clients to deliver relevant advertising or marketing. We don't use the stored information for any other purpose.

When a client uses Merkle to run an advertising or marketing campaign, for the personal information used for that campaign Merkle is what's known as a "data processor" for the client (see Glossary below). As a data processor, we use that personal information only for the client's advertising or marketing campaign, act only on the client's instructions, and do not control or share any of that information without direction from the client.

After a client campaign, Merkle helps its clients review how effective the campaign was, which also helps us to improve our service and the relevance of future campaigns to consumers. Our partners provide information to help us to review success which, in limited circumstances, may include detail that, theoretically, could identify the individual people concerned. However, we don't link or store those reports to the people concerned or use them for anything else, and we don't share that data in a way that would allow our clients to link the data or reports to any individual.

3.1 Profiling

Some of what we do with your information involves what's known as "profiling" – automatically using personal information to work out certain things about people, like analysing or predicting their personal preferences, interests, or behaviour.

Automatically working out whether you fit in a certain category, e.g. "men living in a particular postcode area aged between 20 and 30", is treated as profiling, even though it's based on facts about you. Similarly, when we try to predict your buying habits, how likely you are to respond to marketing or advertising and which products or brands you like the most, this counts as profiling. We take steps to ensure that our profiling process is accurate.

We do not make automatic decisions about you based on profiling, except to find out which group of people fall within our clients' campaign criteria (e.g. "People who like cats," or "People who seem like these particular customers of the client"). This lets our client target its advertising or marketing to a large group of people more quickly and efficiently. The only result of this automated decision is that, if you are in the selected group, you may receive targeted advertising or marketing from our client (which may be personalised to you), or your information may be passed on to our client for their advertising or marketing. Generally, people who get advertising or marketing messages would not be significantly affected by it, because they are free to choose whether or not to buy the advertised or marketed product/service.

You can object to and opt out of our profiling (see Your Rights).

3.2 How We Protect Your Personal Information

Merkle's safeguards include robust systems and processes designed to ensure that we collect only the minimum necessary personal information, and that only Merkle staff who need to view your personal information can see it. We carry out checks to make sure we adhere to restrictions on our use of the information (such as where you have not agreed to receive marketing). Our stored information is refreshed at least monthly, to help keep it accurate and up to date and we also use data from other third parties which indicate if people have moved or have deceased to keep our data clean. Merkle also regularly tests systems to check that its selection of people to target for marketing or advertising is fair, effective and unbiased.

We regularly check that our stored information is correct and up to date, for example through regular checks of our data brokers and by comparing the information we get from different sources. We also provide a way for you to update your information yourself.

We have implemented policies, processes and systems to ensure your information is secure, including encryption of your information in storage and while being sent, whether to us or by us. Our Global Information Security Program is based on the ISO27001/2 standards, the ISC2 CISSP Ten Domains, SANS, and industry and internal Merkle best practices. We continuously monitor and improve standards and regularly test our security measures. We also maintain an incident response plan for dealing with any incident or breach whereby your information may be put at risk or compromised, including measures for logging and audit trails, incident detection and security incident information gathering and reporting.

Merkle also requires its clients, publishers and service providers to implement appropriate security measures to safeguard your information and to notify us of any incidents affecting your information.

3.3 Storing and Deleting Your Personal Information

Merkle keeps personal information only for as long as we need it for our legitimate business purposes, to provide services to our clients. For example, where a client has given us personal information for a specific campaign, but we realise that the client will not be marketing to that individual, then we will we delete the information.

We delete all personal information used for a client campaign within a reasonable time after the campaign has ended. If a client or partner gives us any personal information for a particular client campaign, or we get any extra personal information for a client to use for its campaign, we also delete that information within three months of the campaign ending.

Personal information that we get from our data providers may, in principle, be kept longer, to provide services or selected personal information to our clients, except for information which you have asked us to delete (see Your Rights below). We make sure that information is securely deleted and won't be recorded again in our systems. Where we get updated information about you, we keep the old information for our historical records and to make sure the information we store stays up to date. This is because, if certain information about you must be deleted, we need to keep enough details about you (e.g. your name and the type of information deleted) so that if we receive that deleted information again, we'll know to delete the newly-received information. In addition, we regularly delete information associated with inactive IDs and review whether old information needs to be kept for a legitimate purpose, otherwise we securely delete that information as soon as it becomes redundant, so that we keep the absolute minimum necessary of old information.

4. Sharing Personal Information with Others

Merkle may share personal information from its data store with:

• our partners, where necessary to operate or improve our services to our clients, but we make our service providers promise to use the information only to provide their services for us;
• our clients, for their analytics, profiling and/or marketing purposes;
• third parties, where necessary to protect Merkle's legal rights or property;
• government and law enforcement agencies, where necessary to comply with our legal obligations in response to their requests or court orders; and
• Affiliates or others, if Merkle should sell or transfer any part of its business or assets or become involved in another merger or business transfer.

5. Your Information, Your Choice

5.1 Merkle's Stored Information – You Have Choice and Control

We realise that you may not want us to use your information. Our business depends on consumer information and trust, so we are very clear that you have choice and control: you decide what information about you, if any, you are willing for us to keep and use, and for what purposes. For example, you may be happy for us to use your information for marketing but not for profiling, or you might be willing for us to perform profiling but you don't want any of our clients to use your information for their marketing or advertising.

If you want to object to or restrict Merkle's processing of any of your personal information (or all of it), for any of the purposes described previously (or all of them), or if you want to exercise any of your other rights (see Your Rights below), then please send your request to us (see Contact Us – Data Protection Officer, below).

There are good reasons why you may be willing for Merkle to continue to hold and use your personal information. Many websites on the Internet are free because they are supported by advertising. Without the money they make from advertising, website owners may need to charge consumers, otherwise they may not be able to make their website content available. Another good reason is that you may want to see adverts for products and services that you are more interested in. Not all advertising shown to consumers is relevant to their interests, but Merkle works with its clients to show you advertising that you may find more useful, based on information held about you.

5.2 Opting Out of Direct Mail and Telephone Marketing

Responsible marketing companies respect your choice to not receive direct marketing.

Merkle checks the Mailing Preference Service and the Telephone Preference Service to ensure that we do not contact you with unwanted marketing by phone and post. We also check any lists given to us by our clients of people who have asked not to receive any marketing from that client. Note that if you have already consented to marketing by a client of Merkle they may still market to you even if you follow the steps below, so you should contact them directly if you do not want to receive marketing from them.

• If you would like to opt out of direct postal mail marketing, register at www.mpsonline.org.uk
• If you would like to opt out of telephone marketing, register at www.tpsonline.org.uk

6. Your Rights

If you are from the European Economic Area, you have rights (with some exceptions and restrictions) to:

• object to our processing of your personal information;
• object to receiving marketing;
• access your personal information, i.e. find out exactly what information we hold about you;
• request erasure of your personal information;
• request correction or updating of any of your personal information that is inaccurate;
• request restriction of processing of your personal information, in some situations (so that we will keep it, but can't do anything with it while waiting for the issue to be resolved);
• request the "porting" (sending) of certain of your personal information, to yourself or to another organisation; and/or
• complain to your local data protection authority about our collection or use of your personal information - for more information, contact the UK Information Commissioner's Office.

If you are from the European Economic Area and would like to exercise any of these rights in relation to any information that Merkle holds about you, please contact findoutmoreuk@merkleinc.com). We will consider and respond to your request in accordance with the relevant law. 

You can also write to us at:

We will need you to submit proof of identify (such as, a current driving licence photocard, passport etc.) and proof of address (such as, bank or building society statement, council tax statement etc.) dated within the past 3 months – this is to protect you and ensure that we are processing your information in line with your actual instructions. Please note that once we have verified your identity and address, we will immediately destroy your proof of identity and address. You can provide your proof of identity as a scanned copy (via email) or photocopy (via post).

Once we have received your initial request, we will ask you to send these to us in a secure manner.

Please also confirm if you prefer to communicate either by mail or email in your request.

7. Transferring Information Outside of the UK

Merkle's data store is kept in the UK, and backed up in the UK.

However, Merkle sometimes transfers personal information outside of the European Economic Area, to its affiliates in the USA and China (and occasionally to other countries), for maintenance or support purposes. We may also transfer personal information to countries where our overseas clients are located, to provide our services to them, or to our partners or service providers that may provide services from other countries.

When we make any of these transfers, we take appropriate steps to ensure EU data protection law is complied with. These steps might include, for example, transferring the information to someone in a country which the European Commission has decided provides adequate protection for personal information, or to someone who has signed standard contractual clauses approved by the European Commission. Merkle's intra-group agreement includes these standard contractual clauses, to cover transfers to our non-European affiliates.

8. Contact Us – Data Protection Officer

If you have any questions about this Notice or would like to exercise any of the rights mentioned above, you can contact our UK Data Protection Officer in any of the following ways:

Address: Merkle, Inc., Colston Tower, Colston Street, Bristol, United Kingdom BS1 4UH

Telephone: (+44) (0) 330 060 6065

Email: dpouk@merkleinc.com

9. Glossary

"data controller" – the person or company that controls the purposes and means of processing personal information. Merkle is the data controller of the personal information it stores.

"data processor" – a person or company engaged by a controller to process personal information for the controller. Merkle acts as a data processor for its client when using personal information for the purposes of a client's advertising or marketing campaign.

"European Economic Area" – the 28 countries in the European Union plus Iceland, Liechtenstein and Norway.

"personal information" – any information that relates to an identified or identifiable living individual.

"processing" – for personal information, this includes storing, copying, viewing, sharing, sending and analysing the personal information.

"profiling" - automatically using personal information to work out certain things about people, like analysing or predicting their performance at work, reliability, economic situation, personal preferences, interests, behaviour, location or movements.

"transfer" – sending personal information outside the European Economic Area (e.g. by storing it on equipment located outside the European Economic Area), or allowing someone from outside the European Economic Area to access personal information.

10. Changes to the Privacy Notice

We may make changes to this Privacy Notice on occasion. We will post any revised versions of this Privacy Notice on the Merkle website. Please review this Privacy Notice periodically in order to ascertain whether any changes have been made.

This policy was last updated on December 31, 2019.