BMS PRIVACY POLICY
Privacy Policy
1. General Information:
1.1 Last updated: This Privacy Policy has been effective since September 09th, 2025.
1.2 This Privacy Policy is issued by Blue Dawn Marketing Consulting Group S.L. (hereinafter “Blue”) in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”), Directive 2002/58/EC of the European Parliament and of the Council (hereinafter “ePrivacy Directive”), Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter “LOPDGDD”) and Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (hereinafter “LSSI”).
1.3 Blue is a technology company specialized in retargeting services, which involve displaying advertisements tailored to the interests of potential consumers based on their browsing behavior and consumption patterns. This service is powered by an artificial intelligence algorithm developed by Blue, which processes behavioral data collected in a strictly anonymous manner without capturing any personally identifiable information such as names, contact details, IP addresses, banking data, or geolocation. Instead, users are assigned a randomly generated identifier that allows the system to recognize behavior patterns without compromising personal identity or enabling reidentification.
Blue's clients, referred to as "Advertisers", can use this data to deliver personalized ads to users across digital spaces such as websites, blogs, and other partner platforms ("Publishers"). All data processing is carried out exclusively by Blue, without third-party intermediaries, with a strong emphasis on privacy and anonymization. Committed to transparency and ethical data practices, Blue ensures that all customers, partners, and website visitors can easily understand the nature and terms of this data-driven relationship.
2. Data controller:
- Company name: Blue Dawn Marketing Consulting Group S.L.
- Address: Santa Rita 1 Numeros 1 y 2, San Pedro de Alcántara, 29670, Malaga, Spain
- Email: legal_eu@getblue.io
- CIF: B93646701
3. How our service works
3.1 Blue performs an internet advertising service called retargeting (hereinafter referred to as “Blue’s services”). To this end, users' navigation data are collected when they browse within a partner website. Such collection is carried out by means of tags, a set of programming code added to the partner website, which triggers and works behind the navigation environment, without the user's knowledge. In this process, it is important to emphasize that no data is collected that allows the identification of a user and the consent of the user is indispensable.
3.2 From this, the user may be impacted by advertising from the partner, through Blue’s services, with the aim of making the user return to the partner's website to purchase the product or service of interest in the partner website.
4. Collection and use of data
4.1 Blue does not collect personally identifiable data when a user accesses any Publisher or Advertiser website. That is, we do not collect any data that makes it possible to identify a user while browsing a website.
5. What data do we collect from users?
5.1 By means of tags (a set of programming code added to the website of a Publisher and Advertiser, which triggers and works behind the scenes, without the user's knowledge), Blue collects data related to the user's navigation (completely anonymous), such as:
- What website the user came from;
- How long this user remains on each page of the partner environment;
- What was the last page visited in the partner environment before leaving it;
- If you have visited a product, we collect the visited product identifier (IDs);
- If you have added products to the cart on a website, we collect the IDs of the products added there;
- If you made the purchase, we collect the IDs of the products purchased, the total value of that sale and the transaction ID;
- IP addresses (collected outside of advertiser’s website for fraud detection / general geo location purposes);
- URLs of the web pages visited by each user (“referrer”);
- Timestamps (to understand when the user visited our client's environment and saw products, so we understand when he is more likely to convert);
- Technical browser and device information (“user agent”); and
- Attribution of unique identifiers, such as cookie IDs and mobile advertising IDs.
6. Why do we collect this data?
6.1 The data collected is used to display extremely relevant advertisements to users who have expressed an interest in making a purchase on the website of one of Blue's partners.
6.2 The algorithms used by Blue also assign different amounts related to the purchase steps carried out by the user to carry out this ad display service. The closer the user gets to the end of a purchase process, the more relevance the ad will have for them.
6.3 Product identifiers (IDs) allow Blue to relate products of interest to a user with products of similar categories and prices, in order to offer, through online advertising, products with a high probability of interest from the user.
7. Data storage and information security
7.1 All data collected within the scope of Blue’s services are stored in an environment with high security standards. The entire infrastructure is encrypted, password protected and directly supervised by the Group’s Chief Technology Officer (CTO). Access to any database is restricted exclusively to the CTO and duly authorized Blue professionals with the technical capacity to manage such systems. The servers also maintain redundancy mechanisms to avoid data loss in the event of collapse or other threat situations.
7.2 Although not directly employed by Blue, the CTO is intrinsically connected to the Company through his role within another legally independent company part of the Group and established in Brazil. As such, the CTO may be involved in supervision or related data management activities, always in accordance with this Privacy Policy and subject to the same security and compliance standards.
7.3 Data collected in connection with Blue’s services are stored on encrypted servers in AWS cloud computing services (Amazon Web Services). Such data are retained for a maximum period of 180 days, after which they are permanently deleted. From that point onwards, Blue is unable to direct new advertisements to the user, unless this user returns to Blue's Partner Advertiser portal. In the event that the user returns to the Advertiser's portal, the storage process is renewed.
7.4 Access to any database mentioned above is done through passwords and with people responsible for each of the platforms for storing and processing information.
7.5 We only keep data required by law or by any authority with competence to make such a request and for the period legally required in order to comply with the applicable legal obligations.
8. How does Blue handle the data?
8.1 The browsing data of the Advertisers and Publishers website user collected by Blue are used by the artificial intelligence algorithms of Blue's retargeting product.
8.2 These data are used in aggregate form to direct content according to the preferences that a set of users presented through the identifiers randomly assigned to them by the Blue system. Therefore, there is no individualization of users during Blue’s services.
8.3 In this way, Blue employees do not have access to navigation data or perform any analysis on these data. Navigation data are used by the artificial intelligence algorithm to carry out a classification process and assign each identifier of a product to the identifier of a user who has expressed interest in that product.
9. How Google uses information from sites
https://policies.google.com/technologies/partner-sites
10. International data transfer
10.1 Blue transfers certain personal data collected in connection with its services to jurisdictions outside of the European Economic Area (“EEA”), such as Brazil, as Blue’s primary servers and data storage infrastructure are located within the facilities of the Group in Brazil as explained in point 7.2. Any such transfer shall be carried out subject to appropriate safeguards and in full compliance with applicable data protection legislation to ensure an adequate level of protection for the rights of data subjects.
Blue may also transfer data to recipients located in countries recognized by the European Commission as offering an adequate level of protection for personal data, or to recipients in the United States that have certified their compliance under the EU-U.S. A list of countries deemed to provide an adequate level of protection without the need for additional safeguards can be accessed by clicking here.
11. Purposes of processing
Processing of data; ensure security, prevent and detect fraud, and fix errors:
11.1 This purpose is to be used by third parties operating on digital property, and it does not affect publishers’ ability to run fraud checks outside of the TCF (IAB Transparency & Consent Framework) and independently. This purpose is intended to enable processing activities such as:
- Monitoring, preventing ex ante and ex post:
  - General Invalid Traffic Detection and Blocking
  - Sophisticated Invalid Traffic Detection and Blocking
  - Automated Browsing, Dedicated Device
  - Automated Browsing, Non-Dedicated Device
  - Incentivized Human Activity
  - Manipulated Human Activity
  - Falsified Measurement Events
  - Domain Misrepresentation
  - Hidden Ads
  - Advertising Spam
- Process of identifying product errors - making products work (not improving them)
- Ensuring operability of the system/platform
Deliver and present advertising and content
This purpose is intended to enable processing activities such as:
- Receiving and responding to ad or content requests
- Delivering of ad-files or content files to an IP address
- Using information received automatically to deliver compatible ads or content, such as:
  - User Agent type
  - Supported language
  - Connection type
  - Size and type of the ad or content requested
- Respond to a user’s interaction with ad or content by sending the user to a landing page
- Logging that an ad was delivered, without recording any personal data about the user
- Logging that content was delivered, without recording any personal data about the user
12. Adherence to the IAB Transparency & Consent Framework
12.1 We hereby inform you that Blue is a participant in the IAB Europe Transparency & Consent Framework. In this capacity, we adhere to the Policies and Specifications outlined in the Transparency & Consent Framework. Additionally, our assigned Vendor ID is 620. Users may reference this Vendor ID to obtain further information regarding our compliance with these requirements, if needed, by visiting https://iabeurope.eu/vendor-list-tcf/.
13. Rules for Advertisers and Publishers
13.1 We only accept as advertisers/partners companies that are committed to a minimum standard of privacy. This means that our Advertisers or Publishers:
- (i) must have a privacy policy, which is requested when contracting with an Advertiser or Publisher;
- (ii) may not use any Blue product to violate users' privacy rights;
- (iii) may not use personal or sensitive data for processing without prior consent of the holders of personal data or without any other legal basis for doing so.
14. Cookie Policy
14.1 The cookies used by Blue have a maximum duration of thirty (30) days in the absence of cookie refreshing. Accordingly, such cookies will automatically expire and be rendered inactive upon the completion of this period, after which they will no longer collect or store any information.
14.2 We use some internal cookies to address, assign an identifier and store a user's browsing data in our environment, such as:
| Internal Cookies | Meanings |
|---|---|
| CKID | This cookie is an identifier (ID) provided by the user's internet browser and is used to match the user with relevant products in marketing campaigns. |
| HASH | Is a randomly generated identifier (ID) that ensures the impossibility of identifying a user, precisely to maintain their anonymity. The ID is generated from the ckid. |
| BLUEID | Is an Identifier (ID) generated by Blue to ensure that a user is not identified more than once and generates duplication in the system, even if he/she leaves the internet browser and generates another browsing session. |
| IDE | Used by Google DoubleClick to register/report user actions. |
| DSID | It is a tracker used to identify a logged-in user on non-Google sites and to store user preferences regarding ad personalization. |
| JSESSIONID | Is a tracker used for session management. |
| _ga | Google Analytics |
15. Benefits of using Cookies?
15.1 Cookies save certain browsing information. Thus, when you visit a Blue partner website again, it will recognize your browser and will be able to keep your options and preferences previously marked, mainly in relation to your preferences when searching for products and services.
16. What happens if Cookies are not accepted?
16.1 Once we trigger our tags within the environment of a partner website, the responsibility for the notice regarding the use of cookies is of the partner. If the user rejects the use of Cookies, our tags will not be triggered, and the anonymous information of that user will not be collected. In this way, our retargeting service will not work for that user, referring to that partner website visited. Thus, the user no longer receives advertisements relevant to their purchasing behavior.
17. Legal basis for processing
- Data controller designation (Art. 4.7. GDPR)
- Consent of collection and use of the data (6.1(b) ; 6.1(f) ; 7 GDPR)
- Processing the data, which is adequate, relevant and limited to what is necessary in relation to the purposes (Article 5 GDPR ; 5 LOPDGDD)
- Data collected during the time is strictly necessary for the purposes for which the data are processed (Article 5(e) ; 13.2(a) ; 14.2(a) GDPR)
- Blue employees handle data (Article 5(f) GDPR)
- Data storage (Article 5(f) ; 6.1(f) GDPR)
- International Data transfer (Article 45 ; 46 GDPR)
- Security measures (Article 32 GDPR)
- Cookie Consent (Article 5.3 ePrivacy Directive)
- Cookie processing (Article 22.2 LSSI ; 6.1(a) GDPR)
18. Data Subject Rights
18.1 The right to access the data in compliance with article 15 GDPR and article 13 LOPDGDD.
18.2 The right to request that Blue corrects any data if it is found to be inaccurate or out of date in compliance with article 16 GDPR and article 14 LOPDGDD.
18.3 The right to obtain from the Data Controller the restriction of processing in compliance with article 18 GDPR and article 16 LOPDGDD.
18.4 The right, where there is a dispute in relation to the accuracy or processing of data collected, to request a restriction to be placed on further processing in compliance with article 18 GDPR.
18.5 The right to object to processing the data collected for direct marketing purposes in compliance with article 21 GDPR and article 18 LOPDGDD.
18.6 The right to request that the Data Controller provides you with your data and where possible, to transmit that data directly to another Data Controller. You are entitled to request a copy of your personal data which Blue holds about you in compliance with article 20 GDPR and article 17 LOPDGDD.
18.7 The right to withdraw your consent for processing of data and ask for the deletion of the data collected, stored and processed for Blue at any time by sending an email to legal_eu@getblue.io in compliance with (Article 7.3 GDPR ; 12.6 GDPR ; 17 GDPR ; Article 22.1 LSSI ; Article 15 LOPDGDD). The data subject shall provide, according to the Spanish Data Protection Agency, all necessary information required to process the data deletion request including full name, email address, telephone number, a copy of an identification document, a description of the data to be deleted, and any other relevant details. The information provided and collected will not be stored in any database or cloud service; it will be permanently deleted from all systems once the request has been addressed and resolved.
19. Programmatic Media Platform and Branding (BMS)
19.1 In addition to the primary service offered (retargeting), Blue also provides another service called Blue Media Services (hereinafter “BMS”) which is a programmatic advertising media platform that integrates an Ad Server, a Data Management Platform (DMP), a Demand-Side Platform (DSP), and real-time analytics into a single system. BMS enables the planning, activation, and optimization of digital advertising campaigns, from branding and prospecting to retargeting and conversion. Campaigns are carried out through direct connections with major ad exchanges and premium publishers, ensuring access to high-quality inventory. BMS uses machine learning and automated bidding strategies to optimize performance in real time, while providing log-level data, detailed reporting, and full transparency on media investments.
19.2 The branding helps you connect with entirely new audiences who are likely to engage with your brand even before they’ve visited your site. Using advanced machine learning and audience targeting, we serve eye-catching, memorable ads that drive awareness, interest, and ultimately, action.
19.3 For more technical information regarding BMS services, you can visit the following website: https://bluems.com/
19.4 These services are provided and governed under the same parameters set forth in this Privacy Policy. However, certain specific provisions apply with respect to the cookie lifetime and the nature of the data collected while performing these services:
- The cookie lifetime will normally be the same as when performing Blue’s services (retargeting), thirty (30) days, however at the explicit request of the client, the cookie lifetime may be extended for a period of up to 365 days within a BMS service.
- E-mail addresses from clients in the Latin American region, when processed in the context of the BMS services, may be collected. This constitutes the only information gathered by Blue when performing its services that may be considered “personal data”, and such data shall always be processed in full compliance with the GDPR and applicable Spanish legislation. Thus, the data shall be stored solely for the period strictly necessary to perform the services, for the purposes required to provide such services, and to comply with any applicable legal obligations.
20. Newsletter/Contact Information
20.1 All Personal Data provided by users when subscribing to the newsletter or contacting Blue to initiate collaboration will always be processed in accordance with the GDPR and LOPDGDD. This information will not be stored beyond the period necessary for the purpose for which it was collected, and the user may withdraw their consent at any time in accordance with what has been explained above.
21. Amendments
21.1 We may revise, update, or otherwise modify this Privacy Policy from time to time at our sole discretion. Any such changes will become effective immediately. Your continued use of our services after the effective date shall constitute your deemed acceptance of, and agreement to be bound by, the updated Privacy Policy. If you do not agree with the updates, you must discontinue your use of the services.
22. Requests about data
22.1 All questions, comments, and concerns regarding our Privacy Policy and privacy practices are welcome. If you wish to ask questions, raise concerns, or exercise your rights related to your data, please contact us at: legal_eu@getblue.io.
Officer (DPO): Diana Baitan Lisnic
Email: legal_eu@getblue.io
Telephone number: +34 607469712
23. Conflicts
24.1 This Privacy Policy shall be governed by and construed in accordance with the laws of Spain and the applicable regulations of the European Union. Any dispute, controversy, or claim arising out of or relating to the interpretation, performance, or enforcement of this Privacy Policy shall be submitted to the exclusive jurisdiction of the competent courts of Spain. By using our services, users expressly agree that any legal actions or proceedings related to the processing of the data and privacy matters will be resolved under the legal framework and jurisdiction established by Spanish law, without prejudice to any mandatory rights that may apply under other relevant jurisdictions.