Version 1.0
Last update: 05/20/2024

Blue Media Services' Privacy Policy (hereinafter 'BMS') is intended to clarify our company's data processing and privacy practices.

BMS is a technology company that provides retargeting services.

Our retargeting service involves displaying product and service ads based on a potential customer's interests.

To provide this service BMS uses an artificial intelligence algorithm that identifies a potential customer's interests based on their browsing behavior and consumption patterns (research interests geographic location). This data is collected without identifying the potential customer.

By using this data BMS's clients ("Advertisers") can offer targeted media to their end customers based on their browsing behavior. This means that Advertisers can display ads in banners on internet pages blogs and partner websites ("Publishers") that their customers usually visit.

When providing this service BMS's algorithm does not collect personally identifiable data such as full name gender document numbers mailing address and email address. The data collected by BMS is solely related to user behavior while browsing websites as well as their preferences. This data is collected by assigning a random identifier to ensure user anonymity.

A user's identifier is randomly assigned to identify a user's behavior pattern while preserving anonymity. Due to the randomness of this process it is not possible to identify personal data or reverse the anonymization process.

Additionally the data collected related to a potential consumer's browsing patterns is processed only by BMS. There is no third party or middleman in this data processing. Therefore privacy is one of BMS's principles.

This is also why we prioritize transparency and accessibility. The terms of our relationship are available and understandable to our customers partners and website visitors.

BMS offers a retargeting service to its Advertisers as described above.

BMS provides an internet advertising service called retargeting. For this purpose users' navigation data is collected when they enter one of our partner's websites. This data collection is carried out using tags—a set of programming code added to a partner's website. These tags work in the background without the user's knowledge. Importantly no personally identifiable data is collected.

From there the user may be impacted by a partner's ad through BMS's retargeting services. The goal is to nudge the user to return to a partner's website to purchase the product or service that they showed interest in on the partner's website.

BMS does not collect personally identifiable data when a user accesses any Publisher's or Advertiser's website. This means BMS does not collect any data that could identify a user while browsing a website.

Personal data of users will only be collected by BMS with consent except in other cases provided for in this Privacy Policy and in cases of legal requirements.

Legal Basis: Article 7 Item I of Law No. 13.709/18 The data collected by BMS is considered "anonymized data" by law and during the processing of such data it is not possible to reverse the anonymization process meaning it is impossible to identify the data subject due to the Information Security procedures adopted by Blue and indicated in this Privacy Policy.

User's personal data will only be collected by BMS upon consent, except for other cases provided for in this Privacy Policy or by legal requirement.

Through tags (set of programming code added to a Publisher or Advertiser's website background) BMS collects data related to a user's browsing activity such as:

• From which website the user came from;
• For how long the user stays on each page of the partner's website;
• The last page visited on the partner's website before abandonment;
• If a user has visited a product the visited product identifiers (IDs);
• If a user added products to a shopping cart the IDs of such products; and
• If a user makes a purchase the IDs of the purchased products the total amount of that sale and the transaction ID.

The data collected allows us to display highly relevant ads to users who have shown interest in making a purchase on one of BMS's partner websites. The algorithms used by BMS rate each step in a purchase journey with a different level of importance to perform the ad display service. The closer the user gets to the end of a purchase process the more relevant the ad will be to them.

Product identifiers (IDs) enable BMS to link products of interest to a user with similar products in terms of category and price. This process aims to offer products with a high probability of interest to the user through online advertising.

All collected data is stored for 180 days on BMS's encrypted servers provided by AWS (Amazon Web Services) cloud computing services. BMS has no physical servers for data storage. Access to the servers is only through passwords and protected by encryption.

User browsing data is used by the artificial intelligence algorithms of BMS's retargeting service. This data is used in an aggregate way to direct content according to the preferences that a set of users present through the identifiers randomly assigned to them by BMS's algorithm. Therefore there is no individualization of users during the retargeting activity.

Due to this process BMS's employees do not have access to specific user browsing data nor perform any analysis on such data. The browsing data is used by the artificial intelligence algorithm to perform a classification process and then assign each product identifier to the identifier of a user who has shown interest in that product.

All collected data is stored on encrypted servers protected by passwords and accessed only by BMS's technical responsible (CTO) or BMS professionals with a technical clearance level whose access is also controlled by the company's CTO. All servers are stored in the cloud and are used as a service offered by AWS (Amazon Web Services).

The data remains stored for a maximum of 180 days. After this period the data is permanently deleted from the servers. Once data is deleted from the servers BMS's retargeting service cannot target new ads to a user unless that user returns to one of BMS's Advertiser partner's websites. If a user returns to an Advertiser's website the storage process is renewed and follows the same pattern described in this paragraph all over again.

BMS only retains data required by law or by any authority competent to make such a request.

We hereby inform you that BMS is a participant in the IAB Europe Transparency & Consent Framework. In this capacity, we adhere to the Policies and Specifications outlined in the Transparency & Consent Framework. Additionally, our assigned Vendor ID is 1105. Users may reference this Vendor ID to obtain further information regarding our compliance with these requirements, if needed, by visiting https://iabeurope.eu/vendor-list-tcf/

The servers used by BMS are distributed in four regions of the world: Brazil the United States Germany and Singapore. All servers in each location have identical corresponding servers for redundancy. Information exchange occurs only within the server environment ensuring that no data processing occurs in jurisdictions outside of Brazil.

This structure ensures that information frequently used remains in the location of the service provided minimizing latency in response to requests made by any user to these servers.

All collected information is stored and treated in a maximum security environment. The entire environment is encrypted password-protected and controlled directly by the company's technical responsible (CTO). Additionally these servers have redundancy features to prevent data loss in case of collapse or other threat situations.

The browsing data collected during the retargeting process is stored on our servers with strict encryption control. Only the technician responsible for the company (CTO) has access to these servers. The data remains stored for a maximum of 180 days.

Access to any of the databases mentioned above is password-protected and managed by a person responsible for each of the information storage and processing platforms.

We only accept Advertisers/Publishers who commit to a minimum standard of privacy. This means that our Advertisers or Publishers:

(i) Must have a privacy policy, which is requested whenever BMS enters into a contract with an Advertiser or Publisher.

(ii) May not use any BMS product or service to violate users' privacy rights.

(iii) May not use or process personal or sensitive data without the prior consent of the holders of such personal data or without any other legal basis that legitimizes such action.

We use some internal cookies to address assign an identifier and store a user's browsing data in our environment such as:

ckid: This cookie is an identifier (ID) provided by the user's internet browser and is used to pair the user with relevant products in marketing campaigns.

hash: An identifier (ID) generated in a randomized process to ensure the impossibility of identifying a user maintaining anonymity. The ID is generated through the ckid.

BMSID: An identifier (ID) generated to ensure that a user does not receive an ID more than once avoiding duplication in the system, even if the user leaves the internet browser and starts another browsing session.

Cookies save certain browsing information. Thus when a user visits a BMS partner website again it will recognize the user's browser and maintain previously set options and preferences especially regarding their preferences when searching for products and services on the internet.

Once we place our tags within a partner website's environment the partner is responsible for notifying users about the use of cookies. If the user rejects the use of cookies our tags will not be triggered and anonymous information about that user will not be collected. Thus our retargeting service will not work for that user in terms of their browsing behavior on the partner's website. Consequently the user will no longer receive ads related to their buying behavior.

If you do not want ads targeted by BMS to appear during your internet browsing you can access the link https://www.bluems.com/optout to disable the service and prevent cookies from targeting your browsing information.

Data deletion will only occur when there is an explicit request from a personal data subject provided BMS has collected their personal data. As a business rule due to a privacy by design principle BMS does not collect personal data. The data stored from internet users is anonymized by the process explained at the beginning of this policy.

Therefore, no identifiable data is stored by BMS and it is not possible to identify a user by using BMS's services. Therefore the rules of the Brazilian General Data Protection Law do not apply to users who provide anonymous data to BMS.

Legal Basis: Section 12 in Brazilian Law No. 13.709/1

If a personal data subject wants to make any request check their personal data or request changes or deletion of personal data they may request such access directly from an Advertiser or Publisher who is a BMS customer. The holder of personal data may also request BMS to confirm the existence of the collection and processing of personal data and if confirmed the corresponding change and/or deletion.

Any personal data request made directly to BMS must be made through the following link: https://www.bluems.com/dataremoval. Personal data collection and processing will not be performed due to the use of BMS's retargeting product but for any other business reason that leads to the collection and processing of a subject's personal data.

BMS may change this Privacy Policy at any time. Each version of the Privacy Policy will contain the effective date and version at the beginning of the document to ease user identification. You can also request an old version of the privacy policy for consultation.

Any changes to the Privacy Policy will be communicated to users and to continue using the services provided by BMS this Policy must be accepted by users.

Any situation regarding personal data should be communicated to gabriella@ggac.com.br

Responsible (DPO):
Gabriella Pontes Garcia
gabriella@ggac.com.br

This Privacy Policy is governed by the laws of the Federative Republic of Brazil. Any dispute arising from this Privacy Policy or BMS's service will be resolved under the jurisdiction of the Court of the District of São Paulo State of São Paulo Brazil. Any other jurisdiction is deemed excluded regardless of any privilege it may have or acquire. Any dispute will be resolved in Portuguese and in São Paulo State of São Paulo Brazil.

BLUE MEDIA SERVICES LTDA
Rua Alvorada nº 1289 conjunto 1211
Vila Olímpia São Paulo - SP
CNPJ 37.746.861/0001-23
Phone: (11) 3846-6784
© 2022 Copyrights by BMS - All rights reserved.