We, Piano Software Inc., Philadelphia, US and affiliated companies belonging to Piano group (collectively, “Piano”, “we”, “us”, or “our”), formerly known as Piano Media, Press Plus and Tinypass and now incorporating Newzmate, Cxense and AT Internet, are committed, as data processor, to partnering with customers and users to help them understand and comply with data protection regulations (GDPR, ePrivacy, CCPA, LGPD …).
Piano provides online products for digital activities, as well as potential additional services, on behalf of, and based on instructions from, the data controller, owners, and publishers of digital platforms – websites, mobile applications, or any other connected platform (“Publishers”).
We collect, process and store personal data and other information through our products – Composer, Analytics, DMP, VX, ID and ESP (“Platform”), or when providing our service to Publishers (“Service”).
To provide the Platform and/or perform the Service, Piano collects, processes and stores data on behalf of the Publisher. The answers to the following questions allow us to explain how we manage personal data on the Platform.
Raw ID-type information: for instance, the user-terminal ID (cookie or mobile ID), which is transformed into a hashed visitor ID, or the IP address (which can be anonymized), used for instance to perform geolocation
All standard business information provided by the products of the Platform: for instance, navigation data (browser and device type, type of events or content, …), behavior information (sources, navigation path, time spent on contents, …), information related to registered or subscribed users (first name, last name, email, …)
Additional and specific information that the Publisher can collect: based on the technology used to collect data (see following “How do we collect personal data?”), the Publisher can measure, collect, and analyze any information relevant to its business via our Platform
Composer, Analytics, and DMP collect pseudonymized information by default, but directly identifiable information can be added by the Publisher. The VX, ID and ESP services work with directly identifiable information.
We therefore consider by default all data collected, processed, and stored via our Platform as personal data according to GDPR art. 4.1.
We process the collected data to provide the information requested by the Publisher on the Platform: audience measurement data, content orchestration, account management, subscription processes, …
As data processor, and respecting the terms of contracts and the data processing agreement (DPA) signed with the Publisher acting as data controller, we do not:
Sell personal data to anyone;
Monetize personal data by other means;
Claim ownership over personal data;
Barter personal data for other services or products.
We do not knowingly process personal data relating to children under 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Publishers to provide us with such data. If we become aware that a Publisher has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data as defined in article 9 of the GDPR.
Personal data is collected via so-called tagging libraries (mainly JavaScript on the web and SDKs for native applications) implemented by the Publisher on its online platforms. See Cookies and Similar Technologies below for further details on complementary data collection methods.
When a user/data subject visits a Publisher platform, and according to the legal basis chosen by the Publisher (see Purpose of Processing and Legal Basis below), HTTPS requests are sent to Piano servers to perform the service requested by the Publisher.
Depending on the product of the Platform, or on specific legal obligations to fulfil (e.g., for payment with VX), the data retention period can differ and is always agreed in the contract with the Publisher acting as data controller. Analytics, for instance, has a predefined data retention period of 25 months, with the opportunity for the Publisher to customize it.
For all products, all data is deleted at the end of the contract relationship with the Publisher.
Depending on the product used by the Publisher, the data collected from the end-user can be stored in different places. Please see the Piano Sub-Processors’ table in the Sub-processors and Affiliates paragraph below for where the data is stored/hosted.
By default, we do not share any data with anyone without the Publisher’s prior approval.
However, we may share personal data, with all adequate technical and organizational measures to protect it, in the following cases:
Intragroup: Only if necessary and for specific purposes, we may share personal data among affiliated companies belonging to Piano group (see Sub-processors and Affiliates below). Our employees might have access to personal data on a strictly need-to-know basis, typically governed and limited by the function, role, and department of the particular employee. All affiliated companies belonging to Piano group have concluded an intra-group data processing agreement (DPA) with EU Standard Contractual Clauses.
Service providers: We use sub-contractors who might process personal data for us and to support us in providing the Platform and Services requested by the Publisher (see S