PRIVACY POLICY

SECOND LAYER

  1. Introduction

This Privacy Policy describes how SMADEX (“we”, “our”, “us”) collects and uses certain information (Personal Data) of Targeted End Users and our Clients (“Data Subjects”) through the Internet Portal www.smadex.com (“Site”) and for the provision of our digital advertising services. It also details the steps we take to protect personal data, the parties to whom we disclose it, and the choices and rights that the Data Subject has regarding how we collect and process their Personal Data. 

This Privacy Policy is in compliance with the current data protection regulations, such as the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (2020) and the Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights.

SMADEX participates in the IAB Europe Transparency & Consent Framework (TCF) v2.2 and complies with its specifications and policies. SMADEX identification number within the TCF (vendor registration) is 161.

Please note, you must be of legal age to use the services offered through this Site. For more information on How we protect minors refer to Section 13. 

  1. Who is the Data Controller?

A data controller is the natural or legal person who determines the purposes and means of the processing of Personal Data.

  • Data Controller: SMADEX, S.L.U. 
  • CIF. B65322034
  • Headquarters:  C/ Diputació 303 Primera Planta. 08009 Barcelona – Spain.
  • Email: privacy@smadex.com
  1. What does this Privacy Policy cover?

The privacy practices and policies that we outline in this Privacy Policy will apply to the way that we use your Personal Data. To such extent, you can fall, as a Data Subject, into one of the following categories:

  • “Targeted End User”: it refers to the Data Subjects using mobile apps provided by advertisers, vendors and other partners (acting as an “End User”).
  • “Clients”: requesting the provision of Services from us through our webpage.
  1. Data Protection Officer

A Data Protection Officer (DPO) is the person in charge of safeguarding the fundamental right to the protection of Personal Data at SMADEX as well as ensuring that we process such Personal Data in compliance with the applicable data protection laws and regulations.

Our Data Protection Officer can be accessed at the following online and post addresses:

  • Email: privacy@smadex.com
  • Adress: Smadex S.L.U, C/ Diputació 303 Primera Planta. 08009 Barcelona – Spain

You can contact our Data Protection Officer in case you want to exercise any of your Data Protection Rights (refer to section 12), or if you have any question concerning this Privacy Policy.

  1. Personal Data that we will collect

When you visit a website or use an application that uses SMADEX technology, we collect certain information about you and your device, for the purpose of serving advertisements to you.

5.1. Categories of Personal Data we collect about Targeted End Users:

Category (Personal Data type) Example
Identifiers
  • Device ID
  • IP address
  • Cookie identifiers
  • User Agent 
  • Device Model
Internet activity information
  • Data concerning the displaying of the advertising, such as date/time of viewing, and the website or application where the advertisement was displayed
  • Data concerning your activities and actions on the advertiser sites and apps if you click on the advertising
Geolocation information
  • City
  • Region, country
  • Zip code
  • Geographic coordinates (if you have enabled location services on your device)

5.2. Categories of Personal Data we do NOT collect about Targeted End Users:

  • Special categories of data (art. 9 GDPR): Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

5.3. Categories of Personal Data we collect about our Clients:

Category (Personal Data type) Example
Identifiers
  • Name
  • Company Name
  • Email
  • Phone number
  • Business Address
  • City
  • Region, country
  • Zip code

In case you provide data of Third Parties, you state that you have their consent, and you undertake to transfer the information contained in this clause to them, exempting SMADEX from any liability. In any case, SMADEX may carry out periodical verifications to verify this fact, adopting due diligence measures in accordance with the applicable regulations.

Purpose Activity Description Legal Base
CAMPAIGN MANAGEMENT

Data collection of the data detailed in Section 5 by SMADEX and from Third parties that are part of the online advertising supply chain like Advertisers’ and Publishers’ websites and mobile applications.

 Measure advertising performance Monitoring the performance of campaigns. In particular, control of impressions, clicks and user conversions. Consent
Campaign Frequency Capping Frequency capping to ensure recording and limiting the number of times the specific ad is shown to the user. Consent
Cookies for attribution in web Usage of cookies to monitor the performance of campaigns. In particular, landings and actions performed in the advertiser landing page. Consent
Optimizing Campaigns Usage of campaign personal data to tailor targeting and ad delivery to maximize customer metric goals. Consent
TARGETING Activity audiences retargeting Retarget Device IDs or Cookie IDs that have seen a SMADEX Ad and potentially interacted with it (clicked, viewed a video, installed an app, .. Consent
DEVELOPMENT AND IMPROVEMENT OF OUR SERVICE Development and improvement of SMADEX Services Developing Machine Learning models, analyzing trends or deriving insights, etc Legitimate Interest
SECURITY AND DEBUGGING Ensuring security, preventing and detecting fraud, and fix errors Monitoring, detecting, and preventing anomalous or potentially fraudulent activities, such as instances involving advertising and artificial ad clicks and ensuring the proper and secure functioning of systems and processes as well as addressing and rectify any issues that may arise during the delivery of content and advertisements. Legitimate Interest
LEGAL AND REGULATORY Compliance with Legal requests and litigation response Processing activities based on the response to requests from government bodies or courts and to address litigation matters and to ensure compliance with anti-bribery and anti-corruption Legal Obligation
  1. Use of your Personal Data

We use the categories of data mentioned above primarily to deliver targeted advertising we believe will be of Targeted End Users particular interest. For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at: https://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

6.1.  The Personal Data for Targeted End Users that we may process can fit in the following categories:

SMADEX DOES NOT process Personal Data for the purposes described in Article 22 GDPR (“Automated individual decision-making, including profiling”).Aggregate data

The statistical purpose implies that the result of processing for statistical purposes is not Personal Data, but aggregate data. This means that Personal Data is not used in support of measures or decisions regarding any particular natural person (Recital 162 GDPR).

In addition to the uses detailed above, we may process user data as an aggregate, anonymous and non-individual level, for the following purposes:

  • Operate and improve our technology.
  • Conduct research and development.
  • Report on campaign performance with our clients. 
  • Carry out campaign forecasting.

6.2. In particular, we process data from our Clients to:

Purpose/Activity Description Legal Base
Providing SMADEX service To fulfill your requests for using SMADEX services Performance of a contract or adoption of pre-contractual measures
To provide Smadex Services based on your request Performance of a contract or adoption of pre-contractual measures
Marketing campaigns To send you marketing communications Consent
Compliance with Legal requests and litigation response Ensure compliance with anti-bribery and anti-corruption. Legal Obligation
  1. How SMADEX obtains the consent of the Targeted End Users

The Transparency and Consent Framework (TCF) is an industry-standard developed by the Interactive Advertising Bureau (IAB) to provide transparency and control over the processing of Personal Data for online advertising. It enables us to obtain User consent in a standardized and user-friendly manner.

  1. Means of collection of your Personal Data

Most of the Personal Data we process is not directly collected by SMADEX but collected and transferred to us by a Third-Party supplier which is part of the online advertising supply chain, (e.g. real time bidding platforms). Where applicable, such parties have obtained consent from the relevant data subject, in order to transfer their data to us.

  1. Retention of your Personal Data

SMADEX will keep your Personal Data to attend and/or carry out the requested services (as long as you do not request their deletion or opposition through the means indicated in the section “Your Personal Data Rights”) and will keep them for the periods of limitation necessary according to the legislation that, in each case, is applicable to meet future liabilities. Once the legal statute of limitations has expired, your personal data will be destroyed.  

However, for each of the processing, in the information that we will provide you with at the time of collecting your personal data, we will inform you of the period of processing of your respective personal data for such processing. In particular: 

  • We may retain the Personal Data we collect, such as the IP address and other information described above, for up to a maximum of 12 months before we aggregate that data into summary reports.
  • We store the aggregated summary data (which for example, does not include IP address or other information that may be tied to a particular browser or device) for more than ninety (90) days.

We also inform you that we will take all reasonable steps to ensure that your data is rectified or deleted when it is inaccurate. 

  1. Access to your Personal Data

In general, SMADEX will not communicate your personal data to third parties, except in the following cases:

  1. Competent Authorities and bodies, Courts, Tribunals or any other Third Parties legitimized in accordance with the applicable regulations;
  2. We share the Personal Data with other companies operating in the online advertising industry, for the purposes described in Section 6 of this Privacy Policy. In those cases, we may enter data processing agreements with the following categories of data recipients for the indicated purposes below:
Categories of Data Recipients Purposes
Real Time Bidding Platforms
  • Managing advertisement campaigns
Advertisers
  • Retargeting
  • Segmenting
Trackers
Data Management Platforms
Technology Suppliers
  • Performance monitoring 
  • Retargeting
  • Segmenting

In addition, SMADEX has contracted the provision of certain services (e.g. virtual infrastructure services, cloud computing, customer relationship management, organization of games and contests, management of loyalty programs, sending emails for marketing purposes, etc.) to suppliers, which may have access to and/or process personal data in their capacity as data processors. Some of these suppliers may process and store personal information on servers located outside your country of residence. 

  1. Where will collected Personal Data be processed?

Based on the Services provided by Smadex, and depending on the user’s location, data transfers to other countries may occur. In such a case, your personal data may be transferred internationally to third parties located outside the European Economic Area (“EEA”), provided that SMADEX has the authority to do so and subject to compliance with the appropriate safeguards set out in Articles 44 to 50 of the GDPR. Such Third Parties shall only access the data to perform their services on behalf and for the account of SMADEX, under an obligation of confidentiality and always following SMADEX’s instructions and without at any time using such data for their own purposes and/or unauthorized purposes.

Whenever we transfer Personal Data out of the EU, EEA, Switzerland & UK we ensure that adequate safeguards are implemented. Those safeguards include among others:

  • Adequacy decision: declaration by the European Commission that a non-EU State, offers an adequate level of data protection equivalent to that provided by European data protection legislation, making international data transfer to a third party established in that State outside the EU possible;
  • Binding Corporate Rules (also known as “Binding Corporate Rules”): these are applicable to corporate groups or the union of companies engaged in a joint economic activity, which enables the flow of personal data on the basis of a self-regulation accepted and assumed by each of the signatory entities;
  • Standard Contractual Clauses: this is a mechanism signed between the exporter of Personal Data from any of the EEA countries and a third country. It is a contractual agreement whose model has been approved and published by the European Commission and aligned with the precepts of the GDPR.
  • Code of Conduct or a certification mechanism, together with binding and enforceable commitments made by the recipient regarding the implementation of appropriate safeguards for the protection of the transferred data.
  • In the absence of the above, your personal data may exceptionally be transferred to a third country or international organization, in application of the mechanisms that may be recognized in this respect by data protection legislation.  

SMADEX, in order of preference, will carry out international transfers under the following guarantees:

Guarantee Criteria used by SMADEX
Adequacy Decision Measure included as preferred by SMADEX. You can find the list of countries subject to an adequacy decision at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en   
Binding Corporate Rules In the absence of an Adequacy Decision, it will be the preferred security measure that SMADEX will request to the importer of the personal data. You can find the list of entities that have BCR here: https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en?page=1
Standard Contractual Clauses As a secondary guarantee mechanism in the absence of the above, we will proceed to subscribe and/or request a copy as appropriate from the importer of the personal data of the signed version of the Standard Contractual Clauses aligned with the European Commission models, available here: https://eur-lex.europa.eu/legalcontent/ES/ALL/?uri=CELEX%3A32021D0914.
  1. Your Personal Data Rights

Our advertising technology does not collect any information that directly identifies you as an individual, and instead only collects certain digital identifiers that may identify your device or your Internet browser.

As such, in order for us to give you access to Personal Data connected with your digital identifiers, you will need to provide us with additional information, as explained below, to enable us to locate relevant records.

12.1. Your rights

If you are a resident within the European Economic Area (EEA), UK and Switzerland you will have the following rights: 

  • The right to be informed. You have the right to be informed about how we collect and use your Personal Data, how long we plan to keep that data, and who we will share it with. 
  • The right of Access. You have the right to know exactly what information SMADEX has collected about you, how we are storing and processing that data, and what we are going to do with it. The right to access the Personal Data that is processed by the Data Controller in accordance with Article 15 GDPR.
  • The right to rectification (correction). You have the right to have incomplete data completed and incorrect data corrected. in accordance with Article 16 GDPR.
  • The right to erasure. You have the right to have Personal Data permanently deleted, in accordance with Article 17 of the GDPR.  This is also known as the “right to be forgotten.” Please note that this right doesn’t apply if the processing of data that’s subject to an erasure request is necessary to comply with a company’s legal obligations or while the commercial and/or contractual relationship that we have with you remains in force. In that case, there is a series of Personal Data that is necessary for us to process in order to comply with the contract, so while it lasts, we cannot delete them, block them or cancel them, because otherwise it would prevent us from complying with the contract.
  • The right to restrict or to the limitation of processing. If you can´t require that we erase your Personal Data, you have the right to restrict our ability to process that data, under certain circumstances indicated in article 18 GDPR.
  • The right to data portability. Individuals have the right to obtain and reuse their Personal Data for their own purposes across different services in accordance with Article 20 GDPR. Data subjects can request that data controllers send their Personal Data files electronically to third parties. If technically feasible, companies must provide the data in commonly used, machine-readable formats.
  • The right to object. You have the right to object to the processing of your Personal Data in certain circumstances, in particular, to those Processing operations that are based on consent or on the existence of a legitimate interest (including, but not limited to, the sending of commercial communications) in accordance with article 21.2 GDPR. For example, if an organization uses Personal Data for direct marketing, scientific and historical research, or to perform a task in the public interest. However, we may still process the data to establish or defend legal claims, or if we can demonstrate there are legitimate grounds that override individuals’ interests and rights. In those cases in which the Processing is based on the existence of a legitimate interest, the Data Subject shall be entitled to request the weighting report carried out by the Data Controller. In addition, in cases where the Processing is for the purpose of sending own or third party commercial information, the Data Subject may opt-out free of charge and voluntarily to an advertising opt-out mechanism. 
  • Right to withdraw consent: given for the performance of the Processing identified in the section Processing based on the Data Subject’s consent, without such revocation having retroactive effect, in accordance with Article 7.3 RGPD. 
  • The right to not be subject to automated decision making. You have the right to demand human intervention, rather than having important decisions made by algorithms. Companies are required to inform people that they will be subject to algorithmic decision-making and let them know that they can opt out of it.

To exercise any of these individual Privacy Rights, refer to section 12.3 below. 

We will respond to your request as soon as possible and, in any case, within the established legal deadline. You may also withdraw your consent at any time through the email address: privacy@smadex.es, without, in any case, the withdrawal of the same condition to ensure proper management of the business relationship.

If you make a Data Subject Rights request as set out in this Privacy Policy, we will provide you with any information we might have concerning your data identifier, including where available transaction logs reflecting where we have used our technology in order to deliver an advertisement to you, and we will follow your instructions concerning the correction, removal and processing of such data.

Please note, however, that we have a very short retention period for most files with digital identifiers that we store or process. Therefore, we may not be able to give you any files at all. In these cases, we will inform you that we have not been able to locate any records associated with your digital identifiers.

Finally, we remind you that in the event that you provide us with data relating to another natural person you must, prior to their inclusion, inform them of the points contained in this Policy.

12.2. If you are a resident of California, you may have the following additional rights with regard to the Personal Data we maintain about you:

Shine the Light California residents are entitled to request and obtain from SMADEX a list of all the third parties to which we have disclosed certain Personal Data
(as defined by California´s Shine the Light Law) during the preceding year for those third parties´ direct marketing purposes.To request this information, please contact us at privacy@smadex.com. In the subject of the email include “California Shine the Light Request” and include your mailing address, state of residence and email address so we can provide a response.
Privacy Rights for California Minors in the Digital World If you are a California resident under the age of 18, and a registered user of our Website, you can request and obtain removal of content or information you have publicly posted. To make such a request, send an email with a detailed description of the specific content or information to privacy@smadex.com

Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.
California Individual Privacy Rights
(California residents can exercise these privacy rights with respect to their Personal Data)
  • Right to Access Personal Data. You have the right to know (i) the categories of Personal Info we have about you; (ii) the categories of sources from which that Personal Data was collected (iii) Our business or commercial purpose for collecting, selling, or sharing your Personal Data (iv) the categories of third parties to whom we disclose Personal Data(v) the specific pieces of Personal Data we have collected about you.
  • Right to Know What Personal Data is Sold or shared and to Whom. You have the right to know what Personal Data of yours is being sold or shared, and with whom. 
  • Right to Deletion: You have the right to request that we delete the Personal Data that we have collected or maintain about you. There may be circumstances under which we will be unable to delete such Personal Data, such as if we need to comply with our legal obligations. 
  • Right to Correct Inaccurate Personal Data. You have the right to request us if we maintain inaccurate Personal Data about you, taking into account the nature of this Personal Data and the purposes of the processing. To such extent, we shall use commercially reasonable efforts to correct the inaccurate Personal Data.
  • Right to Opt Out of Sale or sharing your Personal Data. You have the “right to opt-out” of sale or sharing of your Personal Data. If you do not affirmatively opt out, and you are not a minor (under 16), your Personal Data may be sold as disclosed in this Privacy Policy. You can submit your request to opt out of the sale or sharing of your Personal Data by completing our “California Right to Opt-Out of the Sale or Sharing Personal Data” request form available here.
  • Right to Limit Use and Disclosure of Sensitive Personal Data. You have the right to limit, at any time, the use and disclosure of your sensitive Personal Data, except when we use such Personal Data in a way reasonably expected by an average consumer.
    • For information purposes, “sensitive Personal Data”  includes any private information that divulges any of the following: i) personal identification numbers, including social security, driver’s license, passport, or state ID card number; ii) account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts; iii) a user´s exact geolocation; iv) a user’s racial origin, religious beliefs, or union membership; v) a user’s mail, email, or text message content unless the information was intentionally sent to the business; a user´s consumer’s genetic data, such as DNA simples; vi) the processing of any biometric data to identify a consumer, and vii) Personal Data concerning a user’s health or 
    • sexual orientation.
  • Right of No Retaliation. If you choose to exercise any of these rights, Entravision will not discriminate against you in anyway.

To exercise your California rights, complete our “California Consumer Request” form available here.

If we are unable to comply with your requests, we will let you know the reason why.

We will take steps to verify your identity before processing your request, which may include requesting information from you to match with information we already have about you. 

12.3 How to make a Right request for Targeted End Users

Step 1: Locating your digital identifiers.

For us to locate relevant records, we will need you to provide us with your digital identifiers. You can find your digital identifiers as follows:

  • Web Browsing

As described in this Privacy Policy, our advertising technology may operate by using text files called “cookies” that are placed on your device. Some of these cookies include a digital identifier. To locate these digital identifiers, you can search through your cookies for the cookies named smxtrack, or smaxtrackid_{{order_id}}, where “order_id” is a number. The text in each of these cookies is a separate digital identifier.

Please keep in mind that different cookies are placed on each browser that you use to access the Internet. As a result, if you use multiple browsers (for example, Google Chrome and Mozilla Firefox), you will need to locate the different cookies for each browser. If you need assistance locating these cookies for your browser, please feel free to email us for assistance at privacy@smadex.com.

  • Mobile Devices

Additionally, certain mobile devices (for example, mobile phones or tablets using the iOS or Android operating systems) generate a persistent “Advertising Identifier” per device, which, among other things, can be used by third parties for purposes of providing you with targeted advertising. On iOS devices, your Advertising Identifier may be referred to as an “IDFA,” “IFA,” or an “ID for Advertising.” On Android devices, your Advertising Identifier may be referred to as an “Advertising ID.” Please follow instructions from your mobile device manufacturer on how to locate your specific Advertising Identifier.

Step 2: Verification of Your digital identifiers

In order to make sure that we are only providing Personal Data to the correct person, we also will need some supporting proof to demonstrate that you are indeed connected to the digital identifiers you located in Step 1. For digital identifiers stored in cookies, please take a screenshot of each cookie, taking care to make sure that the screenshot shows both the name of the cookie and the full digital identifier. For digital identifiers located on a mobile device, please take a screenshot of a screen that displays the digital identifier. Additionally, please sign and send a scanned copy of a statement attesting that the digital identifiers you have locate are indeed associated with you. 

Step 3: Contacting us.

Once you have located your digital identifiers and can provide us with verification concerning them, you should reach out to us. The easiest way to do so would be to email us at privacy@smadex.com. Please make sure to include the following information in your email:

  • Your full name
  • The country in which you are located at the time you are making your request.
  • A full list of your digital identifiers
  • Supporting proof, as described in Step 2
  • A signed statement, as described in Step 2

You can also make a subject access request by mail, by sending a written request with all of the above-listed information to the following address:

Data Protection Officer
SMADEX, S.L.U.
C/ Diputació 303 Primera Planta
08009 Barcelona
Spain

You also have the right to lodge a complaint with our Data Protection Supervisory Authority, the Agencia Española de Protección de Datos (Spanish Agency for Data Protection) at www.aepd.es

  1. How do we protect minors?

We take special consideration to protect the safety and privacy of children. Our Website and our platform is intended for users of all ages except for children under the age of 13 in general in the United States or 16 in the European Union and in the California State. Therefore, such children may not provide any Personal Data to or on the Websites. 

If we learn we have collected or received Personal Data from any subject of the referred ages, we will delete it automatically. 

If you are a parent or a legal guardian and believe your child under 13 in the United States or under 16 in the European Union and in the California has provided us with Personal Data without consent, please contact us at privacy@smadex.com.

  1. Links 

This Site may include, display or display links to other websites for your convenience and information. Such websites may operate independently of us. These linked sites may have their own privacy policies, which we strongly encourage you to read when you visit them. To the extent that any linked websites you visit are not owned or controlled by us, we are not responsible for the content of such websites, their use or their privacy practices.

  1. How long is this Privacy Policy updated?

This Policy may be updated periodically to reflect changes in our processing of personal data. We will post a prominent notice on the Site to notify you of any significant changes to our Policy and will indicate at the bottom of the Policy when it was last updated. 

Last updated: April, 2025. 

© 2025- SMADEX S.L.U – Reproduction in whole or in part is prohibited. All rights reserved.