PurePlay Privacy Policy

Effective Date: May 21, 2026

1. Introduction

This Privacy Policy describes how PurePlay LLC (“PurePlay,” “we,” “us,” or “our”) collects, uses, and shares information (a) when you visit pureplay.ai and any other websites, landing pages, or marketing properties that link to this Policy (together, the “Website”), and (b) when we plan, deliver, and measure programmatic advertising on behalf of our advertiser and agency customers (the “Advertising Services”).

PurePlay is a U.S.-based, business-to-business software and advertising-services company. Our Website exists primarily to introduce people to our company and our Pulse Intelligence Platform, to let you request a demo or contact our team, and to share research, blog content, and product updates. It is not the platform itself.

U.S.-only scope. Our products, Website, and Advertising Services are directed solely to businesses and individuals located in the United States. We do not knowingly market to, solicit personal information from, or target advertising to individuals located outside the United States. If you are located outside the United States, please do not use the Website or submit personal information to us. We do not intend for this Policy to confer rights under any non-U.S. privacy law. We host and process personal information collected through the Website on U.S.-based cloud infrastructure, and we do not transfer it outside the United States. Where our service providers operate global infrastructure, we configure those services to enforce U.S. data residency for our workloads.

If you are a customer or authorized user of the Pulse Intelligence Platform, personal information processed in that authenticated environment is governed by your organization’s agreement with us and our separate Pulse Intelligence Platform Privacy Notice, not by this Policy.

Our role. PurePlay acts as a business / controller for personal information collected through the Website. When we process information in the course of our Advertising Services — including pseudonymous identifiers received in DSP bid streams and audiences provided by our customers — we act as a service provider / processor on behalf of our advertiser and agency customers (“Customers”), and that processing is governed by our written agreements with those Customers.

By using the Website, you acknowledge the practices described here.

 

Part A — The Website

2. Information We Collect

We collect information in three ways: information you give us, information we collect automatically when you interact with the Website, and information we receive from third parties.

Information you provide

When you fill out a form on the Website — for example, requesting a demo, contacting sales, downloading gated content, signing up for our newsletter, registering for an event or webinar, or applying for a job — we collect the information you submit. This typically includes your name, business email address, company name, job title, phone number, U.S. state, and any free-text content you include. For job applications, we may also collect resumes, work history, and other information you choose to share.

Submitting a form is an explicit, opt-in action by design — we only receive what you choose to send. For any future form, survey, or other on-site data collection beyond a standard contact/demo/inquiry use case, we will clearly explain on the collection page how we intend to use the data, and your opt-in will be required before we use it for that purpose.

When you correspond with us by email, chat, or phone, we collect the contents of that correspondence and any information you choose to include. If we record or transcribe a call or chat for quality, training, or recordkeeping purposes, we will disclose that fact at the point of collection.

Information collected automatically

When you visit the Website, we and our service providers automatically collect technical information about your device and your interaction with our content. This includes IP address, approximate location derived from IP address (typically state, region, or city — not precise geolocation), device and browser type, operating system, language preferences, referring URL, the pages and content you view, the links you click, search terms entered on our site, and the dates, times, and duration of your visits. We may also collect campaign attribution data such as UTM parameters.

Much of this is collected by third-party analytics providers (for example, Google Analytics) operating on our behalf. These providers collect information directly from your browser using cookies and similar technologies, and process it under their own privacy and security terms. We see aggregate, report-level output and we do not store individual visitor analytics records in our own databases. Our hosting and CDN providers also keep short-lived access logs (IP, user agent, request path, response, timestamp) for security and operational diagnostics, retained per provider defaults and reviewed by PurePlay only on an exception basis.

Information from third parties

We may receive information about you from third parties, including business contact data providers and lead enrichment services that supplement information you submit (for example, augmenting a form submission with publicly available company firmographic data such as company size, industry, or technologies in use). We may also receive information from joint marketing partners, event co-sponsors, and platforms like LinkedIn when you engage with our content there or when you authorize a platform to share your information with us. We require these third parties to represent that they have collected and shared your information in accordance with applicable law and their own privacy notices.

3. How We Use Website Information

We use the information we collect to:

Respond to your requests, including demo requests, sales inquiries, support questions, and event registrations.

Send you marketing communications about our products, research, events, and content, where you have asked to receive them or where otherwise permitted by law.

Operate, maintain, secure, and improve the Website, including diagnosing technical issues, preventing fraud and abuse, and analyzing how visitors use our content.

Personalize your experience on the Website and tailor the content, offers, and advertising you see on the Website and on other sites and platforms.

Measure the performance of our marketing campaigns.

Conduct research and produce aggregated or de-identified analytics about our market, our audience, and our business.

Recruit and evaluate candidates if you apply for a role with us.

Comply with our legal and regulatory obligations, enforce our terms, and protect our rights, our users, and the public.

We will not repurpose information you submit through a form for a use that wasn’t disclosed at the point of collection without obtaining your opt-in for the new use. We will not use Website personal information for purposes that are incompatible with the purposes for which it was collected.

Use of information with AI and machine learning

We are an AI company, so it is reasonable for you to ask how we use Website data with respect to AI. To be clear: we do not use personal information collected through this Website — including form submissions, email correspondence, or behavioral data — to train, fine-tune, or otherwise develop generalized AI or machine-learning models, and we do not share Website personal information with third-party AI providers for those purposes. We may use aggregated or de-identified Website data (data that cannot reasonably be used to identify you) for internal analytics, including model and product evaluation. Any AI processing carried out within the Pulse Intelligence Platform on customer-supplied data is governed separately by our customer agreements and the Pulse Intelligence Platform Privacy Notice.

We do develop our own AI and machine-learning models as part of the Pulse Intelligence Platform; those models are trained on programmatic performance signals and other inputs appropriate to each model's purpose, not on Website personal information, and we do not use a Customer's data to train models for use outside the originating Customer engagement. Where we use third-party large-language-model providers (for example, Anthropic, OpenAI, or Google) as part of internal tooling or platform features, we do so under enterprise agreements that contractually prohibit the provider from using our inputs to train its models, and we do not submit Website personal information to those services. Our AI practices are informed by the NIST AI Risk Management Framework (AI RMF).

4. How We Share Website Information

We do not exchange your personal information for money. That said, U.S. state privacy laws define “sale” and “sharing” broadly enough that our use of third-party advertising and analytics cookies — for things like retargeting and measurement — can fall within those definitions. You have the right to opt out (see Section 19).

We share information in the following circumstances:

Service providers. We share information with vendors and contractors that help us run our business and operate the Website. This includes website and content hosting providers, CRM and marketing-automation platforms, analytics providers, email service providers, lead enrichment vendors, customer-support tools, event and webinar platforms, payment processors (where applicable), recruiting tools, and security and IT services. Service providers are bound by written contracts that limit their use of personal information to performing services for us, prohibit them from selling it, and require them to protect it with reasonable safeguards.

Advertising, analytics, and measurement partners. We work with third-party advertising platforms, ad networks, social media platforms, retargeting providers, and analytics vendors that help us understand who is visiting our Website, measure the performance of our campaigns, and reach relevant business audiences with PurePlay marketing across other websites, apps, and platforms. These partners may set their own cookies or similar technologies on your device when you visit the Website and may combine information collected here with information they collect elsewhere. Their handling of your information is governed by their own privacy policies.

Joint marketing and event partners. If you register for or attend a co-hosted event, webinar, or piece of co-branded content, we may share your registration information with the partner organization, which will use that information in accordance with its own privacy policy. We will tell you when this is the case at the point you register.

Affiliates. We may share information within our corporate group — including any current or future parent companies, subsidiaries, and other affiliates — for the purposes described in this Policy.

Legal compliance and protection of rights. We may disclose information if we believe in good faith that doing so is necessary to comply with applicable law, regulation, legal process (such as a subpoena, court order, or government request), or enforceable governmental request; to enforce our terms and other agreements; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of PurePlay, our customers, our employees, or others.

Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets, information we hold may be transferred to or accessed by the parties involved in that transaction, subject to standard confidentiality protections.

Aggregated or de-identified information. We may share aggregated, anonymized, or de-identified information — information that cannot reasonably be used to identify you — for any purpose, including marketing, research, and the development of new products and features. When we de-identify information, we maintain technical safeguards and contractual prohibitions against re-identification, and we will not attempt to re-identify the information except as permitted by law to test our de-identification process.

5. Cookies and Tracking Technologies

The Website uses cookies, pixels, tags, software development kits (SDKs), local storage, server logs, and similar technologies (collectively, “cookies”). We use these technologies for the following purposes:

Strictly necessary cookies. Required for the Website to function — page loading, security, load balancing, and remembering form input as you move through a multi-step form. They cannot be turned off through our cookie controls.

Analytics and performance cookies. Help us understand how visitors find and use the Website — which pages are most popular, where visitors come from, how long they stay, and where they encounter problems. We use this information to improve content, navigation, and performance. Examples include cookies set by Google Analytics or similar web analytics providers.

Marketing and advertising cookies. Used to make marketing more relevant to you and to measure the performance of our marketing programs. They support activities like retargeting, audience matching with advertising platforms, conversion tracking, and attribution. They are typically set by third-party advertising and social media partners and may be used to build a profile of your interests across the websites you visit.

Interest-based advertising and remarketing

We work with third-party advertising vendors to deliver interest-based advertising — for example, to show you PurePlay ads after you have visited the Website, or to reach business audiences who resemble our existing customers. These vendors typically include Google (Google Analytics, Google Ads, including remarketing), LinkedIn (LinkedIn Insight Tag and audience matching), Meta / Facebook (Facebook Pixel and Custom Audiences), and our marketing automation provider. Each processes information under its own privacy policy, and may combine information we share with information they collect elsewhere. You can opt out of interest-based advertising from many of these vendors using the industry tools described below.

We are working toward implementing a cookie consent and preference management interface on the Website. Until that is in place, you can manage cookies and similar technologies through your browser settings (most browsers allow you to block, delete, or be notified about cookies), through device-level advertising controls offered by iOS, Android, and other operating systems, and through industry opt-out tools such as the Digital Advertising Alliance’s WebChoices tool (optout.aboutads.info) and the Network Advertising Initiative opt-out page (optout.networkadvertising.org). Blocking cookies may affect how the Website functions and the relevance of the marketing you see.

The Website is not currently designed to respond to “Do Not Track” browser signals, as there is no common industry standard for how to interpret them. We do honor recognized opt-out preference signals such as Global Privacy Control (GPC) for residents of U.S. states whose laws require us to do so, treating a valid GPC signal as a request to opt out of “sale” and “sharing” of personal information for the browser on which it is sent.

 

Part B — Programmatic Advertising Services

6. Our Role in Advertising Operations

PurePlay plans, executes, and measures programmatic advertising campaigns on behalf of Customers. Customers determine the audiences, geographies, channels, and campaign objectives; PurePlay executes media buying and measurement on their behalf using demand-side platforms (“DSPs”) such as Beeswax and, where applicable, Google Display & Video 360, and we interface with supply-side platforms (“SSPs”), ad exchanges, data management platforms (“DMPs”), measurement vendors, and identity / clean-room providers selected by us or by the Customer.

In this context, PurePlay acts as a service provider (under U.S. state privacy laws) and processor on behalf of the Customer, who is the business / controller for the underlying advertising data. Our processing is limited to the purposes specified by the Customer and to the purposes set out in this Policy.

Customer responsibilities. Customers are contractually required to (a) have a lawful basis and appropriate consumer notices and opt-out mechanisms in place for any data they direct us to process, (b) not provide PurePlay with sensitive categories of personal information except as expressly agreed in writing, and (c) not direct PurePlay to perform any processing that PurePlay reasonably believes violates applicable U.S. privacy law.

7. Pseudonymous Identifiers and Signals We Process for Advertising

To plan, deliver, measure, and report on advertising campaigns, we process the following categories of pseudonymous digital identifiers and signals (“Advertising Identifiers”). Advertising Identifiers are not, by themselves, traditional personal information — they are device-level or browser-level identifiers that, under U.S. state privacy laws, may nevertheless constitute personal information when linked to a device, browser, or household.

Mobile Advertising IDs (MAIDs) such as Apple IDFA and Google AAID, where the user has not enabled Limit Ad Tracking or denied App Tracking Transparency permission.

Connected TV (CTV) identifiers such as IFA (Interactive Advertising Bureau Identifier for Advertising) and platform-specific device identifiers (e.g., Roku RIDA, Samsung TIFA, Vizio VIDA), where the user has not opted out.

Cookie IDs and similar browser identifiers, including DSP- and SSP-issued IDs received in bid requests.

IP address (which we treat as a personal identifier under U.S. state law).

Coarse geolocation derived from IP address or device signals (typically DMA, postal code prefix, city, or state — not precise GPS coordinates).

Bid request signals provided by the publisher or SSP, including app bundle / domain, content category, page URL, device type, operating system, screen size, language, and connection type.

Hashed match keys (e.g., SHA-256 hashed email or phone) provided by Customers solely for the purpose of audience matching in a privacy-safe environment, as described in Section 12.

8. Our Core Privacy Commitments for Advertising

Across all Advertising Services, PurePlay commits to the following. These commitments apply in addition to, and do not limit, any rights you have under applicable law:

No directly identifying PII in the ad stack. We do not collect, request, or accept names, raw email addresses, raw phone numbers, postal addresses, government-issued identifiers, payment card numbers, or other directly identifying personal information into our DSP, bid stream, audience, or measurement systems. Where Customers provide match keys for audience activation, those keys are pre-hashed by the Customer (or by a clean-room provider) using an industry-standard one-way hash (typically SHA-256, with email normalized per the platform’s specification).

No re-identification. We do not attempt to re-identify, and we contractually prohibit our service providers, DSPs, DMPs, SSPs, and measurement partners from attempting to re-identify, any pseudonymous Advertising Identifier as a specific named individual. We do not combine Advertising Identifiers with directly identifying personal information held in our CRM or marketing systems.

No cross-context profile linked to identity. We do not build a persistent cross-site, cross-app, or cross-device profile of any identified individual. Audience segments and frequency-control records are keyed to pseudonymous device or browser identifiers and are not tied to a name or contact record.

No sensitive-category targeting. We do not knowingly target, infer, or build audiences based on health conditions or medical treatment, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, gender identity, citizenship or immigration status, union membership, precise (GPS-level) geolocation, biometric data, or the contents of mail, email, or text messages. We also do not engage in financial-eligibility, employment-eligibility, housing, insurance, or credit decisioning based on Advertising Identifiers.

No children. We do not knowingly process Advertising Identifiers for users we know to be under 16, and we do not target advertising to inventory categorized as directed to children under the Children’s Online Privacy Protection Act (COPPA). Bid requests flagged as child-directed (e.g., COPPA flag, app store age rating) are excluded from targeting and from audience construction.

Opt-out honoring. We honor recognized opt-out signals at the device, browser, and bid-request level (Section 16), and we honor consumer privacy requests we receive from Customers and directly from individuals (Section 19).

Minimization and purpose limitation. We process the minimum Advertising Identifiers and signals needed for the Customer’s campaign, and we use those identifiers only for the purposes described in Section 9. We do not sell Advertising Identifiers in the colloquial sense and we do not use them to enrich third-party data products.

9. How We Use Advertising Identifiers

We use Advertising Identifiers solely for the following advertising purposes, on behalf of our Customers and under contract with them:

Targeting — bidding on inventory matching the campaign’s audience, geography, content, and contextual criteria.

Frequency capping — limiting the number of times a given device or browser sees an ad.

Brand safety, fraud detection, and invalid-traffic filtering — identifying bots, non-human traffic, and unsafe content adjacencies, including through accredited third-party verification providers.

Measurement and reporting — counting impressions, clicks, video events, viewability, completion, and (where permitted by the Customer and the data source) post-exposure outcomes such as site visits, store visits, or sales lift, reported in aggregated form.

Audience construction — building and refining campaign audiences (for example, devices observed visiting a specified set of publisher domains, content categories, or aggregated physical locations) for use within the same campaign or for the Customer who provided the underlying data.

Service operation, billing, and audit — operating the platform, reconciling spend, supporting Customer audits, and complying with legal recordkeeping obligations.

We do not use Advertising Identifiers to make decisions that produce legal or similarly significant effects about an individual (e.g., credit, employment, insurance, housing, education, criminal justice). We do not use Advertising Identifiers to engage in price discrimination or to deny goods or services.

10. Sources of Advertising Identifiers

We receive Advertising Identifiers from:

Publishers and DSP bid streams — when a user opens an app, webpage, or CTV experience that includes ad inventory, the publisher’s SSP sends a bid request to DSPs (including DSPs we operate on), containing the signals described in Section 7.

Customers — uploading first-party audiences (typically as hashed match keys), conversion events, or other campaign inputs they have collected with appropriate notice and consent.

Licensed data partners — for example, location-intelligence providers (such as Cuebiq) and demographic-modeling vendors, in accordance with their consent frameworks and contractual representations.

Measurement and verification partners — for conversion, attribution, and outcome measurement on Customer instruction, including accredited brand-safety and invalid-traffic providers.

11. Third Parties We Share Advertising Identifiers With

In the course of operating the Advertising Services, we share Advertising Identifiers with the following categories of third parties, each of which is contractually limited to using the data for the purposes we specify:

Demand-side platforms (DSPs) — e.g., Beeswax (FreeWheel), Google Display & Video 360, and other DSPs the Customer engages us to use.

Supply-side platforms and ad exchanges — to which the DSP transmits bid responses on our instruction.

Data management platforms (DMPs) and audience platforms — to store, segment, and activate Customer-provided or licensed audience data.

Identity and clean-room providers — to match Customer-provided hashed match keys with hashed identifiers held by a publisher, walled-garden platform, or measurement vendor in a privacy-safe environment.

Measurement, attribution, and verification vendors — to measure delivery, viewability, brand safety, invalid traffic, and post-exposure outcomes.

Hosting, storage, and analytics providers — our cloud infrastructure providers (e.g., AWS) and analytical database providers (e.g., Snowflake) on which we store impression logs and reporting data under written data-processing terms.

Customers — to whom we deliver campaign delivery and outcome reporting in aggregated form, and (where the data originated with the Customer) the underlying segment definitions.

Legal, regulatory, and successor recipients — as described in Section 4.

Each of the above is bound by a written agreement that requires it to (i) process Advertising Identifiers only for the limited, specified purposes; (ii) maintain reasonable security; (iii) not sell or further share the data except as permitted by that agreement; and (iv) not attempt to re-identify pseudonymous identifiers.

12. Audience Matching and Data Clean Rooms

Customers sometimes ask us to match their first-party audience (for example, a list of their own customers or prospects) against publisher, walled-garden, or measurement-vendor inventory so the Customer’s advertising can reach a defined audience or so post-campaign outcomes can be measured. We perform these matches under the following rules:

The Customer (or a clean-room provider acting on the Customer’s instruction) is responsible for hashing the match keys before they reach PurePlay. We do not accept unhashed email addresses, phone numbers, or postal addresses into the advertising stack.

Where possible, matching is performed in a privacy-safe environment — such as a data clean room operated by a publisher (e.g., Google Ads Data Hub, Amazon Marketing Cloud), an independent clean-room provider, or a Customer-provided clean room — in which PurePlay does not receive the underlying hashed identifiers, only the resulting audience size, match rate, and aggregated outputs.

Where matching is performed outside a clean room (for example, by uploading hashed identifiers to a DSP’s native audience tool), the hashed identifiers are used only for the specified Customer campaign, are not retained beyond the campaign’s active life plus a reasonable wind-down period, and are not combined with PurePlay’s own first-party data or with any other Customer’s data.

We do not reverse-engineer, decrypt, or attempt to recover the underlying personal information from any hashed match key. We contractually require the same of any third party that handles match keys on our behalf.

We do not perform PII-to-PII linkage on behalf of one Customer using another Customer’s data, and we do not sell or license Customer-provided audiences to other Customers or to third parties.

13. Sensitive Personal Information

PurePlay does not knowingly collect, process, or infer sensitive personal information (as defined under the CCPA and similar state laws) through the Website or in the course of the Advertising Services for the purpose of inferring characteristics about an individual. In particular:

We do not collect government-issued identifiers, financial account numbers, payment card numbers, log-in credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data, health information, or information about sex life or sexual orientation through the Website.

We exclude health, financial-eligibility, and other sensitive content categories from advertising targeting and audience construction in the Advertising Services, except where the Customer represents in writing that it has a lawful basis (e.g., a HIPAA Business Associate Agreement, an explicit consumer opt-in obtained by the Customer) and engages PurePlay under a separate written addendum.

Because we do not process sensitive personal information for purposes of inferring characteristics, the right to limit the use of sensitive personal information under the CCPA does not apply to our use of such information.

Healthcare and life sciences engagements. For a subset of Customers in the healthcare and life sciences sectors, we may process additional categories of data — for example, hashed or de-identified healthcare-professional (HCP) identifiers such as hashed National Provider Identifier (NPI) lists — under contractual frameworks established by the upstream data provider and by the Customer (for example, third-party data-access programs, prescription-data licenses, or physician-data licenses). In these engagements we process the data strictly within the permitted-use scope, retention windows, and audit obligations imposed by the originating data provider and by the Customer; we do not combine it with our Website personal information or with another Customer's data; and we do not use it to train AI or machine-learning models. AI-assisted creative variants generated for pharmaceutical or other regulated-category activation are subject to the Customer's medical, legal, and regulatory review (commonly known as MLR) prior to activation.

14. Industry Frameworks and Self-Regulatory Programs

We design our Advertising Services to be consistent with leading U.S. advertising self-regulatory programs and technical privacy frameworks, including:

Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising and for Mobile Environments.

Network Advertising Initiative (NAI) Code of Conduct.

IAB Tech Lab Global Privacy Platform (GPP), including the U.S. National (USNAT) and state-specific sections, for the transmission of consumer privacy choices in the bid request.

IAB CCPA Compliance Framework and successor frameworks for U.S. state privacy laws.

Trustworthy Accountability Group (TAG) anti-fraud, brand-safety, and transparency programs.

Where a Customer requires participation in additional frameworks (for example, a sector-specific code of conduct), we will work with the Customer in good faith to comply.

15. Advertising Opt-Outs We Honor

Global Privacy Control (GPC) — we treat a GPC signal from your browser as a valid opt-out of “sale” and “sharing” / targeted advertising under applicable U.S. state laws for the browser on which it is sent.

IAB Global Privacy Platform (GPP) signals passed in bid requests — we honor U.S. National (USNAT) and state-specific opt-out strings transmitted in the bid stream.

Limit Ad Tracking (LAT) and Apple App Tracking Transparency (ATT) — when a MAID is zero’d out or absent, we do not bid using it as a personal identifier.

Device-level controls — you can reset or limit your advertising ID through your iOS, Android, Roku, Samsung, Vizio, or other device privacy settings.

Industry opt-out tools — Digital Advertising Alliance WebChoices (optout.aboutads.info), DAA AppChoices for mobile apps, and the NAI consumer opt-out (optout.networkadvertising.org).

Direct requests — you can submit a request to opt out of sale, sharing, or targeted advertising directly to us (Section 19) or through our “Do Not Sell or Share My Personal Information” link on the Website (once available).

 

Shared Sections

16. Data Retention

We retain personal information only for as long as we need it for the purposes described in this Policy, including to provide the services you request, run our marketing programs, comply with our legal and contractual obligations, resolve disputes, and enforce our agreements.

In practice:

Lead-form and CRM data: retained for the duration of our active business relationship with you or your organization, plus a reasonable period afterward for re-engagement, archival, and recordkeeping purposes (typically up to 7 years after last activity).

Third-party analytics records (e.g., Google Analytics): held by the analytics provider per its retention settings (typically up to 26 months in identifiable form, then aggregated). We do not maintain a copy in our own databases.

Hosting provider access logs: retained per provider defaults — typically days to a few weeks — and not ingested into PurePlay’s analytical databases.

Job applicant information: retained in line with applicable U.S. employment and recordkeeping laws (typically 1–3 years after the application is closed, longer where required by law).

Marketing information: deleted or anonymized when you unsubscribe, when it is no longer useful, or when applicable law requires.

Authenticated platform data (Customer business records): retained for the term of the Customer agreement plus a reasonable period for legal and audit obligations.

Bid stream and impression logs (with Advertising Identifiers): retained in identifiable form for up to 13 months, then aggregated, hashed, or deleted. Aggregate, non-identifiable reporting may be retained longer.

Audience segments built from identifiers: retained for the active life of the campaign plus a reasonable wind-down period, then deleted or rebuilt on a rolling basis. Customer-provided hashed match keys are deleted or returned per the Customer agreement.

Privacy-request records: retained for the period required by applicable U.S. state privacy laws (typically 24 months) so that we can demonstrate compliance.

When we no longer need personal information, we delete it, anonymize it, or — if deletion is not immediately possible (for example, because the information is in a backup) — securely store it and isolate it from further use until deletion is possible.

17. Vendor and Service-Provider Management

We perform reasonable diligence on the privacy and security practices of vendors that process personal information on our behalf, including DSPs, DMPs, measurement vendors, hosting and storage providers, and marketing-technology vendors. We enter into written agreements with these vendors that include, at a minimum:

A limitation of permitted uses to the services we have engaged the vendor to perform.

A prohibition on selling, sharing, or further disclosing the personal information except as permitted by the agreement.

A prohibition on combining the personal information with information from other sources except as needed to perform the services.

A requirement to maintain reasonable administrative, technical, and physical safeguards.

A requirement to notify us promptly of any actual or reasonably suspected security incident affecting our data.

A requirement to cooperate with consumer privacy requests and to delete or return personal information at the end of the engagement.

18. Data Security

We maintain administrative, technical, and physical safeguards designed to protect the personal information we collect against unauthorized access, disclosure, alteration, and destruction. These include:

Encryption of personal information in transit (TLS) and, for sensitive systems, at rest.

Role-based access controls, single sign-on, and multi-factor authentication for internal systems.

Network segmentation, endpoint protection, vulnerability scanning, and logging of security-relevant events.

Vendor security review and least-privilege access for third parties.

Security awareness training for personnel with access to personal information.

Incident-response procedures, including breach notification to affected individuals and regulators where required by applicable U.S. law.

No method of transmission over the internet and no method of electronic storage is completely secure, so while we work to protect your information, we cannot guarantee its absolute security. You play an important role too: please use a strong, unique password for any accounts you maintain with us and let us know promptly if you believe your information may have been compromised.

19. Your U.S. Privacy Rights

Depending on the U.S. state in which you reside, you may have certain rights with respect to the personal information we hold about you. This section describes rights available to California residents and to residents of other U.S. states with comprehensive consumer privacy laws. Where state law does not grant a specific right, we may still honor reasonable requests at our discretion.

California residents

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”), gives you certain rights with respect to your personal information.

Categories of personal information collected. In the past 12 months, we have collected the following categories of personal information through the Website, using the labels in Cal. Civ. Code § 1798.140: Category A (identifiers — such as name, business email address, phone number, IP address, and online identifiers); Category B (categories listed in the California Customer Records statute — such as name, address, telephone number); Category F (internet or other electronic network activity — such as browsing and interaction data on the Website); Category G (geolocation data — approximate location derived from IP address, not precise GPS); Category I (professional or employment-related information — such as company name and job title); and Category K (inferences drawn from the above — such as predicted interest in our products). In the course of our Advertising Services, we additionally process Category A identifiers (such as Mobile Advertising IDs, CTV IDs, cookie IDs, IP addresses, and hashed match keys received from Customers) and Category F internet/network activity (such as impression and event logs) on behalf of our Customers. We do not collect the other CCPA categories through the Website.

Sensitive personal information. We do not collect or process sensitive personal information for purposes of inferring characteristics about you. Accordingly, the right to limit the use of sensitive personal information does not apply to our practices.

Sources. We collect this information from you directly, automatically through your interaction with the Website, and from third parties such as data enrichment providers, advertising and analytics partners, and joint marketing partners (see Section 2). For Advertising Services, sources include DSP bid streams, Customers, and licensed data partners (see Section 10).

Business and commercial purposes. We use this information for the purposes described in Sections 3 and 9 — primarily to respond to your inquiries, market our products and services, operate and improve the Website, deliver and measure advertising campaigns for our Customers, prevent fraud, and comply with law.

Categories disclosed for a business purpose. We disclose each of the categories listed above to the categories of recipients described in Sections 4 and 11 (service providers; advertising, analytics, and measurement partners; joint marketing and event partners; affiliates; legal and government authorities; and parties to a business transfer).

Sale and sharing. We do not sell personal information for monetary payment. However, our use of third-party advertising and analytics cookies and similar technologies — for example, to support retargeting and cross-context behavioral advertising on the Website — and the transfer of Advertising Identifiers through DSP bid streams in the course of our Advertising Services may constitute a “sale” or “sharing” of personal information under the CCPA. The categories of personal information involved in these activities are identifiers, internet or other electronic network activity, approximate geolocation, and inferences. We disclose these categories to the categories of third parties described in Sections 4 and 11. We do not knowingly sell or share the personal information of consumers under 16.

Retention. We retain personal information in accordance with Section 16.

Your CCPA rights. Subject to certain exceptions, you have the right to: (1) know what categories and specific pieces of personal information we have collected, used, disclosed, sold, and shared about you; (2) request a copy of your personal information in a portable format; (3) request that we correct inaccurate personal information; (4) request that we delete personal information we have collected from you; (5) opt out of the “sale” or “sharing” of your personal information; and (6) not be discriminated against for exercising these rights. You can exercise the right to opt out of sale and sharing by contacting us at privacy@pureplay.ai, by using a “Do Not Sell or Share My Personal Information” link or preference center on the Website (once available), or by sending a Global Privacy Control signal from a browser that supports it. You can exercise other rights using the methods in Section 20. We may need to verify your identity before responding, and you may use an authorized agent to submit a request on your behalf.

California Shine the Light. California Civil Code § 1798.83 (“Shine the Light”) permits California residents to request information regarding the disclosure of certain categories of personal information to third parties for those third parties’ direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes within the meaning of Shine the Light. You may direct any Shine the Light request to privacy@pureplay.ai.

Other U.S. state residents

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Rhode Island, or Tennessee (subject to the effective date of each state’s law), you may have rights similar to those described above. Depending on your state, these rights may include:

The right to confirm whether we are processing your personal information and to access that information.

The right to correct inaccurate personal information.

The right to delete personal information.

The right to obtain a portable copy of personal information you have provided to us.

The right to opt out of the processing of your personal information for purposes of targeted advertising, the sale of personal information, or certain types of profiling that produces legal or similarly significant effects.

The right to limit our use of sensitive personal information.

The right to appeal our decision regarding a privacy request.

Some of our use of advertising, analytics, and measurement technologies on the Website — and the transfer of Advertising Identifiers through DSP bid streams in the course of our Advertising Services — may constitute “targeted advertising” or a “sale” of personal information under these laws. You can opt out by contacting us at privacy@pureplay.ai, by using our cookie preference center (once available), or by sending a recognized opt-out preference signal such as Global Privacy Control. We honor GPC signals as a valid opt-out from the browser on which they are sent in states whose laws require us to do so.

If you would like to appeal a decision we have made in response to your privacy request, please reply to our response or write to us at privacy@pureplay.ai with the word “Appeal” in the subject line. We will respond to your appeal within the time required by applicable law. If your appeal is denied, you may contact your state attorney general.

Nevada residents

Nevada residents have the right under NRS 603A to direct certain operators of websites not to make sales of certain types of “covered information.” While we do not engage in sales of covered information as defined under NRS 603A, you may submit such a request to privacy@pureplay.ai and we will treat it as an opt-out of sale.

Industry opt-outs

For interest-based advertising broadly, you can also opt out using industry tools:

Digital Advertising Alliance — optout.aboutads.info

Digital Advertising Alliance AppChoices (mobile apps) — youradchoices.com/appchoices

Network Advertising Initiative — optout.networkadvertising.org

Mobile: reset or limit your advertising ID in your device’s privacy settings.

Connected TV: use your TV platform’s ad-tracking or interest-based-ads settings.

20. How to Exercise Your Rights

To exercise any of the privacy rights described in this Policy — including requests to access, correct, delete, or port your information; to opt out of sale, sharing, targeted advertising, or profiling; to limit use of sensitive personal information; or to withdraw consent — please contact us at privacy@pureplay.ai. You can also write to us at the address in Section 25.

To help us respond, please include enough information for us to understand your request and identify the personal information you are asking about. We may need to verify your identity before fulfilling certain requests, particularly requests for access, deletion, or correction. We will not charge you a fee unless your request is manifestly unfounded or excessive, as permitted by law.

You may use an authorized agent to submit a request on your behalf, where applicable law permits. We may require the agent to provide proof of authorization and may also ask you to verify your own identity directly.

We will respond to your request within the time frames required by applicable law (generally 45 days, extendable once where reasonably necessary). If we cannot fulfill your request, we will explain why.

If your request relates to a specific advertising campaign run by one of our Customers, we may need to forward the request to that Customer (who acts as the controller / business for that processing) and support them in responding.

If you would like to unsubscribe from marketing emails, you can do so at any time by clicking the unsubscribe link in the footer of any marketing email or by emailing privacy@pureplay.ai. You may continue to receive transactional or relationship messages — for example, responses to your sales inquiry or operational updates about a service you have requested — even after unsubscribing from marketing.

21. Notification of Security Incidents

If we become aware of a security incident affecting your personal information that, in our reasonable assessment, is likely to result in a risk to your rights, we will notify you and applicable regulators as required by U.S. state and federal law. Notifications will describe the nature of the incident, the categories of information affected, the steps we are taking in response, and what you can do to protect yourself.

22. Children’s Privacy

The Website is intended for businesses and business professionals and is not directed to children. We do not knowingly collect personal information from children under 16 (or, under the Children’s Online Privacy Protection Act, under 13). We do not knowingly process Advertising Identifiers of users we know to be under 16, and we exclude inventory flagged as child-directed from our targeting and audience-construction activities. If you believe a child has provided us with personal information, please contact us at privacy@pureplay.ai and we will take appropriate steps to delete it.

23. Third-Party Links and Services

The Website may contain links to third-party websites, services, and resources, and may embed third-party content (such as videos, social media widgets, or research reports). We do not control, and are not responsible for, the privacy practices of those third parties. When you follow a link to or interact with a third-party site or service, you will be subject to that party’s terms and privacy policy. We encourage you to review them before sharing any personal information.

24. Changes to This Policy

We may update this Policy from time to time to reflect changes to the Website, our practices, or applicable law. When we do, we will post the updated Policy on this page and update the “Effective Date” above. If the changes are material, we will provide additional notice — for example, by posting a notice on the Website or, where appropriate, sending an email to addresses we have on file. We encourage you to review this Policy periodically.

25. Contact Us

If you have questions, comments, or complaints about this Policy or our privacy practices, please contact us at:

PurePlay LLC

Attn: Privacy

4840 El Secreto

Rancho Santa Fe, CA 92067

United States

Email: privacy@pureplay.ai