Privacy Statement  

These privacy rules (hereinafter called “Privacy Statement” relate to the processing of Personal Data by Manna Agency B.V. . and/or its affiliated companies (hereinafter called “Companies”, “we”, “us”). Personal data means information about any identifiable person (hereinafter called “Data Subject(s)”), (hereinafter called “Personal Data”). Processing of Personal Data means amongst other things the collection, storage, recording, editing, accumulating, requesting, consulting or deletion of Personal Data.

Starting 25 May 2018, the General Data Protection Regulation, also named GDPR, is European legislation with direct effect in the European Economic Area.

We adhere to the requirements of privacy legislation in our processing. That means among other things that:

    we clearly state the purposes for which we process Personal Data. We do this through this Privacy Statement;

    we limit our collection of Personal Data to only the Personal Data that is necessary for legitimate purposes;

    we take appropriate security measures to protect all Personal Data and demand the same of parties that process Personal Data on our behalf;

    we respect the right of Data Subjects to offer, correct or delete their Personal Data upon request.

We are responsible for certain processing of Personal Data, both as data controller and data processor on behalf of client companies. In this Privacy Statement we explain which Personal Data we process and for what purposes and means. We recommend our customers and visitors to carefully read this Privacy Statement.

This Privacy Statement was last updated on September 9, 2020.

Processing of Personal Data

We act either as data controller or as data processor on behalf of client companies for the performance of our services to those client companies. As data controller we determine the purposes and means of the processing of Personal Data and we are ultimately responsible for compliance with all applicable laws and regulations for the protection of Personal Data. Also, as data controller we have a data processing register in place. This register is part of our information security policy and, like other important privacy documents, we ensure the data processing register to be regularly evaluated and updated where necessary. If and insofar we process Personal Data on behalf of client companies for the performance of our service agreements, the client companies act as data controller and we act as data processor on behalf of the client companies. In these events the client companies determine the purposes and means of the processing of Personal Data and they are ultimately responsible for compliance with all applicable laws and regulations for the protection of Personal Data.

As data processor, we will only process Personal Data in a way that is necessary for the provision of our service agreements and in accordance with the instructions of the applicable client company. Exceptions to the foregoing shall only apply in the event of a legal obligation resting on us as data processor.

Without prejudice to the existing contractual arrangements with client companies, we will treat all Personal Data in strict confidence and inform employees and sub- processors involved in the processing of our Personal Data about the confidential nature of Personal Data. We ensure that these employees and sub-processors sign an adequate confidentiality agreement.

We process Personal Data so that we can provide digital media services to advertisers and publishers across a range of channels in connection with distributing and/or promoting and/or displaying advertisements (meaning text-based, graphical, interactive, rich media and video, or other digital advertisements, including, without limitation, banners, buttons, towers, skyscrapers, pop-ups, pop-unders and video advertisements) for Data Subjects visiting web and/or mobile and/or other digital sites used by the publishers, as determined by the advertisers; and also the delivery of performance marketing software that allows media buyers and affiliate networks to track, manage, analyze and optimize media campaigns by providing data analytics. (hereinafter called “Services”).

We may collect Personal Data directly from Data Subjects when they (register to) use our Services, post on our blog, contact our support team, and visit our website. In doing so, we may use the Personal Data we have collected from them for purposes related to our Services - including but not limited - to:

    verify Data Subjects’ identity;

    administer our Services;

    notify Data Subjects of new or changed services offered in relation to our Services;

    carry out marketing or training relating to our Services;

    assist with the resolution of technical support issues or other issues relating to our Services;

    comply with laws and regulations in applicable jurisdictions;

    address dispute resolution and anti-fraud issues;

    communicate with Data Subjects. The types of Personal Data and categories of Data Subjects processed are as follows:

    Types of Personal Data: User IP-address;
    User device ID;
    HTTP referer (an optional HTTP header field that identifies the address of the webpage which is linked to the resources being requested;
    User-agent string identifying the user's browser and device type;
    Unique identifier for bid request.

    Categories of Data Subjects:
    Visitors on the internet;
    Customers of publisher/affiliate partners.

By using our Services, Data Subjects consent to their Personal Data being collected, held and used in this way and for any other use they authorise. We will only use Personal Data for the purposes described in this Privacy Statement or with express permission of a Data Subject. The Companies guarantee that the processing of Personal Data will be solely based on one of the legal grounds set forth in article 6 GDPR.

Legal basis

The processing of the Personal Data is necessary for the provision of our Services and/or based on individual permission. We also conduct statistical research with Personal Data. In those events we have a legal interest in conducting research in order to improve our Services.

Retention periods

We will store Personal Data that falls under a legal retention obligation in accordance with the duration of this legal retention obligation. For example, we retain Personal Data that forms part of the statutory basic administration for a period of five to seven years after the termination of the relevant commercial agreement. In all other cases we will keep the Personal Data for a maximum period of 1 (one) year after the end of the relevant commercial agreement, unless the privacy statement of an affiliated company contains a deviating retention period for that particular affiliated company. We recommend our customers and visitors to carefully read the applicable privacy statement(s) as well.

Involvement of and sharing with third parties

As data controller we can engage other parties as data processors to perform an aspect or part of our Services to our customers and users; this could be a platform we use for our Services. As far as these third parties need access to Personal Data to perform our Services, we have contracted the correct, contractual, technical and organisational security measures to ensure these third parties use or process the Personal Data solely for the intended purposes and conform the instructions we agreed to with these third parties.

Furthermore, we will not provide Personal Data to other parties without permission of Data Subjects, unless this is legally required or permitted. For example, it is possible that investigative authorities request Personal Data from us in the context of fraud investigations. In that case, the Companies are legally obliged to provide this Personal Data.

When we share Personal Data with third parties that are considered separate data controllers, each party shall be able to determine the purpose and means of processing the Personal Data held under its control in accordance with its privacy notice. With respect to the separate controllership of each party and without the intention of entering into a joint-controllership as defined in article 26 GDPR, we shall enter into a partner agreement with such separate data controllers, that sets out the framework for the sharing of Personal Data between the parties and defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other. The shared Personal Data will only be processed as far as is necessary according to the purposes and in order to fulfil the obligations as set out in the partner

agreement and the parties guarantee that the processing of Personal Data will be solely based on one of the legal grounds set forth in article 6 GDPR.


We have implemented the following security measures to protect Personal Data:

    our system is accessible from the Companies’ network and via a secure VPN connection;

    we use secure connections (HTTPS) to ensure the safety of data transfers;

    we take organizational access measures;

    we take physical access measures;

    we have placed a reversed proxy for dealing with DDoS attacks.

Individuals’s rights with regard to Personal Data


In the situation where we are data controller for the collection of the Personal Data and therefore directly responsible, a Data Subject can address us in writing for:

Access to Personal Data. The Data Subject can ask us whether we process its Personal Data. If that is the case, we will explain which Personal Data we process, how we process it and for which purposes. One can also request a copy of its Personal Data we process;

Correction of Personal Data. If a Data Subject feels that the Personal Data we process is incorrect or incomplete, he or she can request us to supplement or edit the Personal Data;

Deletion of Personal Data. A Data Subject can request us to delete its Personal Data we process. We will delete the Personal Data without unreasonable delay after receiving such a request, if: the Personal Data is no longer needed for the purpose we processed it; the Data Subject no longer give us permission to process it, if permission was the base for processing it; the Personal Data was processed by us as part of direct marketing; the Data Subject objects against the processing of it and there is no reason (anymore) why we should still be permitted to process the Personal Data; there is a legal reason to delete the Personal Data.

Limitation to processing Personal Data. In some cases the Data Subject might want a limitation to the processing of its Personal Data. In that case, one can request us to limit the Personal Data we process. We will comply with such a request if (after investigation) it turns out to be possible, for example if one doesn’t want all of its Personal Data deleted, but other Personal Data is no longer necessary for the original purpose.

Portability of Personal Data (data portability). The Data Subject can request a copy of its Personal Data we process.

A Data Subject can also indicate the right to object if he or she doesn’t agree with our processing of the Personal Data.

If a Data Subject believes that we do not handle its Personal Data properly, he or she can submit a complaint to us. In the event the parties cannot resolve it and our response to the complaint does not lead to an acceptable result, the Data Subject has the right to submit a complaint about us to the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”). More information about this regulatory body and the submission of complaints can be found at

To exercise these rights, the Data Subject can contact us via the contact details at the bottom of this Privacy Statement. We will send a written response within 4 weeks.

Third party websites

This Privacy Statement does not apply to third-party websites that are linked to our website through links. We cannot guarantee that these third parties will handle Personal Data in a reliable or secure manner. We recommend that visitors read the applicable privacy notice before using such third-party website.

Change of Privacy Statement

We reserve the right to make changes to this Privacy Statement. It is recommended that visitors regularly consult this Privacy Statement so that they are aware of these changes.

Cookie policy

We use cookies on our websites and in our apps. Any visitor can deactivate cookies for all sites in its browser.

What are cookies? Cookies are small, simple text files and are sent to the visitor’s computer, tablet or mobile phone when visiting a website. Cookies increase the user friendliness when visiting our websites or using our apps.

Why do we use cookies? We use cookies to anonymously monitor the number of visitors on the site, which pages are visited and what kind of information requests are made. The cookies that we use, do not contain name or address data; just data concerning the use are stored (pages visited, technical details and IP address). This data is used to analyse the use and visit, so we can optimise our websites and apps, and can be of even better service to the visitor in the future. Naturally, we will handle this information carefully.

What happens when cookies are turned off? If cookies are turned off, we have less insight in the use of our website and can not optimise it to be of even better service to visitors in the future.

Turning off cookies. If a visitor would rather not use cookies, he or she can turn them off at any moment or remove them from the browser. Instructions for changing the settings of a browser can be found under ‘Help’ in the toolbar of most browsers.

To grant visitors of websites more choice in how their Personal Data is used by Google Analytics, they can also download the Google Analytics Opt-out Browser Add-on.

General contact information

Manna Agency B.V.. Weteringschans 109 1017 SB AMSTERDAM Tel. +31 (0)20 240 2530.

Contact details Data Protection Officer

Mr. Philippe van Wijnen