AppsFlyer Services: How we Process Customer Data
At AppsFlyer, privacy is a core value. We are deeply committed to providing our customers with a service that enables them to gain valuable insights and deliver exceptional user experiences while protecting the data and privacy of their users.
The following provides information about AppsFlyer and how personal data is processed when customers use the AppsFlyer services.
- What is AppsFlyer
- Whose Personal Data is Processed
- What Types of Personal Data is Processed
- AppsFlyer as a Data Processor
- Sharing of Personal Data
- Customer Registration and Log Information
- Data Security
- Privacy Controls
- Children and Mixed Audience Apps
1. What is AppsFlyer?
AppsFlyer provides cloud-based services and technology that enables customers to store, manage, analyze, measure and control their own data (the “Service”). By using AppsFlyer, customers are able to measure their marketing efforts, analyze their app usage, improve app users’ experience, collaborate with their partners and leverage fraud protection technologies while preserving the privacy of their end users.
AppsFlyer offers its Service globally and across multiple platforms, including iOS, Android, Windows, web, CTV and gaming consoles. As a result, AppsFlyer’s Service is designed to be highly flexible and configurable to allow its customers to utilize the Service based on their particular business needs and compliance obligations.
2. Whose personal data is processed?
When customers use AppsFlyer, AppsFlyer processes limited personal data related to the following categories of data subjects:
- End Users of our customers (“End Users”) - meaning individuals who have interacted with, or viewed, customer’s advertising and marketing materials, or use or have used customer’s mobile applications, websites, products and services.
- Our customers (“Service Users”) - registration and Service usage information of users of the Service (e.g. customer’s employees and authorized representatives).
3. What types of End User personal data is processed when customers use the Service?
Customers control the configuration of the Service and how it is used. As such the specific data parameters processed for customers may differ from one customer to another based on their configuration and specific use of the Service. For example, one customer may configure the Service to access a device’s advertising ID (e.g. IDFA, AAID) for measurement purposes while another customer may not. Likewise, different customers may choose different in-app events they would like to measure based on the nature of the app and the customers’ needs.
While customers themselves are able to configure what data to collect, upload, store or transmit to their AppsFlyer account through the Service interface and various developer tools that AppsFlyer makes available to customers (SDK, APIs etc.), there are limits to what data they can collect. The AppsFlyer developer tools by design may limit a customer’s ability to collect certain data from a user’s device in furtherance of data minimization principles (for example, they do not enable the collection of precise GPS location data, boot time etc.). Additionally, AppsFlyer contractually restricts customers from processing certain restricted, sensitive or regulated personal data categories such as protected health information and personal financial data (see Sections 1(w) and 9 in our Master Service Agreement for more information).
The data categories processed by AppsFlyer to provide the various services (measurement, engagement, analytics, and fraud protection) may include the following, subject to the customer’s configuration (“Processed Data”):
- Technical and Device Information: this refers to technical information and information related to an End User’s mobile device or computer. For example, device type and model, browser information, operating system information, CPU and battery information, system language, network information (wifi and carrier), device motion parameters and screen orientation.
- Identifiers: this refers to various identifiers that generally identify a computer, device, browser, vendor or application - for example, advertising IDs such as Apple’s Identifier for Advertisers (IDFA) and Identifier for Vendors(IDFV), Google’s Advertising ID (AAID), Install Referrer, and App ID. Customers may also set their own customer issued id (CUID) and may, in limited circumstances, set emails and phone numbers in cryptographic hashed form.
- Network Data: this refers to information received through standard network connections such as IP address (which may be resolved to IP based regional coarse geolocation) and user agent.
- Engagement Information: this refers to information relating to the customer’s ad campaigns and End User actions, such as clicks on customers’ ads, views (impressions) of customers’ ads, app download and install information including date, app launches information, the type of ads and the webpage or application from which such ads were displayed, pages on the customers’ websites or app visited by an End User, referral URL, and other interactions, events and actions customers choose to measure and analyze within their application or website (e.g. add to cart, in-app purchases made, clicks, engagement time etc.
4. In what capacity does AppsFlyer process the End User’s personal data when customers use the Service?
With respect to its processing of End User data that is deemed personal data, AppsFlyer is defined as a ‘data processor’ or ’service provider’ under various global laws and regulations. The data is owned and controlled by AppsFlyer’s customer; the app developer (or the partners they work with) and AppsFlyer does not use any of the End User personal data for its own purpose. AppsFlyer does not: act as an ad network or data broker; engage in selling, buying, or licensing end users’ data; engage in selling ads, Targeted Advertising, or behavioral profiling; or engage in other similar services that collect and make use of first-party data. Privacy and remaining independent and unbiased are at the core of AppsFlyer’s business.
AppsFlyer’s Data Protection Agreement provides additional information relating to AppsFlyers role and commitments as a data processor. AppsFlyer may use information derived from the aggregation of End User data for market research and analysis, benchmarking, and improvement and marketing of the Services (“Aggregated Data''). Aggregated Data is de-identified and will in no way reveal the identity of a customer or an End User.
5. Is End User personal data shared?
As stated above, AppsFlyer is a data processor and as such customers control the End User personal data. Customers of AppsFlyer are able to use the Service to collaborate with their various partners and to share certain Processed Data (as defined in Section 3 above) with these partners in a secure manner which may include data deemed personal data under various laws (e.g. Advertising ID’s, CUID’s (including emails) and related engagement information). When a customer first logs into the service, no data is configured to be shared. Customers can choose from the AppsFlyer Partner Marketplace what partners they wish to work with and configure the service accordingly. Upon a customer configuring the service to work with their partners, certain Processed Data is shared by the customer with such partners. Subject to the limitations of a partner integration, Customers can define the extent of the data they wish to share and at what granularity, through active choices made by customers. For example, customers may choose to configure the Service not to share any data through postbacks with any partner or to share data with just certain partners. Likewise, customers can configure the Service to share some events with certain partners or not share events at all, or they may choose to share only aggregations where supported (iOS). For more information please see Question #8 below.
End Users should visit the app's specific privacy policies to learn how the app uses and shares information with partners or other third parties.
AppsFlyer does not sell End User personal data to any third party. AppsFlyer does not share personal data with any third party except (i) where directed by customers (e.g. as described above, to integrated partners), (ii) to our subsidiaries and global branches as necessary to help us support and maintain the Service, (iii) to our service providers who help to support our Service – such as data hosting providers and payment processors (who are authorized to use the personal data only as necessary to provide these services to us), (iv) when legally required (e.g. court orders or other lawful requests by public authorities), including to meet national security or law enforcement requirements, (v) to respond to, or prevent, fraud or to protect the safety of AppsFlyer, its customers, End Users or the public, and (vi) as part of any merger or acquisition of AppsFlyer, in which case End User data may be transferred to the surviving or acquiring entity.
6. What personal data of Service Users (as defined in Section 2) is processed by AppsFlyer and in what capacity?
7. How does AppsFlyer protect the data it processes on behalf of customers?
At AppsFlyer, we strive to implement the highest level of security processes and practices across all business units.
We implement various technical and organizational measures that are designed to protect our customer’s data from unauthorized access, accidental loss, destruction or damage. Our security practices are based on industry-leading standards such as SSAE 16 SOC2 and ISO standards, on which we are audited annually. Our security framework includes policies and procedures, asset management, access management, physical security, people security, product security, cloud and network infrastructure security, third-party security, vulnerability management, security monitoring, and incident response.
Please see here for more specific details on the various security measures employed by AppsFlyer.
8. What privacy controls are available to customers when using AppsFlyer?
Since its inception, AppsFlyer has been committed to, and invested heavily in, research into and development of privacy preserving solutions and controls, including privacy-enhancing technologies (PETs). AppsFlyer’s aim, through the principles of ‘privacy by design’ and ‘privacy by default’, is to enable its customers to enhance the privacy and experience of their End Users and to provide them with the flexibility needed to meet their business needs and privacy compliance obligations.
Privacy preserving solutions (privacy by default) include:
- Aggregated Advanced Privacy (AAP)
- Privacy Cloud and Data Clean Room
- SK360 (SKAN)
- Probabilistic Modeling
- Incrementality measurement
Privacy preserving controls (privacy by design) include:
- Opt-in/Opt out for any data processing - this enables customers to align with any consent mechanisms implemented within their app to ensure GDPR, CCPA or other regulatory compliance.
- Opt-out from Device ID utilization (iOS -IDFA, iOS - IDFV and Android). For iOS customers may also use the Strict Mode SDK. This enables alignment with any platform policies and regulatory requirements for child directed or mixed audience applications.
- Opt-out controls for customer data sharing with partners (see also AAP for iOS for aggregated data sharing). This enables customers to comply with platform policies and regulatory requirements including requirements related to child or mixed audience applications (e.g COPPA).
- Opt-in/out controls on types of data shared for in-app events - this enables customers to control with which partners (if any at all) customers share events they choose to measure.
- IP address masking - This will mask IP addresses from any reporting and from any data customers choose to share with their partners.
- OpenDSR - Data Subject Rights Request controls - this enables customers to easily comply with data subject requests they receive such as data deletion and access.
- Post Install deidentification - this enables customers to measure post install events without connection to the device identifier and to the initial attribution. Other identifiers such as IP and AppsFlyer ID are hashed.
For more information on privacy preserving controls, please visit our help center.
9. Does AppsFlyer provide controls for child directed or mixed audience apps?
When processing data of children, app developers need to consider a wide range of platform policies, regulations, and laws that are in place to protect children. Some of these laws are specific to children (COPPA) while others are broad but provide specific protections for children (GDPR and similar regional laws). Additionally, in recent years platforms such as iOS and Android have implemented specific policies and rules to help provide improved safety and privacy for our children.
At AppsFlyer, data privacy is at our core. We strive to be at the forefront of the industry's privacy standards and work to pave the way for heightened security and privacy levels most specifically towards children facing apps.
The following Kids App Implementation guide provides information on the various controls (also described above) that customers need to consider and implement to ensure their compliance with regulations and to protect the privacy of any End Users that are children. For more details on children’s privacy and the use of AppsFlyer, see also AppsFlyer’s Privacy Statement for Kids Apps.