AppsFlyer GDPR Readiness

As the #1 Mobile Attribution and Analytics platform,
AppsFlyer is committed to providing its customers full transparency
and control over their users’ personal data,
empowering them in their pathway to GDPR compliance.

What it Means
What is the GDPR and how does it affect AppsFlyer customers?

On May 25, 2018, the European Union will begin to enforce a new data privacy law called the General Data Protection Regulation (GDPR), replacing the previous Data Protection Directive. A primary aim of the GDPR is to give people in the EU greater control over their personal data and over data that is collected about them.

Any company that collects (or processes on behalf of the company that collects) personal data of persons in the EU falls under the scope of the GDPR, even if the company has no physical presence in the European Union. This means that most businesses with a global or online presence, including AppsFlyer’s customers, are affected.

Our Commitment to You
How does AppsFlyer prepare for the GDPR?

At AppsFlyer, data privacy and security are at our core. Our state-of-the-art real-time infrastructure, advanced security and data protection, independent certifications and global regulatory compliance have earned the trust of the world’s leading brands.

AppsFlyer is committed to diligent GDPR compliance across our solutions and teams, and is investing significant and strategic resources in it: implementing rigorous technical measures and working with leading third-party consultants.

Data Security and Privacy Compliance

At AppsFlyer, we are committed to stringent data confidentiality, privacy and security.
Rated compliant by top industry regulators:

  • SOC 2 Type II Accreditation
  • TRUSTe Certification

Data Transfer Practices/Transparency

AppsFlyer’s data transfer practices are certified under the EU-U.S. Privacy Shield Framework. EU and US clients can rely on the Privacy Shield Framework to transfer data lawfully between the EU and the US and vice versa.

  • EU-U.S. Privacy Shield Framework Certification

Data Subject Request Management

To help advertisers (controllers) meet their GDPR obligations regarding their end users’ requests, AppsFlyer has built new APIs to manage users’ (data subjects’) requests for:

  • The right to erasure (a.k.a. the right to be forgotten)
  • The right to access
  • The right to data portability
  • The right to rectification

Data Protection by Design

AppsFlyer has implemented appropriate technical and organizational measures to ensure that, by default, only personal data which is necessary for each specific purpose of the service is processed, strictly in accordance with our customers’ instructions and configuration.

  • Personal Data is collected only when we obtain assurances of user consent
  • Anonymized and encrypted personal data options
  • No selling or re-brokering of personal data
  • SDK opt-out/opt-in options
  • Honoring do-not-track privacy choices

Maintain a Connected and Compliant Digital Stack

OpenGDPR is a universal, secure, and common framework for compliance with GDPR-mandated data subject rights. The OpenGDPR framework presents a public API specification along with a recommended set of best practices for implementing and maintaining a connected and compliant stack. By adopting OpenGDPR, brands can reliably address data subject requests across their partner ecosystems, in near real-time.

GDPR Best Practices
How AppsFlyer clients can prepare for the GDPR

Mobile app developers and advertisers utilize unique, personal identifiers to measure and understand their performance, optimize their app’s effectiveness and marketing. To ensure that you are complying with the GDPR’s personal data security requirements, here is a list of 6 key recommended measures to take towards GDPR readiness:

  1. Use established third-party tools that follow the top industry standards, like AppsFlyer.
  2. Map out and document all data collection, processing and storage, as well as the data processing lifecycle. Ensure adequate security is employed at every stage.
  3. Obtain informed and unambiguous user consent for the collection and use of personal data for the specific purposes for which you are collecting this data.
  4. Does your app really need all the data it accesses? Strive to use only what is absolutely necessary for the purposes of the service provided to your end users.
  5. Manage and respond to users’ requests, including consent withdrawal.
  6. Identify potential weak links within your technology.

Clear answers to your GDPR questions

Is AppsFlyer considered a Data Processor or a Data Controller?
AppsFlyer is considered a Data Processor. A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data. Our clients are Data Controllers.
Where is AppsFlyer’s data stored?
AppsFlyer’s data processing has been designed to be performed through EU-based servers: AWS and Google Cloud.
Does AppsFlyer have a GDPR certification?
GDPR is not a standard, such as ISO 27000, nor is it a self-certification framework like the EU-US Privacy Shield. It is legislation that leaves considerable room for interpretation and discretion for authorized courts and regulators. Accordingly, there is no GDPR certification process nor accreditation by the European Commission or any other authorized regulatory body. AppsFlyer constantly monitors the guidance around GDPR compliance from authorized regulators and will adapt our plans accordingly in case this changes.
Can customer data in AppsFlyer be encrypted?
Although not specifically requested by the GDPR, AppsFlyer offers the ability to anonymize and encrypt personal data in a manner that maintains the quality and accuracy of our services.
Does AppsFlyer have a dedicated Data Protection Officer (DPO) as requested by the GDPR?
Yes, Guy Flechter, our Chief Information Security Officer, was appointed as AppsFlyer’s DPO. Guy brings 17 years of experience working with the largest businesses in the world. Guy has shaped and continues to spearhead all of our global compliance efforts.
Does AppsFlyer have a Data Processing Agreement (DPA) in place?
Yes, our executed legal documentation was updated on March 14, 2018 with updated Online Terms and Conditions, and a DPA.

A word from our lawyers: Nothing stated here is legal, compliance or other advice. It is provided only for your informational and convenience purposes. You should work closely with legal and other professional advisors to determine exactly how the GDPR may or may not apply to you. As we explained above, AppsFlyer is merely a processor of data which you, as the controller of your users’ data, make available to us. So, AppsFlyer can never directly engage with your users nor address their requests. You remain in charge of meeting your data subject users’ requests and we can help you by providing tools to streamline this process.