Optivo helps brands reach opted-in UK consumers outside of their own CRM by using deterministic data and consent-based targeting. It is designed to replace shrinking retargeting pools caused by internet browser restrictions, cookie deprecation, and tighter privacy rules.

• Data foundation: A GDPR-compliant dataset of over 17 million opted-in UK consumers, with 400+ attributes such as demographics, interests,
  location, and engagement behaviour.
• Mechanism: Consumers are recognised when browsing brand websites (via tags deployed through the brand’s CMP). Where consent is present, esbconnect (Optivo) can match these interactions to opted in profiles.
• Activation: Brands can then target these users via email campaigns (delivered through Optivo).
• Transparency: Consumers can view, manage, or revoke consent anytime via brand CMPs, esbconnect’s privacy hub (opt-me-in.com), or unsubscribe links.

Consent is collected via the brand’s own Consent Management Platform (CMP), such as Cookiebot or OneTrust. esbconnect tags should only trigger
after valid consent is given. These CMPs should be configured to comply with UK GDPR and PECR requirements.

Consent is specifically obtained for:

• The use of cookies and tags to collect device data
• Processing for profiling and targeted advertising
• Sharing relevant customer data with esbconnect (if applicable)

Integration is supported with IAB TCF-compliant frameworks, where applicable, or non-IAB implementations via manual cookie categorisation

Consent is required because device fingerprinting and tag-based identifiers are considered personal data processing under PECR/GDPR.
Since the purpose is advertising (not ‘strictly necessary’ functionality), consent must be explicit. The ICO has made this requirement clear in
guidance on cookies and online advertising.

• Joint Controllers: When esbconnect and the brand collaborate to deliver marketing using brand customer data or site-tag data.
• Sole Controller (esbconnect): Where esbconnect uses its own profile data or repurposes shared data for additional services, audience building, or enrichment.

This relationship is documented, and users are informed in both the brand’s and esbconnect’s privacy policies.

Only a short paragraph is needed, which:

• Names esbconnect Ltd
• Explains the purpose (targeted advertising)
• References use of cookies/tags (with consent)
• Clarifies controller roles
• Links to more info on www.opt-me-in.com

esbconnect provides a ready-to-use wording plus long-form explanation
on its privacy hub.

If someone consents on the brand’s CMP, then esbconnect can use the data for own purposes but only where:

• Consent has been given
• Users are informed via both the brand’s and esbconnect’s privacy
  notices

In this case, esbconnect may use the data to:

• Enhance existing profiles
• Build new audiences (e.g. a lookalike audience for the brand to help them acquire new customers)
• Improve relevance and performance of future campaigns (e.g.understand what subject lines are working).

All processing is compliant with GDPR transparency and lawful basis requirements.

Users can:

• Withdraw consent via the brand’s CMP
• Opt out via unsubscribe links in esbconnect-delivered emails
• Contact esbconnect directly via its privacy notice

Requests (DSAR, erasure, rectification, suppression) are honoured promptly within GDPR deadlines.

The tag can be set to necessary, for the purposes of fingerprinting for security or fraud detection may fall under ‘strictly necessary.’ But Fingerprinting for marketing or profiling requires prior consent. For this reason, esbconnect only activates marketing tags when consent is present.

We ask a brand to share their customer data for the purposes of suppression management or to build lookalikes. This will be covered by the Data Processing Agreement and we would recommend that within your privacy policy you inform users you may share data for these purposes.

All long-form documentation is available at www.opt-me-in.com, including:

• Data usage explanations
• Legal basis for processing
• Controller arrangements
• Cookie and fingerprinting practices

When our tag is placed on your website, we read:

IP address, User agent, Browser, Device, any first party cookies related to esbconnect. Where a user identifies themselves by inputting an email address, we read the email address.

Data is stored and processed within the UK/EU.

We have full security policy but these covers the core security principles.

• Encryption at rest and in transit
• Regular penetration testing
• Role-based access controls
• Data minimisation and pseudonymisation where appropriate

We refresh consent on the data we hold every 24 months. In general:

• Data is retained only while consent is valid and data is active/relevant
• Non-engaged users are suppressed after a defined inactivity window

When we contract with a brand, we will send a DPA (data processing agreement) which will specify the ways in which the data can be processed and used, including retention policies.

• Via unsubscribe links in every email
• Via the privacy hub at www.opt-me-in.com
• Via direct contact with esbconnect’s privacy team