Oracle Data Cloud Privacy Policy

1. Introduction

It is important to Oracle that consumers have greater knowledge and control over information related to them that Oracle makes available to its Oracle Marketing Cloud and Oracle Data Cloud marketing services customers (“OMC/ODC services”). This privacy policy is designed to provide consumers (“you” or “your”) with tools to help understand and control the collection and use of that information.

2. Scope

This policy applies to Oracle’s handling of third-party information about you to provide OMC/ODC services (“Marketing Information”). “Third-party” information is information that Oracle receives from third parties and uses to provide OMC/ODC services in accordance with this privacy policy. This may include information that does not directly identify you and as well as information that does. The section of this privacy policy entitled “Types of Information Collected” describes the different types of information.

This policy does not apply to an OMC/ODC customer’s own collection and use of your information (known as “first party” information) to conduct marketing activities, including when they do so using Oracle products or services. For example, an Oracle customer may use the Oracle Marketing Cloud or other Cloud services to collect and manage only the data they themselves (or their agents) have collected or purchased, otherwise known as “first-party” information. This first-party information is collected, shared and used subject to the individual privacy policy of the Oracle customer that collected it, and therefore is not covered by this policy; please consult that company if you have any questions about its use of your information. Please note however, that if you use the opt-out tool described in this policy, Oracle will opt you out of first-party collection and use of your information facilitated by OMC/ODC services for interest-based advertising, in addition to opting you out of the third party collection described later in this policy.

If you are a visitor to an Oracle website or an Oracle customer, and wish to learn more about how Oracle uses information collected from you as part of your general relationship with Oracle or your visit to Oracle websites, please refer to the Oracle Privacy Policy.

3. Types of Information Collected

Marketing Information may include both offline and online information. Offline Marketing Information originates from sources such as brick-and-mortar or online retail stores, grocery stores and their associated loyalty cards, catalog orders and catalog address lists (“Offline Marketing Information”). Offline Marketing Information in the OMC/ODC that directly identifies a particular individual may include:

  • Name and physical address, email addresses, and telephone numbers
  • Behavioral or demographic attributes, when tied to personal identifiers
  • Transactional data based on past purchase behavior, when tied to personal identifiers
  • Company data such as the name, size and location of the consumer’s company and the consumer’s role within the company
  • Data from marketing opt-in lists, consumer surveys, or publicly available information

Online Marketing Information is collected based on Internet-based activity and does not directly identify you (“Online Marketing Information”). Online Marketing Information in the OMC/ODC that does not directly identify a particular individual may include:

  • Unique IDs such as a cookie placed on a computer, mobile or device IDs
  • Internet Protocol address (“IP address”) and information derived from IP address such as geographic location
  • Information about a device such as information contained in HTTP Headers (defined below) or other internet transfer protocol signals, browser or device type and version, operating system, user-agent strings and information about or from the presence or use of “apps” on mobile devices, screen resolution, and the consumer’s preferred language
  • De-identified personal information (such as email addresses that are de-identified so as to be non-identifiable to the recipient of such information)
  • Demographic information such as a consumer’s gender, age, and income range, when not tied to personal identifiers
  • Behavioral data of consumers’ computer or device usage on websites or apps, such as advertisements clicked, websites and content areas, date and time of activities
  • The web search a consumer used to locate and navigate to a website
  • Latitude/Longitude data (“Lat/Long data”)

4. How Information is Collected

Oracle may receive Marketing Information from third parties, such as our customers, data providers and data partners (“Data Sources”). Oracle allows our OMC/ODC Data Sources to send us Marketing Information that they have collected from both online and offline sources. This may include information from customer lists, website membership, or other information created from a third-party’s own technology (such as proprietary modeling or matching technology of other companies). Online Marketing Information is collected from your interactions on your computer or device including data contained in standard HTTP headers or HTML, collected by Cookies, or specific site interaction like clicks, advertisements viewed, and other online behavior able to be determined through JavaScript and Pixel Tags.

“Cookies” are small text files that contain a string of characters and uniquely identify a browser. They are sent to a computer by website operators or third parties. Most browsers are initially configured to accept cookies by default. You may, however, be able to change your browser settings to cause your browser to refuse third-party cookies or to indicate when a third-party cookie is being sent. Check your browser’s “Help” files to learn more about handling cookies.

“HTML” is the language used to write webpages. HTML may include “Pixel Tags” or small strings of code contained in HTML that provide a method for delivering a graphic image on a webpage, email, or other electronic document. Pixel tags allow the operator of the webpage or other document, or a third party who serves the pixel tag, to set, read, and modify cookies on, and to transfer other data to, the browser used to view the webpage or other document. Pixel tags may also be used to obtain information about the computer being used to view that webpage or other document, including the IP address of the computer that the tag is sent to, the time it was sent, the consumer’s operating system and browser type, and other similar information.

“HTTP Headers” are information that is transmitted whenever a webpage is viewed, and contain technical information required for communication between a browsing device and a website server. Other electronic communication protocols (such as those used for email) also use headers to transmit information. Our OMC/ODC customers may transmit information through HTTP (or other electronic communication protocol) headers to Oracle or otherwise direct Oracle to retrieve such information from consumers’ interaction with the customer’s website. This may include information about the device browser, the requested webpage, server and other information the customer knows about the consumer, its computer or device (such as a carrier or device identifier).

5. How Oracle Uses Marketing Information

OMC/ODC customers and partners use Profiles and Interest Segments (each defined below) for marketing campaigns to try to make the content and ads that consumers receive more relevant. Profiles and Interest Segments are based on offline or online interactions with the consumer that have been collected by Oracle’s Data Sources to infer interests. When we receive Offline Marketing Information that identifies a consumer, we remove the direct identifiers, such as name, address, telephone number, and email address, prior to using it for online interest-based advertising.

A “Profile” is a set of attributes about a specific consumer, computer or device, or a set of multiple computers or devices sharing common attributes. An “Interest Segment” is a group of Profiles that share a common behavior or preference. For example, we may create an Interest Segment consisting of Profiles interested in “Travel.” We create these Interest Segments based on the information available to us and the preferences and requests of our customers.

We may prepare reports and metrics based on Marketing Information that provide our customers with the number of consumers in an Interest Segment using aggregated data on consumers’ activity on the websites where Interest Segments are collected and used. We may also prepare aggregate reports for our customers that measure the effectiveness of their marketing campaigns. The reports and metrics provided to our customers do not include any Marketing Information that directly identifies a consumer.

Offline Marketing Information may be used by our customers for offline direct mail campaigns. Oracle may supplement a customer’s marketing list or provide a customer with potential prospective consumers to assist the customer with offline direct marketing. Consumers may opt-out of Oracle’s use of Marketing Information as described below in the “Opting Out” section.

We may also use Marketing Information for billing, auditing, research and development purposes, for our internal operational purposes, and to create aggregate statistics for market research or analytics services. Aggregated statistics do not include any information that directly identifies a consumer.

6. How Oracle Creates Cookie IDs and Other Identifiers

Oracle creates Profiles using various methods and technologies. Oracle creates offline Profiles and Interest Segments at the household level and/or individual level by using past purchase behavior, demographic data, and behavioral attributes. Oracle creates online Profiles through the use of cookies, cross-device/cross-context technology (explained below), or other unique identifiers provided to us by our customers (such as mobile advertising IDs).

Oracle associates each Cookie used for interest-based advertising that we set on a consumer’s web browser with a unique identifier (“Cookie ID”). When our Data Sources transmit information about that web browser to us, or otherwise direct Oracle to collect information from the interaction between that web browser and a webpage, we use the Cookie ID to store the information into a Profile with the same Cookie ID. For example, a computer with a pre-existing Oracle interest-based advertising Cookie may be used to browse airline prices to Hawaii on a travel website one day, and the next day used to browse for used cars on an automobile listing website. Oracle will record that the Profile associated with that Cookie ID is interested in both travel to Hawaii and used cars.

Other Identifiers. Oracle may create a statistical ID (“Stat ID”) for a user or a group of users using the user agent string and IP address. Creating a stat ID involves computing and then assigning a probabilistic identifier to a device or a group of devices based on information contained in the header. Multiple users may share a Stat ID or one user may have multiple Stat IDs. Data Sources may create or collect other unique identifiers and provide those to Oracle. These may include IDs intended for marketing use (such as mobile advertising IDs), hashed email, or proprietary identifiers created by the Data Sources. Oracle may create connections between these and other identifiers.

7. Cross-Device/Cross-Context Technology

Oracle may also link Profiles using cross-device/cross-context technology. This technology is designed to enable Oracle and its customers to connect a consumer’s Interest Segments across the various devices or contexts where the consumer is browsing digital content. For example, a single consumer might use multiple browsers on a single device, or use various devices (such as desktops, smartphones, and tablets), which can result in a consumer having multiple Profiles across these various contexts and devices. Cross-device/cross-context technology may be used to connect these various Profiles and the corresponding Interest Data from the different contexts and devices.

Oracle does this through both deterministic and statistical methods. The deterministic method leverages data that does not change, such as a consumer logging into a single account on multiple devices. The statistical method leverages non-fixed data about the device or browsers that help identify devices or contexts, like partial or full IP address and browser version. Oracle analyzes this data to determine if the devices or contexts are likely to be related to a single consumer. When a probable connection is found, Oracle creates links between the Profile IDs from the different devices/contexts using a reference table to link these devices or contexts. Oracle customers can then use linked Interest Data when serving interest-based advertising and other content across the consumer’s devices/contexts. For example, a consumer searching for trips to Hawaii on a Chrome browser may switch to a mobile application. When this happens, if Oracle has linked the Cookie ID from the Chrome browser to the mobile advertising IDs, Oracle can then provide the consumer with advertising related to Hawaiian vacations on the consumer’s mobile device. Consumers may opt out of Oracle’s use of cross-device technology as described below in the “Opting Out” section.

8. Disclosure of Marketing Information

We disclose Marketing Information to our OMC/ODC customers to facilitate our customers’ use of the OMC/ODC services for executing offline and online marketing campaigns. Our customers may use third-party service providers, acting on their behalf, to create and display advertising or other content that reflects a Profile’s membership in an Interest Segment. When Oracle shares your Marketing Information with OMC/ODC customers, we require them to use Marketing Information consistent with this Policy and to maintain the confidentiality of that information.

We may also share Marketing Information with third-party service providers in order for those service providers to perform business functions for Oracle or on behalf of Oracle customers. When Oracle shares your Marketing Information with third party service providers, we require them to use Marketing Information only for the purpose of providing services to us and to implement security controls to maintain the confidentiality of that information.

Oracle may also use or disclose Marketing Information as we believe to be necessary or appropriate: (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

Additionally, in the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may transfer Marketing Information to the relevant third party.

9. Retention of Marketing Information

Oracle sets Online Marketing Information collected for interest-based advertising to expire within 180 days from the date it is collected. For example, if you last browsed an applicable travel website for airline tickets to Hawaii on January 1, your membership in Oracle’s “Travel to Hawaii” Interest Segment would expire from your Profile by July 1. Device identifiers used for cross-device/cross-context technology, as described above, are retained for 365 days. On an occasional basis and in accordance with applicable law, Oracle may permit some OMC/ODC customers to retain Marketing Information for up to 36 months for limited purposes such as seasonal or cyclical interest-based advertising campaigns or internal analytics and model development; such customers are required to delete this Marketing Information at the end of the agreed time period.

Oracle may also retain Offline Marketing Information and other statistical data related to the performance, operation and use of OMC/ODC services for more than 180 days for security and operations management, statistical analyses, service improvement, and research and development.

10. Accessing Marketing Information

Oracle maintains a consumer tool called the Oracle Data Cloud Registry (“Registry”), which allows you to view the type of third-party online Interest Segments in the Oracle BlueKai Marketplace that is applicable to the device that views the Registry. Please note that the Interest Segments you see within the Registry are information from the Profile associated with the specific browser, computer or device that you are using to visit the Registry. You may see different segments when viewing the Registry from a different browser, computer or device.

You may request to review, correct, update, suppress, or otherwise modify your Offline Marketing Information, or object to the use or processing of such Offline Marketing Information by us, via written request to the address supplied below. Oracle will provide you with a copy of the Offline Marketing Information in our databases, including a list of the Interest Segments that we have associated with you. You may request to receive this information by sending a written request, along with a copy of government-issued identification to verify your identity, to:

Chief Privacy Officer, Oracle
10 Van de Graaff Drive
Burlington, MA 01803
United States of America

While the majority of questions and issues related to access can be handled quickly, complex requests may take more research and time. In such cases, you will be contacted regarding the nature of the request and appropriate next steps within thirty days from the date of receipt of the request. We cannot provide information that is collected and controlled solely by our customers. If you have questions in regards to the privacy practices of our customers, Oracle recommends that you contact that customer directly.

11. Opting-Out

As described above, Oracle uses third party Offline and Online Marketing Information to provide OMC/ODC services to our customers. We also provide consumers the ability to opt out of Oracle’s use of that information.

Online Marketing Information Opt-Out. Oracle offers multiple ways for you to opt out of third-party collection and use of your Marketing Information for online interest-based advertising. Opting out does not mean you will stop seeing online advertisements, but the advertisements you do see will not be influenced by Marketing Information collected using the OMC/ODC. If your browser accepts cookies, you can opt out directly from the OMC/ODC’s third-party interest based advertising by downloading Oracle’s OMC/ODC opt-out cookie for Datalogix, AddThis, Crosswise, and BlueKai (“Opt-out Cookie”). This Opt-out Cookie, when deposited on your browser, will prevent the OMC/ODC from creating Interest Segments based on information collected from that browser. You can access and learn more about the Opt-out Cookie here. The Opt-out Cookie is configured to opt-out for a minimum of 20 years if left undeleted.

Opt Out

You may also opt out using tools provided by the following industry groups. (Oracle’s participation in these organizations may appear under the “BlueKai” or “Datalogix” names.)

  • Digital Advertising Alliance (DAA): http://www.aboutads.info/choices/
  • Network Advertising Initiative (NAI): http://www.networkadvertising.org/choices/
  • European Interactive Digital Adverting Alliance (EDAA): http://www.youronlinechoices.eu/ and http://www.edaa.eu/

Note: The opt-out tools described above are currently Cookie-based and prevent Oracle from using Marketing Information for interest-based advertising on the browser on which they are installed. As a result, the opt out will only function if your browser is set to accept third-party Cookies and may not function where Cookies are sometimes automatically disabled or removed (e.g., certain mobile devices and operating systems). If you delete Cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt out again. Oracle does not use persistent, unique identifiers to revive a previously opted-out profile or deleted Cookie.

Also note: The OMC/ODC may interact with third parties who engage in interest-based advertising in conjunction with certain OMC/ODC services. For example, an Oracle customer may use Oracle Marketing Cloud services to send promotional emails to you, and include tags in those emails that enable a third party to place a Cookie on your web browser. The Oracle customer and the third party may use this Cookie to collect data about you and engage in interest-based advertising at a later time. Because in this limited circumstance, opting out with Oracle’s own opt-out Cookie will not currently prevent the third parties from collecting or using Marketing Information for interest-based advertising, Oracle encourages you to use the NAI, DAA, and EDAA opt-out tools described above if you are interested in opting out of this sort of activity.

Cross-Device/Cross-Context Opt-Out. When you opt out of interest-based advertising above and Oracle has used cross-device/cross-context technology to link that profile to other devices or contexts, Oracle will break the connections from the opted-out profile to those other devices or contexts. If you wish to opt out of interest-based advertising based on your other devices or contexts, you should exercise one of the opt-out options discussed above using each of the devices/contexts (including each browser) that you use.

Mobile Opt-Out. The OMC/ODC allow customers to use Marketing Information collected from mobile devices for interest-based advertising. While the opt-out methods described above often work for mobile web browsing, they are Cookie-based and are therefore less reliable in mobile “app” environments that may not accept Cookies. As an alternative, Oracle suggests you download AppChoices App provided by the Digital Advertising Alliance (DAA). This app allows consumers to exercise opt-out control for specific companies, including Oracle, and provides a more reliable opt-out signal when you are in a mobile app.

Offline Marketing Information Opt-out. Oracle honors your choice to opt out of the use of Offline Marketing Information for offline direct mail campaigns or online interest-based advertising. To process your request to opt out, we require your name, address and email address. Your request will take effect within 30 days. You may still receive marketing due to marketing campaigns already underway; however, you will be opted out of all future marketing campaigns. You can access offline opt-out here.

If you would like to opt out of all direct mail marketing to your home address, you may visit the Data ∓ Marketing Association website for information on how to reduce direct mail marketing to your home address.

Do Not Track. Oracle does not uniformly process do-not-track signals from browsers. However, you may prevent Oracle from collecting Interest Segments using Cookies on a browser by blocking third-party Cookies in that browser. If you block third-party Cookies from being set on your browser, you may not be able to enjoy some features or functionality of, and you may see the same content and advertisements repeatedly on, some websites.

Oracle may add additional opt-out tools over time as they become available.

12. Oracle’s Commitment to Privacy Standards

Industry Involvement. Oracle is a member of, and adheres to the self-regulatory principles of, the Data & Marketing Association (DMA), Direct Marketing Association UK (DMA UK), Network Advertising Initiative (NAI), Interactive Advertising Bureau (IAB), Digital Advertising Alliance (DAA), Digital Advertising Alliance of Canada (DAAC), and European Digital Advertising Alliance (EDAA). As a member of these organizations, Oracle works with industry-leading companies to address important privacy and consumer protection issues in offline direct marketing and online advertising.

The NAI has created a compliance program that incorporates attestation reviews, a consumer complaint process, sanctions and annual reporting to help ensure that member companies keep their promises to you and abide by the NAI’s Self-Regulatory Code of Conduct. Click here to learn more about the NAI.

The Digital Advertising Alliance (DAA), Digital Advertising Alliance of Canada (DAAC), and European Digital Advertising Alliance (EDAA) provide self-regulatory Principles for Online Behavioral Advertising. Click here to learn more about the DAA. Click here to learn more about the DAAC. Click here to learn more about the EDAA.

Data Sources. Oracle requires our Data Sources to comply with laws applicable to their collection, use and sharing of Marketing Information, and to maintain their own privacy policies that disclose their practices as required by applicable laws. Oracle permits these companies to link directly to this privacy policy. Oracle also mandates that these companies obtain your consent as required by applicable law, including consents required to collect, use, and share your information.

Sensitive Data. Oracle is aware of the sensitivity of certain types of data. We do not create any online Interest Segments that reflect third-party Marketing Information that we consider sensitive. While the types of Marketing Information considered sensitive may vary among consumers, we presently treat online Marketing Information as sensitive if it includes precise health information (such as a consumer having a certain medical condition like cancer or diabetes); certain aspects of a consumer’s personal life or financial situation; or interest in “adult” products or services. If you would like to view the list of third-party health and wellness Interest Segments available in the Oracle BlueKai Marketplace, please click here (PDF). We may further restriction segments based on the differing laws in countries outside of the United States. We do not allow our Marketing Information to be used for employment, credit, healthcare, or insurance eligibility purposes. Our customers who collect their own data (first-party data), including those who choose to share their data with other third parties, may have their own standards of what they consider sensitive; however, Oracle requires all such customers to comply with laws applicable to sensitive information.

Children. We do not intentionally collect Marketing Information from, and do not tailor any services to, children under 13 years of age. We prohibit our Data Sources from providing Oracle with information from sites directed to children under the age of 13 or from consumers whose age these companies know to be under the age of 13.

13. Security

The security of Marketing Information is very important to Oracle. We use physical, technical, and administrative safeguards that are designed to protect Marketing Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

In the event that Oracle determines that Marketing Information identifying you and stored in the OMC/ODC is acquired, or is reasonably believed to have been acquired, by an unauthorized person and applicable law requires notification, Oracle will, consistent with the reasonable needs of law enforcement and subject to applicable law, notify the applicable Data Source who provided Oracle with the information so that it may notify you.

14. Cross Border Transfer

Oracle is a global corporation with operations in over 80 countries and has developed global data security practices designed to ensure that your personal information is appropriately protected. Please note that personal information may be transferred, accessed and stored globally as necessary in accordance with this privacy policy.

Oracle complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention when a customer and Oracle have agreed by contract that transfers of personal information from the European Economic Area (“EEA”) or Switzerland will be transferred and processed pursuant to the Privacy Shield for the relevant services. When conducting those activities on behalf of its EEA or Swiss customers, Oracle holds and/or processes personal information provided by the EEA or Swiss customer at the direction of the customer. Oracle will then be responsible for ensuring that third parties acting as an agent on our behalf do the same.

Oracle has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.

The following entities are covered entities under Oracle’s Privacy Shield self-certification: Delphi Asset Management Corporation; MICROS Fidelio Worldwide LLC; Oracle America, Inc.; Oracle Financial Services Software America, Inc.; Oracle Financial Services Software, Inc.; Oracle International Corporation; Oracle Taiwan LLC; Bronto Software, LLC; Monexa, LLC, NetSuite, Inc.; OrderMotion, Inc. With respect to personal information received or transferred pursuant to the Privacy Shield Framework, Oracle is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission and commits to cooperate with EU data protection authorities.

15. Dispute Resolution

If you have any complaints regarding our compliance with this privacy policy, you should first contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this privacy policy.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

16. Contact Us

Oracle has appointed a Chief Privacy Officer. If you believe your personal information has been used in a way that is not consistent with this privacy policy or your specified preferences, or if you have further questions related to this privacy policy, please contact the Chief Privacy Officer by filling out an inquiry form.

Written inquiries may be addressed to:

Chief Privacy Officer, Oracle Corporation
10 Van de Graaff Drive
Burlington, MA 01803
United States of America

17. Corporate Headquarters

Oracle’s corporate headquarters are located at:

500 Oracle Parkway
Redwood Shores, CA
94065, USA
Tel: +1.650.506.7000
Fax: +1.650.506.7200

18. Policy Updates

Oracle may update this privacy policy from time to time. In the event we make material changes that reduces your rights or Oracle obligations under this privacy policy, we will post a prominent notice in this section of this privacy policy notifying users when it is updated.

Policy Updated: February 13, 2018.