Who are we?
In Loco is a technology company that provides intelligence from geolocation data. Our solutions allow businesses to deliver more relevant services to you, the consumer, such as: (i) advertising to their services and products available considering the places visited by the user; (ii) the communication between apps and users at the right time and moment; (iii) address validations without the need for document checks. We believe we can do all this without having to identify you, therefore, ensuring you a non-negotiable right: the right to privacy.
How does our technology work?
With the devices’ location technology active, In Loco’s own technology can detect the presence of your mobile device in places such as stores, malls, parks, public squares, etc., disassociated from your identity. We do not collect data from visits to sensitive places such as religious temples, hospitals, political parties, places of adult entertainment, and others that might be used to make sensitive inferences.
The location data is transformed in convenience to you and solutions to businesses: we consolidate collected data into clusters – groups of unidentified consumers, aggregated by similar consumer behaviour – in order to create metrics about visit flow in stores; target ads according to device profile; send relevant app messages to you through push notifications technology; and validate your home address automatically during registration, without the need for documents, if you choose so, as you register on apps that use In Loco’s technology.
We will explain in detail next how In Loco deals with your data and respects your privacy, spelling out the specific finality of each data type collected, how and for how long it will be used for, with whom we share it and the processing responsibilities, as well as describing our opting out process.
How do we deal with privacy?
Privacy is our market differential and it is an essential condition for all decisions taken at In Loco. We are moved by a privacy by design & default strategy, that is, we think of privacy from the conception to the final use of our products.
Our technology was developed in a way to prevent access to information capable of re-identifying users. In Loco does not collect unique static identifiers of devices (IMEI and MAC), associated accounts (e-mail and telephone), civil identification data (name and social security number), as well as sensitive data – information that reveals ethnicity, religion, political opinion, religious, philosophical, political or union entities membership or data regarding health, sex life, genetics and biometrics.
What personal information do we collect?
When you use a partner application with our software installed, we can collect data about the device for different purposes that, in some way, bring value to you, the partners applications and the advertisers. That includes the mobile advertising IDs from Android and iOS, as well as location data acquired by the device’s sensors. It is important to notice that these information are collected only with proper consent and permissions given by you to the partner applications.
According to our commitment to transparency, we detail below the types of data that can be collected from your mobile device by In Loco, in case you use some of our partner applications, and for which finalities they are used.
Activity (running, walking, driving)
|Targeting for advertising oriented to your profile and applications’ internal communication with you based on relevant places visits. Ex.: Users that visit a specific store.|
|Metrics for advertising and applications’ internal communication. Ex.: How many users have received advertisement A and visited place B?|
|Address validation for financial services|
|Gender inferences. Ex: understand the demography of visitors.|
|Business intelligence for retail brands. Ex.: Which brands are receiving more visits in each region of the country?|
|Ads performance metrics. Ex: how many views/clicks had an ad?|
|Identifier||Advertising identifiers (we only store data after hashing it with salt or encrypting)||Targeting and unique user counting. Ex.: How many users have viewed ad A? How many users have visited place B?|
Operating System version
IP (the last four digits are ignored to deliberately lose precision)
Network type (3G, 4G, Wi-fi)
|Debugging and monitoring of our SDK to improving its functionalities and the usage of resources (CPU, memory, network, battery etc.). Ex.: How many resources is our SDK consuming? Is feature X working as it should?|
Ex.: What is the amount of requests from IP address X?
Ex.: Impacting people from telephone company A.
Network resource optimization.
Ex.: For a low-resolution or poor internet connection device, we can send lighter ads.
Ex.: How are app X users distributed in the country? What kind of places do they frequent?
Ex.: Identifying apps with fast growing user bases.
Ex.: Impacting users from app X with ads.
Apps session (when is the app opened and how much time does it remain opened)
Events defined by apps developers (registration of new user, in-app transactions, visualization of certain areas of the app and use of certain functionalities)
|Block the collection of underage users data.(<18)|
Intelligence about the impact of push notifications communication on the usage of specific app features.
Ex.: Places where certain functionalities are used; push campaigns’ impact on the usage of certain functionalities; increase and decrease of recurrence of use
Intelligence about the app usage and understanding push notifications communication effectiveness on the recurrence the the app usage.
Ex.: Places where the app is most frequently used; time spent in app
It is important to make clear that not all partner apps collect all the data described in this table. This is the maximum amount of data that we can collect from a device in our current technical condition.
We also receive data from the SSPs (Supply-side platforms) Adtelligent, Airpush, Appodeal, AppNexus, Clickky, IronSource, MobFox, PubNative, Smaato, SmartRTB, Tappx and DeCenterAds to send advertising campaigns hired by our clients. SSPs are platforms that provide programmatic media veiculation space in third-party applications. We use this approach to enhance the amount of available spaces in where we can veiculate advertising for our users. Information received in this scenario is related to the device data and the app that made the advertisement request. This exchange follows a programmatic media industry standard, the OpenRTB protocol. It is important to note that we do not use any location data received by this protocol, because we consider our location technology more precise and reliable. All data received in this way follows our security standards and is encrypted.
This way, the data collected does not equip us with the tools to know your real life identity, but only to understand your preferences and context as a consumer, allowing us to recognize your device through time.
How do we handle child data?
In Loco does not make partnerships with child and teenage-oriented applications, neither does it offer services for companies that have children and teenagers as target audience. Therefore, we do not intentionally gather personal information from under 18 years users. If you are a parent or guardian and know your child has provided personal data for us, please let us know. If we discover that we have collected personal data from children without the partner application having verified the consent of the parents, we will take the necessary measures to remove those informations from our servers and end the partnership with the applications, in the case of this situation not being permanently solved.
In Loco follows the standards of privacy from the regulations that regard data protection in Brazil and also the Children’s Online Privacy Protection Act (COPPA) from the United States.
We store data on the AWS Cloud. The storage in cloud servers (cloud computing) is an industry standard, because it allows for simple ways to gain scalability and security for all kinds of technological services.
With whom and why do we share our collected data
In Loco shares anonymized data with its clients and partners. Therefore, in general, clients or partners’ applications will not have access to your individualized visits history or any data that can re-identify you in a direct or indirect way. The exceptions are described below.
However, a partner application can hire In Loco’s services, which includes integration with platforms of customer relationship management - the custom relationship managers (CRMs) - for a personalized communication with you, the user. In this case, by integrating with us, the applications can receive the information that you visited one of their physical stores or their competitors’. This data is associated with your identifier on the partner application.
We also integrate with the platforms FireBase and Urban Airship for the sending of push notifications. In this scenery, we receive from the partners’ applications an identifier of the user in the push provider (one of the platforms listed above) and, in the moment we consider opportune for the sending of the notification, we trigger the platform with the message we want to display and the user identifier that should receive it.
We share clusters (groups of users with similar behaviour) of mobile advertising identifiers with the platforms Adobe DMP and AppNexus for optimizing our campaigns delivery. This data cannot be used for other ends but deliver ads solicited by In Loco.
In the case you have consented for electronic address validation for an application registration, through In Loco’s technology, we will receive from the application an address associated with a device (the “Request”) and send, using inferences about locations collected by that device, a digital proof of address (the “Answer”). The proof consists of a positive or inconclusive answer from our technology. In case of inconclusive answer, we do not send anything else about the user and it’s assumed we don’t have enough information for an automatic validation. In case of positive answer, we send a location count aggregation in a small region from 100 and 1150 meters of radius around the received address to certify the positive answer.
The AWS servers, cloud platform in which we store the data, is located in the USA. The Firebase and Airship services, used to send push notifications, are executed respectively in Google’s global infrastructure, and primarily in the USA. For the platforms that we may share cluster of advertising identifiers, Adobe servers are located in the USA and Ireland, and AppNexus may store data on USA, Singapore, Japan and Brazil. The Braze platform stores data in the USA and European Union, and the Localytics stores data mainly in the European Union, establishing rules to keep a similar level of protection in case of transfer to outside the European Economic Area. Both (Braze and Localytics) are CRM platforms we integrate with, to send location data related to the business of In Loco's partner apps.
The security of the collected data is a priority issue at In Loco. Thus, we use security mechanisms in both data transport and storage, and we’re always updating our protection system. All our requests are made with HTTPS, a safe protocol and industry standard. Besides, the data is stored in encrypted form.
To increase data security and privacy, In Loco applies an encryption and hash function on the Mobile Advertising Id, resulting in identifiers for different uses, which are: (i) hashed ID for single counting and users profiling, which will be aggregated in clusters without the use of Mobile Advertising Id; (ii) encrypted ID for recovering Mobile Advertising Id in strictly necessary cases, such as legal obligations, guarantee of data subjects’ rights, or the sharing cases previously described in this policy. The encrypted IDs are accessed by a strict number of employees who have access to the encryption key.
The elimination of the Mobile Advertising Id ends risks associated to data access from any person without the key capable of decrypting encrypted ID. Both identifiers kept (hashed ID and encrypted ID) are sufficient for all In Loco’s services and do not allow direct identification of data subjects, as well as decreasing risks of the Mobile Advertising Id being capable to identify them in case of confrontation with a third-party database that contains this Id linked to other personal data, such as e-mail, CPF, SSN etc. Therefore, in case of leakage or improper access of the data collected and processed by In Loco, the data subject will not be directly associated with it, reducing the risk of the person from being physically or morally affected.
How to opt-out
In Loco always cares about the consumer experience and, therefore, makes it available for you to "opt-out". To start the process of opting-out click here.
Opting-out is the consumer’s right to choose not to share their device data with companies. We clarify that, by opting out, you will not delete the partner application that allows In Loco to collect data on your device.
By opting out you will disable the collection and processing of data from your device for ad selection purposes by In Loco’s technology. Nevertheless, if you regret this decision, you can always reactivate our services by sending us an email at [email protected].
However, we emphasize that In Loco’s opt-out procedure does not disable advertising on your device. You will still receive ads, though not ads selected based on In Loco’s technology.
Finally, we clarify that the opt-out only disables In Loco’s actions, which means that companies other than In Loco will still collect data from your device. If you want to disable thoroughly the collection of device data associated with your advertising ID, you can change your device settings. Proceed as follows for Android or iOS devices:
- Select “Settings” > “Privacy” > “Advertising”
- Select “Limit Ad Tracking”
- Select “Google Setting” > “Ads”
- Select “Opt Out of Ads Personalization”
It is also possible for you to reset your advertising ID, generating a new one, and, therefore, avoiding the recognition of your mobile device based on the data history associated with your old advertising ID. To do this, if you have an Android or iOS operating system, you can follow the steps below:
- Select “Settings” > “Privacy” > “Advertising”
- Select “Reset Advertising Identifier”
- Select “Google Setting” > “Ads”
- Select “Reset Advertising ID”
If you have any queries about opt-out, please contact In Loco on our service channel: [email protected]
Finally, we would like to remember that if, in any future modification of this Policy, you no longer agree with it, you will always have the option to opt-out, as explained in the previous item above, in order to disable the processing of your device data by In Loco.