Privacy Policy

Last update: October 30th, 2019

Who are we?

In Loco is a technology company that provides intelligence from geolocation data. Our solutions allow businesses to deliver more relevant services to you, the consumer, such as: (i) advertising of their available services and products based on the places visited by the user; (ii) contextualized communication between apps and users at the right time and moment; (iii) address validations without the need for document checks. We believe we can do all this without having to identify you, thereby ensuring you a non-negotiable right: the right to privacy.

How does our technology work?

To offer our services, we collect data from your mobile device through our SDK (Software Development Kit) installed in partner apps.

All of these apps are required to present our Privacy Policy in their own Terms and Conditions of Use and Privacy Policy, and inform you that some personal data might be collected by In Loco.

After you accept its Privacy Policy, the app will request the permissions needed to use the location functionalities on your device. Once authorized, In Loco starts to collect the data in a safe way and without identifying you.

With the devices’ location technology active, In Loco’s own technology can detect the presence of your mobile device in places such as stores, malls, parks, public squares, etc., disassociated from your identity. We do not collect data from visits to sensitive places such as religious temples, hospitals, political parties, places of adult entertainment, and others that might be used to make sensitive inferences.

The location data is transformed into convenience for you and solutions for businesses: we consolidate collected data into clusters – groups of unidentified consumers, aggregated by similar consumer behaviour – in order to create metrics about visit flow in stores; target ads according to device profile; send relevant app messages to you through push notification technology; and validate your home address automatically during registration, without the need for documents, if you so choose, as you register on apps that use In Loco’s technology.

Next, we explain in detail how In Loco deals with your data and respects your privacy, spelling out the specific purpose of each data type collected, how and for how long it will be used, with whom we share it and the processing responsibilities, as well as describing our opt-out process.

It is worth mentioning here that this Privacy Policy deals exclusively with In Loco’s matters of privacy related to the data we collected on mobile devices from partner apps.

How do we deal with privacy?

Privacy is our market differential and it is an essential condition for all decisions taken at In Loco. We are moved by a privacy by design & default strategy, that is, we think of privacy from the conception to the final use of our products.

Our technology was developed in a way that prevents access to information capable of re-identifying users. In Loco does not collect unique static identifiers of devices (IMEI and MAC), associated accounts (e-mail and telephone), civil identification data (name and social security number), or sensitive data – information that reveals ethnicity, religion, political opinion, membership of religious, philosophical, political or union entities, or data regarding health, sex life, genetics and biometrics.

What personal information do we collect?

When you use a partner application with our software installed, we can collect data about the device for different purposes that, in some way, bring value to you, the partner applications and the advertisers. That includes the mobile advertising IDs from Android and iOS, as well as location data acquired by the device’s sensors. It is important to note that this information is collected only with the proper consent and permissions given by you to the partner applications.

In keeping with our commitment to transparency, we detail below the types of data that can be collected from your mobile device by In Loco, in case you use some of our partner applications, and the purposes for which they are used.

Description:
  • Wi-Fi signals
  • Bluetooth-LE signals
  • Telephone signals
  • Activity (running, walking, driving)[1]
Uses:
  • Targeting for advertising oriented to your profile and applications’ internal communication with you based on visits to relevant places. Ex.: Users that visit a specific store.
  • Metrics for advertising and applications’ internal communication. Ex.: How many users have received advertisement A and visited place B?
  • Address validation for financial services[2]
  • Gender inferences. Ex.: Understand the demography of visitors.
  • Business intelligence for retail brands. Ex.: Which brands are receiving more visits in each region of the country?
  • Ads performance metrics. Ex.: How many views/clicks did an ad have?

Data type: Identifier
Description:
  • Advertising identifiers (we only store data after hashing it with salt or encrypting)
Uses:
  • Targeting and unique user counting. Ex.: How many users have viewed ad A? How many users have visited place B?

Data type: Device Data
Description:
  • Device models
  • Operating System
  • Operating System version
  • Performance metrics
  • IP (the last four digits are ignored to deliberately lose precision)
  • Network type (3G, 4G, Wi-Fi)
  • Network Provider
  • Screen resolution
  • Installed apps
Uses:
  • Debugging and monitoring of our SDK to improve its functionalities and the usage of resources (CPU, memory, network, battery etc.). Ex.: How many resources is our SDK consuming? Is feature X working as it should?
  • Fraud control. Ex.: What is the amount of requests from IP address X?
  • Advertisements targeting. Ex.: Impacting people from telephone company A.
  • Network resource optimization. Ex.: For a low-resolution or poor internet connection device, we can send lighter ads.
  • Market research. Ex.: How are app X users distributed in the country? What kind of places do they frequent?
  • Expansion strategies. Ex.: Identifying apps with fast growing user bases.
  • Ex.: Impacting users from app X with ads.
  • Gender inferences.

Data type: App Data
Description:
  • App sessions (when the app is opened and how long it remains open)
  • Events defined by app developers (registration of new user, in-app transactions, visualization of certain areas of the app and use of certain functionalities)
Uses:
  • Block the collection of data from underage users (<18).
  • Intelligence about the impact of push notifications communication on the usage of specific app features. Ex.: Places where certain functionalities are used; push campaigns’ impact on the usage of certain functionalities; increase and decrease of recurrence of use
  • Intelligence about the app usage and understanding push notifications communication effectiveness on the recurrence of the app usage. Ex.: Places where the app is most frequently used; time spent in app

[1] Google Play Services provides Android devices with a way to get this kind of data directly from the operating system, called activity recognition.
[2] The operation of this product is described here.

It is important to make clear that not all partner apps collect all the data described in this table. This is the maximum amount of data that we can collect from a device in our current technical condition.

We also receive data from the SSPs (Supply-side platforms) Adtelligent, Airpush, Appodeal, AppNexus, Clickky, IronSource, MobFox, PubNative, Smaato, SmartRTB, Tappx and DeCenterAds to send advertising campaigns contracted by our clients. SSPs are platforms that provide programmatic ad placement space in third-party applications. We use this approach to increase the number of available spaces where we can serve advertising to our users. Information received in this scenario is related to the device data and the app that made the advertisement request. This exchange follows a programmatic media industry standard, the OpenRTB protocol. It is important to note that we do not use any location data received by this protocol, because we consider our location technology more precise and reliable. All data received in this way follows our security standards and is encrypted.

This way, the data collected does not equip us with the tools to know your real life identity, but only to understand your preferences and context as a consumer, allowing us to recognize your device through time.

How do we handle child data?

In Loco does not make partnerships with child and teenage-oriented applications, nor does it offer services for companies that have children and teenagers as their target audience. Therefore, we do not intentionally gather personal information from users under 18 years of age. If you are a parent or guardian and know your child has provided personal data to us, please let us know. If we discover that we have collected personal data from children without the partner application having verified the consent of the parents, we will take the necessary measures to remove that information from our servers and, if the situation is not permanently resolved, end the partnership with the applications.

In Loco follows the standards of privacy from the regulations that regard data protection in Brazil and also the Children’s Online Privacy Protection Act (COPPA) from the United States.

Data Storage

In Loco stores data for a maximum of 4 (four) years, for use for the purposes described in this Privacy Policy. Exceptionally, we may retain and use your personal data to: (i) fulfill contracts, agreements and policies; (ii) comply with legal obligations (for instance, if necessary to abide by applicable laws); (iii) resolve disputes by court order. In Loco will also store anonymized data for analytics purposes.

We store data on the AWS Cloud. The storage in cloud servers (cloud computing) is an industry standard, because it allows for simple ways to gain scalability and security for all kinds of technological services.

In Loco’s data collection happens through a safe protocol and uses cryptography to protect the data transfer to our servers. Also, the data is stored in a safe database, in encrypted form and with restricted access policies, and is used only for the purposes expressed in this Privacy Policy.

With whom and why do we share our collected data

In Loco shares anonymized data with its clients and partners. Therefore, in general, clients or partners’ applications will not have access to your individualized visits history or any data that can re-identify you in a direct or indirect way. The exceptions are described below.

We also integrate with the platforms FireBase and Urban Airship for the sending of push notifications. In this scenario, we receive from the partners’ applications an identifier of the user in the push provider (one of the platforms listed above) and, at the moment we consider opportune for the sending of the notification, we trigger the platform with the message we want to display and the user identifier that should receive it.

We share clusters (groups of users with similar behaviour) of mobile advertising identifiers with the platforms Adobe DMP and AppNexus to optimize the delivery of our campaigns. This data cannot be used for any purpose other than delivering ads requested by In Loco.

If you have consented to electronic address validation for an application registration, through In Loco’s technology, we will receive from the application an address associated with a device (the “Request”) and send, using inferences about locations collected by that device, a digital proof of address (the “Answer”). The proof consists of a positive or inconclusive answer from our technology. In case of an inconclusive answer, we do not send anything else about the user and it is assumed we do not have enough information for an automatic validation. In case of a positive answer, we send a location count aggregation in a small region between 100 and 1150 meters in radius around the received address to certify the positive answer.

Do we make international transfers?

Data collected by In Loco may be transferred to, and maintained on, servers located outside of Brazil, where data protection laws may differ from Brazilian law. As stated in their respective Privacy Policies, some of the integrations we make with other platforms characterize international transfer. Your consent to this Privacy Policy represents your agreement to these transfers.

The servers of AWS, the cloud platform on which we store the data, are located in the USA. The Firebase and Airship services, used to send push notifications, are executed respectively in Google’s global infrastructure, and primarily in the USA. For the platforms with which we may share clusters of advertising identifiers, Adobe servers are located in the USA and Ireland, and AppNexus may store data in the USA, Singapore, Japan and Brazil.

How do we protect your personal data?

The security of the collected data is a priority issue at In Loco. Thus, we use security mechanisms in both data transport and storage, and we’re always updating our protection system. All our requests are made with HTTPS, a safe protocol and industry standard. Besides, the data is stored in encrypted form.

To increase data security and privacy, In Loco applies an encryption and hash function on the Mobile Advertising Id, resulting in identifiers for different uses, which are: (i) hashed ID for single counting and user profiling, which will be aggregated in clusters without the use of the Mobile Advertising Id; (ii) encrypted ID for recovering the Mobile Advertising Id in strictly necessary cases, such as legal obligations, guarantee of data subjects’ rights, or the sharing cases previously described in this policy. The encrypted IDs are accessed by a restricted number of employees who have access to the encryption key.

The elimination of the Mobile Advertising Id ends the risks associated with data access by any person without the key capable of decrypting the encrypted ID. Both identifiers kept (hashed ID and encrypted ID) are sufficient for all In Loco’s services and do not allow direct identification of data subjects. They also decrease the risk of the Mobile Advertising Id being used to identify them if cross-referenced with a third-party database that contains this Id linked to other personal data, such as e-mail, CPF, SSN etc. Therefore, in case of leakage or improper access of the data collected and processed by In Loco, the data subject will not be directly associated with it, reducing the risk of the person being physically or morally affected.

How to opt-out

In Loco always cares about the consumer experience and, therefore, gives you the option to "opt out". To start the process of opting out click here.

Opting-out is the consumer’s right to choose not to share their device data with companies. We clarify that, by opting out, you will not delete the partner application that allows In Loco to collect data on your device.

By opting out you will disable the collection and processing of data from your device for ad selection purposes by In Loco’s technology. Nevertheless, if you regret this decision, you can always reactivate our services by sending us an email at [email protected].

However, we emphasize that In Loco’s opt-out procedure does not disable advertising on your device. You will still receive ads, though not ads selected based on In Loco’s technology.

Finally, we clarify that the opt-out only disables In Loco’s actions, which means that companies other than In Loco will still collect data from your device. If you want to thoroughly disable the collection of device data associated with your advertising ID, you can change your device settings. Proceed as follows for Android or iOS devices:

iOS:
  • Select “Settings” > “Privacy” > “Advertising”
  • Select “Limit Ad Tracking”

Android:
  • Select “Google Setting” > “Ads”
  • Select “Opt Out of Ads Personalization”

It is also possible for you to reset your advertising ID, generating a new one, and, therefore, avoiding the recognition of your mobile device based on the data history associated with your old advertising ID. To do this, if you have an Android or iOS operating system, you can follow the steps below:

iOS:
  • Select “Settings” > “Privacy” > “Advertising”
  • Select “Reset Advertising Identifier”

Android:
  • Select “Google Setting” > “Ads”
  • Select “Reset Advertising ID”

If you have any queries about opt-out, please contact In Loco on our service channel: [email protected]

Privacy Policy Amendments

In Loco is always working to improve its services and to bring innovation for the consumers. This means that we may update and change the terms of this Privacy Policy from time to time. On our website, you will always find the latest version of the terms.

If you prefer, we can also notify you via email every time the Privacy Policy changes. To receive these notifications, you only have to send an email to us at [email protected]

Finally, we would like to remind you that if, after any future modification of this Policy, you no longer agree with it, you will always have the option to opt out, as explained in the previous section, in order to disable the processing of your device data by In Loco.

Contact us

If you still have questions, please contact the Data Protection Officer through our communication channel. In Loco encourages comments, questions and suggestions. To contact us, you can send an email to [email protected].