Kochava Data Security & Privacy

Your trust and the safety of your data are critical foundations of Kochava’s privacy-first data solutions.

As an industry-leading technology provider, we help enable compliance and ensure the security of your data and that of your customers. In today’s privacy-centric data economy, brands can form closer connections with consumers than ever before by building trusted relationships. Therefore, it is vital to protect information being shared across platforms and connected devices while also empowering consumers with choice.

CCPA

The California Consumer Privacy Act (CCPA) represents a significant shift in state-side consumer data privacy legislation, with implications for brands serving and targeting consumers in the state of California.

For answers to important questions about your business, Kochava, and the CCPA, visit our CCPA FAQ.

CCPA requires brands to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. Privacy policies must be designed and presented in a way that is easy to read and understandable to an average consumer. Unlike Europe’s General Data Protection Regulations (GDPR), which required app developers to “ask consumers for consent,” the CCPA requires developers to provide consumers a mechanism to “opt-out” from having their personal data sold, with stricter “opt-in” mechanisms for minors. Full legislation here.

The CCPA took effect on January 1st, 2020, with enforcement commencing no later than July 1st, 2020.

Kochava complies with the CCPA in its capacity as a “service provider” in providing Kochava Measurement services.

As an acting member of the Interactive Advertising Bureau (IAB), Kochava is enacting the IAB’s CCPA Compliance Framework within our native measurement SDKs.


GDPR

The General Data Protection Regulation (“GDPR”) creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies like Kochava that process personal data about individuals in the EU. Kochava is, and will continue to be, compliant with all data privacy laws across the globe. We are committed to complying with GDPR legislation and collaborating with partners to facilitate compliance.

We thought it would be helpful to provide the context upon which Kochava delivers its services to clients in order for you to better understand how Kochava complies with GDPR and treats client data.


Kochava provides a number of different services to clients:


Kochava Measurement

A comprehensive set of data analytics and attribution tools

The characteristic Kochava Measurement client is a company that has created an app and wants to measure every aspect of an advertising campaign promoting it. The Kochava Measurement client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. The client pays Kochava a fee for providing this service. The data remains the exclusive property of the client at all times.


Free App Analytics

A limited set of free data analytics and attribution tools.

The characteristic Free App Analytics (“FAA”) client is a company that has created an app and wants to measure the performance of an advertising campaign promoting it. The FAA client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. Instead of the client paying Kochava a fee for this service, the FAA client allows Kochava to use the data for Kochava’s own purposes. There are two distinct differences between Kochava Measurement and FAA: (1) The FAA client has access to a limited set of data analytics tools, whereas the Kochava Measurement client has access to the full suite of tools; and (2) the FAA client receives the service free of charge in exchange for granting first-party data rights to Kochava, whereas the Kochava Measurement client pays Kochava a fee for services without granting additional data rights. Kochava does not, and will not, determine the purposes or means of processing personal data of European data subjects for any of its clients. As such, Kochava operates exclusively as a Data Processor under GDPR across each of its business units.

Business Unit Role Legal Basis
Kochava Measurement Data Processor Kochava processes data on behalf of its clients.
Free App Analytics Data Processor Kochava processes data on behalf of its clients.

In its capacity as a Data Processor, Kochava adheres to the rules of the GDPR as follows:

Data Protection by Design

The Kochava Measurement and FAA service platforms (“Platform”) are designed to enable clients to:

  • Determine which personal data the Platform processes;
  • Limit the collection of personal data to that which is adequate, relevant, and necessary for the purpose of which they are processed;
  • Manage the retention periods of personal data; and
  • Destroy personal data.

Data Protection by Default

The Platform is designed to:

  • Process personal information in conformance to the instructions provided by the client;
  • Collect only the personal data that are necessary for fulfilling the purposes of which they are processed;
  • Make personal data accessible only to a limited number of people whose job requires such access; and
  • Ensure a level of security appropriate to the risk of processing personal data.

Collection of "Sensitive" Personal Data

Kochava contractually prohibits its clients from utilizing the Platform to collect, process, or otherwise handle sensitive personal data.

Data Retention

Kochava does not keep personal data any longer than is necessary for the purposes for which it is being processed. Kochava deletes personal data after a client’s contract has expired or has been terminated.

Incident Response

Kochava will continue to promptly inform clients of incidents involving personal data in line with the data incident terms in our current (and any subsequently updated) agreements. Kochava maintains, and will continue to invest in, advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay.

Third-Party Audit

Kochava is audited annually by an independent third party against GDPR and ISO/IEC 27001:2013 standards.

International Transfers

Kochava ingests client data to its cloud servers from locations across the world. Upon ingestion, Kochava transfers the data to its secure processing facility located in the United States. Kochava is certified under the EU-U.S. Privacy Shield frameworks, which is a legal mechanism to enable the transfer of personal data from the European Economic Area to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. See more here.

Kochava also offers clients EU-approved Model Contract Clauses upon request.

Kochava will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and is committed to having an ongoing lawful basis for data transfers in compliance with applicable data protection laws.

Subprocessing

Kochava does not subcontract any of its processing operations to a subprocessor in the absence of a written agreement which contractually obligates the subprocessor to adhere to all applicable GDPR data processing requirements.

Opt-Out & Right to be Forgotten

You may click here click here to be redirected to the Kochava web page dedicated to providing guidance on opting out of interest-based advertising.

In order to protect your privacy, Kochava has engineered its systems to not collect identifying information such as email, name, and phone number. However, GDPR considers mobile device identifiers and IP addresses to be “personal information.” A mobile device identifier is a unique string of 30+ numbers associated with your device (e.g., cell phone). An IP address is a series of numbers separated by periods that identifies each computing device using a particular “Internet Protocol” at a given time to communicate over a network.

If you are concerned that Kochava has this information, we will be happy to delete it from our systems upon request. You may submit a request to delete all your personal information by emailing Kochava at privacy@kochava.com or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.

Opt Out Policy

Additional Terms

In its capacity as a processor of personal data, Kochava will ensure its contractual agreements with clients require the parties to adhere to the respective obligations of controllers and processors. Furthermore, Kochava will enter into data-processing agreements with clients where required.

Standards, Regulations & Certifications

Kochava and Trusted Partners†

Comprehensive controls over security and risk management

A framework for transferring and processing EU data in the US

Kochava is a registered member of the Trustworthy Accountability Group

Controls over financial reporting

Controls over security, availability, and confidentiality

Public report of controls over security, availability, and confidentiality

Securing cloud computing environments.

German standard for information security of cloud services.

Service Level Standards

The Kochava Platform will operate and otherwise comply and function in all material respects on an uptime basis of 99.99% over a rolling annual basis. If an incident disrupts the client’s use of the Platform, then Kochava shall respond as follows:

  • Critical Priority Incident rendering the Platform inoperative: Kochava shall respond to Company within one hour of notice and immediately begin replicating and verifying the problem.
  • High Priority Incident degrading the operations and use of the Platform: Kochava shall respond to Company within four hours of notice and immediately begin replicating and verifying the problem.
  • Medium Priority Incident affecting the operations of, but not degrading, the Platform: Kochava shall respond to Company within six hours of notice and immediately begin identifying and verifying the problem during normal business hours.
  • Low Priority Incident having a minor impact on the operations of the Platform- Kochava shall respond to Company within eight hours of notice if alerted between 6:00 a.m. – 8:00 p.m. PST Monday through Friday and begin identifying and verifying the problem within two business days.

†Listed certifications include those held by Kochava directly and those held by our cloud and data center service providers in so far as those certifications are applicable to our data processing and storage operations. For more information, contact
privacy@kochava.com.

Changes and Updates to this Privacy Policy

Kochava reserves the right to amend this Privacy Policy at its discretion at any time. Kochava will post any adjustments to the Privacy Policy on this page.

Kochava’s Contact Information

Please contact Kochava with any questions or comments about this Privacy Policy, your information, Kochava’s use and disclosure practices, or your consent choices by e-mail at privacy@kochava.com or by mail at the address below:

Kochava, Inc.
201 Church Street
Sandpoint, Idaho, 83864

This Privacy Policy was last updated April 24, 2024.

Have further questions on Kochava Data Privacy and Security?

Contact Us