Crossix Products Privacy Notice for Consumers
Effective Date: May 5, 2023
This section regarding the Veeva Crossix products is intended to supplement the Veeva Privacy Statement and applies to all Consumers residing in the United States. It describes how Veeva Crossix collects, transfers, and uses data, including certain types of personal data (“Personal Information”) as defined under relevant US State privacy laws (“Applicable Law”), in connection with our tailored advertising and measurement products, which we sell to our advertiser clients, media owners, and other clients.
“Applicable Law” means all applicable federal, state and local laws, rules, regulations and judicial and administrative decisions relating to Personal Information and privacy. Applicable Law includes, but is not limited to: (i) the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”); (ii) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (iii) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (iv) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (v) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (vi) all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.
We may update this supplement from time to time to reflect changes in our products or practices, or for other operational, legal or regulatory reasons. Please re-visit this notice regularly to stay informed. The date at the top of this notice indicates when it was last updated.
If you are a consumer whose Personal Information may be included within Veeva Crossix Products, click here to exercise your Privacy Choices via a “Verifiable Consumer Request”. You may also use the links and telephone number at the beginning of the Veeva Privacy Statement.
Veeva Crossix allows all US residents to request to opt out of the sale or sharing of their Personal Information. Residents of California, Virginia, Colorado, Connecticut, and Utah have additional rights, subject to certain limitations, to:
- Opt-out of the sale/share of their Personal Information, including certain sensitive information (if applicable) (“Do Not Sell or Share My Personal Information” and/or “Limit the Use of My Sensitive Personal Information”);
- Know/access what Personal Information a business collects, stores, shares, and/or sells about them, as well as the categories of Personal Information (“Access Request” and/or “Request to Know”);
- Correct inaccuracies in Personal Information that a business has on file about them (“Correction Request”);
- Delete the Personal Information that a business has on file about them (“Deletion Request”); and
- Exercise the above outlined rights without receiving discriminatory treatment.
We will confirm receipt of your Verifiable Consumer Request promptly and aim to respond to your request within 45 days of its receipt. Should we need more time, we will explain to you the reasons why and how much more time we need to complete the request. Please note that we may need to take up to 90 days to fulfill your request.
You may only make a Verifiable Consumer Request for access or data portability twice within a 12-month period. The Verifiable Consumer Request must:
- Provide sufficient information that allows us to reasonably Verify you are the Consumer about whom we collected Personal Information or an Authorized Agent (e.g., a person registered with the California Secretary of State that you authorize to act on your behalf). You may be required to submit proof of your identity. Only you or your Authorized Agent may make a Verifiable Consumer Request regarding your Personal Information.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will not charge a fee to process or respond to your Verifiable Consumer Request unless we reasonably determine it is excessive, repetitive, or manifestly unfounded. As such, if we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will respond to your request consistent with requirements as ascribed by Applicable Law, which do not apply to certain information excluded from the scope, such as publicly available information from government records; De-identified information, Aggregated Consumer Information, and other explicitly excluded information, including health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, or Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
For more information about privacy choices across Veeva, please review our privacy statement, available at https://www.veeva.com/privacy/ccpa.
Applicable Law regulates the online collection of Personal Information from children under the age of 16. Our Services are not directed to or used by children, and we do not knowingly collect, use, or process Personal Information from children under the age of 16.
What We Do
Veeva Crossix leverages data and analytics to help health brands communicate more effectively with consumers. To do this, we developed tailored advertising and media measurement solutions which respect your privacy rights. Veeva Crossix does not use Personal Information for automated decision making. Veeva Crossix may retain Personal Information for twelve (12) months from the last date such data was used to generate the relevant Veeva Crossix product. Veeva Crossix may retain one (1) copy of the data for a longer period if required by law.
Audience Solutions (Tailored or Targeted Advertising)
Veeva Crossix and our partners use understanding of the demographic characteristics of certain large population segments to create lists for marketing, also known as Audience Segments. Veeva Crossix Audience Segments are sold to our customers to deliver tailored advertising to relevant consumers via digital and TV advertisements. You can see a list of our Audience Segments here.
Relevant health communications enable consumers to make more informed choices about their health care. The most effective way to deliver relevant communications to the right consumers starts with a deep understanding of the intended audience. Veeva Crossix does this by using data and analytics to understand the demographic characteristics – e.g., age, gender, lifestyle, geography, etc. – most relevant to certain health conditions.
In order to perform these analytics, Veeva Crossix works with third-party consumer data partners to source demographic and consumer information while respecting consumer privacy choices. Veeva Crossix does not store or retain any identifiable demographic and consumer information.
To make Veeva Crossix Audience Segments available for Tailored Advertising in digital environments, we may ask our partners to identify devices or browsers of users with specific demographic and consumer attributes, and the users of these identified devices or browsers may receive Tailored Advertising in their web browsers, within mobile applications, and on connected TVs. Tailored Advertising does not include using your interactions with us or information that you provide to us to select advertisements to show you. In the preceding twelve (12) months, we have not shared Personal Information for cross contextual behavioral advertising purposes.
Veeva Crossix measurement solutions help healthcare marketers answer critical marketing and business questions.
All health-related information received from third-party data suppliers by Veeva Crossix for its measurement services is certified by Expert Determination to satisfy the Privacy Rule’s de-identification standard under the Health Insurance Portability and Accountability Act (“HIPAA”). This HIPAA compliant de-identified health information, as it is no longer considered protected health information, may be legally used and disclosed by Veeva Crossix and its partners.
To measure the impact of health marketing, we connect media exposure data to HIPAA compliant de-identified health data. We report only aggregated insights to our customers; we never report person- or device-level information. Veeva Crossix does not process sensitive personal information (as defined by Applicable Law) in the creation of its Measurement Solutions.
We receive hashed identifiers that have received client advertising, as well as associated campaign metadata (i.e., information related to what ad was shown, on what web property or app, on what device, and when), from an identity resolution partner or directly from a media owner. We are not able to associate these identifiers with any non-pseudonymous Personally-Identified or Device-Identified Information (as those terms are defined in the Network Advertising Initiative (“NAI”) Code of Conduct). We retain these hashed identifiers for a maximum of one (1) year from last contracted use, at which point the user-level data is aggregated for long-term storage.
Collection of Personal Information
|Category of Personal Information Collected||Collect||Disclose||Sell||Categories of Sources of Collection||Categories of Third Parties With Whom Personal Information is Shared|
|A. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.||Yes||Yes||Yes||
|B. Personal Information categories as defined in the California Customer Records statute, Cal. Civ. Code Section 1798.80(e), such as name, education, employment, employment history and financial information.||Yes||Yes||Yes||
|C. Characteristics of Protected Classifications under California or Federal Law.||Yes||Yes||Yes||
|D. Commercial information, such as transaction information, purchase history, financial details and payment information.||No||No||No||N/A||N/A|
|E. Biometric Information, such as fingerprints and voiceprints.||No||No||No||N/A||N/A|
|F. Internet or other electronic network activity information, such as browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems and advertisements.||Yes||Yes||Yes||
|G. Geolocation Data, such as Precise physical location.||No||No||No||N/A||N/A|
|H. Sensory Data, such as images and audio, video or call recordings.||No||No||No||N/A||N/A|
|I. Professional or employment-related information, such as job title as well as work history and experience.||No||No||No||N/A||N/A|
|J. Non-Public Education information subject to the federal Family Educational Rights and Privacy Act, (as defined in 20 U.S.C. Section 1232g; 34 C.F.R. Part 99) such as student records.||No||No||No||N/A||N/A|
|K. Sensitive Personal Information, such as Social Security, driver’s license, state identification card, passport number, account log-in in combination with any required security or access code, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric information, health, sex life or sexual orientation.||No||No||No||N/A||N/A|
|L. Inferences drawn from any of the Personal information Collected to create a profile or summary about, for example, an individual’s preferences and characteristics.||No||No||No||N/A||N/A|
Disclosing Personal Information
We may disclose your Personal Information to a Third Party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
We may disclose your Personal Information for a business purpose to the following categories of third parties:
- Our affiliates
- Service providers
- Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide
As of the effective date, our Disclosures for a Business Purpose include:
- Auditing related to a current interaction with the Consumer and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Debugging to identify and repair errors that impair existing intended functionality;
- Performing services on behalf of Veeva or a Customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying Consumer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of Veeva or a Customer;
- Undertaking internal research for technological development and demonstration;
- Undertaking activities to improve, upgrade, enhance, verify or maintain the quality of Veeva’s Services;
- Disclosure to a Third Party, that is bound not to further disclose such information and is prohibited from Selling such information;
- Consumer Identity Verification Information or Authorized Agent designation and identity verification; and
- Compliance with law.
Tailored Advertising and Your Rights
You may opt out of your Personal Information being included in Veeva Crossix digital advertising and measurement products sold to customers, which includes media served in web, mobile app, and CTV environments, via the following link: https://veeva.wirewheel.io/privacy-page/632894a4370d650016a46903
You may opt out of personalized advertising and cross-device linking in web browsers by visiting http://optout.aboutads.info. You can learn how to opt out of personalized advertising and cross-device linking on mobile devices by visiting https://thenai.org/opt-out/mobile-opt-out/; and on CTV devices by visiting https://thenai.org/opt-out/connected-tv-choices/. To help preserve the choices that you make in the DAA’s WebChoices page, you can install the DAA’s “Protect My Choices” extension that is available at aboutads.info/PMC.
For more information about tailored advertising and cross-device linking, please visit the Network Advertising Initiative (“NAI”) website. We are a member of the NAI and we adhere to the NAI’s Code of Conduct. We also adhere to the DAA’s Self-Regulatory Principles for Online Behavioral Advertising by providing you enhanced notice, transparency and control of our digital marketing practices.
If you have any additional questions about your data rights and our privacy-by-design approach to marketing analytics, please contact Crossix_privacy@veeva.com.