Adjust is user-privacy first

At Adjust, we believe that all app users have a right to privacy, and a right to have their personal data protected. As such, we do our utmost to keep all of our user’s data secure. This attitude has stemmed since long before the GDPR was drafted, and even longer than it will be in place, beginning May 25th, 2018.

Our privacy record

We’ve been ePrivacy certified since 2015, renewing our current status at the end of 2017. According to their website, “since July 2016, [ePrivacy] certification covers the requirements of the General Data Protection Regulation (GDPR) for digital products.” As such, we’re certifiably GDPR ready, but our attitude to privacy goes beyond the letter of the law.

For example, we’re the only attribution service headquartered in the EU, and our German heritage goes hand-in-hand with privacy-first values. For instance, we run our own servers instead of handing our data to cloud services. This means we have total control of our client’s user data, all centralized in Europe.

Reasons we’re prepared for the GDPR

We have a dedicated privacy team

In total, our GDPR team numbers six experts dedicated to the cause. Our data privacy officer is: Prof. Dr. Christoph Bauer. All employees of Adjust are verifiably committed to data secrecy in accordance with Art. 32 para. 4 GDPR.

We handle data with care

All data is secured in transit. The processing of personal data happens in a way that the data can no longer be assigned to a specific data subject without additional information being provided.

We operate our own physical servers

Adjust stores all data of our European clients in Europe, a huge advantage for GDPR compliance. Our main servers are located in Frankfurt, Germany and in Amsterdam, Netherlands.

We uphold the right to be forgotten

Users can now request to have their personal data deleted, at any time. This means that if you receive a request for account information deletion - this would have to be forwarded to us in order to fully comply with the request.

This can be done by implementing either of the following solutions:

  1. Sending a request to our s2s endpoint
  2. Integrating SDK 4.13

What's considered personal data?

According to Art. 4(1) GDPR, personal data now includes various digital identifiers as ‘personal data’. Previously, name, photos, email and so on, were typical identifiers. Now, this list has expanded to include specifically:

  • IP addresses
  • Online identifiers
  • A user’s location data
  • Biometric data (fingerprints and retina scans)
  • Behavioral and demographic profiling data

If your users consent to be tracked, you must protect this data.

A deletion policy, record of processing activities, and TOMs

All these are required by articles 17, 30 and art. 32 para. 4 GDPR. This includes, for example, measures like:

  • Physical access control - Our physical data centers are secure. Security measures include having security officers onsite, monitoring and alarm systems, video/CCTV monitors and much more. No person, not even a member of Adjust, has self-determined access to the servers.
  • Data access, usage and transmission controls - Tools in place to protect unauthorized access, usage or transmission of data. For example, we make sure that the data cannot be changed or deleted by unauthorized persons during transmission.
  • Separation rule - To keep data private and secure we ensure that any information collected for different purposes is separate during processing. This extends to test systems and production systems as well.
  • Pseudonymization - any data is hashed as early as possible. The processing of personal
    data happens in a way that the data can no longer be assigned to a specific data subject without additional information being provided.
  • Availability control and rapid recoverability - frequent backups protect all stored data
    against loss. Adjust creates continuous backups, which are also transferred to a remote site. With this, Adjust can restore data if lost.
  • Incident response management - if data is lost we inform those affected immediately.

While the content on this page is designed to help you understand the GDPR when working with third parties, the information contained should not be construed as legal advice. You should consult with your own legal counsel with respect to interpreting your unique obligations under the GDPR and the use of a company's products and services to process personal data.

For more on our GDPR compliance, get in contact with our privacy team -