Data privacy

At Bombora, we take our responsibility in protecting consumer's rights to privacy very seriously. Our data is pseudonymized and de-identified. This data privacy page is intended to answer frequently asked questions about how we collect, use, and protect consumer data.

Frequently Asked Questions:

1. Where can I find Bombora's privacy policy?
2. What type of data does Bombora collect?
3. What type of data does the Bombora Visitor Insights tag collect?
4. What type of data does the Bombora Audience Verification tag collect?
5. Who has access to this data?
6. How frequently are cookies refreshed or deleted?
7. How long do you store IP data, and do you use it for targeted advertising?
8. Is IP data collected as individual IP addresses or is this aggregated upon collection?
9. How long do you store browser type or operating system (OS) data and do you use it for targeted advertising?
10. Can the storage of cookie data be shortened or extended at a client’s request?
11. Please describe what location data you collect and what role it plays in creating your B2B segments?
12. Do you collect personally identifiable information (PII)?
13. What does Bombora do with data collected from pixels placed on advertising campaigns or websites?
14. Do you share non-personal information with any other partners or firms?
15. From which geographic regions does Bombora collect data?
16. Does Bombora take steps to contractually require publishers to obtain clear and affirmative consent from consumers for the collection of data?
17. What are the options for opting out of behavioral advertising on a desktop device?
18. What are the options for opting out of behavioral advertising on a mobile device?
19. How do I opt-out of the sale of my personal information if I am a CA resident?
20. How is Bombora's Intent data GDPR compliant
21. Does Bombora comply with the EU's data protection regulation?
22. Are there any implications for Bombora's data due to GDPR?
23. Who is the appointed chief privacy officer (CPO) at your firm?
24. Does Bombora track consumer demographic data in the EU?
25. What security measures do you use to prevent data hacking?
26. What is your protocol for informing consumers if their data is hacked?
27. Do you have a process to respond to questions, concerns, corrections, deletions to profiles?
28. To which of the data privacy regulations are you complying with?
29. How is Bombora ethically responsible to its Data Co-op members? 


1. Where can I find Bombora's privacy policy?  
http://bombora.com/privacy/

2. What type of data does Bombora collect?  
Our primary source of data is collected from a proprietary Data Cooperative (Data Co-op) of B2B websites of publishers, marketers, agencies, technology providers, research and event firms that contribute content consumption data to a massive pooled data set that details buyer intent. Data Co-op members provide consent-based brand-anonymous data including unique cookie IDs, IP address, page URL and referrer URL, browser type, operating system, browser language, and engagement. Engagement data validates that the reader is actually consuming the content and not quickly bouncing from the website. Bombora does not collect any personal information that directly identifies any person.
The below includes more information on the data collected:

a. Unique IDs such as a cookie placed on a web browser

b. Internet Protocol address (IP address) and information derived from an IP address such as geographic location

c. Information about a device such as information contained in HTTP requests ('Usage Information') including browser type, operating system (OS), and referring URLs

d. Demographic information such as age, gender, functional area, seniority, and professional group

e. Behavioral data such as device usage, browsing activity, actions on websites and content areas, responses to advertisements delivered by our partners, date and time of these activities  

3. What type of data does the Bombora Visitor Insights tag collect? 

a. Unique IDs such as a cookie placed on a computer, mobile, or device ID

b. Internet Protocol address (IP address) and information derived from an IP address such as geographic location

c. The URL of the page that the consumer has visited as well as the referrer URL

d. Information about a device such as information contained in HTTP requests ('Usage Information') including browser type and operating system (OS)

e. The language of the user's browser

f. Engagement level data including dwell time, scroll depth, scroll velocity, and time between scrolls

4. What type of data does the Bombora Audience Verification tag collect? 

a. Unique IDs such as a cookie placed on a computer, mobile, or device ID

b. Internet Protocol address (IP address) and information derived from an IP address such as geographic location such as the Country, State, Metro Area, City, ZipCode

c. The URL of the page that the consumer has visited

d. Information about a device such as the information contained in HTTP requests ('Usage Information') including browser type and operating system (OS)

5. Who has access to this data?  
Bombora R&D engineers including our data scientist for the purposes of improving our products.

6. How frequently are cookies refreshed or deleted?  
Company Surge® segments are refreshed weekly, IDs/Cookies are refreshed every 30 days and expire after 13 months.

7. How long do you store IP data and do you use it for targeted advertising?  
IP data is stored to user profiles in raw log files for 90 days. However, IP data is not used for targeted advertising.

8. Is IP data collected as individual IP addresses or is this aggregated upon collection?  
IP addresses are collected as individual values and deleted in 90 days.

9. How long do you store browser type or operating system (OS) data and do you use it for targeted advertising?  
Browser type and OS data is stored to user profiles for 180 days. However, the data is not used for targeted advertising. Browser type and OS data is used for brand safety purposes only including fraud and bot detection.

10. Can the storage of cookie data be shortened or extended at a client’s request?  
No. Storage of cookie data is standard across Bombora and cannot be shortened or extended at a client's request.

11. Please describe what location data you collect and what role it plays in creating your B2B segments?  
Location data is derived from IP addresses and can only identify zip codes and metro areas. IP address does not play a role in creating our B2B audience segments.

12. Do you collect personally identifiable information (PII)?  
No. Bombora collects non-personally identifiable information only as defined by the Network Advertising Initiative (NAI).

13. What does Bombora do with data collected from pixels placed on advertising campaigns or websites? 

Bombora's data collection methods are privacy compliant and completely brand anonymous. Data obtained from advertising campaigns and websites are anonymized and aggregated to provide several services including:

a. Tailored website content and promotional content to visitor interests

b. Enable more relevant and targeted advertising

c. Analytics for advertisers to better understand the audience they are reaching

14. Do you share non-personal information with any other partners or firms?  
Bombora may share non-personal information, such as aggregated demographic, user statistics, interest categories and usage information with third parties.

15. From which geographic regions does Bombora collect data?

We collect data globally.

16. Does Bombora take steps to contractually require publishers to obtain clear and affirmative consent from consumers for the collection of data?  
Bombora maintains enters into an agreement with publishers that contain clauses that all data will be obtained in a legal manner that is compliant with privacy laws.

17. What are the options for opting out of behavioral advertising on a desktop device?  
If you wish to opt-out, please visit http://bombora.com/privacy/ .

18. What are the options for opting out of behavioral advertising on a mobile device?  
Online consumers using mobile or tablet devices can opt-out from Bombora by using one of the following methods:

a. iOS Device 
iOS 7 or above: Go to your Settings > Select Privacy > Select Advertising > Enable the 'Limit Ad Tracking' setting
iOS 6: Go to your Settings > Select General > Select About > Select Advertising > Enable the 'Limit Ad Tracking' setting

b. Android Device
For Android devices with OS 2.2 and up and Google Play Services version 4.0 and up: Open your Google Settings app > Ads > Enable 'Opt-out of interest-based advertising.' 

If you've turned on Limit Ad Tracking on your IOS device or the Opt-out of interest-based ads on your Android device, you can restore interest-based ads by turning the settings off. Please note that when you opt-out, you will still see advertising on your mobile or tablet device; however, they may be less relevant to you because they won't be based on your interests. 

19. How do I opt-out of the sale of my personal information if I am a CA resident?
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Personal Information Sales Opt-Out and Opt-In Rights

If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the "right to opt-out"). We do not sell the personal information of consumers we actually know are less than 16 years of age.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer requests. The response we provide will also explain the reasons we cannot comply with a request, if applicable. Please note that because most of the information we store can only identify a particular browser or device, and cannot identify you individually. To help protect your privacy and maintain security, we take steps to verify your identity in OneTrust. Making a verifiable consumer request does not require you to create an account with us. Before granting you access to your personal information or complying with deletion, portability, or other related requests, you will need to provide us with some additional information to enable us to identify the personal information we hold about you and ensure that we accurately fulfill your request.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following link: https://bombora.com/privacy/.

20. How is Bombora's Intent data GDPR-compliant? 

There are two main paths to GDPR compliance – legitimate interest and consent. Bombora is taking a consent-based approach to comply with the requirements of GDPR.

Where other forms of Intent data are based on legitimate interest, Bombora has a direct relationship with owners of the sites in its Data Co-op. Bombora is explicitly listed as a vendor and our data usage (its purpose) is detailed, providing visitors the opportunity to provide knowing consent.

To give users control over their privacy and tracking preferences, Bombora also uses standardized opt out processes as well as making a Data Subject Access Request (DSAR) portal available – another requirement of GDPR.

21. Does Bombora comply with the EU's data protection regulation, GDPR?  
Bombora is working with its partners and consent platforms such as OneTrust to gain user consent and be compliant with GDPR & ePrivacy.  

22.  Are there any implications to Bombora's data due to GDPR?
Bombora and its EMEA co-op partners are preparing compliant user consent paths, including industry standard platforms such as Trustee. Bombora is identifying Data Controller and Data Processor responsibilities and producing complaint agreements with the support of a team of privacy attorneys from Fieldfisher, a UK-based firm. In addition, we are building internal processes to facilitate responses to consumer inquiries, if any, requesting transparency regarding data stored on a particular individual’s profile. 

23. Who is the appointed chief privacy officer (CPO) at your firm?  
Havona Madama, Chief Privacy Officer.

24. Does Bombora track consumer demographic data in the EU?  
No, Bombora does not track demographic data such as age, gender, and ethnicity in the EU.

25. What security measures do you use to prevent data hacking? 

Bombora’s advanced security measures include best-in-class risk assessment programs, incident response plans, intrusion detection systems, and vulnerability testing. Our datacenter conducts regular SSAE 16 SOC 3 audits and implements biometric security. Networks are protected by firewalls and ACLs, and our site-to-site traffic is routed over VPNs. Additionally, we leverage role-based security and needs-based computing.

26. What is your protocol for informing consumers if their data is hacked?  
In the unlikely scenario that there is a data hack, we will inform consumers via a blog article on the Bombora website.

27. Do you have a process to respond to questions, concerns, corrections, deletions to profiles?  

Bombora maintains a privacy@bombora.com email address to respond to consumer concerns and questions. Additionally, we have appointed a chief privacy officer (CPO) to respond to privacy-related questions.

28. To which of the data privacy regulations are you complying with?  
Bombora complies with the data privacy regulations as defined by the Network Advertising Initiative (NAI).

29. How is Bombora ethically responsible to its Data Co-op members? 
Fundamental to the Data Co-op model is confidentiality around the originating source of content consumption behavior. To ensure this, Bombora anonymizes the content consumption activity that it collects and translates this into raw topics, which it uses in aggregate to form its Intent dataset.

Previous Article
Data Practice Certification
Data Practice Certification

Information regarding Bombora's completion of an independent certification of Data Practices through IAB.

No More Articles