Privacy Policy

1. Introduction

OCRO Media Network ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, services, or platform (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access our Service.

Data Controller: For the purposes of the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the data controller responsible for your personal information is OCRO Media Network. You can reach our privacy contact at privacy@ocropartners.com.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide to us, including:

• Contact Information: Name, email address, phone number, company name
• Account Information: Username, password, account preferences
• Campaign Information: Creative assets, campaign briefs, targeting parameters
• Payment Information: Billing address, payment method details (processed securely through third-party payment processors)
• Communications: Messages, inquiries, and support requests

2.2 Information Automatically Collected

When you access our Service, we automatically collect certain information, including:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Information: Pages visited, time spent, features used, click patterns
• Log Data: Access times, referring URLs, error messages

2.3 Third-Party Information

We may receive information about you from third parties, including social media platforms, analytics providers, and data partners, as permitted by law.

3. How We Use Your Information

We use the collected information for various purposes, including:

• Service Provision: To provide, maintain, and improve our services
• Campaign Management: To execute and manage advertising campaigns
• Communication: To send you updates, security alerts, and support messages
• Analytics: To analyze usage patterns and improve user experience
• Security: To detect, prevent, and address technical issues and fraudulent activity
• Legal Compliance: To comply with legal obligations and enforce our terms
• Marketing: To send promotional communications (with your consent)

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data only when we have a valid legal basis under Article 6 of the GDPR. The legal basis we rely on depends on the specific purpose:

• Performance of a Contract (Art. 6(1)(b)): When you submit a campaign brief or engage our services, we process your information to perform the agreement with you — for example, to deliver campaigns, manage payments, and provide support.
• Legitimate Interests (Art. 6(1)(f)): We rely on legitimate interests for activities such as: securing the Service against fraud and abuse, basic website analytics, internal record-keeping, and responding to inquiries you initiate. We balance these interests against your rights and freedoms before relying on this basis.
• Consent (Art. 6(1)(a)): We rely on consent for non-essential cookies, optional analytics, and marketing communications. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal Obligation (Art. 6(1)(c)): We process certain information to comply with legal obligations such as tax, accounting, anti-money laundering, and lawful requests from public authorities.

Where we rely on legitimate interests, you have the right to object to that processing — see "Your Privacy Rights" below.

5. Data Sharing and Disclosure

6.1 Third-Party Service Providers

We may share your information with trusted third parties who assist us in operating our Service, including:

• Payment processors for transaction processing
• Analytics providers for usage analysis
• Cloud hosting services for data storage
• Email service providers for communications

6.2 Social Media Platforms

To fulfill campaign delivery, we share campaign content with third-party social media platforms. These platforms have their own privacy policies governing the use of shared information.

6.3 Business Transfers

Your information may be transferred in connection with a merger, acquisition, or sale of assets, subject to applicable legal requirements.

5.4 Legal Requirements

We may disclose your information when required by law, court order, or to protect our rights, property, or safety.

5.5 No Sale of Personal Information

We do not sell your personal information to third parties for their marketing purposes.

6. Cookies and Tracking Technologies

6.1 What Are Cookies

Cookies are small text files stored on your device that help us provide a better user experience. The categories of cookies we use are described below in section 6.2.

6.2 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential Cookies	Required for basic site functionality	Session
Analytics Cookies	Help us understand user behavior	1-2 years
Functional Cookies	Remember preferences and settings	1 year
Marketing Cookies	Track campaign effectiveness	30 days

6.3 Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Service.

7. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• SSL/TLS encryption for data transmission
• Secure payment processing through PCI-compliant providers
• Access controls and authentication systems
• Regular security audits and updates

Despite our efforts, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your information.

8. Data Retention

We keep personal data only for as long as necessary to fulfil the purposes set out in this policy, after which it is deleted or anonymised. The specific retention periods we apply depend on the type of information:

• Inquiry / contact form data: retained for up to 24 months from your last interaction with us, then deleted, unless we have an active client relationship.
• Active client records (campaign briefs, communications, deliverables): retained for the duration of the engagement and for 6 years thereafter to comply with tax, accounting, and contract law requirements.
• Payment and invoicing records: retained for the period required by applicable tax law (typically 6–10 years depending on jurisdiction).
• Website analytics / log data: retained for up to 14 months in identifiable form, then aggregated or deleted.
• Marketing list data (where you consented): retained until you unsubscribe or withdraw consent, then deleted within 30 days.
• Records of consent and rights requests: retained for up to 6 years to demonstrate compliance with applicable law.

Where we anonymise data rather than delete it, the resulting information is no longer personal data and may be retained indefinitely for analytics and service improvement.

9. Your Privacy Rights

Depending on where you live, data protection law gives you specific rights over your personal information. We honour the following rights for all users globally where they apply, in addition to any further rights granted under your local law:

• Right of access: Request confirmation of whether we hold your personal data and a copy of that data.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data where one of the legal grounds in Article 17 GDPR applies (for example, the data is no longer needed for the purpose, or you withdraw consent).
• Right to restriction of processing: Request that we limit how we use your personal data while a request is being resolved.
• Right to data portability: Request a copy of personal data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means.
• Right to object: Object to processing based on our legitimate interests, including direct marketing. Where you object to direct marketing, we will stop the processing without delay.
• Right to withdraw consent: Where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right not to be subject to automated decision-making: We do not make decisions about you based solely on automated processing that have legal or similarly significant effects on you.

How to exercise your rights

To exercise any of these rights, email privacy@ocropartners.com with the subject line "Privacy Request" and a description of your request. We may need to verify your identity before responding. We will respond within 30 days as required by GDPR (extendable by up to two further months where the request is complex). There is no fee for exercising these rights, except where requests are manifestly unfounded or excessive.

Right to lodge a complaint

If you believe we have not handled your personal data in line with applicable law, you have the right to lodge a complaint with a supervisory authority. For users in the EU, this is the data protection authority of the country in which you live or work. For users in the UK, this is the Information Commissioner's Office (ICO) — ico.org.uk. We would, however, appreciate the chance to address your concerns directly first — please reach out to us before contacting a regulator.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), gives you the following rights regarding your personal information:

• Right to know: Request that we disclose what personal information we have collected, used, disclosed, and sold or shared about you in the preceding 12 months, including the categories of sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of "sale" or "sharing": Direct us not to sell or share your personal information. OCRO does not sell personal information for monetary value, and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under the CCPA. If this changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.
• Right to limit use of sensitive personal information: Where we collect sensitive personal information, you may request that we limit its use to what is reasonably necessary to provide the service.
• Right to non-discrimination: We will not deny you services, charge different prices, or provide a lower quality of service for exercising your rights.

Categories of personal information collected (last 12 months): identifiers (name, email, phone), commercial information (campaign briefs, transaction records), internet/network activity (log data, cookies), and professional information (company name, role).

To exercise CCPA rights, email privacy@ocropartners.com with "California Privacy Request" in the subject line. You may designate an authorised agent to make a request on your behalf — we will require written authorisation and proof of your identity to act on such requests.

11. Children's Privacy

Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete such information promptly.

12. International Data Transfers

OCRO operates globally, and your information may be processed in countries outside your country of residence, including jurisdictions whose data protection laws differ from those in your home country. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed by the European Commission (or the equivalent UK or Swiss authority) to provide an adequate level of protection, we rely on appropriate safeguards as required by Article 46 of the GDPR.

The safeguards we use include:

• Standard Contractual Clauses (SCCs) approved by the European Commission, including the EU SCCs (2021), the UK International Data Transfer Addendum, and the Swiss SCC equivalents.
• Reliance on adequacy decisions where applicable (for example, when transferring to a country with a recognised adequate level of protection).
• Where required, supplementary measures such as encryption in transit and at rest.

You can request a copy of the safeguards we apply to a specific transfer by emailing privacy@ocropartners.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last Updated" date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices — including to exercise any of your rights described above — please contact us: