Page tree

Skip to end of metadata
Go to start of metadata

Privacy and the Xandr Platform

This page is a reference including information about data protection matters on the Xandr Platform. This page should not be construed as legal advice and Xandr makes no guarantees here about compliance with any law or regulation.

Please note, our Service Policies (for Buying, Selling, and Data Providers) include privacy-specific obligations that you should be aware of.

If you have additional questions about data protection at Xandr after reviewing the information and links in this resource, please contact us via our client support form
On This Page

Xandr Privacy Disclosures

Xandr publishes a public-facing privacy policy, the  Xandr Privacy Statement, that explains Xandr's practices with regard to the collection and use of data on the Xandr platform. 


The Xandr Privacy Statement includes a general statement about the uses for which the Xandr Platform uses cookies. Xandr also publishes a public-facing Cookie Disclosure with the names and specific uses of cookies on the Platform. 

About Cookie Expiration

The Cookie Disclosure does not include cookie expiration. Platform cookies typically have a configured "expires" property of up to three months from when the cookie is set. However, we have not included the cookie expiration in the public disclosure because users might confuse cookie lifespan with data retention period. Cookies may be reset on subsequent calls from the browser to our servers, and the expires property would be reset at that time. We do it this way because many different companies use our Platform, and may be setting, reading, and associating data with cookies at various times and in various places. The retention of data associated with cookies is more relevant than the expiration of the cookie itself.

Xandr discloses in its public-facing Privacy Statement a data retention maximum of 18 months. However, most data is retained for a much shorter period than 18 months. Moreover, customers of the platform exercise control over much of the data:

  • Customer Segment Data: Customers of the Platform own and control their user segments, including the max age of the segments. 
  • Customer Log Data: Customers of the Platform control data retention of log data and other data they remove from the Platform. Logs are typically available for several days before being aggregated.
  • Security: Xandr retains some impression level data for about 30 days for purposes including security and the detection and prevention of malicious or invalid traffic.

Cookie Consent

Xandr is a global company, with customers around the globe using our technology. Some jurisdictions may require consent in some form for setting or reading cookies. Xandr expects customers, in particular Sellers, that deploy and use Xandr technology to acquire and manage consent as needed (see our Service Policies for more information). The Xandr Platform includes configuration options that clients of the Platform may use to indicate whether or not the Xandr platform should use cookies on an impression. 

Industry Self-Regulation of Privacy and User Choice

The Value of Self-Regulation

Xandr believes in the value of self-regulation. We stand by leading self-regulatory organizations' guidelines for best practice, and believe that by adhering to these guidelines we can support the creation of high-quality internet resources and free internet content for all. 

NAI Membership

Xandr is a member in good standing of the Network Advertising Initiative (NAI), a nonprofit member organization formed in 2000. The NAI is the leading self-regulatory association exclusively focused on third-party online advertising, and an overwhelming majority of internet ads served in the US involve the technology of one or more NAI companies. As an NAI member, Xandr adheres to the NAI Code of Conduct as it applies to the Xandr Platform.

Self-Regulatory Resources and Organizations

The following are leading self-regulatory resources in the United States, Canada, and Europe:

    • US: Network Advertising Initiative (NAI). The NAI is the leading self-regulatory program for third-party advertising technology companies. Xandr is an NAI member and sits on NAI's Board of Directors. We recommend membership.
    • US: Digital Advertising Alliance (DAA). The DAA's purpose is to expand self-regulation for interest-based advertising to the entire ecosystem.
    • CA: Digital Advertising Alliance of Canada (DAAC).
    • EU: European Interactive Digital Advertising Alliance (EDAA). 

The AdChoices Icon

The AdChoices icon is intended to give users enhanced notice of data collection and use associated with digital advertising. It is a requirement of industry self-regulation. It is owned and licensed by the DAA.

There are two aspects to trafficking the icon. First, a marketer using the icon must have a license from the DAA or one of its local affiliates. Xandr does not, at this time, license the icon on behalf of customers, so customers must have their own license. 

 Second, the marketer must have the technical capability to traffic the icon, and provide an appropriate UX upon click. Although a company may use its own, home-grown, solution to trafficking the icon, Ghostery and Truste have turnkey solutions that are integrated into the Xandr Platform.

User Choice and the Xandr Opt-Out

The Xandr Platform implements an opt out as defined by industry self-regulatory programs, and as applicable for both display and mobile advertising. The Platform has a cookie-based opt out for display advertising, which as explained below, includes an API that can be called from industry opt out pages or from Platform customers' own privacy pages. This enables clients to meet their own self-regulatory compliance requirements as they apply to their use of the Xandr Platform. Some customers may use other platforms in addition to Xandr, so will incorporate multiple opt outs into their offering to consumers. The industry opt out pages support this use case.

Note that when a user opts out from a Platform client's privacy page or from Xandr's privacy page, the user's opt out applies to the entire Xandr Platform. 

The Xandr opt out works by replacing the unique random 64-bit identifier in the UUID2 cookie with the generic value of "-1". By eliminating the unique identifier, this prevents IBA data from being collected or used to serve targeted advertising to the browser. 

Additionally, current mobile platforms now provide a global configuration option for users to opt out of IBA in mobile apps. When Xandr receives an opt out flag set using these configurations, it honors in the same way as an opt out cookie. See, for example:

Integrating with Industry Opt Out Pages

  • Our Opt Out API
    • Xandr provides an API that integrates with interest-based advertising opt out pages run by industry self-regulatory programs. The Xandr API will be called from platform clients' listings on the opt out pages, or from opt outs on clients' own web pages, or from other sources.
    • A token will be provided in response to the action_id=3 calls, and it must be passed back to our endpoint to effectuate an optout (action_id=4), but the value for the participant_id can be set to any value

    • In most cases, tech support personnel from the self-regulatory programs will know how to integrate the Xandr opt out, because other Xandr clients are already listed on their opt out pages, but here are the URLs to be used:

      • For the NAI and AboutAds opt out pages in the US, use the following URL format:

        • Reads the opt out status and 302 redirects the browser to a URL at : 

        • Sets the opt out, confirms, and then redirects the browser to a URL of the format <rd>/finish/<participant_id>/<action_id>/ <cookie-result>-<other-result> /<message>: 

      • For the YourOnlineChoices pages in the EU, use the following:

        • Status: 

        • Opt out: 

        • Opt in: 


Data Flows and Locations of Data Processing

Xandr has data centers in the US, EU, and Asia. For the most part, requests from devices in each region will be served by data centers in that region. However, this is not guaranteed, and can vary based on network conditions. Cookie data  – segments  – is not currently mirrored between the three regions, but may be in the future. Log-level data is transmitted to US data centers for reporting and aggregation. Log-level data is typically retained in the Platform for no more than approximately 30 days, though possibly longer in some cases.

Types of Processing

The Xandr Platform processes data to facilitate the buying and selling of online advertising between its customers. Data regarding advertising impressions is made available to customers that wish to bid on the impressions. Purchasers of advertising impressions receive logs of their purchased impressions. Xandr uses data to provide, manage, maintain, and enhance the Platform, which includes, but is not limited to, providing optimization tools for buyers and sellers, security, and the prevention of malicious or invalid activity. Xandr does not otherwise use the data on its own behalf.

Information Security

Xandr is committed to protecting personal, private, confidential, and sensitive data and the systems used to process, store, or transport such data. This is includes, but is not limited to, customer data, employee data, and company, vendor, and partner proprietary data. Our Data Protection and Security on the Xandr Platform document outlines the measures employed by Xandr towards that commitment. 

Personal Information

Personally Identifiable Information (PII)

Xandr prohibits clients from bringing personally identifiable information (PII) onto the Platform. As of this writing, Xandr defines PII as information that by itself, directly identifies an individual, such as name, address, phone number, email address, or government identifier.

Self-regulatory codes or laws in other jurisdictions may have inconsistent notions of which data fall within the definition of PII (or Personal Data in some jurisdictions). Xandr makes efforts to comply with applicable laws, rules, regulations, and self-regulatory codes. Clients of the Platform should ensure they understand their own compliance requirements with respect to their use of the Xandr Platform, including requirements included in our Service Policies.

IP Truncation

To enhance user privacy, the Platform provides configuration options to truncate IP addresses in order to reduce the granularity. There are Platform-wide features, as well as features specific to buyers and sellers. 

When an IP address is truncated, the final octet (the digits after the third dot) of the IP address will be replaced with 0. For example, will become Bid requests, log-level data, and creative/pixel macros will subsequently include the truncated address. The full address is used only for the detection and prevention of malicious or invalid activity, e.g. bots and malware, and certain other operational uses, e.g. responding to the request. Requests with truncated IP address will continue to include geography.


The Platform will truncate IP addresses from certain geographic regions regardless of member-level settings. Currently affected regions are: Germany, Spain, Italy, France, but this list may change at any time at the discretion of Xandr.

For Sellers

Sellers may instruct the ImpBus to truncate IP addresses by setting placement-level configuration or by passing the truncate_IP flag in their ad tags.

For Buyers 

Buyers can also truncate IP addresses in their log-level data feeds. As a consequence, any IP address truncated on the buy side will also be truncated when passed through to the sell side. To request this configuration setting for your Xandr account, please contact your Xandr account representative.

Sensitive Information

Sensitive Information includes information deemed sensitive under applicable laws or self-regulatory codes, including, but not limited to, the following:

  • Health information
    • In addition to any applicable laws, Xandr employs the Network Advertising Initiative definition of Sensitive Health Information:
      • Information about any past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history based on, obtained or derived from pharmaceutical prescriptions or medical records, or similar health or medical sources that provide actual knowledge of a condition or treatment
      • Information, including inferences, about sensitive health or medical conditions or treatments, including, but not limited to, all types of cancer, mental health-related conditions, and sexually- transmitted diseases
      • Further explanation can be found in the commentary to the NAI Code of Conduct.
  • Financial information
    • In addition to any applicable laws, Xandr employs the NAI and DAA definitions of financial information. To be clear, Xandr considers to be sensitive any negative information or inferences about users' financial status or creditworthiness.
  • Sexual Orientation or sex life
    • Information or inferences regarding a user's sexual orientation or sexual behavior.
  • Race or ethnicity
    • Specific information about a user's race or ethnicity. 
  • Political views
    • Specific information about a user's political affiliations or views, excluding public registration information in the US.
  • Trade union membership
    • Specific information about a user's trade union membership or affiliation.
  • Children
    • Information, based on knowledge or inference, that identifies users as being under the age of 13.
    • Information about a user's visits to child-directed inventory. 

Additional Information and Assistance

If you have any questions or concerns not addressed in our wiki, please contact us via our client support form



  • No labels