Book a demo

Data Product Privacy Policy

Effective date: January 1, 2026

Above Data, Inc. (“Above Data,” “we,” “us,” or “our”) is committed to transparency and responsible data practices. This Data Product Privacy Policy (“Policy”) explains how we receive, process, store, and protect data in connection with our enterprise data products, data marketplace, activation tools, and related services (collectively, the “Products”).

This Policy applies only to data processed through the Products. For information about how we handle data collected through our website, please refer to our Website Privacy Policy.

1. Types of Data We Process

Our Products process de-identified, pseudonymous, and certain categories of personal information, depending on the data we receive from enterprise customers and data partners.

1.1 De-Identified Data

De-identified data is information that cannot reasonably be used to identify an individual without additional information kept separately.
Examples include:

  • Aggregated analytics
  • Modeled or derived attributes
  • Statistical classifications or segment IDs

1.2 Pseudonymous Data

We also process pseudonymous identifiers that may be considered “personal information” under certain privacy laws because they may be reasonably linked to a device, browser, or household.

These identifiers do not reveal a person’s name, email, address, or identity, and we maintain technical and organizational measures to prevent reidentification. Examples include:

  • Hashed or tokenized email addresses
  • Device identifiers (if provided by partners)
  • Cookie IDs or similar online identifiers
  • IP-derived IDs (city/state geolocation, connection-derived identifiers)
  • Platform-specific identifiers used for ad measurement or targeting

1.3 Data We Do Not Use

Above Data does not intentionally receive or use directly identifiable personal information (such as full names, postal addresses, or unencrypted contact information) or sensitive personal information (such as health data, racial or ethnic origin, or biometric identifiers) in connection with our Products.

If such information is inadvertently provided to us by a partner, we:

  • Segregate it from all other datasets,
  • Prevent it from being used in any modeling, marketplace, or activation workflows,
  • Do not attempt to link it to any pseudonymous or de-identified data, and
  • Delete or permanently isolate it in accordance with our security and data minimization practices.

This ensures that any inadvertently received sensitive or identifiable information is never incorporated into data products, never distributed, and never used for any commercial purpose.

2. How We Receive Data

We receive data from:

  • Enterprise customers
  • Data providers and aggregators
  • Public or commercially available sources
  • Partners participating in our data marketplace

All partners warrant that:

  • They have a lawful basis to provide data
  • They maintain appropriate consent and opt-out mechanisms
  • They suppress consumers who have opted out of sale/sharing

3. How We Use Data

We process data only for legitimate business purposes, including:

3.1 Data Activation

  • Enabling secure exchange of pseudonymous datasets
  • Building interoperability across taxonomies
  • Connecting datasets to activation platforms and measurement tools
  • Normalization, enrichment, and modeling

3.2 Analytics & Insights

  • Aggregated reporting
  • Measurement and attribution models
  • Trend and pattern analysis

3.3 AI & Machine Learning

  • Semantic layer mapping
  • Model training on de-identified or pseudonymous attributes
  • Data transformation and classification

3.4 Compliance & Suppression

  • Managing opt-outs of sale/sharing
  • Suppressing identifiers to honor deletion requests
  • Ensuring downstream compliance obligations

We do not:

  • Reidentify individuals or attempt to match pseudonymous data to real-world identities
  • Enable use of data for credit, insurance, employment, housing, or other uses restricted by law

4. Our Commitment Against Reidentification

Above Data maintains a strict “no reidentification” policy.
We do not:

  • Attempt to link pseudonymous identifiers to named individuals
  • Possess the data necessary to identify natural persons
  • Allow customers or partners to reidentify through our systems

We use:

  • Hashing
  • Salting
  • Tokenization
  • Data separation controls
  • Differential privacy techniques (where applicable)

This is consistent with legal requirements for processing pseudonymous and de-identified data.

5. Consumer Privacy Rights

Even when we process pseudonymous identifiers, we implement systems to respect consumer rights as required under United States’ state privacy laws, including CCPA / CPRA (California), CPA (Colorado), VCDPA (Virginia), CTDPA (Connecticut), UCPA (Utah), and other applicable state laws. 

5.1 Access, Correction & Deletion

Because we do not maintain identifiable information, we cannot return data “about you” in a readable form.

However, we honor deletion requests, where feasible, by:

  • Suppressing pseudonymous identifiers (cookie IDs, hashed identifiers, device IDs)
  • Ensuring suppressed IDs are not included in data products, models, or marketplace distributions

Because we do not maintain identifiable information or the ability to associate pseudonymous identifiers with a specific individual without additional information we do not possess, we are unable to “correct” data in the traditional sense. Instead, consumers may request suppression or deletion of pseudonymous identifiers associated with their request.

5.2 Right to Opt Out of Sale or Sharing

Where data partners classify transfers to Above as “sales” or “sharing,” we honor consumer opt-outs by:

  • Maintaining suppression lists
  • Applying those lists before distributing data
  • Ensuring opt-out preferences propagate downstream where feasible

You can exercise rights through the Above Data Request Form.

5.3  Right to Appeal

If we deny your privacy request, you have the right to appeal our decision. You may submit an appeal by contacting us at the information provided in the “Contact Us” section. We will review and respond to your appeal within the timelines required under applicable state laws. If your appeal is denied, you may also have the right to contact your state Attorney General.

5.4 Non-Discrimination

We do not discriminate against individuals for exercising their privacy rights. This includes no changes to pricing, access, features, or quality of service as a result of submitting a privacy request.

5.5 Verification of Requests

We verify requests using only the identifiers you provide to us (such as a hashed email, device ID, or other pseudonymous identifier). We do not request additional identifying information and we do not reidentify data to fulfill any request. If we cannot reasonably verify your request, we may be unable to fulfill it.

5.6 Opt-Out of Targeted Advertising and Profiling

Some state privacy laws provide consumers with the right to opt out of targeted advertising or certain types of automated profiling. Where these laws apply, consumers may opt out by submitting a request through our Data Subject Request Form. We apply suppression of pseudonymous identifiers to honor these requests, where feasible, and we propagate opt-out preferences downstream to the extent technically and contractually feasible.

5.7 Use of Cookies and Other Tracking Technologies

Our Products do not use cookies or similar tracking technologies that can identify or track individual users. 

For any cookie-related activities or browser tracking on our Website, please refer to our Website Privacy Policy 

6. Our Role as a Business / Controller

For purposes of U.S. privacy laws, Above Data acts as an independent business/controller (as defined under applicable U.S. privacy laws) when receiving data from partners or making data products available through our marketplace.

This means we independently determine:

  • The purposes and means of processing
  • How pseudonymous data is stored, normalized, enriched, and shared

We do not act as a processor for customer instructions unless separately agreed in writing.

7. Data Sharing and Downstream Use

We may make pseudonymous and/or de-identified datasets available to:

  • Enterprise customers
  • Measurement partners
  • Activation platforms
  • Analytics systems
  • Cloud storage or compute vendors

All sharing occurs under strict contractual obligations that:

  • Prohibit reidentification
  • Limit permitted uses
  • Enforce security and privacy controls
  • Require honoring opt-out and suppression requirements

We do not share identifiable information.

8. Data Retention

We retain pseudonymous and de-identified data only for as long as necessary to:

  • Provide Products and marketplace functionality
  • Maintain system integrity and security
  • Comply with legal obligations
  • Support analytical or modeling objectives

We periodically rotate identifiers and apply minimization standards consistent with applicable law.

Retention periods vary by dataset type and are based on business needs, contractual requirements, security considerations, and data minimization standards. We periodically rotate or refresh pseudonymous identifiers, remove stale datasets, and apply retention limits aligned with the purposes for which the data was collected. We do not retain pseudonymous identifiers longer than reasonably necessary to support our Products or compliance obligations.

9. Security Measures

We use industry-standard security safeguards, including:

  • Encryption in transit and at rest
  • Access controls and monitoring
  • Separation of environments
  • Logging and auditing
  • Vendor due diligence
  • Penetration testing and vulnerability scanning

No system is 100% secure, but we maintain a comprehensive information security program.

10. Children’s Data

Our Products are not directed to children under the age of 13. We do not knowingly receive personal information relating to children under 13, and our data supply partners are contractually required to exclude such data. If we learn that data relating to a child under 13 has been provided to us, we will delete or isolate it consistent with our data minimization practices.

11. International Transfers

We may transfer pseudonymous or de-identified data to countries outside your jurisdiction, including the United States.

We maintain contractual, technical, and organizational measures to ensure adequate protection, including:

  • Standard Contractual Clauses
  • Data processing agreements
  • Regional access controls

12. Updates to This Policy

We may update this Policy to reflect:

  • New Products
  • Evolving data marketplace practices
  • Changes in privacy laws

The revised version will be posted with a new effective date.

13. Contact Us

For questions or privacy-related requests, please contact us at:
privacy@abovedata.io
or through our Data Subject Request Form.

Thank you

We received your request. We will verify your identity using the information you provided and will respond to your request within 30 days. If additional verification or time is needed, we will let you know.