JOINT CONTROLLERSHIP PRIVACY STATEMENT: FACEBOOK PIXEL
This privacy statement applies only to the situations where Compensate Operations Oy (hereinafter referred to as “Compensate” or “we”) and Facebook Ireland Ltd (hereinafter referred to as "Facebook") act as joint controllers when you visit our website (compensate.com, hereinafter referred to as “Compensate website” ) or the Shopify landing page
This results from the fact that Compensate, by setting up certain Facebook Business Tools on Websites, allows Facebook to place cookies on the computer or any other device of you visit the Websites (hereinafter “you” or "Visitor"), regardless of whether you have a Facebook account or not.
Below you will find a description of how Compensate and Facebook handle your personal data when you visit the Websites.
1. Joint controllers
The primary controller is:
Facebook Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland
You can contact the data protection officer of the primary controller Facebook by clicking
The other controller is:
Compensate Operations Oy
Lönnrotinkatu 7 B,
I Processing of personal data by Facebook
Compensate uses Facebook Pixel on the Websites. Facebook Pixel is a part of the Facebook Business Tools. Accordingly, Compensate and Facebook have entered into an agreement called
Facebook is responsible for enabling your rights under Articles 15-20 of the GDPR with regard to the Personal Data stored by Facebook after the joint processing. Facebook is also responsible for granting you a right to object to the processing insofar as the joint processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (GDPR article 6(1) (f).
It is also responsible for the security of the Facebook Pixel (Art 32 GDPR) and for ensuring a notification of a personal data breach to the supervisory authority and for communicating the personal data breach to you (Arts 33 and 34 of GDPR), insofar as a personal data breaches concerns its obligations under the Controller Addendum.
You can amend your privacy settings on Facebook.
II Processing of personal data by Compensate
2. How we collect data
In relation to the joint controllership with data deriving from the use of the Facebook Pixel, we only process one type of data: analytics data. Although we do not normally use analytics data to identify you as an individual, you can sometimes be recognized from it, either alone or when combined or linked with other data. In such situations, analytics data can also be considered personal data under applicable laws and we will treat such data as personal data. In addition, analytics data is collected and transmitted to Facebook.
We may collect the following analytics data when you visit or interact with the Websites:
2.1. Analytics Data
The Facebook Pixel collects:
- The HTTP header information which include information about the web browser or app used (eg. user agent, locale country-level, language)
-Information regarding standard/optional events such as “Page view” or “App install”, further object properties, as well as buttons clicked by Visitors
- Online identifiers, such as IP addresses and, insofar as provided, Facebook-related identifiers or device identifiers (such as mobile OS advertising IDs) as well as information on opt-out/limited ad tracking status.
3. The purpose for collecting analytics data
We use the personal data we collect for i) customer communication, ii) marketing, iii) quality improvement and iv) trend analysis
In general, Facebook pixel can be used to track Visitor behaviour after they have been redirected to our website by clicking on a Facebook and / or Instagram ad. We also target FB/Instagram ads to people who have visited our product listing and create look-a-like audiences based on the information of who has been visiting our product listing. This allows us to record the effectiveness of online advertising on, for instance, Facebook and Instagram advertisements for statistical and market research purposes and, if necessary, create a look-a-like audience from users on our website where Facebook finds people who have attributes similar to our users.
4. Legal grounds for the processing
On the Websites, you will be requested to grant your consent for the processing of personal data. In this event, you may withdraw your consent at any time.
Sometimes Compensate processes personal data to pursue our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g. provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.
We may also process your personal data in order to comply with our legal obligations.
5. How we may share your personal data
We only share your personal data within our organization if and as far as reasonably necessary for the purposes of this Privacy Statement.
We do not share your personal data with third parties outside of our organization unless one of the following circumstances applies:
For the purposes set out in this Privacy Statement and to authorized service providers. We may regularly send your personal data to Facebook.
5.1 Data transfers to Facebook
We may use the Facebook Pixel to send Facebook the following types of personal information.
- ”Event Data” is other information Compensate shares about you and other people when they interact with the Websites, such as visits to the Website, installations of our apps, and purchases of our other products. There are several reasons we may provide Facebook with the Event Data.
Event Data for Measurement and Analytics Services
We may instruct Facebook to process Event Data (a) to prepare reports on our behalf on the impact of our advertising campaigns and other online content (“Campaign Reports”) and (b) to generate analytics and insights about people and their use of our apps, websites, products and services (“Analytics”).
We may provide Facebook with Event Data to target our ad campaigns to people who interact with our business. We may direct Facebook to create custom audiences, which are groups of Facebook users based on Event Data, to target ad campaigns (including Website Custom Audiences, Mobile App Custom Audiences, and Offline Custom Audiences). Facebook will process Event Data to create such audiences for Compensate. Facebook will not provide such audiences to other advertisers unless Compensate shares audiences with other advertisers through tools we make available for that purpose, subject to the restrictions and requirements of those tools and our terms.
Event Data To Deliver Commercial and Transactional Messages
Facebook may use the Matched User IDs and associated Event Data to help Compensate reach people with transactional and other commercial messages on Messenger and other
Event Data to Improve Ad Delivery, Personalize Features and Content and to Improve and Secure the Facebook Products
Compensate may provide Event Data to Facebook to improve ad targeting and delivery optimization of our ad campaigns. Facebook may correlate that Event Data to people who use Facebook Company Products to support the objectives of your ad campaign, improve the effectiveness of ad delivery models, and determine the relevance of ads to people. Facebook may use Event Data to personalize the features and content (including ads and recommendations) that we show people on and off the Facebook Company Products. In connection with ad targeting and delivery optimization, Facebook will: (i) use your Event Data for delivery optimization only after aggregating such Event Data with other data collected from other advertisers or otherwise collected on Facebook Products; and (ii) not allow other advertisers or third parties to target advertising solely on the basis of the Event Data.
5.2 Other transfers
Furthermore, we may provide your personal data to our affiliates or to authorized service providers who perform services for us (including, for instance, data storage, accounting, payment, sales, and marketing service providers).
When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual and organizational measures to ensure that your data is processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures.
Please bear in mind that if you provide personal data directly to a third party, such as through a link somewhere on our website, the processing is typically based on their policies and standards.
For legal reasons and legal processes
We may share your personal data with third parties outside our organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (i) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, crime, security or technical issues; and/or (iii) protect the interests, properties or safety of Compensate, the Users or the public as far as in accordance with the law. When possible, we will inform you about such processing.
For other legitimate reasons
If Compensate is involved in a merger, acquisition or asset sale, we may transfer your personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all the Users concerned when the personal data are transferred or become subject to a different privacy statement. In addition, Compensate and Foundation may transfer all the personal data defined in this Privacy Statement to each other, if there is a legitimate reason to do so.
With your explicit consent
We may share your personal data with third parties outside Compensate when we have your explicit consent to do so. You have the right to withdraw this consent at all times.
6 Transfers to countries outside the European Economic Area (EEA)
We use service providers in several geographical locations. As such, we and our service providers may transfer your personal data to, or access it in, jurisdictions outside the EEA or your domicile.
We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the Standard Contractual Clauses or through other appropriate safeguards.
More information regarding the transfers of personal data may be obtained by contacting us on any of the addresses indicated above.
7.How long we will store your data
The tracking of users who have landed on our website after clicking on one of our Facebook and Instagram ads can remain active up to 180 days.
8. Your rights
Under the GDPR, you have the right to
In relation to the data Compensate processes, here are your rights:
Right to access
You have the right to access and be informed about your personal data processed by us. We give registered Users the possibility to view certain User Data through their user account on the Services. We give all of you the possibility to request a copy of their personal data.
Right to withdraw consent
In case the processing is based on the consent granted by you, you may withdraw the consent at any time. Withdrawing consent may lead to fewer possibilities to use the Services. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to rectify
You have the right to have incorrect or incomplete personal data we have stored about you corrected or completed by contacting us. Registered Users can correct or update some of their User Data through their user account on the Services.
Right to erasure
You may also ask us to delete your personal data from our systems. We will comply with such a request unless we have a legitimate ground to not delete the data.
Right to object
You may have the right to object to certain use of your data if such data are processed for other purposes than necessary for the provision of the Services or compliance with a legal obligation. If you object to the further processing of your personal data, this may lead to fewer possibilities to use the Services.
Right to restriction of processing
You may request us to restrict the processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may, however, lead to fewer possibilities to use the Services.
Right to data portability
You have the right to receive the personal data you have provided to us yourself in a structured and commonly used format and to independently transmit those data to a third party.
How to use your rights
The aforementioned rights may be used by sending a letter or an e-mail to us on the addresses set out above, including the following information: full name, address, and e-mail address We may request the provision of additional information necessary to confirm your identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection. In Finland, the local supervisory authority is the Data Protection Ombudsman (
7. Direct Marketing
You have the right to prohibit us from using your personal data for direct marketing purposes, market research and profiling made for direct marketing purposes by contacting us on the addresses indicated above or by using the unsubscribe possibility offered in connection with any direct marketing messages.
8. Information security
We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures include for example, where appropriate, encryption, pseudonymization, firewalls, secure facilities, and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability to restore the data. We regularly test our systems, and other assets for security vulnerabilities.
Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as possible.
More information on how we process your data please visit our