Privacy & Data

Find answers to commonly raised privacy questions about partnership
set-up, editorial, legal, tech and other issues.

Who is Opinary’s responsible data protection officer?

For EU:

ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer
Große Bleichen 21
20354 Hamburg

Where can I read Opinary’s privacy policy?

Which data protection authority is responsible for Opinary?

Berliner Beauftragter für Datenschutz und Informationsfreiheit

(Berlin Commissioner for Data Protection and Freedom of Information)

Friedrichstr. 219
10969 Berlin

Which Service Domains does Opinary utilize?

Opinary currently operates two service domains:

What types of integration does Opinary support?

Opinary supports the following integration types:

  • JavaScript

  • API

What are your policies regarding cookies?

Interested in how we deal with cookies? Please read our Cookie Policy here.

Are cookies persistent?

Yes. Persistent cookies can remain on the user’s device for between 60 and 90 days; session cookies only last for one browser session.

The cookies stored allow us to summarize voting results in a statistically meaningful way and to optimize our service and the information presented in the interests of the user.

For more information on how we use cookies, please see our Cookie Policy.

What type of data will cookies collect or hold?

The cookies will collect and/or hold the following categories of data:

  • IP address

  • User-provided data

  • Users’ profiles

  • Device characteristics

  • Privacy choices

  • Device identifiers

  • Browsing and interaction data

For more information on how we use cookies, please see our Cookie Policy.

What personal data does Opinary collect?

The Opinary tool gathers the following user data:

  • Cookie IDs

  • IP address

According to which principles does Opinary (Affinity Global GmbH) process and store personal data?

  • “Privacy by design” and “Privacy by default” are ensured at Affinity Global GmbH (Opinary) through processes and procedures at the first design level. This means that before new features are implemented, their impact on the user is assessed against the seven principles of the “Privacy by design” concept and, in case of doubt, the DPO is consulted. In addition, no new feature may conflict with the technical and organisational measures in place, nor may it have a negative impact on them. Responsible for compliance are the CTO/CIO, the development team and, in the case of far-reaching decisions, the management.

  • Only user data that is operationally necessary for the execution of the Affinity Global GmbH service is collected and stored. This service includes the analysis and measurement of user click behavior to ensure the improvement and relevance of our offer, as well as the need to ensure the accuracy of aggregates and projections of our user surveys.

What exactly does the data processing look like from a technical point of view?

When a poll is accessed for the first time, the following steps occur:

  • (In EU only) We verify compliance with the TCF v2.0 standard to ensure adequate consent.

  • A unique cookie ID is generated and stored in the LocalStorage.

This randomly generated cookie ID remains valid exclusively for this specific user on this specific publisher.

Domain: Home
Key: u
Example: v1-5fda11ab-8e5df56211766e20

During the voting process, the following steps are taken:

  • The vote of the user is stored in the LocalStorage.

This action is essential for presenting the user with their previous voting choice when they revisit the poll, enabling them to modify their selection if needed.

From a technical perspective, the process appears as follows:
Domain: Home
Key: /compasses/[CLIENT]/[POLLID]-_opinary_vote
Example: {"x":0.43,"y":-0.30,"slice":7,"customer":"[CLIENT]"}

  • Additionally, we transmit the vote to our servers.

This step is essential for the accurate counting of votes and the presentation of aggregated statistics.

Furthermore, the user ID mentioned earlier is also transmitted. As is customary with every HTTP request, the IP address is included.

Both pieces of information are indispensable for maintaining the accuracy of our polls’ aggregations and projections.
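For a publisher who wants to verify what the steps above leave in the browser, the following added example (not Opinary's code) classifies an exported LocalStorage dump using the key layouts shown on this page. The ID pattern is an assumption inferred from the single example ID above, and the client and poll names in the sample are made up.

```python
import json
import re

# Assumption: ID shape inferred from the single example ID on this page.
ID_RE = re.compile(r"^v1-[0-9a-f]{8}-[0-9a-f]{16}$")
# Key layout from the page: /compasses/[CLIENT]/[POLLID]-_opinary_vote
VOTE_KEY_RE = re.compile(
    r"^/compasses/(?P<client>[^/]+)/(?P<poll>.+)-_opinary_vote$")


def audit_storage(entries: dict) -> list:
    """Classify LocalStorage entries as identifier, vote, or malformed vote."""
    findings = []
    for key, value in entries.items():
        # The key "u" is too generic to match on its own,
        # so the shape of the value is checked as well.
        if key == "u" and ID_RE.match(value):
            findings.append({"key": key, "kind": "pseudonymous-id"})
            continue
        m = VOTE_KEY_RE.match(key)
        if not m:
            continue  # unrelated entry, not reported
        try:
            vote = json.loads(value)
            coords = (float(vote["x"]), float(vote["y"]))
        except (ValueError, KeyError, TypeError):
            findings.append({"key": key, "kind": "vote-malformed"})
            continue
        findings.append({"key": key, "kind": "vote", "client": m["client"],
                         "poll": m["poll"], "coords": coords})
    return findings


# Constructed sample dump; "acme" and "favourite-season" are made-up names.
SAMPLE = {
    "u": "v1-5fda11ab-8e5df56211766e20",
    "/compasses/acme/favourite-season-_opinary_vote":
        '{"x":0.43,"y":-0.30,"slice":7,"customer":"acme"}',
    "theme": "dark",
}
```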

How long does Opinary store personal data?

The typical duration for retaining personal data spans 90 days, with automated processes in place to ensure automatic deletion and minimize the retention of unused data.

What security measures does Opinary take to protect personal data?

Opinary ensures the protection of personal data with technical and organizational measures (TOM). These include access control, separation control and pseudonymization.

In addition, technical measures are implemented to render information unrecognizable: IP addresses are shortened (for IPv4 addresses, the last character block is removed; for IPv6 addresses, the last 3 blocks are removed) and user agents are reduced so that only browser and OS versions remain. Cookie IDs are pseudonymized by distinguishing between internal and external IDs, which are only connected by an internal random mapping. Upon deletion and blocking, the internal mapping is deleted, making the connection between IDs unrecognizable and unreproducible.
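The IP shortening and ID mapping described above can be sketched as follows. This is an added example, not Opinary's implementation; the function and class names are hypothetical, and treating IPv4-mapped IPv6 addresses as IPv4 is an assumption.

```python
import ipaddress
import secrets


def shorten_ip(addr: str) -> str:
    """Remove the last block of an IPv4 address, or the last 3 of an IPv6 one."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on invalid input
    # Assumption: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is treated as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return ".".join(str(ip).split(".")[:3])
    # Expand "::" first: cutting the compressed text form drops the wrong blocks.
    blocks = ip.exploded.split(":")  # always 8 blocks of 4 hex digits
    return ":".join(blocks[:5])      # the first 80 bits remain


class IdMapping:
    """External cookie ID -> random internal ID, linked only by this table."""

    def __init__(self):
        self._table = {}

    def internal_id(self, external_id: str) -> str:
        # The internal ID is random, not derived from the external one,
        # so it cannot be recomputed once the table entry is gone.
        if external_id not in self._table:
            self._table[external_id] = secrets.token_hex(16)
        return self._table[external_id]

    def forget(self, external_id: str) -> bool:
        """Delete the mapping entry; returns True if an entry existed."""
        return self._table.pop(external_id, None) is not None


def demo():
    """Show that the link is stable until deletion and gone afterwards."""
    mapping = IdMapping()
    ext = "v1-5fda11ab-8e5df56211766e20"  # example ID from this page
    before = mapping.internal_id(ext)
    stable = mapping.internal_id(ext) == before
    mapping.forget(ext)
    after = mapping.internal_id(ext)  # a fresh, unrelated internal ID
    return stable, before != after
```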

Are there certificates that prove Opinary's GDPR compliance?

Opinary holds the ePrivacyseal* data protection seal of approval, which is awarded by ePrivacy GmbH following an in-depth technical and legal audit of a company’s online and mobile offerings. The certification covers the requirements of the Datenschutz-Grundverordnung (DSGVO/GDPR) for digital products.

*It is not an accredited certification procedure in the sense of Art. 42 DSGVO, but a recognized data protection law firm. More at eprivacy.eu.

ePrivacy GmbH is not (yet) an approved certification body within the meaning of Article 42 (5) of the GDPR, as official approval as a certification body is currently not possible (the relevant procedures on the part of the authorities are not available).

(More information here.)

Which sub-service providers does Opinary work with?

Currently, we utilize Google Cloud Platform and Xandr Inc. as our sub-service providers.

All personal data passing through Google Cloud Platform is processed via servers in the EU (Frankfurt). 

(A detailed overview can be found here.)

Have standard contractual clauses (SCC) already been concluded between you and your sub-processors in third countries?

Yes, EU Model Contract Clauses are routinely established with all subcontractors. You can read more about this on Google here.

Personal data routed through Google is processed within the EU.

Xandr Inc. may handle data outside the EU, but does so in accordance with GDPR regulations.

Are there any guidelines for advertising materials?

Yes. Opinary’s data at rest is encrypted by default.

Our cloud provider handles encryption at the infrastructure level, while data encryption at the storage level is implemented using AES256.

The encryption keys are managed by Google Cloud Platform and only Opinary has access to them.

What are “Vote Coordinates”?

Vote coordinates describe the position of a vote on a poll.

Here are example values:


Vote coordinates are part of our vote cookie ([poll-url]-_opinary_vote). However, they do not describe personal data.

Does Opinary share tracking insights with other (third) parties?

No, Opinary does not share tracking insights with third parties.

Does Opinary have a security incident response team available 24/7?


Does Opinary provide employees with security awareness training?

Yes, all employees are trained to be aware of possible security issues.

Does Opinary have an SDLC policy? Is SAST/DAST testing performed?

Opinary has an SDLC policy and we perform SAST testing.

DAST testing is not performed by us.

Does Opinary require third-party vendors to sign an NDA?

Our third-party vendors do not have access to crucial data. Due to this, they are not required to sign an NDA.

Examples of third-party vendors are Xandr and Google Cloud.

Are security assessments performed on all vendors used?

Yes. We assess all our vendors thoroughly.

If the vendor has network access to your organization, does Opinary monitor the vendor's activity?

Vendors do not have any network access to our organization.

Do polls track the users' activity once they have answered a question?

Yes. We use cookies to track activity within polls.

For more information on how we use cookies, please see our Cookie Policy.

How frequently is SAST testing done?

SAST testing is conducted whenever code is checked in or during a code release. This process is integrated with our CI/CD environment.

Where are Opinary’s databases containing publisher data located?

All events (votes, impressions, etc.) are processed and stored in the EU (via Google Cloud).

Non-personalized data (settings, poll questions, images, etc.) are available globally to speed up response times.

After initial processing, is data transferred somewhere else? (E.g., are you keeping the data for purposes other than providing us reporting?)

No. All data remains with Opinary.

How much of the following data do you receive when people participate in polls: Advertisement Interaction Data; IP Address; Unique Identifiers & Cookies; Usage Data.

Technology Usage Information

  • Advertisement Interaction Data: Advertising is disabled for NBCU, so click data is not collected.

  • IP Address for Geolocation: We process the IP address for technical reasons, but anonymize it before storing.

  • Unique identifiers and cookies (E.g., MAID): Unique identifiers and cookies:

  • Usage data (e.g. Browsing or Search history, clickstream, browsing time, gameplay): We solely retain users’ votes. Usage data beyond our polls is not gathered by our platform.

Do you process user account information for distributing your product?

We do not process user account information for distributing our product. This includes:

  • Account credentials (username, password, security questions)

  • Marketing preferences

  • Membership information

  • Unique customer/user ID

  • Unique device identifiers

Are you combining data you receive from individuals participating in polls with data from other places?

No. We do not combine data retrieved from polls with any other data.