Privacy & Data Compliance
How Primer Handles Privacy & Data Protection Compliance
Primer is designed to help you build and activate privacy-responsible audiences for your marketing and advertising campaigns. This article explains how we support key privacy regulations, how we process personal data on your behalf, and where you can find our legal documentation.
Is Primer GDPR/CPRA compliant?
Yes. Primer supports GDPR and CPRA compliance and provides a Data Processing Addendum (DPA) that defines “Applicable Data Protection Law(s)” to include GDPR, CCPA, and CPRA. Our DPA governs how Primer processes Customer Personal Data under those laws and forms part of our customer contracts.
Our role: processor vs. controller
When you use Primer to upload, sync, or otherwise provide us with your customer data, we generally act as a data processor/service provider on your behalf.
You remain the data controller/business for that data and decide what is collected, how it is used, and who it is shared with.
Our DPA describes the subject matter, duration, nature, and purposes of processing, as well as the categories of data subjects and personal data that we handle for you.
For details, see our DPA: link
Legal bases and individual rights
Our Privacy Policy includes a dedicated GDPR section that explains:
The legal bases we rely on when we process personal data, such as consent, contract performance, legal obligation, and legitimate interest.
The rights available to individuals under GDPR and other applicable laws, including:
Access to their data
Correction (rectification)
Deletion (erasure)
Restriction and objection to processing
Data portability
If you receive a data subject request that involves data processed by Primer, you can contact us and we will assist you in fulfilling that request in accordance with our DPA. Contact details: [email protected].
Data sources, consent, and permitted use
Primer works only with data partners who warrant that they have secured all necessary rights and consents required under applicable privacy laws. This ensures that any data provided to Primer can be used for its intended, permitted purpose (for example, to build and activate advertising audiences).
In practice, that means:
Our partners must have a valid legal basis for collecting and sharing data with Primer.
Data is only used in line with the purposes described in our agreements and privacy notices.
We contractually prohibit data partners from providing data that was collected or shared in violation of applicable laws.
More information on our data sources and how we use data is available in our Privacy Policy: link
Security and subprocessors
We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Examples include:
Access controls and authentication
Encryption in transit and at rest (where applicable)
Logging and monitoring of our production systems
Internal security, privacy, and data-handling policies
Where we rely on subprocessors (such as cloud infrastructure providers) to deliver the service, they are bound by written agreements that include data protection and confidentiality commitments. Our current list of subprocessors is available in our Trust Center: link
International data transfers
Depending on your location and how you use Primer, personal data may be processed or stored outside of the country where it was collected. Where required by law, we implement appropriate safeguards for international transfers, such as:
Standard Contractual Clauses (SCCs) or their successors, as approved by the European Commission
Other transfer mechanisms recognized under applicable data protection laws
The specific transfer mechanisms we use are described in our DPA and Privacy Policy.
If you have questions about how Primer can support your organization’s specific compliance needs, please reach out to us at [email protected] or contact your Primer representative.
Last updated