Skip to main content Advertising Goals Contact an expert Find a partner Display Performance Max Retail Search Video and CTV Deal curation Gaming solutions Monetization Ad preview Display data Keyword planner Search data Copilot Editor Import tools Audience targeting Automated bidding Conversion tracking AI Web Hub Case studies Insights Marketing with Purpose Webcasts Certifications Free consultation Insider newsletter Learning Lab Agency center Media kit Partner portal Agreements Policies Blog Support Sign up Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Marketplace Rewards Software development companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap

CUSTOMER MATCH TERMS OF USE

Customer Match enables you to target users on the Microsoft Advertising network who have previously interacted with you by providing their personal information (for example, email addresses and/or unique identifiers from your customer relationship management database (if applicable)) to Microsoft. The personal information you provide (“Company Upload Data”) and the data set that Microsoft creates when it matches Company Upload Data with Microsoft’s unique identifiers is “Match Data.” If you disclose Company Upload Data that includes information about individuals located outside of the United States to Microsoft, the “Data Processing Terms” in Exhibit 1 are made part of these Customer Match Terms of Use.

  • By clicking “I accept,” you agree to the following terms, and the Microsoft Advertising Agreement, including the Microsoft Advertising Policies. These terms supplement the Microsoft Advertising Agreement. To the extent that these terms conflict with the Microsoft Advertising Agreement, these terms will take precedence. Microsoft may update these terms from time to time.
  • Microsoft will use Company Upload Data and Match Data internally to verify or maintain the quality or safety of Customer Match, to improve, upgrade, or enhance Customer Match, and for other related uses subject to your approval. Without your approval, Microsoft will not retain, use, or disclose Company Upload Data and Match Data for any purpose other than for the specific purpose of providing Customer Match, including for a commercial purpose other than providing Customer Match.
  • Microsoft may modify, suspend, or terminate access to Customer Match at any time without prior notice required.
  • You represent and warrant that:
    • Your collection, use, and disclosure of the Company Upload Data and the Match Data is in compliance with all applicable laws and industry guidelines or codes.
    • You will not disclose or attempt to disclose to Microsoft information other than Company Upload Data in connection with the Customer Match service.
    • You have a lawful basis, if required, under applicable law; the necessary rights and permissions; and the authority, if you are disclosing Company Upload Data on behalf of an advertiser, to disclose the Company Upload Data to Microsoft and for Microsoft to use the Match Data to provide you with the Customer Match service and other related advertising services that you elect to utilize.
    • You have collected Company Upload Data directly from an individual (not through a third-party service). For example, you collected the email address of an individual who signed up to receive your newsletter or purchased an item from you.
    • You maintain a privacy notice that describes your collection, use, and disclosure of information you collect from individuals.
    • The Company Upload Data does not include the personal information of any individual who exercised an applicable legal right (or option, if you give individuals a broader ability to revoke consent or opt out than applicable law requires) to revoke consent or opt out of disclosure of their personal information to third parties. If an individual exercises their right or option to revoke consent or opt out after you have disclosed Company Upload Data containing that individual’s personal information to Microsoft, you will promptly remove that individual’s personal information from the Match Data created by Microsoft.
    • The Company Upload Data does not include the personal information of any individual who is under 18 years of age, and was not collected from any website, app, or other online service that is targeted to children under 18.
    • The Match Data is not derived from or used to identify any individual’s sensitive personal information or special categories of personal data, as defined in applicable laws and industry guidelines, codes, or in the Microsoft Advertising policies.
  • Microsoft represents and warrants that it:
    • Will comply with all applicable U.S. state privacy laws, including, but not limited to, the California Consumer Privacy Act (“U.S. State Privacy Laws”), including providing the same level of privacy protection required of “businesses” under the California Consumer Privacy Act for the applicable data processing activities.
    • Upon advance written notice, will take reasonable and appropriate steps to make available information to demonstrate our compliance with applicable provisions of the CCPA in accordance with these terms or as we otherwise determine and if you discover unauthorized use of Company Upload Data by us, we will take reasonable and appropriate steps to work with you to remediate such allegedly unauthorized use, if necessary.
    • Maintains technical, organizational, and physical safeguards to protect Match Data.
    • Will not combine Match Data with any other data set without your approval.
    • Will delete Company Upload Data after Microsoft uses it to create the Match Data.
    • Will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising individuals' rights laid down in applicable law, including individual rights of access, correction, and erasure.
    • Will notify you if it determines that can no longer meet its obligations under U.S. State Privacy Laws.

EXHIBIT 1 – DATA PROCESSING TERMS

If you disclose personal information of individuals located outside of the United States to Microsoft, these Data Processing Terms are made part of the Customer Match Terms of Use. These Data Processing Terms apply to the Processing of Company Upload Data and Match Data, within the scope of the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ("APPI"), and other equivalent laws and regulations in any relevant jurisdictions outside the United States relating to Personal Data and privacy, by Microsoft on your behalf.

For purposes of these Data Processing Terms, you and Microsoft agree that you are the Controller of Company Upload Data and Match Data and Microsoft is the Processor of such data. You and Microsoft are independent Controllers in respect to all other Processing of Personal Data and the party doing such Processing is solely responsible for compliance with applicable Data Privacy Laws. These Data Processing Terms do not limit or reduce any data protection commitments made by the parties elsewhere in the Customer Match Terms of Use, the Microsoft Advertising Agreement, or other agreements between you and Microsoft. To the extent that these terms conflict with the Customer Match Terms of Use, these terms will take precedence.

  1. Definitions

    Capitalized terms used but not defined have the meaning given in the Customer Match Terms of Use, including these Data Processing Terms.

    (a) Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.

    (b) Data Privacy Law(s)” means any and all applicable privacy laws, regulations, guidelines and industry standards, including but not limited to the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), ePrivacy Directive (Directive 2002/58/EC), Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ("APPI"), and all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Data and privacy.

    (c) Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

    (d) Personal Data” means Company Upload Data or Match Data relating to an identified or identifiable natural person and where it is applicable, an identifiable, existing juristic person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

    (e) Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

    (f) Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” will have corresponding meanings.

    (g) "Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

  2. Processing by Microsoft shall be governed by the Customer Match Terms of Use, including these Data Processing Terms and are binding on Microsoft in regard to you. The subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, the categories of Data Subjects and your obligations and rights are set forth in the Customer Match Terms of Use, including these Data Processing Terms. In particular, Microsoft shall:

    (a) Process the Personal Data only on your documented instructions, unless required to do so by a legal requirement to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Customer Match Terms of Use and your use and configuration of the Customer Match features constitute your documented instructions relative to such Processing;

    (b) ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

    (c) maintain appropriate technical, organizational, and physical safeguards to protect Personal Data;

    (d) assist you in ensuring compliance with the obligations to conduct data protection impact assessments and prior consultations with supervisory authorities as required by relevant Data Protection Laws, taking into account the nature of Processing and the information available to Microsoft;

    (e) delete all the Personal Data after termination of the provision of the Customer Match service or upon your request, and delete existing copies, unless otherwise required by law. For clarity, the foregoing may be accomplished by deidentifying or modifying Personal Data so that it no relates to an identifiable natural person.

    (f) if required by applicable Data Privacy Laws and upon request, provide periodic confirmation (at most once annually) regarding the status of Company Upload and Match Data and the measures taken by Microsoft to ensure the proper handling of Customer Upload and Match Data.

  3. If you disclose personal information of individuals located in the European Economic Area, Switzerland, or the United Kingdom to Microsoft, upon a minimum of 30 days prior written notice, Microsoft will make available to you information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted at your expense (including by reimbursing Microsoft for any time expended and expenses incurred as a result of such audit) by an independent auditor reasonably acceptable to Microsoft and under conditions of confidentiality during regular business hours, provided that you will not exercise this right more than once per calendar year. Such information may be in the form of third-party audit reports and certifications, to the extent that Microsoft has such current reports or certifications generally available to its customers. Before the commencement of any audit, you and Microsoft will agree upon the scope, purpose, timing, and duration of the audit. Microsoft reserves the right to prohibit access or disclosure of any data or information relating to other customers or partners of Microsoft, Microsoft’s internal accounting or financial information, trade secrets, or data or information that may compromise the security or integrity of Microsoft’s infrastructures, premises, or systems, or that may cause a breach by Microsoft of existing contractual obligations or obligations under applicable laws. Microsoft shall immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
  4. You agree that Microsoft may engage Processors in connection with the Customer Match service and you approve the Processors that currently support the Customer Match service. You grant Microsoft general authorization to engage Processors if Microsoft and those Processors enter into an agreement that requires the Processor to meet obligations that are no less protective than these Data Processing Terms. Where that other Processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other Processor's obligations. Microsoft may continue to use Processors to Process Personal Data where the Processors are already engaged by Microsoft and as previously identified to you. Microsoft may engage an additional or replace an existing Processor to Process Personal Data provided that it periodically notifies Company of the updated list of Processors engaged by Microsoft to Process Personal Data. Microsoft will consult with you on concerns you raise with any particular Processor, and the parties will mutually agree on an approach to address such concerns.
  5. Microsoft shall notify you without undue delay after becoming aware of a Personal Data Breach. Such notification will include that information a Processor must provide to a Controller to the extent such information is reasonably available to Microsoft.