Designed to protect privacy

Our identity infrastructure offers the first privacy-by-design approach to connecting, analysing and activating customer data for the purposes of optimising marketing campaigns.

Permission Controls

Privacy has been ingrained at every step of our technology. By adopting this approach brands, publishers and their media partners can ensure privacy-safe handling of data.

Didn’t find the information you were looking for? Get in contact with InfoSum’s Data Protection Officer at



Data processor vs data controller

InfoSum becomes a processor of your data; however, because data is only processed in accordance with your instructions, InfoSum never becomes a data controller. Our data processing addendum can be reviewed here.


All data uploaded to a Bunker goes through a normalisation process. This process standardises the data, and personal data goes through a hashing process that renders it pseudonymised while still enabling it to be used as a unique identifier.


This approach supports Principle B of GDPR, Storage Limitation as the identity of individuals is not stored any longer than required.

More details on normalization


Every time a new dataset is uploaded, a new private virtual server is created, known as a Bunker. Only the creator, not even InfoSum, can access this Bunker. You are able to grant permission for other users to query a Bunker, but they will only ever receive aggregate statistical analysis, never the underlying data.

More details on Bunkers


Federated connectivity

By adopting a federated database infrastructure, each Bunker remains decentralised and is able to reside on its own isolated server, while Bunkers can still be connected (where permissions have been granted by both parties) and analysed as one, without requiring data centralisation.


This approach supports Principle C of GDPR, data minimisation, by reducing the amount of information gathered in a single location.

Data deletion

The Bunker owner is able to delete data at any time. When a Bunker is closed, the virtual machine it is running on is terminated, instantly deleting any data contained in it.



Raw data

Only the creator of a Bunker has access to the raw data during the upload process. Following the normalisation of the data, only statistical data is available.


Only the user who created the Bunker is able to access and manage their Bunker. InfoSum does not have access to individual Bunkers, and outgoing permissions only enable aggregate statistical analysis.


The ability for another individual to run analysis against a Bunker is controlled by the owner of the Bunker through permissions. Permissions do not grant access to your Bunker; they simply allow another party to run analysis against your data.

Different levels of permissions can be granted to determine both the level of analysis possible and whether the data can be analysed in combination with other datasets. Permissions can be revoked at any time, at which point the federated nature of the analysis means no transfer of data will have occurred.

More details on our Permissions


Federated analytics

To ensure no data is moved outside of a Bunker during analysis, InfoSum adopts a federated analytics approach: rather than moving data between two (or more) Bunkers, the query moves between each, using Bloom filter technology.


This approach supports Principle F of GDPR - Integrity & Confidentiality, as no raw personal data is passed between the different parties, minimizing the scope for data misuse or breaches.

Mathematical representation

Mathematical representations are generated during the querying process. Once a query has been written and executed by a user, the Platform sends this query to the first dataset referenced in the query (usually the dataset with the smallest number of rows).

The Platform then takes all the IDs within the Bunker that match the query criteria, hashes them and converts them into a mathematical representation. This mathematical representation then moves from Bunker to Bunker and, through Bloom filters, tests whether the IDs in the mathematical representation are also present in the other Bunker(s).

Bloom filters

InfoSum employ Bloom filters to conduct rapid and privacy-preserving querying across any number of Bunkers. A Bloom filter moves between Bunkers and determines whether an individual might be present, or is definitely not.
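The query flow described under "Mathematical representation" and "Bloom filters", sketched as an added example (not InfoSum's code): one dataset hashes its matching IDs into a Bloom filter, and a second dataset tests its own hashed IDs against that filter and returns only a count. The normalisation rules, filter sizing, function names and sample IDs are assumptions.

```python
import hashlib
import math

def normalise(identifier: str) -> bytes:
    # Assumed normalisation: trim, lower-case, SHA-256 (the page does not give the rules).
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).digest()

class BloomFilter:
    def __init__(self, expected_items: int, fp_rate: float = 0.001):
        n = max(1, expected_items)
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hash functions.
        self.m = math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, hashed_id: bytes):
        # Double hashing: k positions from two 64-bit halves of one digest.
        d = hashlib.sha256(b"bloom:" + hashed_id).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, hashed_id: bytes) -> None:
        for p in self._positions(hashed_id):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, hashed_id: bytes) -> bool:
        # False means "definitely not present"; True means "might be present".
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(hashed_id))

def build_representation(matching_ids) -> BloomFilter:
    """Runs inside the first dataset: only the filter leaves, never the IDs."""
    hashed = {normalise(i) for i in matching_ids}
    bf = BloomFilter(len(hashed))
    for h in hashed:
        bf.add(h)
    return bf

def count_possible_matches(bf: BloomFilter, local_ids) -> int:
    """Runs inside the second dataset: returns an aggregate count only."""
    return sum(bf.might_contain(h) for h in {normalise(i) for i in local_ids})

# Constructed sample data for two datasets held by different parties.
BUNKER_A = ["alice@example.com", "bob@example.com", "carol@example.com"]
BUNKER_B = [" Alice@Example.com", "bob@example.com", "dave@example.com", "erin@example.com"]

if __name__ == "__main__":
    print(count_possible_matches(build_representation(BUNKER_A), BUNKER_B))
```

Because a Bloom filter has false positives but no false negatives, the returned count is an upper bound on the true overlap.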

Differential Privacy

Differential privacy concepts are present throughout the platform to ensure that any query cannot be reverse-engineered. These include:

Rounding: All results output from InfoSum’s platform are rounded. This means the introduction of a single individual to a dataset will not cause the results to change (unless the rounding threshold is crossed).

Noise: A small inaccuracy is inserted into the results. The same query will always have the same “noise” but if the query or underlying data is altered, the “noise” will alter, making attacks harder and quantization more effective.

Redaction thresholds: The owner of the Bunker has the ability to define a redaction threshold.
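The three output controls listed above, combined in one function as an added example (not InfoSum's code). The order of operations, the HMAC-derived noise, the key, and the values for rounding step, noise range and threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac

def protect_count(true_count, query, data_version, key,
                  round_to=100, max_noise=5, redaction_threshold=100):
    """Return a releasable count, or None when the result is redacted."""
    # Redaction threshold: small groups are withheld entirely.
    if true_count < redaction_threshold:
        return None
    # Deterministic noise: keyed on the query text and a fingerprint of the data,
    # so repeating a query gives the same offset and averaging gains nothing.
    mac = hmac.new(key, query.encode("utf-8") + b"\x00" + data_version,
                   hashlib.sha256).digest()
    noise = int.from_bytes(mac[:4], "big") % (2 * max_noise + 1) - max_noise
    noisy = max(0, true_count + noise)
    # Rounding to the nearest multiple of round_to (half rounds up).
    return (noisy + round_to // 2) // round_to * round_to

# Constructed values: key, data fingerprint and query text are placeholders.
KEY = b"constructed-demo-key"
DATA_V1 = hashlib.sha256(b"constructed dataset snapshot 1").digest()
QUERY = "count where segment = 'lapsed'"

if __name__ == "__main__":
    # Adding one individual (1234 -> 1235) leaves the released figure unchanged.
    print(protect_count(1234, QUERY, DATA_V1, KEY))
    print(protect_count(1235, QUERY, DATA_V1, KEY))
    print(protect_count(42, QUERY, DATA_V1, KEY))
```

A true count close to a rounding boundary (for example 1249 with these settings) can land on either side of it depending on the noise, which is the "rounding threshold is crossed" case the list mentions.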



Activation Bunkers

As the name implies, Activation Bunkers are specifically designed for activation. Like all Bunkers, Activation Bunkers are secure and private, and your original imported data is accessible only to the Bunker creator. However, unlike Insight Bunkers, specific types of data can be flagged for use in activation.

No context

When requesting activation on an audience segment, the chosen activation platform only receives their own IDs, flagged to serve an ad. Without context, it is unclear if these are customers, lapsed customers or targets. This minimises the level of knowledge transfer.

Q Is InfoSum GDPR compliant?

Yes, but GDPR-compliant technology should only be considered a starting point. It is up to the individual users of the technology to ensure that their use of it is compliant with the principles of GDPR. Our technology ensures that when running analysis across another party’s data, you never take on the role of the data processor. This means you are only responsible for the compliant handling of your data.

Q Do you hash personal data?

Under GDPR, hashing of personal data is usually pseudonymisation, not anonymisation. Therefore, hashed data must still be handled as personal data under GDPR. Our platform hashes all fields containing personal data and keeps them under the control of the data owner. Joining is done by applying a non-reversible mathematical model to the hashes to ensure no personal information is ever exposed.

Q How do you prevent re-identification?

When two or more data points are combined, they can become personal data. For example, an individual’s browsing habits could reveal their identity, sexuality and ethnic origin. We employ various differential privacy concepts, including data rounding, noise addition, redaction thresholds and rate limits to ensure that individuals cannot be re-identified through combinations of data.

Q How do you process the right to erasure?

GDPR requires that individuals be able to request that all instances of their personal data be deleted. If you have shared raw data internally or externally, this becomes increasingly difficult. Where an individual’s data is held in a bunker, permission to analyse can either be rescinded or the data within the bunker can be updated to remove the individual. Find out more about the right to erasure here.

Q Can I flag customers for remarketing?

Typical audience selection platforms utilise hashing techniques, which do not result in anonymised data. The data must therefore still be handled as personal data under GDPR. Our unique execution bunkers are able to match and “tag” identities for re-marketing purposes, without sharing the source data with the third party.

Q Can I share data with another organisation?

Any time you pass raw data to another party, even a strategic partner, they become a legal Controller of your data. Once the data has been passed, you no longer have physical control over any onward sharing, which can have adverse ramifications if that data is then sold onwards or misused. We never share raw data. Permissions are granted to run statistical analysis only or for tagging. These permissions can be rescinded at any time, without having passed any raw data or sacrificing your control or ownership.

Q Can I use third-party data?

Organisations looking to buy or rent data must be diligent in ensuring data is “lawfully and fairly obtained” and that individuals understood their data would be shared with other parties. We enable organisations to collaborate with partners without sharing raw data. This means they can gain the insights from the combined analysis without becoming the controller of the third-party data.