Notice to European Users
Last Updated: May 16, 2026
This Notice to European Users supplements, and should be read together with, our Privacy Policy. It applies to individuals located in the European Economic Area, United Kingdom, or Switzerland.
Controller
The controller of your personal data is the Digimarc entity that determines the purposes and means of the relevant processing. Depending on the context, this may be the Digimarc entity that provides or operates the relevant Services, the Digimarc entity that enters into a contract with you or the relevant business customer, the Digimarc entity that employs personnel who provide support or other services, or another Digimarc entity identified in an applicable agreement, notice, or communication.
The following table identifies the controller for common processing contexts:
| Processing context | Controller |
| Websites and general online interactions | Digimarc LLC |
| Mobile applications offered directly to individuals | Digimarc LLC, EVRYTHNG Ltd. |
| Contracting, billing, and business-customer relationship management | Digimarc LLC, EVRYTHNG Ltd. |
| Marketing communications and events | Digimarc LLC |
| Customer support and service communications | Digimarc LLC, Digimarc GmbH, EVRYTHNG Ltd. |
| Services provided to a business customer where the Digimarc entity processes personal data under that customer’s instructions | The relevant business customer is generally the controller, and Digimarc LLC or EVRYTHNG Ltd. is generally the processor. Digimarc LLC or EVRYTHNG Ltd. may be an independent controller for any separate processing for which that Digimarc entity determines the purposes and means, such as account administration, billing, security, legal compliance, or permitted business operations. |
You may contact us at privacy [at] digimarc [dot] com with questions about the applicable controller or our processing of your personal data.
Where required, our representative in the European Economic Area is:
Digimarc GmbH
Im Mediapark 8
50670 Köln
Germany
privacy [at] digimarc [dot] com
Where required, our representative in the United Kingdom is:
EVRYTHNG Ltd.
c/o RWK Goodman
69 Carter Lane
London EC4V 5EQ
United Kingdom
privacy [at] evrythng [dot] com
Business-customer processing
Where we process personal data on behalf of a business customer, we generally act as processor, and the business customer generally acts as controller. In that case, privacy requests concerning customer-controlled personal data should be directed to the relevant business customer.
Where we receive a request that relates to personal data we process solely on behalf of a business customer, we may refer the request to that business customer or assist the business customer in responding, as required by applicable law and our agreement with that business customer. Where we independently determine the purposes and means of processing, we will respond to requests as controller in accordance with applicable law.
Legal bases for processing
Depending on the context, we may process your personal data based on one or more of the following legal bases:
Consent
We process your personal data where you have provided consent, consistent with the scope of that consent. Where our processing is based on consent, you may withdraw your consent at any time.
Where required by applicable law, we obtain consent before using non-essential cookies or similar technologies, including advertising, retargeting, social media, video, lead-generation, or similar technologies. You may withdraw or adjust your consent through the Cookie Settings tool linked in the footer of this website.
Contract
We process your personal data where necessary to enter or perform a contract with you or to take steps at your request before entering a contract.
Legitimate interests
We process your personal data where necessary for our legitimate interests, including to provide, operate, maintain, analyze, and improve the Services; support mobile application functionality; provide verification, analytics, and anti-counterfeit monitoring; communicate with you; conduct marketing; manage our business relationships; support AI-enabled features; protect our rights and interests; and operate our business, except where those interests are overridden by your interests or fundamental rights and freedoms.
Legal obligations
We process your personal data where necessary to comply with legal obligations, lawful requests, and legal process.
Examples of processing purposes and legal bases
Depending on the context, we generally rely on the following legal bases for the processing purposes described below:
| Processing purpose | Legal basis |
| Providing, operating, maintaining, and supporting the Services | Contract, where processing is necessary to provide Services requested by or contracted for by you; legitimate interests for related service administration and operations |
| Creating and managing accounts and user access | Contract, where necessary to provide account-based Services; legitimate interests for account administration, security, and access management |
| Providing mobile application functionality | Contract, where necessary to provide requested app features; legitimate interests for app administration, diagnostics, and improvement; consent where required |
| Processing precise geolocation | Consent where required; contract where precise location is necessary to provide a feature you request; legitimate interests only where permitted and not overridden by your rights and freedoms |
| Providing authenticity verification, analytics, and anti-counterfeit monitoring | Contract, where necessary to provide requested verification functionality; legitimate interests for analytics, anti-counterfeit monitoring, service improvement, and business operations; legal obligations where applicable |
| Responding to support requests and communications | Contract, where related to Services requested by or contracted for by you; legitimate interests for support administration and customer service |
| Sending service-related communications | Contract, legitimate interests, or legal obligations, depending on the nature of the communication |
| Sending marketing communications | Consent where required; legitimate interests where permitted, including for business-to-business marketing to existing or prospective business contacts |
| Essential cookies and similar technologies | Legitimate interests, or contract where necessary to provide requested Services or functionality |
| Non-essential analytics cookies and similar technologies | Consent where required; legitimate interests where permitted |
| Advertising, retargeting, social media, video, lead-generation, and similar cookies or technologies | Consent where required |
| Operating AI-enabled features | Contract, where necessary to provide an AI-enabled feature you request; consent where required; legitimate interests for security, troubleshooting, and service improvement where permitted |
| Security, fraud prevention, abuse prevention, and troubleshooting | Legitimate interests; legal obligations where applicable |
| Compliance with legal obligations and legal process | Legal obligations; legitimate interests where processing is necessary to respond to requests or protect legal interests not strictly required by law |
| Establishing, exercising, or defending legal claims | Legitimate interests; legal obligations where applicable |
| Corporate transactions and reorganizations | Legitimate interests; legal obligations where applicable |
Where we identify more than one legal basis for a processing purpose, the legal basis that applies depends on the Service, feature, jurisdiction, and context in which the personal data is processed. Where consent is required, we rely on consent. Where processing is necessary to provide a Service or feature requested by or contracted for by you, we may rely on contract. Where we rely on legitimate interests, we do so only where those interests are not overridden by your interests or fundamental rights and freedoms.
Where we rely on legitimate interests, those interests include providing, maintaining, securing, improving, and promoting the Services; managing our business relationships; preventing fraud, misuse, and security incidents; supporting analytics and product development; enforcing agreements; and protecting our rights and interests, except where those interests are overridden by your interests or fundamental rights and freedoms.
Where we rely on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
Personal data we receive from other sources
We may receive personal data about you from business customers, partners, resellers, distributors, event co-sponsors, data providers, service providers, third-party platforms, integrations, and other sources described in our Privacy Policy. Where required by applicable law, we provide information about that processing within the time required by law or rely on an applicable exception.
Where we process personal data
We may process your personal data in the United States and in other countries where we, our affiliates, service providers, or partners maintain facilities or otherwise process data.
We may transfer personal data from the European Economic Area, United Kingdom, and Switzerland to the United States and other countries that may not provide the same level of data protection as your home jurisdiction. Where required, we use appropriate safeguards for these transfers, such as adequacy decisions, the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum or other UK-approved transfer mechanism, or another transfer mechanism approved under applicable law.
Where required, we also assess whether supplementary measures are appropriate for the relevant transfer, taking into account the nature of the personal data, the transfer mechanism, the recipient, the destination country, and other relevant circumstances.
Some of our websites and mobile applications use third-party cookies, pixels, tags, and similar technologies for analytics, advertising, retargeting, measurement, social media, video, lead-generation, and marketing purposes. These technologies may involve disclosures of personal data to third-party providers, including providers located outside the European Economic Area, United Kingdom, or Switzerland. Where required, we use appropriate transfer mechanisms and obtain consent before using these technologies.
Retention
We retain personal data only for as long as reasonably necessary and proportionate for the purposes described in our Privacy Policy and this Notice to European Users, including to provide and operate the Services, maintain accounts, support mobile application functionality, provide verification and anti-counterfeit monitoring, troubleshoot and secure the Services, improve our products and services, comply with legal obligations, resolve disputes, enforce agreements, and maintain appropriate business records.
The specific retention period for personal data depends on the nature of the data, the context in which it was collected, the purposes for which it is processed, the sensitivity of the data, the risk of harm from unauthorized use or disclosure, applicable legal or contractual requirements, and our operational and recordkeeping needs.
When personal data is no longer reasonably necessary for the purposes described in our Privacy Policy and this Notice to European Users, we delete, anonymize, aggregate, or otherwise process it in accordance with applicable law and our retention practices.
Personal data rights
Depending on your location and subject to applicable conditions and exceptions, you may have one or more of the following rights with respect to your personal data:
- Right of access. You may request information about and access to personal data that we process about you.
- Right of rectification. You may request that we correct personal data that is inaccurate or incomplete.
- Right to withdraw consent. Where our processing is based on consent, you may withdraw consent to future processing.
- Right to object. You may object to our processing of your personal data in certain circumstances.
- Right of erasure. You may request that we delete your personal data.
- Right to restrict processing. You may request that we restrict our processing of your personal data.
- Right to data portability. You may request a copy of certain personal data in a structured, commonly used, machine-readable format where our automated processing is based on consent or contract.
- Right to lodge a complaint. You may have the right to lodge a complaint with a supervisory authority.
You may have the right to lodge a complaint with a supervisory authority in the country where you live or work, or where you believe a violation of applicable data protection law occurred. We encourage you to contact us first so that we can try to address your concern directly.
To exercise these rights, please contact us at privacy [at] digimarc [dot] com. We will respond to your request within the period required by applicable law. We may require that you verify your identity before responding to your request.
If your request concerns personal data that we process on behalf of a business customer, we may direct you to that business customer.
Automated decision-making
We do not use personal data to make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, unless otherwise disclosed at or before the time of collection.
If we introduce processing that involves solely automated decision-making with legal or similarly significant effects, we will provide any disclosure, choice, human review, or other rights required by applicable law.
Data Protection Officer
We have not appointed a data protection officer. You may contact us regarding data protection matters at privacy [at] digimarc [dot] com.
