GDPR Compliance

1. Scope & Who This Applies To

This GDPR Compliance page applies to all individuals located in the European Union (EU) or European Economic Area (EEA) who interact with the Adverteks platform in any capacity:

Publishers — Website and app operators who monetize inventory through Adverteks SSP
Advertisers — Brands and agencies purchasing ad inventory through Adverteks DSP
End Users — Visitors to publisher websites where Adverteks serves ads

GDPR governs the processing of personal data of individuals in the EEA, regardless of where Adverteks (the data processor/controller) is located. If you are outside the EEA, our Privacy Policy still applies.

2. Data Controller & Data Protection Officer

For publishers and advertisers using the Adverteks platform, Adverteks acts as a data controller — we determine the purposes and means of processing your account and billing data.

For end-user data collected during ad serving on publisher sites, Adverteks acts as both a data controller (for fraud detection and platform security) and data processor (processing data on behalf of publishers for ad delivery).

Data Protection Officer (DPO): Adverteks has designated a Data Protection Officer responsible for overseeing GDPR compliance. Contact our DPO directly at dpo@adverteks.com for any data protection concerns. We respond to all DPO inquiries within 5 business days.

Contact Type	Email	Response Time
Data Protection Officer (DPO)	dpo@adverteks.com	5 business days
Subject Access Requests (SAR)	privacy@adverteks.com	30 days (extendable to 90)
General Privacy Inquiries	privacy@adverteks.com	10 business days
Legal & Compliance	legal@adverteks.com	10 business days

3. Data We Collect

3.1 Publisher & Advertiser Account Data

When you register and use the Adverteks platform, we collect:

Name, email address, and account credentials
Company name, billing address, and VAT/tax identification numbers
Payment information (processed through PCI-compliant payment processors)
Platform usage data — campaigns created, ad tags deployed, revenue earned
Communication history (support tickets, email correspondence)
IP address and device information used to access your account

3.2 End-User Data (Ad Serving)

When Adverteks serves ads on publisher websites, we collect limited technical data from end users for ad delivery, fraud prevention, and targeting:

IP address — truncated to /24 subnet for geo-targeting; not stored in full beyond fraud detection logs (30-day retention)
Device & browser fingerprint — user agent string, device type, screen resolution, browser version
Behavioral signals — page URL, referrer URL, time of visit (not linked to personal identity without consent)
Cookie identifiers — pseudonymous advertising IDs (where consent obtained via publisher's CMP)
Bid request metadata — passed to DSP buyers via OpenRTB 2.x protocol (see Section 6)

Minimization Principle: We apply data minimization throughout. End-user IP addresses are truncated before storage. Full IP addresses are only retained temporarily in security/fraud logs and deleted within 30 days. We do not build persistent individual user profiles without explicit consent.

4. Lawful Basis for Processing

GDPR requires a lawful basis for every data processing activity. The table below documents our processing activities and their legal basis under Article 6 GDPR:

Processing Activity	Data Subjects	Legal Basis	GDPR Article
Account creation and management	Publishers, Advertisers	Contract performance	Art. 6(1)(b)
Payment processing and invoicing	Publishers, Advertisers	Contract performance	Art. 6(1)(b)
Tax compliance and record keeping	Publishers, Advertisers	Legal obligation	Art. 6(1)(c)
Fraud detection and prevention	All	Legitimate interests	Art. 6(1)(f)
Platform security and abuse prevention	All	Legitimate interests	Art. 6(1)(f)
Contextual ad serving (no behavioral profiling)	End Users	Legitimate interests	Art. 6(1)(f)
Behavioral/interest-based ad targeting	End Users	Consent (via publisher CMP)	Art. 6(1)(a)
Analytics and performance reporting	Publishers, Advertisers	Legitimate interests	Art. 6(1)(f)
Customer support communications	Publishers, Advertisers	Contract performance / Legitimate interests	Art. 6(1)(b)/(f)
Marketing and product updates	Publishers, Advertisers	Consent (opt-in) or Legitimate interests (existing customers)	Art. 6(1)(a)/(f)

Where we rely on legitimate interests as a legal basis, we have conducted Legitimate Interests Assessments (LIAs) to ensure our interests do not override the rights and freedoms of data subjects. Documentation is available upon request from our DPO.

Adverteks uses cookies and similar tracking technologies for platform functionality, analytics, and (with consent) advertising. Our full cookie list is documented in the Cookie Policy.

5.1 Cookie Categories

Strictly Necessary Cookies — Required for platform operation (session management, authentication, security). No consent required. Cannot be disabled.
Functional Cookies — Remember your preferences (language, display settings). Enabled with consent.
Analytics Cookies — Aggregate usage statistics to improve platform performance. Enabled with consent.
Advertising Cookies — Pseudonymous identifiers used for behavioral ad targeting. Enabled with consent via publisher CMP only.

5.2 Publisher Consent Management

Publishers deploying Adverteks ad tags on EEA-facing websites must implement a compliant Consent Management Platform (CMP) using the IAB Europe Transparency and Consent Framework (TCF v2.2). Our ad serving infrastructure:

Reads the TC String passed by the publisher's CMP
Only passes behavioral targeting signals to DSP buyers when valid consent (Purpose 1–10) is present
Falls back to contextual-only targeting when consent is absent or rejected
Does not set third-party advertising cookies on end-user browsers without valid consent

5.3 Advertiser Tracking Pixels

Advertisers may implement conversion tracking via Adverteks pixel or postback URL. These tools only fire on advertiser-owned landing pages after ad click, and only where required user consent is present on the destination site.

Adverteks operates a Real-Time Bidding (RTB) exchange connecting publishers with DSP buyers. This is a core part of our business model with specific GDPR implications.

6.1 Data Shared in Bid Requests

When a publisher's ad slot is available for auction, Adverteks broadcasts a bid request to DSP partners containing:

Publisher site domain and ad slot dimensions
Truncated IP address (used for geo-inference only)
User agent string (device/browser type)
Contextual signals (page category, content type)
Consent string (TC String from publisher CMP)
Pseudonymous user ID (only where consent for Purpose 1 obtained)
Audience segments (only where consent for Purpose 3/4 obtained)

6.2 DSP Partner Obligations

All DSP partners accessing our exchange are contractually required to:

Process bid request data solely for the purpose of evaluating and responding to bids
Not use bid request data to build user profiles without valid consent
Comply with GDPR and applicable data protection law
Honor opt-out signals and consent withdrawals within 24 hours
Maintain Data Processing Agreements (DPAs) with Adverteks

6.3 Data Processing Agreements

Adverteks has executed GDPR-compliant Data Processing Agreements with all DSP partners and sub-processors. A list of our key sub-processors is available upon request to dpo@adverteks.com.

7. Data Retention Periods

We retain personal data only as long as necessary for the purpose it was collected, or as required by law. The table below summarizes our standard retention periods:

Data Type	Retention Period	Reason
Publisher/Advertiser account data	Duration of account + 7 years	Contract performance; tax/accounting obligations
Payment and billing records	7 years from transaction date	Legal obligation (tax law)
Full IP addresses (fraud logs)	30 days	Fraud detection; deleted automatically
Truncated IP addresses (geo-data)	90 days aggregated	Analytics and optimization
Ad impression/click logs	90 days (raw); 7 years (aggregated)	Reporting, fraud investigation, billing disputes
Cookie / advertising IDs	13 months from last activity	IAB TCF standard; user opt-out honored within 24h
Support communications	3 years from last interaction	Legitimate interests (service improvement)
Consent records (TC Strings)	5 years	Legal obligation (consent audit trail)
Closed account data	30 days post-closure (then deleted)	Dispute resolution window; then minimized

Automated deletion processes run nightly. Data flagged for deletion is removed within 30 days of the scheduled date. You may request earlier deletion under your Right to Erasure (see Section 8).

8. Your Rights Under GDPR

EU/EEA data subjects have the following rights under GDPR. These rights apply to your personal data held by Adverteks as data controller:

📋

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including processing purposes, retention periods, and recipients.

✏️

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data. Account data can be updated directly in your profile settings.

🗑️

Right to Erasure (Art. 17)

Request deletion of your data where we have no compelling reason to retain it. Also known as the "right to be forgotten."

⏸️

Right to Restriction (Art. 18)

Request that we restrict processing of your data in certain circumstances, such as while accuracy is contested.

📦

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON or CSV) to transfer to another service.

🚫

Right to Object (Art. 21)

Object to processing based on legitimate interests, including direct marketing. We stop processing immediately on valid objection.

🤖

Rights re: Automated Decisions (Art. 22)

Not be subject to solely automated decisions with significant legal effects. Request human review of automated decisions that affect you.

↩️

Right to Withdraw Consent (Art. 7)

Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.

Response Timelines: We respond to all rights requests within 30 days. For complex requests, we may extend this to 90 days and will notify you within the first 30 days if an extension is needed. We never charge a fee for standard requests.

9. How to Submit a Data Request (SAR)

Submitting a Subject Access Request or exercising any other GDPR right is straightforward. Follow these steps:

Email your request Send an email to privacy@adverteks.com with subject line "GDPR Data Request — [Your Request Type]" (e.g., "GDPR Data Request — Access", "GDPR Data Request — Erasure").
Include identification details Provide your full name, email address associated with your account, and a brief description of what data you want to access, correct, or delete. We may request additional identity verification to protect your data.
Identity verification To prevent unauthorized access, we verify your identity before processing the request. For account holders, we typically verify by sending a confirmation link to the registered email. For end-user requests, additional verification may apply.
Processing begins Once identity is confirmed, we begin processing your request. We will send an acknowledgment email within 3 business days confirming receipt and expected completion date.
Receive your response We deliver data exports in JSON or CSV format via secure email or download link. Erasure confirmations are sent in writing. All requests completed within 30 days (or 90 for complex cases with prior notice).

For end users who are not Adverteks account holders, we can process requests related to data collected through our ad serving infrastructure. Note that we may have limited ability to identify end-user data without a cookie ID or device identifier.

10. International Data Transfers

Adverteks processes data in the United States and may transfer personal data to recipients outside the EEA. We ensure all international transfers are protected by appropriate safeguards:

Standard Contractual Clauses (SCCs) — We use EU Commission-approved SCCs (2021 version) for transfers to countries without an adequacy decision, including the United States.
Adequacy Decisions — For transfers to countries with an EU adequacy decision, no additional safeguard is required.
Binding Corporate Rules (BCRs) — Where applicable for intragroup transfers.

Our infrastructure is hosted on Render.com (US-based) and uses Neon (US-based) for database hosting. Both processors have executed SCCs with Adverteks and maintain their own GDPR compliance programs. Transfer impact assessments are available from our DPO upon request.

11. Children's Data

Adverteks does not knowingly collect personal data from individuals under the age of 16 (or lower age where applicable national law provides). Our platform is a B2B advertising technology service not directed at children.

Publishers using Adverteks ad tags on content directed at children under 16 must:

Not use behavioral targeting segments on such inventory
Ensure their CMP does not solicit consent from minors
Notify Adverteks so we can apply child-safe ad filters to that inventory

If you believe a child has had their data collected through our platform, contact privacy@adverteks.com and we will delete it promptly.

12. Complaints & Supervisory Authority

If you are dissatisfied with how we have handled your personal data or responded to a rights request, you have the right to lodge a complaint with your local data protection supervisory authority.

EEA supervisory authorities include:

Ireland: Data Protection Commission (DPC) — dataprotection.ie
Germany: Federal Commissioner for Data Protection (BfDI) — bfdi.bund.de
France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
Other EEA countries: Find your authority at edpb.europa.eu

We always prefer to resolve complaints directly. Before filing a supervisory authority complaint, please contact our DPO at dpo@adverteks.com — we will work with you in good faith to find a resolution.

Contents