Privacy-First By Design
Comprehensive compliance with global privacy regulations including GDPR, CCPA, and emerging frameworks. We believe effective advertising and user privacy are not mutually exclusive.
Regulatory Compliance
GDPR
CompliantEuropean Union
Full compliance with the General Data Protection Regulation including lawful basis, consent management, and data subject rights.
CCPA/CPRA
CompliantCalifornia, USA
Compliance with California Consumer Privacy Act and Privacy Rights Act including opt-out mechanisms and data disclosure.
LGPD
CompliantBrazil
Adherence to Lei Geral de Proteção de Dados requirements for processing Brazilian user data.
PIPEDA
CompliantCanada
Compliance with Personal Information Protection and Electronic Documents Act.
Privacy Features
Consent Management
Full integration with IAB TCF 2.0 and GPP frameworks. We honor user consent choices and only process data with appropriate legal bases.
Data Minimization
We collect only the data necessary for advertising delivery. Personal data is pseudonymized and aggregated wherever possible.
User Rights
Support for data access, deletion, and portability requests. Automated systems handle subject rights requests within regulatory timeframes.
Privacy-First Targeting
Contextual and cohort-based targeting alternatives that deliver personalization without individual tracking.
Secure Processing
Encryption in transit and at rest, access controls, and audit logging protect all data within our systems.
Vendor Management
Strict data processing agreements with all partners. We audit vendor compliance and maintain an approved vendor list.
Privacy-Compliant Data Flow
User Visit
CMP presents consent choices
Consent Check
TCF/GPP string validated
Privacy Filter
Data minimized per consent
Compliant Auction
Privacy-safe ad delivery
Privacy FAQ
We integrate with IAB Transparency and Consent Framework (TCF) 2.0 compliant CMPs. Our systems read consent strings in real-time and only process personal data when appropriate consent or legitimate interest has been established. We support granular consent for different purposes and vendors.
Depending on jurisdiction and use case, we rely on: user consent (obtained via CMP), legitimate interest (for fraud prevention and security), contractual necessity (for service delivery), and legal obligations (for compliance reporting). We document and justify the legal basis for each processing activity.
We provide automated tools for data access, deletion, and portability requests. Requests are processed within regulatory timeframes (typically 30 days). We verify identity before fulfilling requests and maintain logs of all DSAR processing for compliance documentation.
We collect: bid request data (device, context, pseudonymized IDs), auction outcomes, and aggregated performance metrics. Granular bid-level data is retained for 90 days for billing and fraud analysis. Aggregated analytics are retained longer. Personal data is deleted or anonymized according to our retention schedule.
Our privacy team monitors emerging regulations globally. We design systems with privacy-by-default principles that often exceed current requirements. Our architecture supports regional compliance variations, and we update our practices as new regulations take effect (e.g., state privacy laws in the US).
Where international data transfers are necessary, we use approved mechanisms including Standard Contractual Clauses (SCCs) and ensure adequate protections are in place. We maintain data residency options for partners with specific geographic requirements.