Close icon to exit the modal
Search icon

Publift’s Joint Controllers, Processors and Sub-Processors

Current as at 28 January 2025

As at the date of this list, Publift’s joint controller, processor and sub-processor partners include:
Publift’s Ad Network Partners
Partner GDPR role (joint controller; processor; controller) Services include Regions of processing include Personal data includes Time data may be processed for (retention and deletion)? Nature and purpose of the processing include Obligations to keep data secure Data breach notification requirements and handling of regulatory requests Handling of data subject requests and rights Data transferred outside of EU? If so, what mechanisms and protections are in place? Privacy Notice
AppMonet (dba “Adapt MX”) Separate controllers Programmatic advertising services US Device data
Bid request data

Including: anonymous data and technical information including but not limited to cookies and beacon data, metadata, usage data, geo-location data, and streaming data, with regard to the devices and systems used to access the Publift’s content and Publift’s advertising and the activities, preferences and attributes of the users of the Publift’s content and the Publift’s advertising content.
90 days. To provide, manage, maintain, and improve its services (including disclosure of impression-level information to other relevant parties).To provide and improve its services and provide related support, understand how a user interacts with the content and sites, preventing fraud, and customize a user’s experience. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Index Exchange Processor of publisher data; controller of Index Exchange data Programmatic advertising services EEA

Asia

North America
Device data
Bid request data

Including: ad response data, bid request data, bid response data, data regarding the advertising campaign of a client, location data based upon an IP address, cookie data, device IDs, any hashed identity tokens and data provided by Index Exchange, Demand Side Platforms, or clients.
Up to 5 years. Process personal data to provide platform services when it is permitted by law and supported by a valid legal justification. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Magnite (Formerly Rubicon) Controller Programmatic advertising services EEA

North America

UK

Australia

Asia

South America
Device data
Bid request data


Including:
• usage information
• log information
• device information
• location information
• internet service provider
• deidentified information (encrypted or hashed email addresses)
• derived information.
As long as is necessary for the purpose(s) for which it was originally collected, or for other legitimate business purposes.Some data typically stored for up to 90 days before it is anonymized and aggregated. Collect to enable clients to offer and buy advertising opportunities; to operate and improve technology; to compile statistics and conduct research and development; to prepare reports of visitor activity; to enable standard advertising controls; to analyze and report on ad performance, campaign reporting, and campaign forecasting; to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.To deliver end users targeted advertising; to create profiles of end users for targeted advertising; to create audience segments. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
OpenX Controller Programmatic advertising services EEA

North America
Device data
Bid request data

Including: unique online identifiers, online and offline activity and interests, geolocation information, browser, device and service information, ad reporting and delivery information.
For a maximum of 90 days from the last date it was received. To facilitate non-interest based advertising;to facilitate interest-based advertising;to understand activities and preferences; to measure ad performance; to build and improve products, features and models. Materially in accordance with applicable GDPR laws. Materially in accordance with applicable GDPR laws. Materially in accordance with applicable GDPR laws. Materially in accordance with applicable GDPR laws. See here
Teads Controller Programmatic advertising services EEA

Africa

Asia

Australia

UK

North America

South America
Device data
Bid request data

Including: cookie ID; mobile advertising ID; IP address; approx post code; page URL; date and time interacted with ad; browser information; device information; network type or carrier information.
Cookie ID is stored in the browser for 365 days after its creation. Records of activities linked to the cookie ID are stored in the database for 4 months.

Other information such as mobile advertising ID, IP address; approximate postcode; page URL; interactions; date and time; browser information; device information; network type: 4 months.
Collect, use, analyze and process partner data: (i) to perform an agreement; (ii) as part of its business operations, to operate, manage, test, maintain and enhance the technology, service, platform and other products, programs and/or service, including as part of its re/targeting capabilities, to serve interest based ads to users, to combine the partner data with other sourced data; and to share the partner data with its buyers partners. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Criteo Co-data controller Programmatic advertising services EEA Device data
Bid request data

Including: non-identifying data to improve the Criteo Technology and other Criteo products, programs, and/or services. This non-identifying data may include on-site user behavior and user/page content data, URLs, statistics, or internal search queries.
Technical data collected for up to 13 months from the date of collection, and expires 13 months after they are last updated.

Opt-out cookie expires after five years.
Display personalised advertising

Display contextual advertising

Sales matching/attribution

Fraud prevention/fight against fraud/IVT

Data model training

Billing

Reporting

Incident resolution
In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Equativ (fka Smart AdServer) Processor

Controller of Personal Data Processed through certain cookies and processing of Data Subject’s IP address for the purpose of ensuring security, preventing fraud and debugging.
Programmatic advertising services EEA

North America
Device data
Bid request data
Including:
• IP address;
• Server ID;
• Browser ID, OS ID, screen size;
• ISP ID, postal code, phone prefix, country, region, city, DMA zone ID;
• Timestamp, longitude, latitude, connection type;
• Keywords associated with user;
• Timestamp of last visit.
Duration of the Agreement To perform Smart Ad Server’s Services to Publift (including providing, operating, managing, maintaining Smart Adserver’s Platform);

• To perform contextual and/or interest-based advertising;

• To perform optimization in respect to a campaign, including to limit the number of times a Data Subject sees a particular ad;

• To show ads related to the content of the concerned web page;

• To report aggregated statistics.
In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Sharethrough (formerly District M) Controller Programmatic advertising services EEA

North America

Asia
Device data
Bid request data
Including: cookie identifiers, third party online identifiers, mobile device identifiers, browser and device information, IP addresses.
In accordance with each Party’s data retention policy, and only for the time period necessary to deliver each Party’s Services pursuant to the Terms of Service. For the purposes of delivering personalized advertising to the Data Subject pursuant to the Terms of Service. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
ConnectAd ConnectAd is processor; Publift is controller Programmatic advertising services EEA Device data
Including: IP (for the time of processing) and cookie ID
30 days, extended on each user contact with a proper TCF consent. Following the IAB TCF Framework (nature and purpose depend on the consent and purpose granted). In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Kueez Entertainment Ltd Separate controllers Programmatic advertising services EU

UK

US
Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps)

Geo-location information (non-precise)
Personal data will be retained (a) as necessary for the parties to achieve the purpose of the agreement;
and (b) subject to each party's retention policy.
To administer the ad campaigns (including for retargeting and behavioral advertising purposes), for the protection against fraudulent activity, for analytics and reporting purposes, and as needed to provide and improve the services. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Opti Digital Data processor Curation of ad inventory

Aggregation and enrichment of ads

Utilisation of proprietary ad templates to display ads in various sizes and media types
EU

US
• First-party or third-party IDs (not retained - sent to SSP and other partners)
• IP address: deleted after 30 days
• Browser: anonymised after 30 days
• UserAgent: deleted after 30 days
• Device: anonymized after 30 days
• Country: anonymised after 30 days
• Visited URL (publisher domain): deleted after 30 days
• Previous URL (referral domain): deleted after 30 days
See “Personal Data includes” column Collection, analysis, transfer to advertisers and other partners, storage, backup, deletion In accordance with GDPR In accordance with GDPR In accordance with GDPR In accordance with GDPR N/A, given processor role.
Sonobi Independent controller Programmatic advertising services EU

UK

US
Identity data, i.e. online identifiers (e.g. IDFA, IP address)

User agent

Ad and content click/view information

Segment data such as interests
Up to 60 days from the last date that Sonobi received any data in relation to an end user. To provide the services as permitted under the agreement In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Adagio Independent controller Programmatic advertising services EU

US
IP address, Device ID, and Unique ID (either generated by Adagio or by a Bidder). The data will be retained for as long as required for the Processing Purposes, and will be deleted immediately after. Retrieval of end-user IP address and end-user specific user IDs (created by either Adagio, Publisher,Publisher’s Suppliers and/or Adagio’s Suppliers) from end-user device and/or Publisher.

Transfer of said personal data to consumer device and/or Adagio’s Suppliers (for consumers in EEA/UK, only if consent has been provided through Publisher).

Creation of fully anonymised aggregates for reporting and optimization purposes.

No personal data is stored by Adagio beyond the time required to execute the tasks described above.

(collectively, the “Processing Purposes”)
In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Primis Independent controller Programmatic advertising services US

EU
Any direct or indirect identifying information, including without limitation: IP addresses, IFV, IFA, GAID and/or MAID or other similar identifiers (e.g., IDFA/ AAID or any device IDs), privacy string, cookie data or other unique identifiers and information about end-users’ devices, geolocation, inferred interests. Personal Data will be retained by each party for as long as necessary to fulfil the purposes of processing. Serving targeted advertising and associated ad reporting / measurement, ad optimisation and other related services. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
OneTag Independent controller Advertising services EU/UK

US
• Privacy choice

• Privacy and interaction data

• Non precise location data

• Device identifiers

• Device characteristics

• IP addresses primarily in pseudonymised form (i.e. IP addresses with the last octet replaced with a zero)
OneTag shall retain end user data for a period of a year and a half from the date of collection, at the end of which OneTag shall delete such data. •Store and/or access information on a device [1]

•Use limited data to select advertising [2]

•Create profiles for personalised advertising [3]

•Use profiles to select personalised advertising [4]

•Measure advertising performance [7]

•Understand audiences through statistics or combinations of data from different sources [9]

•Develop and improve services [10]

The numbering corresponds to the IAB TCF framework.
In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Ogury Independent controller Contextual and identifier-based advertising EU/UK

US
Device and OS related information (Device model and manufacturer, screen’s dimensions, OS version, Virtual Machine name and version, android standby bucket)

Details of the Property and web browser in which the Ogury technologies are incorporated (asset key, App name and version or mobile web address and ad unit)

Context information (Device Internet connection type, User agent, language and country codes, local time, time-zone)

The version number of the Ogury technologies used by the Digital Property

What each Ogury ad is about.

The format of each Ogury ad (e.g., text, image, or video).

Where the Ogury advertisement is displayed within a Digital Property or elsewhere.

End-User interaction with the advertisement (for example, clicks and how long it was displayed for).

End-User interaction with websites after clicking on an Ogury advertisement.

A Device’s unique Advertising ID, such as Google AAID or Apple IDFA.

Cookie IDs

Device IP Address

Up to 13 months. Provision of digital advertising services In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. See here
Xandr Co-Controller and Processor (depending on the processing activities) Targeted advertising and related forecasting and reporting EU/UK

US

AUS
Identifiers: Unique identifiers, other identifiers, hashed email address, IP Address, data that could be used for device fingerprinting, latitude and longitude;

Demographic information: location, age range, gender, other Client-specified demographics (tied to an identifier);

Behavioral data: frequency of identifiers visiting and viewing Sites and viewing and taking actions with respect to Ad Units; and

Interest-Based Data: probabilistic inferences regarding a Data Subject's interests and preferences.
It is usually aggregated or deleted within 33 days (or 93 days for select members), after which time it is aggregated or deleted. Targeted advertising and related forecasting and reporting In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws. In accordance with applicable GDPR laws, including SCCs. See here
Kargo Independent Controller Ad targeting, ad serving and data analytics US

EU/UK

Usage data

Tracking data

Aggregate data

Up to 18 months Advertising purposes In accordance with applicable GDPR laws, including SCCs. In accordance with applicable GDPR laws, including SCCs. In accordance with applicable GDPR laws, including SCCs. In accordance with applicable GDPR laws, including SCCs. See here

Are you ready to power-up?

Get started