As at the date of this list, Publift’s joint controller, processor and sub-processor partners include:
Publift’s Ad Network Partners (A-F)
| Partner | GDPR role (joint controller; processor; controller) | Services include | Regions of processing include | Personal data includes | Time data may be processed for (retention and deletion)? | Nature and purpose of the processing include | Obligations to keep data secure | Data breach notification requirements and handling of regulatory requests | Handling of data subject requests and rights | Data transferred outside of EU? If so, what mechanisms and protections are in place? | Privacy Notice |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 33across | Joint controllers | Ad monetisation, cookie deployment, analytics | US, AU, EU | Web usage data, cookies, user interests | In accordance with applicable GDPR laws, including SCCs. | Serving ads, measurement, optimisation | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Adagio | Independent controller | Programmatic advertising services | EU US |
IP address, Device ID, and Unique ID (either generated by Adagio or by a Bidder). | In accordance with applicable GDPR laws, including SCCs | Retrieval of end-user IP address and end-user specific user IDs (created by either Adagio, Publisher,Publisher’s Suppliers and/or Adagio’s Suppliers) from end-user device and/or Publisher. Transfer of said personal data to consumer device and/or Adagio’s Suppliers (for consumers in EEA/UK, only if consent has been provided through Publisher). Creation of fully anonymised aggregates for reporting and optimization purposes. No personal data is stored by Adagio beyond the time required to execute the tasks described above. (collectively, the “Processing Purposes”) |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Adapt MX | Separate controllers | Automated ad selling, managed ad services, ad measurement | US, EU | Advertising ID, IP address, device info, user/account IDs, geo-location (if enabled), log data, ad interaction data | In accordance with applicable GDPR laws, including SCCs. | Serving ads, measurement, reporting, interest-based and geo-targeted ads, fraud detection, service improvement | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. . | In accordance with applicable GDPR laws, including SCCs. | See here |
| Admiral | Processor | Adblock analytics, adblocker messaging, revenue recovery, consent management | US, EU | Unique identifiers, geolocation data, IP addresses, URLs | In accordance with applicable GDPR laws, including SCCs. | Providing platform/software services, analytics, ad revenue recovery, consent | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. . | In accordance with applicable GDPR laws, including SCCs. | See here |
| Adshield | Independent Controller | Ad-block detection, ad serving, analytics, and revenue optimisation tools for publisher inventory. | US EU UK |
IP addresses, device IDs (IFV, IFA, GAID, MAID, IDFA, AAID), cookie data, geolocation, inferred interests, and other unique identifiers. | In accordance with applicable GDPR laws, including SCCs. | Serving targeted advertising, ad reporting/measurement, ad optimisation, and related services. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. . | In accordance with applicable GDPR laws, including SCCs. | See here |
| Amazon Ad Network | Separate Controller | Ad monetisation, ad serving, reporting, analytics | US EU UK |
Advertising identifiers (e.g., IDFA, AAID), full IP address, precise location data (with consent) | In accordance with applicable GDPR laws, including SCCs. | Serving ads, optimising ad placement, reporting, analytics | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Assertive Yield | Processor | Yield analytics, monitoring, tag management, revenue forecasting, dynamic flooring, bid request optimisation, traffic shaping, QPS optimisation, Prebid Server | EU US |
Device info, IP address, session IDs, geolocation, ad impression data, technical and behavioral data | For the term of the agreement or as required by law; deletion or return upon request or at end of agreement | Ad analytics, reporting, optimisation, fraud detection, revenue management | ISO 27001 certified datacenters, technical/organisational measures, access controls, encryption, regular audits | Notify controller within 48 hours; cooperate in investigation and remediation | Assist controller; only act on controller’s instructions | Yes; SCCs in place for transfers, EU data processed in EU, non-EU data in US | See here |
| Audience360 | Controller | Ad marketplace, audience extension, data management, programmatic guarantee, reporting | AU NZ |
Demographic, geographic, behavioral data, non-personally identifiable info, identifiers (e.g., ID5, Adfixus), IP address, browser string, URL | In accordance with applicable GDPR laws, including SCCs. | Targeted advertising, audience matching, reporting, campaign management | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Bluebillywig | Processor | Video management system (VMS), ad services, content management, analytics, video hosting, ad delivery | EU Singapore |
Order data (including IP addresses, cookie IDs, referrers, devices), user account info (name, email, gender) | In accordance with applicable GDPR laws, including SCCs. | Video publishing, monetisation, ad delivery, analytics, user account management | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Cloudflare | Processor | Content delivery network (CDN), web application firewall (WAF), advanced certificates, Workers (serverless compute), Workers KV (key-value storage), R2 storage, and related support and technical services. | Asia, Australia/NZ, China, Europe, India, Korea, Middle East & Africa, North America, South America, Taiwan | Customer Account Information, Customer Content, Customer Logs, End User and Administrative User data | In accordance with applicable GDPR laws, including SCCs. | Processing necessary to provide the services to customer. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Confiant | Processor | Real-time impression verification, detection and blocking of malicious and non-compliant ads, including privacy law violations | US EU |
Customer Data (advertisements, ad testing parameters, data provided for verification), may include end user data as part of ad delivery logs | In accordance with applicable GDPR laws, including SCCs. | Verification of digital ads for compliance, detection and blocking of malicious/non-compliant ads, support and associated services | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| ConnectAd | Independent controller | Real-time programmatic ad exchange, advertising optimisation, data management, yield optimisation, reporting | EU US |
End users of customer’s digital properties; cookies (session, persistent, LSO, other), unique IDs, interest/activity/profiling data, IP address, hashed email, user agent string/OS/chipset/screen | In accordance with applicable GDPR laws, including SCCs. | To allow ConnectAd to provide the services under the agreement, including ad delivery, optimisation, and reporting | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Criteo | Controller | Digital advertising solutions, including Commerce Grid, Commerce Growth, Commerce Max, Commerce Yield, Curation & Data Provision, and related programmatic ad services. | AU EU US |
Service Data collected via Criteo Technology, which may include cookie IDs, device IDs, IP addresses, user behaviour data, and other information related to ad delivery and optimisation. | In accordance with applicable GDPR laws, including SCCs. | To provide digital advertising services, optimise ad delivery, measure performance, improve Criteo’s technology and products, and comply with contractual obligations. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Datablocks | Controller | Integrated technology platform for managing and receiving digital advertisements, targeted advertising, reporting, and associated services. | US AU EU |
Personally identifiable information (PII), device-identifying information (DII), user profiles, cookies, and tracking data collected from visitors to publisher digital properties. | In accordance with applicable GDPR laws, including SCCs. | To deliver targeted advertising, manage ad sales and reporting, optimise ad delivery, and maintain user profiles for interest-based advertising. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Epilson | Controller | Core ID Services; cross-context behavioural advertising; identity resolution; ad serving; reporting; related digital advertising services | US EU AU |
Personal identifiers; commercial or transactional information; internet or electronic network activity; location (not precise geolocation); device identifiers; advertising IDs; cookie IDs; IP addresses; hashed email addresses; browser/device information; browsing behaviour | In accordance with applicable GDPR laws, including SCCs. | Behavioural advertising; identity resolution; storing/accessing information on a device; personalising ads and content; measuring ad performance; market research; product development; security; fraud prevention; debugging; technical delivery of ads/content | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Exte | Joint Controller | Programmatic advertising; Ad serving, analytics, frequency capping, retargeting, campaign segmentation; Use of cookies, web beacons, and similar technologies | EU AU |
Device identifiers; Device information; IP addresses (with anonymization for most uses; full IP for certain transactional processes); Probabilistic identifiers; Non-precise geolocation data; Privacy preferences; Events related to ads (impressions, engagement, etc.); Website/app environment data (excluding user-submitted content) | Up to 6 years. | Delivery of programmatic advertising; analytics and reporting; frequency capping; retargeting; fraud prevention; brand safety; sharing data with demand/supply-side parties for campaign delivery, measurement, and audit purposes | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
Publift’s Ad Network Partners (G-M)
| Partner | GDPR role (joint controller; processor; controller) | Services include | Regions of processing include | Personal data includes | Time data may be processed for (retention and deletion)? | Nature and purpose of the processing include | Obligations to keep data secure | Data breach notification requirements and handling of regulatory requests | Handling of data subject requests and rights | Data transferred outside of EU? If so, what mechanisms and protections are in place? | Privacy Notice |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Gamera | Controller | Attribution and analytics platform; measurement code for data collection; reporting; audience curation; integration with ad buying platforms | US EU AU |
IP addresses; device identifiers; cookies; site performance data; revenue data; metadata about site users; content of site pages; geolocation; inferred interests | In accordance with applicable GDPR laws, including SCCs. | Attribution analytics; reporting; audience curation; targeted advertising; integration with third party ad platforms | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Joint Controller and Processor (depending on the activities) | Ad serving; programmatic advertising (AdX, AdSense, Ad Manager); header bidding; reporting; analytics; machine learning bid optimisation; consolidated payments; account management; technical support; beta features (e.g. Exchange Bidding); A/B testing; audience curation; integration with third-party ad platforms | Global | Online identifiers (cookies, device IDs, IP addresses); browsing and usage data; ad interaction data; publisher and end user account information; geolocation (non-precise); pseudonymous identifiers; data collected via tags and SDKs; customer content and logs | In accordance with applicable GDPR laws, including SCCs. | Ad delivery and measurement; reporting; analytics; fraud prevention; security; technical support; product development; market research; audience segmentation; compliance with legal and regulatory requirements | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here | |
| iion | Joint controller | Provision of the iion Ad Exchange and related services enabling sellers and buyers (e.g. publishers, ad networks) to market and sell digital and mobile advertising inventory, receive advertisements for display, and access related reporting and analytics. | AU EU US |
Personal data of users and devices as required for ad delivery, targeting, measurement, and reporting, including persistent identifiers, device information, and any data provided by Publift or its clients. No sensitive data or special categories of data are to be collected or processed. | In accordance with applicable GDPR laws, including SCCs. | Ad delivery, targeting, measurement, reporting, analytics, and optimisation of ad exchange services. Data may be used for business purposes as permitted by law and the agreement. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Index Exchange | Independent controller | Provision of the Index Exchange ad exchange platform and related services, including header bidding, real-time bidding, reporting, analytics, and integration with supply partners (e.g. Google, Amazon) | AU EU US CA |
Personal data of users and devices as required for ad delivery, targeting, measurement, and reporting, including persistent identifiers, device information, IP addresses, cookies, and any data provided by Publift or its clients. No special categories of data are to be processed. | In accordance with applicable GDPR laws, including SCCs. | Ad delivery, targeting, measurement, reporting, analytics, optimisation, fraud detection, and honouring data subject preferences (e.g. consent signals). Data may be used for business purposes as permitted by law and the agreement, including sharing with DSPs, clients, and analytics providers. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Infolinks | Independent controller | Digital advertising services, including display of ads on publisher sites and campaign management for web and mobile traffic. | US EU |
Device and advertising IDs; IP and location; browser/device details; behavioural and session data; ad impression/click/conversion data; enriched third-party data; and optional contact details (name, email, phone) | In accordance with applicable GDPR laws, including SCCs. | To deliver and manage digital advertising campaigns on publisher sites, including reporting and payment processing. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| IntentIQ | Independent controller | Bid request enhancement using IDs (IIQ, Universal, Client) to enrich ad bid requests and increase revenue. Integration via API, server-to-server, files, or Prebid. | AU US EU |
Universal IDs, Client IDs, IIQ IDs, IP address, user-agent, mobile app IDs, bid stream data, and other personal information as defined in the DPA. | In accordance with applicable GDPR laws, including SCCs. | To enrich bid requests for advertising, increase revenue, and provide analytics/reporting. Data processed as needed to fulfil contractual obligations. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Jounce Media | Processor | Programmatic supply chain market intelligence, supply chain mapping, market insights, benchmarking reports, education modules, dashboard analytics, and provision of raw data for ad hoc analysis, inventory curation, and campaign reporting | North America & Oceania | No direct personal data categories are specified; data processed relates to programmatic supply chain, ads.txt, app-ads.txt, sellers.json, bid requests, and publisher/platform metadata | Time data may be processed for (retention and deletion): In accordance with applicable GDPR laws, including SCCs. | Provision of supply chain mapping, market insights, benchmarking, and analytics to support internal analytics, ad hoc analysis, inventory curation, campaign reporting, and private communication with partners | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Liftoff | Controller | Provision of SDK (Vungle SDK), hosted video advertising system, advertisement reporting tools, and Monetize Platform for video ad insertion within mobile applications; related analytics and reporting services | US | Device data (orientation, volume settings, OS language, device make/model, operating system, mobile carrier, device identifiers), advertisement performance data (impressions, interactions, installs, header information, end user segments/interests) | In accordance with applicable GDPR laws, including SCCs. | To display Liftoff Ads to end users, measure and report ad performance, develop and improve SDK and Monetize Platform, perform internal analytics, and monitor for errors | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Kargo | Independent Controller | Ad targeting, ad serving and data analytics | US EU/UK |
Usage data Tracking data Aggregate data |
Up to 18 months | Advertising purposes | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Kueez Entertainment Ltd | Separate controllers | Programmatic advertising services | EU UK US |
Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps) Geo-location information (non-precise) |
Personal data will be retained (a) as necessary for the parties to achieve the purpose of the agreement; and (b) subject to each party's retention policy. |
To administer the ad campaigns (including for retargeting and behavioral advertising purposes), for the protection against fraudulent activity, for analytics and reporting purposes, and as needed to provide and improve the services. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Magnite (Formerly Rubicon) | Controller | Programmatic advertising services | EEA North America UK Australia Asia South America |
Device data Bid request data Including: • usage information • log information • device information • location information • internet service provider • deidentified information (encrypted or hashed email addresses) • derived information. |
As long as is necessary for the purpose(s) for which it was originally collected, or for other legitimate business purposes.Some data typically stored for up to 90 days before it is anonymized and aggregated. | Collect to enable clients to offer and buy advertising opportunities; to operate and improve technology; to compile statistics and conduct research and development; to prepare reports of visitor activity; to enable standard advertising controls; to analyze and report on ad performance, campaign reporting, and campaign forecasting; to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.To deliver end users targeted advertising; to create profiles of end users for targeted advertising; to create audience segments. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Microsoft Advertising | Co-Controller and Processor (depending on the processing activities) | Targeted advertising and related forecasting and reporting | EU/UK US AUS |
Identifiers: Unique identifiers, other identifiers, hashed email address, IP Address, data that could be used for device fingerprinting, latitude and longitude; Demographic information: location, age range, gender, other Client-specified demographics (tied to an identifier); Behavioral data: frequency of identifiers visiting and viewing Sites and viewing and taking actions with respect to Ad Units; and Interest-Based Data: probabilistic inferences regarding a Data Subject's interests and preferences. |
It is usually aggregated or deleted within 33 days (or 93 days for select members), after which time it is aggregated or deleted. | Targeted advertising and related forecasting and reporting | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Media.net | Independent Data Controller | Facilitation of the sale and placement of ads on websites, webpages, and/or applications; measurement and optimisation of digital marketing activities; reporting, fraud mitigation, ad quality monitoring, yield optimisation, and verification of privacy compliance | EU Asia |
Online identifiers (IP addresses, cookie identifiers, device identifiers), user agent, and other data relevant to the relationship with the data subject; no sensitive data or special categories of personal data are processed | Twenty-four (24) months | To provide services including ad placement, measurement, optimisation, reporting, fraud mitigation, ad quality monitoring, yield optimisation, and verification of privacy compliance | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
Publift’s Ad Network Partners (N-Z)
| Partner | GDPR role (joint controller; processor; controller) | Services include | Regions of processing include | Personal data includes | Time data may be processed for (retention and deletion)? | Nature and purpose of the processing include | Obligations to keep data secure | Data breach notification requirements and handling of regulatory requests | Handling of data subject requests and rights | Data transferred outside of EU? If so, what mechanisms and protections are in place? | Privacy Notice |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Ogury | Independent controller | Contextual and identifier-based advertising | EU/UK US |
Device and OS related information (Device model and manufacturer, screen’s dimensions, OS version, Virtual Machine name and version, android standby bucket) Details of the Property and web browser in which the Ogury technologies are incorporated (asset key, App name and version or mobile web address and ad unit) Context information (Device Internet connection type, User agent, language and country codes, local time, time-zone) The version number of the Ogury technologies used by the Digital Property What each Ogury ad is about. The format of each Ogury ad (e.g., text, image, or video). Where the Ogury advertisement is displayed within a Digital Property or elsewhere. End-User interaction with the advertisement (for example, clicks and how long it was displayed for). End-User interaction with websites after clicking on an Ogury advertisement. A Device’s unique Advertising ID, such as Google AAID or Apple IDFA. Cookie IDs Device IP Address |
Up to 13 months. | Provision of digital advertising services | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| OneTag | Independent controller | Advertising services | EU/UK US |
• Privacy choice • Privacy and interaction data • Non precise location data • Device identifiers • Device characteristics • IP addresses primarily in pseudonymised form (i.e. IP addresses with the last octet replaced with a zero) |
OneTag shall retain end user data for a period of a year and a half from the date of collection, at the end of which OneTag shall delete such data. | •Store and/or access information on a device [1] •Use limited data to select advertising [2] •Create profiles for personalised advertising [3] •Use profiles to select personalised advertising [4] •Measure advertising performance [7] •Understand audiences through statistics or combinations of data from different sources [9] •Develop and improve services [10] The numbering corresponds to the IAB TCF framework. |
In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| OpenX | Controller | Programmatic advertising services | EEA North America |
Device data Bid request data Including: unique online identifiers, online and offline activity and interests, geolocation information, browser, device and service information, ad reporting and delivery information. |
For a maximum of 90 days from the last date it was received. | To facilitate non-interest based advertising;to facilitate interest-based advertising;to understand activities and preferences; to measure ad performance; to build and improve products, features and models. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | Materially in accordance with applicable GDPR laws. | See here |
| Optable | Processor | Data collaboration platform enabling secure matching, identity resolution, audience segmentation, and activation for publishers, advertisers, and agencies. | EU or as directed by Publift | Any information relating to an identified or identifiable natural person, including identifiers, audience data, and user traits. | In accordance with applicable GDPR laws, including SCCs. | Processing is strictly for providing the Services as described in the Agreement and SOW, including data collaboration, identity resolution, and audience activation. No processing for other purposes. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs.. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Opti Digital | Data processor | Curation of ad inventory Aggregation and enrichment of ads Utilisation of proprietary ad templates to display ads in various sizes and media types |
EU US |
• First-party or third-party IDs (not retained - sent to SSP and other partners)
• IP address: deleted after 30 days • Browser: anonymised after 30 days • UserAgent: deleted after 30 days • Device: anonymized after 30 days • Country: anonymised after 30 days • Visited URL (publisher domain): deleted after 30 days • Previous URL (referral domain): deleted after 30 days |
See “Personal Data includes” column | Collection, analysis, transfer to advertisers and other partners, storage, backup, deletion | In accordance with GDPR | In accordance with GDPR | In accordance with GDPR | In accordance with GDPR | N/A, given processor role. |
| Pubmatic | Controller | Online advertising optimization, real-time bidding (RTB), programmatic direct, header bidding wrapper, malware monitoring, analytics, and related services for Publisher Inventory across web, mobile, and other digital properties. | EU UK Switzerland US |
Cookie and mobile ad identifiers (IDFA, ADID, GPID), IP address (truncated), location, age range, gender, user agent/device info, behavioral data (site visits, ad interactions). | In accordance with applicable GDPR laws, including SCCs. | Receipt, storage, use, and processing for the purpose of providing PubMatic Products, business relationships, and account management. End user data is processed for advertising, analytics, and optimization. Publisher personnel data is processed for business relationship and account management. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| pubXAI | Processor | Provision of PubX’s price-setting and yield optimisation software (SaaS) for advertising inventory, including related services as agreed in writing. | UK EU US |
Data inputted by the customer for the purpose of using the services | In accordance with applicable GDPR laws, including SCCs. | Provision of SaaS software for price-setting and yield optimisation of advertising inventory, for customer’s internal business operations only. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Primis | Independent controller | Programmatic advertising services | US EU |
Any direct or indirect identifying information, including without limitation: IP addresses, IFV, IFA, GAID and/or MAID or other similar identifiers (e.g., IDFA/ AAID or any device IDs), privacy string, cookie data or other unique identifiers and information about end-users’ devices, geolocation, inferred interests. | Personal Data will be retained by each party for as long as necessary to fulfil the purposes of processing. | Serving targeted advertising and associated ad reporting / measurement, ad optimisation and other related services. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Rich Audience | Independent controller | Programmatic advertising via EXTE Marketplace, Partner Deals, Brand Private Marketplaces, and related ad tech services. Includes use of cookies, web beacons, and device data for ad delivery and analytics. | EU | Device identifiers, device information, IP addresses (anonymised), probabilistic identifiers, non-precise geolocation, privacy preferences. | In accordance with applicable GDPR laws, including SCCs. | Programmatic ad delivery, audience analytics, campaign segmentation, fraud prevention, brand safety, device identification, and ad performance measurement. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Seedtag | Independent controller | Provision of advertising space, implementation of Seedtag Technology, auction management, ad serving, and scraping website content for machine learning (with anonymisation and restrictions) | EU AU US |
Personal data collected via Seedtag Technology, scraped website content (anonymised), signatory data for contract management. | In accordance with applicable GDPR laws, including SCCs. | Ad delivery, auction management, machine learning training (with anonymisation), contract management, and commercial relationship maintenance. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Smile Wanted | Independent Controller | Contextual targeting and curated inventory | EU | IP addresses; device identifiers (e.g., IFV, IFA, GAID, MAID, IDFA, AAID); cookies and other unique identifiers; privacy strings; geolocation data; information about end-users’ devices; inferred user interests; any other direct or indirect identifiers. | For as long as necessary to fulfil the purposes of processing | Serving targeted advertising and associated ad reporting / measurement, ad optimisation and other related services. | Implementation of appropriate physical, technical and organisational measures to protect the Personal Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Personal Data | Notification within 48 hrs, and otherwise in accordance with GDPR. | Provision of reasonable and timely assistance to enable actioning of data subject requests | In accordance with applicable GDPR laws, including SCCs. | See here |
| Sonobi | Independent controller | Programmatic advertising services | EU UK US |
Identity data, i.e. online identifiers (e.g. IDFA, IP address) User agent Ad and content click/view information Segment data such as interests |
Up to 60 days from the last date that Sonobi received any data in relation to an end user. | To provide the services as permitted under the agreement | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | See here |
| Sovrn | Independent controller | Real-time advertising exchange, yield optimization, data management, reporting, analytics, and integration with third-party ad/data providers. Sovrn may aggregate and license data to third parties | US | Ad delivery, audience analytics, reporting, data aggregation, licensing to third parties, and improvement of services | In accordance with applicable GDPR laws, including SCCs. | Ad delivery, auction management, machine learning training (with anonymisation), contract management, and commercial relationship maintenance. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Teads | Joint controllers | Monetisation of publisher ad inventory via Teads Managed Services and Teads SSP Service (ad exchange, header bidding, programmatic and direct campaigns, reporting, analytics, and integration with third-party ad/data providers) | AU | IP address, online identifiers (cookie/device ID), page URL, user agent, device info, interaction with ads, and other browser/app data | In accordance with applicable GDPR laws, including SCCs. | Ad delivery, audience analytics, reporting, campaign measurement, data aggregation, re/targeting, improvement of services, and sharing with Teads Buyer Partners for campaign performance and targeting | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| The Trade Desk | Co-Controller and Processor (depending on the processing activities) | Curation of ad inventory; programmatic advertising services | Primarily US, but also EU and UK | Identifiers; Contact-related data; Device and browser information; Location data; Online activity data; Inferred interests. | Pseudonymous data retained for 18 months before anonymised | Personalizing ads; Delivering ads; Limiting the number of times you see an ad; Measuring effectiveness of ads; Reporting on ad campaigns; Maintaining ad transaction records; Attributing purchases or other actions to ads; Associating devices that might be related to each other; Preventing malicious or invalid activity; Improving the platform and services. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| TripleLift | Independent Controllers | Programmatic advertising services | Primarily the United States, leveraging AWS infrastructure; may process data globally with applicable protections. | Device data, bid request data, including: Cookie IDs, mobile advertising IDs, IP addresses, demographic data (age range, gender), geo-location, HTTP header data. | Typically retained for up to 90 days from collection; aggregated or anonymized data retained longer for analytics. | Facilitating advertising through TripleLift’s advertising technology platform services; performing obligations under agreements; related activities necessary or incidental to these services. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Vidazoo | Independent Controller | Video hosting, serving, streaming, ad delivery, marketplace monetisation, reporting, and analytics for publisher sites. | EU US Asia AU Israel |
IDs, privacy strings, tracking data, usage data, approximate location, referred URL, ad/impression/optimisation/delivery/effectiveness/viewability data. | In accordance with applicable GDPR laws, including SCCs. | Collection, storage, organisation, analysis, modification, retrieval, disclosure, communication, and other uses for service delivery and ad optimisation. | Technical and organisational measures: security testing, access controls, encryption, staff confidentiality, annual training, physical security, secure media disposal. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | In accordance with applicable GDPR laws, including SCCs. | See here |
| Xandr | Co-Controller and Processor (depending on the processing activities) | Targeted advertising and related forecasting and reporting | EU/UK US AUS |
Identifiers: Unique identifiers, other identifiers, hashed email address, IP Address, data that could be used for device fingerprinting, latitude and longitude; Demographic information: location, age range, gender, other Client-specified demographics (tied to an identifier); Behavioral data: frequency of identifiers visiting and viewing Sites and viewing and taking actions with respect to Ad Units; and Interest-Based Data: probabilistic inferences regarding a Data Subject's interests and preferences. |
It is usually aggregated or deleted within 33 days (or 93 days for select members), after which time it is aggregated or deleted. | Targeted advertising and related forecasting and reporting | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws. | In accordance with applicable GDPR laws, including SCCs. | See here |
Publift’s Ad Tech Partners
| Partner | GDPR role (joint controller; processor; controller) | Services include | Regions of processing include | Personal data includes | Time data may be processed for (retention and deletion)? | Nature and purpose of the processing include | Obligations to keep data secure | Data breach notification requirements and handling of regulatory requests | Handling of data subject requests and rights | Data transferred outside of EU? If so, what mechanisms and protections are in place? | Privacy Notice |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Intowow | Independent Controllers However, please note that Intowow does not process personal data in the context of the services it provides to Publift. |
Analytics | N/A | None. Intowow processes metadata only (i.e., aggregated campaign and ad performance metrics). Intowow is prohibited from collecting or processing personal data, as defined in GDPR. |
N/A | N/A | N/A | N/A | N/A | N/A | See here |
| InMobi | Independent Controllers | Programmatic Advertising | EU UK US |
Device identifiers or persistent online identifiers (e.g., cookie IDs, IMEI, IDFA, IFA, ADID, GPID, GAID, etc.) IP address Fine location |
Up to 13 months | In order to provide programmatic advertising services under the agreement. | The parties will implement appropriate tech. and org. measures against unauthorised or unlawful processing, ensuring a level of security appropriate to the risk. | Each of InMobi and Publift will inform the other of any personal data breach and provide reasonable assistance as necessary to facilitate the handling of the breach in an expeditious and compliant manner. In the event of a dispute or claim brought by a Supervisory Authority, the parties will inform each other and cooperate. |
The parties will provide such assistance as is reasonably required to enable the other party to comply with data subject rights requests within the time limits imposed by data protection legislation In the event of a dispute or claim brought by a data subject, the parties will inform each other and cooperate. |
Yes. EU SCCs and the UK IDTA. |
See here |
| Blockthrough | Joint Controllers | Programmatic Ad Filtering | EU UK US |
IP address Cookie data Device type and unique device identification numbers Broad geographic location (e.g., country or city-level) |
Data will be deleted as required under applicable data protection laws (e.g., if applicable laws require deletion once consent has been withdrawn, deletion occurs once consent has been withdrawn) | In order to provide programmatic advertising services under the agreement. This includes (a) processing necessary to show advertising to data subjects and execute the bidding process, (b) ensuring the effectiveness of advertising served, and (c) measuring and improving the bidding process. |
The parties mutually commit to implement tech. and org. measures to ensure an adequate level of protection as required under applicable data protection laws (including obligations to provide documentation of such measures upon request) | Each of Publift and Blockthrough will provide to the other all information in connection with a personal data breach without undue delay, as well as cooperation, coordination, and assistance. | Each party will forward data subject rights requests and coordinate their response, agree on the content, and work together to fulfil the request in compliance with applicable data protection laws. | Yes. EU SCCs and the UK IDTA. |
See here |