Privacy Policy

Last updated: 1 January 2025 · Version: 2.1 · Effective: 1 January 2025

This Privacy Policy explains how CyanAds Ltd ("CyanAds", "we", "us", "our") collects, uses, discloses, and protects personal data when you use our website and services. We are committed to full compliance with the EU GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws.

01 Introduction

CyanAds operates as both a data controller (for website visitors and direct clients) and a data processor (when processing data on behalf of publisher and advertiser partners). This policy covers both capacities.

By accessing our website or using our services, you acknowledge that you have read this Privacy Policy. If you do not agree, please do not use our services.

02 Who We Are

CyanAds Ltd — Registered in England & Wales
Email: privacy@cyanads.com
Data Protection Officer: dpo@cyanads.com

Where CyanAds acts as a data processor on behalf of publishers and advertisers, the respective partner is the data controller. Please refer to their privacy policies for end-user data information.

03 Data We Collect

3.1 Data You Provide Directly

Name, job title, company name, email address (via contact forms or onboarding)
Payment and billing information (via PCI-compliant third-party processors)
Communications you send us

3.2 Automatically Collected (Website)

IP address (anonymised after 90 days)
Browser type, OS, device type
Pages visited, time on site, referral URL
Cookie identifiers (see Section 11)

3.3 Advertising Technology Data (as Data Processor)

Category	Examples	Purpose
Device Identifiers	Cookie ID, IDFA, GAID (hashed)	Frequency capping, targeting
Technical Signals	Truncated IP, User Agent	Geo-targeting, IVT detection
Contextual Data	Page URL, app bundle, IAB category	Contextual targeting
Bid Request Data	Ad slot dimensions, floor price	Auction processing
Performance Signals	Impressions, clicks, conversions	Optimisation & reporting

We do not create persistent user profiles for targeting without a valid consent or other lawful basis.

04 How We Use Data

To provide, operate, and improve our advertising technology platform
To process and fulfil programmatic advertising transactions
To detect and prevent invalid traffic (IVT) and ad fraud
To respond to enquiries, support tickets, and business communications
To analyse platform performance and conduct internal research
To comply with legal obligations and enforce our Terms of Service
To send relevant product updates (with consent or legitimate interest; opt-out available)

05 Legal Basis for Processing (GDPR)

Processing Activity	Legal Basis
Service delivery to clients & partners	Art. 6(1)(b) — Contract
Fraud prevention & IVT detection	Art. 6(1)(f) — Legitimate Interests
Analytics (anonymised)	Art. 6(1)(f) — Legitimate Interests
Marketing communications	Art. 6(1)(a) — Consent
Legal compliance (tax, audit)	Art. 6(1)(c) — Legal Obligation
Interest-based advertising (AdTech)	Art. 6(1)(a) — Consent via IAB TCF

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights. You may object to such processing at any time.

06 Data Sharing & Disclosure

We do not sell personal data. We may share data with:

Demand & Supply Partners: Publishers, advertisers, DSPs, SSPs — all bound by contractual data protection obligations.
Service Providers: Cloud hosting, analytics, fraud detection providers acting as processors under DPA agreements.
Legal Authorities: Where required by law, court order, or to protect rights and safety.
Business Transfers: In connection with a merger, acquisition, or asset sale (with prior notice).

07 International Data Transfers

Where data is transferred outside the EEA or UK, we ensure safeguards including:

Standard Contractual Clauses (SCCs — EU Commission Decision 2021/914)
UK International Data Transfer Agreements (IDTAs)
Adequacy decisions where applicable
Transfer Impact Assessments (TIAs) for high-risk transfers

Documentation available on request: dpo@cyanads.com

08 Data Retention

Data Type	Retention Period
Contact / enquiry data	3 years from last contact
Client account data	Contract term + 7 years
Bid log / impression data	90 days (raw); 13 months (aggregated)
Fraud detection signals	6 months
Website analytics	26 months (anonymised after 90 days)
Financial / invoicing records	7 years (legal obligation)

09 Your Rights (EEA / UK)

Right of Access

Request a copy of personal data we hold (DSAR).

Right to Rectification

Request correction of inaccurate data.

Right to Erasure

Request deletion where no lawful basis remains.

Right to Restriction

Limit processing in certain circumstances.

Right to Portability

Receive data in a machine-readable format.

Right to Object

Object to legitimate interests or direct marketing.

Exercise your rights: privacy@cyanads.com. We respond within 30 days. Complaints: ico.org.uk (UK) or your local EU DPA at edpb.europa.eu.

10 California Privacy Rights (CCPA / CPRA)

California residents have rights under CCPA and CPRA including:

Right to Know — categories and specific pieces of personal information collected, used, and shared
Right to Delete — deletion of personal information, subject to exceptions
Right to Opt-Out — CyanAds does not sell personal information. For interest-based advertising: NAI opt-out
Right to Non-Discrimination — we will not discriminate for exercising CCPA rights
Right to Correct — request correction of inaccurate personal information

Submit CCPA requests to privacy@cyanads.com with "CCPA Request" in the subject. Response within 45 days.

In the preceding 12 months, CyanAds has not sold personal information for monetary consideration.

11 Cookies & Tracking

We use cookies and similar tracking technologies. See our full Cookie Policy for details and to manage preferences. In summary:

Strictly Necessary: Required for basic site function — cannot be disabled
Analytics: Usage understanding (consent required)
Marketing: Advertising-related tracking (consent required)

12 Children's Privacy

Our services are not directed to individuals under 16 (or applicable local age of digital consent). We do not knowingly collect data from children. If you believe a child has provided data, contact privacy@cyanads.com immediately.

In our AdTech operations, child-directed inventory is flagged and excluded from behavioural targeting in compliance with COPPA and applicable local law.

13 Security

We implement appropriate technical and organisational measures including:

TLS 1.3 encryption for data in transit; AES-256 for data at rest
Role-based access control (RBAC) and least-privilege principles
Regular penetration testing and security audits
ISO 27001-aligned information security management
72-hour data breach notification procedures (GDPR Article 33)

14 Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email (for registered contacts) and a prominent notice on our website. The "Last Updated" date reflects the most recent revision.

15 Contact Us

Data Protection Enquiries

DPO: dpo@cyanads.com

Privacy: privacy@cyanads.com

General: hello@cyanads.com

UK supervisory authority: ico.org.uk · EU authorities: edpb.europa.eu