ADVERTISING PRIVACY POLICY

This Advertising Privacy Policy explains how Clickio processes personal data of users who visit publisher websites and apps that use Clickio’s advertising technology where we help select and deliver ads through real-time auctions (the “Service”). References to “we”, “us” or “Clickio” are to ALZ Software Ltd (t/a Clickio).

We keep this privacy notice under regular review. This version was last updated on October 31, 2025. Changes to this notice will appear on this page and, where appropriate, will be notified to you.

1. Who we are and how to contact us

   Legal entity: ALZ Software Ltd (t/a Clickio)

   Registered address: 128 City Road, London, UK, EC1V 2NX

   Email: privacy@clickio.com

2. Scope and roles

   This policy applies to our processing when we participate in real-time advertising auctions on publisher websites and apps (“Publisher Properties”).

   Role under GDPR/UK GDPR: For the purposes described below, Clickio acts as an independent controller. We determine certain purposes and means of processing (for example, how we evaluate ad requests and whether and how to respond). For Special Purposes (security, fraud prevention, delivery and consent signalling), we process data under legitimate interests. Where a publisher or partner determines additional purposes, they act as separate controllers for those purposes. This policy does not cover processing by publishers or other vendors. Please consult their privacy notices.

   Children: The Service is not intended for children under the age applicable in your jurisdiction (for example, 13/16). We do not knowingly process data from children for targeted advertising.

3. What data we process and where it comes from

   • Device and network data: IP address, browser type and version (user agent), device type, operating system, language, and connection information.
   • Context and request data: page URL, referrer, time/date, ad space identifiers, auction parameters, ad request metadata, consent banner information (for example, the TCF consent string, CMP ID, TCF version), and your recorded consent choices and legitimate interests status.
   • Identifiers and storage: cookies and similar identifiers (only when we have your consent), pseudonymous identifiers (IDs that don’t directly reveal who you are) from partners via identifier matching, and session identifiers.
   • Geolocation: approximate location (for example, city-level) derived from IP; no precise geolocation.
   • Technical logs: request/response logs, performance, security and fraud indicators.

   We do not intentionally process special categories of personal data nor data about criminal convictions via this Service.

   Sources:

   • Directly from your browser/device via the publisher’s advertising technology implementation (for example, their ad auction setup).
   • From the publisher (for example, ad space context) and from the consent banner (Consent Management Platform or CMP), such as the TCF consent string.
   • From participating advertising partners and identity providers (for example, pseudonymous identifiers that don’t directly reveal who you are), subject to your consent choices.

4. Purposes and legal bases

   We participate in the IAB Europe Transparency & Consent Framework (TCF), an industry standard that enables your privacy choices to be recorded by the site’s Consent Management Platform (CMP) and shared with vendors. Our Global Vendor List (GVL) ID is [to be provided]. We only perform processing aligned with your choices communicated through the TCF and the purposes below:

   • Purpose 1 (Consent) – Store and/or access information on a device: We read/set cookies or similar identifiers solely with valid consent.
   • Purpose 2 (Consent) – Select basic ads: We evaluate and submit bids for non‑personalised/basic ads.
   • Purpose 7 (Consent) – Measure ad performance: We measure delivery and performance of ads we serve.
   • Purpose 10 (Consent) – Develop and improve products: We use aggregated, pseudonymous data to improve our bidding and services.

   Special Purposes (Legitimate interests):

   • Special Purposes 1 – Ensure security, prevent fraud, and debug: Detect invalid traffic, abuse, and ensure the Service functions securely.
   • Special Purposes 2 – Technically deliver ads or content: Process technical data necessary to transmit responses and content.
   • Special Purposes 3 – Save and communicate privacy choices: Read the consent signal (for example, the TCF consent string) from the CMP and communicate it as needed so that we and our partners can verify the appropriate lawful basis and respect those choices during ad delivery. We do not persist the consent signal.

5. Cookies and similar technologies

   We use cookies or similar technologies only with valid Purpose 1 consent. These include identity/ID‑matching cookies and operational cookies required to run auctions and ensure reliability.

   Cookie name	Domain	Purpose	Type	Lifetime
   uid	.clickiocdn.com	Store and/or access information on a device (Purpose 1); Select basic ads (Purpose 2); Measure ad performance (Purpose 7); Develop and improve products (Purpose 10) — with consent	Third‑party	90 days (may be renewed when used)
   p-xxx-uid	.clickiocdn.com	Store and/or access information on a device (Purpose 1); Select basic ads (Purpose 2); Measure ad performance (Purpose 7); Develop and improve products (Purpose 10) — with consent	Third‑party	90 days (may be renewed when used)

   Note: “p‑xxx‑uid” is a pattern-based cookie used for third‑party identifier matching (ID matching) (the “xxx” denotes the partner code). Clickio does not create personalised advertising profiles or select personalised ads.

   Note on device identifiers: If you provide consent, we may perform identifier matching with partners (ID matching), set pseudonymous IDs via cookies, and include such IDs in subsequent ad requests.

   You can manage your choices at any time via the CMP on each Publisher Property. Withdrawing consent will not affect prior lawful processing but will apply going forward.

6. Sharing of data

   • Advertising partners and exchanges: to request bids, transmit responses, and serve ads.
   • Measurement and anti‑fraud providers: to measure delivery and combat invalid traffic (where permitted by your choices recorded in the consent banner).
   • Service providers: hosting, security, logging, and analytics providers under appropriate data protection terms.
   • Legal and compliance: to comply with law, enforce terms, investigate security incidents.

   Other TCF vendors that you consent to via the CMP may process your data for the purposes and lawful bases indicated in your CMP choices.

7. International data transfers

   During the delivery of our services, your data may be transferred to, and processed by us, our service providers and/or partners, in countries outside the European Union (EU) and European Economic Area (EEA) that are subject to different standards of data protection which may not provide the same level of protection as your jurisdiction. In such cases, when these countries do not benefit from an adequacy decision under Article 45 of the GDPR, we take appropriate steps to ensure that transfers of data are in accordance with applicable privacy laws and regulations, such as relying on the EU‑US Data Privacy Framework (DPF) or requiring the recipient to comply with the Standard Contractual Clauses (SCCs) adopted by the European Commission.

8. Retention

   We retain logs and identifiers only as long as necessary for the purposes described and, in any case, for up to 6 months unless a longer period is required by law:

   • Bid/request logs: up to 6 months for troubleshooting, fraud prevention, and compliance.
   • Identifiers/cookies: up to their stated lifetime and no longer than 6 months.

   Retention periods may vary to meet legal/regulatory requirements. Aggregated, non-personal data may be retained longer.

9. Your choices and rights

   • Consent banner (Consent Management Platform or CMP): Use the publisher’s consent banner to grant or withdraw consent for relevant purposes at any time.
   • Browser settings: You may block cookies or clear storage via your browser; some features may not function without storage consent.

   Your rights (GDPR/UK GDPR): Subject to conditions and exemptions, you have the right to request access, rectification, erasure, restriction, objection (including where we rely on legitimate interests), and data portability. Where we rely on consent, you may withdraw it at any time via the CMP.

   To exercise rights, contact us using the details above. You may also lodge a complaint with your local data protection authority or the UK Information Commissioner’s Office (ICO). EU data subjects may contact their competent supervisory authority.

10. Legitimate interests summary

    We rely on legitimate interests for Special Purposes as permitted by the TCF. We apply safeguards such as pseudonymisation, strict access controls, limited retention and no use for personalisation. Full documentation is available upon request.

    • SP1 – Ensure security, prevent fraud, and debug: Purpose: detect and mitigate invalid traffic, abuse, and service faults. Necessity: essential to protect publishers, advertisers, and users from harm. Safeguards: pseudonymisation, strict access controls, limited retention, no use for personalisation; respect for CMP choices for non‑SP processing. Outcome: interests are not overridden by user rights due to minimal intrusion and strong safeguards.
    • SP2 – Technically deliver ads or content: Purpose: process technical data required to transmit requests/responses and render content. Necessity: fundamental to provide the Service. Safeguards: strictly limited to what is necessary, no unrelated enrichment, short retention. Outcome: interests are not overridden by user rights.
    • SP3 – Save and communicate privacy choices: Purpose: read the consent signal from the CMP and communicate it as needed so that we and our partners can verify lawful basis and act accordingly. Necessity: essential to ensure that advertising respects your recorded choices across publishers and partners and to demonstrate accountability. Safeguards: pseudonymisation, integrity protection of consent signals, no persistent storage beyond transient processing, and use strictly for verifying and communicating choices; no use for personalisation. Outcome: interests are not overridden by user rights due to minimal intrusion, strong safeguards, and the benefit of ensuring your choices are respected.