Privacy Policy

Privacy, tracking, and data protection information

This Privacy Policy explains what personal data we process, how our embedded widget collects data on third-party websites, why we process that data, which legal bases apply, and what rights data subjects have under the GDPR and related privacy laws.

Controller and scope

The controller for the processing described in this Privacy Policy is the operator of this platform as identified in the legal notice or imprint. This Policy applies to visitors of this website, registered users of the CMS platform, and end users whose browsers load our embedded widget on third-party publisher websites.

Categories of data processed

Depending on the feature used, we may process IP address, browser type and browser version, operating system, referrer URL, visited pages, widget interactions, timestamp, device type, screen resolution, preferred language, cookies, localStorage identifiers, pseudonymous identifiers, and similar technical signals required to provide analytics, attribution, security, and anti-fraud controls. Even anonymized or truncated IP data may still qualify as personal data under the GDPR.

Fingerprinting disclosure

If device or browser characteristics are combined in order to distinguish repeat traffic, detect abuse, or secure the click attribution system, this may amount to fingerprinting. Where such techniques are used, they are used for security, fraud prevention, attribution integrity, and network protection. We do not use these techniques to intentionally infer sensitive characteristics such as health, religion, or political opinions.

How data is collected

Data is collected through our JavaScript widget hosted on our servers and embedded on third-party websites, through requests triggered when pages load, when widgets render, and when users interact with articles or widget elements, as well as through account usage inside the CMS platform itself.

Purposes of processing

We process data to track article clicks and impressions, attribute interactions between publishers, calculate rankings and analytics, measure widget performance, prevent fraud and manipulation, maintain platform security, troubleshoot technical issues, and optimize the exchange network and user experience.

Legal bases under Art. 6 GDPR

Where cookies, localStorage, cross-site identifiers, or similar tracking technologies require prior consent, processing is based on Art. 6(1)(a) GDPR in conjunction with applicable ePrivacy and TTDSG requirements. For platform security, anti-fraud analysis, log retention, abuse prevention, service operation, and limited analytics required to keep the exchange functional and secure, processing may also be based on Art. 6(1)(f) GDPR, our legitimate interests, provided that no overriding rights and freedoms of the data subject prevail.

Cross-site tracking and publisher responsibility

Because our widget is embedded on third-party publisher websites, interactions may be assigned across multiple domains in order to measure publisher performance and exchange activity. Publishers integrating the widget remain responsible for informing their own website visitors, configuring a compliant consent banner where required, and ensuring that our script is not loaded before the necessary consent has been obtained.

Cookies, localStorage, and TTDSG / ePrivacy compliance

Our services may use cookies, localStorage, or comparable storage and access technologies. Under the TTDSG and the ePrivacy framework, storing information on an end-user device or accessing such information usually requires prior consent unless a strict legal exception applies, for example where the access is strictly necessary to provide a service expressly requested by the user. Where consent is required, the widget operator must obtain it before our tracking-enabled code is executed.

Data sharing and recipients

We may share data with hosting providers, infrastructure providers, CDN operators, and other processors that support the operation of the platform. Within the platform, publishers may receive aggregated or account-level performance metrics concerning their own websites, articles, and widgets. We do not intentionally disclose raw end-user browsing histories to other publishers and we do not sell personal data.

Storage duration

Raw technical logs and security signals are retained only for as long as necessary for platform security, abuse prevention, and troubleshooting. Aggregated analytics may be stored longer because they no longer need to identify individual users directly and remain necessary for reporting, balancing, and network optimization. Specific retention periods depend on the type of record, legal obligations, and the need to investigate suspicious activity or enforce contractual rights.

No intentional processing of special categories of data

We do not intentionally collect or process special categories of personal data such as health data, biometric data, religious beliefs, political opinions, or similar sensitive information. Publishers must not intentionally use the platform to submit or derive such data through article exchange or tracking functions.

Data subject rights

Data subjects have the right of access, rectification, erasure, restriction of processing, data portability, and objection to processing where the GDPR provides those rights. Any consent previously given can be withdrawn at any time with effect for the future. Data subjects also have the right to lodge a complaint with a competent supervisory authority, in particular in the Member State of their residence, place of work, or place of the alleged infringement.

Data Processing Agreement and role allocation

Because publishers load our widget on their own websites and transmit user-related data to our systems, a Data Processing Agreement or another role allocation arrangement may be required depending on the concrete processing setup. We make an appropriate agreement available for publishers so that responsibilities regarding instructions, security measures, and data subject handling can be documented in compliance with the GDPR.

International transfers and safeguards

If personal data is processed outside the European Union or European Economic Area, we apply suitable safeguards where required by law, such as Standard Contractual Clauses or equivalent lawful transfer mechanisms.

Changes to this Privacy Policy

We may update this Privacy Policy where legal requirements, tracking methods, service providers, or platform features change. The version published on this website applies from its effective date. Publishers should review this page regularly and update their own privacy notices where necessary.
