Privacy Policy
This Policy explains how Adsafee collects and uses personal data when you visit our website, register an account, or use our ad fraud detection service. We are based in the European Union and operate in line with the EU General Data Protection Regulation (GDPR) and Cyprus data-protection law.
Adsafee provides a real-time ad fraud detection platform for performance advertisers, agencies, affiliate networks, ad networks and publishers. To do that, our software analyses technical signals from advertising traffic in order to identify clicks, impressions and conversions that originate from bots, click farms or other forms of invalid traffic. That analysis necessarily involves processing some technical data that may, in certain circumstances, be considered personal data under European law — in particular IP addresses and device fingerprints.
This Policy is written with two audiences in mind. The first is people whose personal data we process as a controller: visitors to our public website, prospects who contact us, and account holders who use our dashboard. The second is end users whose data is included in advertising traffic that our Subscribers route through the Service. For that second category we act only as a processor on the Subscriber's behalf, and the Subscriber's own privacy policy is the primary source of information — this Policy explains in general terms how we contribute to that processing.
If anything in this Policy is unclear, please write to us at hello@adsafee.com and we will be happy to clarify.
1. Who we are
The data controller responsible for personal data processed in connection with our public website, marketing activities, and account administration is:
Adsafee
Georgiou Katsounotou 6
3036 Limassol, Cyprus
Email: hello@adsafee.com
When you use the Service to analyse traffic on behalf of your own business, you (the Subscriber) are the controller of the personal data contained in that traffic, and Adsafee acts as your processor under Article 28 GDPR. The terms of that processor relationship — including instructions, security measures, sub-processor disclosures, and assistance with data-subject requests — are described in this Policy and in our Terms of Service. If you require a signed data processing addendum to satisfy your own compliance obligations, contact hello@adsafee.com.
1.1 Data protection contact
We have not appointed a formal Data Protection Officer under Article 37 GDPR, as our processing activities do not currently meet the mandatory criteria. You can reach our data-protection contact with any GDPR question, access request, or complaint at hello@adsafee.com with the subject line "Data Protection".
2. What personal data we collect
We distinguish three categories of data.
2.1 Account data (Adsafee as controller)
When you create an account, we collect:
- Identification: full name, business email address, company name, job title (optional);
- Authentication: hashed password, multi-factor-authentication secrets, session tokens;
- Billing: company billing address, VAT number, name and last four digits of the payment card (full card data is held by our payment processor, not by us);
- Support correspondence: messages you send us through email, chat, or support tickets;
- Usage of the dashboard: pages viewed, features used, API calls, log-in timestamps, IP address used to access the dashboard.
2.2 Traffic data (Adsafee as processor for Subscriber)
To perform fraud detection on traffic that you route through the Service, we process technical signals collected from end-user devices, including:
- IP addresses and approximate geolocation (typically country, region, city);
- HTTP headers, user-agent strings, referrers, request timing;
- Device and browser fingerprints, which may include canvas, WebGL, audio context, font, and hardware-concurrency signals;
- Behavioural signals such as mouse movement, scroll depth, dwell time, click coordinates, and keystroke timing where you choose to enable behavioural analysis;
- Click and impression metadata that you supply through tags, server-to-server postbacks or API calls (such as campaign IDs, click IDs, offer IDs, sub-IDs);
- Derived signals (Fraud Signals) generated by our detection engine.
For this category, you (the Subscriber) are the controller. You decide what traffic to route to the Service, on what lawful basis, and what to do with the resulting Fraud Signals. You are responsible for providing notice to and, where necessary, obtaining consent from data subjects.
2.3 Website visitor and marketing data
When you visit adsafee.com (including the blog and documentation), we collect:
- Standard server logs: IP address, browser, operating system, referring URL, pages viewed, timestamps;
- Cookie data and similar identifiers, where you have consented to non-essential cookies. See our Cookie Policy;
- Marketing data: information you submit through contact forms, newsletter sign-ups, or demo requests, and any data we receive from business-network platforms with your consent.
2.4 What we do not collect
We are a business-to-business service and only collect data that is necessary to operate the Service and our business. We do not intentionally collect special categories of personal data within the meaning of Article 9 GDPR (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning a person's sex life or sexual orientation). If, in exceptional circumstances, you provide such data to us through a support ticket or contact form, we will keep it only as long as needed to handle your request.
We do not buy personal data from data brokers, and we do not enrich Account data with third-party profiles.
3. Lawful basis for processing
Article 6 GDPR requires us to identify a lawful basis for each processing activity. We rely on the following:
| Activity | Lawful basis |
|---|---|
| Creating and operating your account; providing the Service; billing | Article 6(1)(b) GDPR — performance of a contract |
| Detecting fraud, abuse, and security incidents on the Service | Article 6(1)(f) GDPR — legitimate interests of Adsafee and our customers in protecting against fraud and ensuring information security |
| Sending service-related notices (downtime, security, policy changes) | Article 6(1)(b) and 6(1)(c) GDPR — contractual necessity and legal obligation |
| Sending marketing emails to business prospects and customers | Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR (legitimate interest, with right to object) |
| Analytics and marketing cookies on adsafee.com | Article 6(1)(a) GDPR — consent collected via the cookie banner |
| Complying with tax, accounting, and other legal obligations | Article 6(1)(c) GDPR — legal obligation |
| Defending or pursuing legal claims | Article 6(1)(f) GDPR — legitimate interest in protecting our rights |
Where we rely on legitimate interest, we have carried out a balancing test and are happy to share a summary on request. The balancing test considers, among other things, the reasonable expectations of data subjects, the nature of the data, the safeguards in place, and the impact on the individuals concerned. You have the right to object to processing based on legitimate interest at any time (see section 9).
3.1 Where the Subscriber chooses the lawful basis
For Traffic Data we process on a Subscriber's behalf, the Subscriber selects and documents the lawful basis. Typical bases are legitimate interest in preventing advertising fraud, contractual necessity (where the end user is a customer of the Subscriber and traffic analysis is part of the service), or consent (in particular where cookies or similar tracking are placed on the end-user device). We support Subscribers in implementing each of those bases through configurable consent signals, granular event filtering, and short retention defaults.
4. How we use personal data
We use personal data for the following purposes:
- Account management: creating and authenticating accounts, providing access to dashboards and APIs, managing user permissions.
- Fraud detection and traffic analysis: producing Fraud Signals from Traffic Data on the Subscriber's behalf.
- Security: monitoring for unauthorised access, abuse, and attacks against the Service itself.
- Billing and accounting: invoicing, tax reporting, dispute resolution.
- Customer support: responding to your questions and incidents.
- Product improvement: analysing aggregate and pseudonymised usage to improve features, reliability and detection accuracy.
- Communications: sending service-related notifications and, where appropriate, marketing communications.
- Compliance: meeting legal, regulatory, and contractual obligations.
We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals. Fraud Signals are designed to support the commercial decisions of our Subscribers, not to make decisions about identifiable individuals.
4.1 A note on fraud detection
Fraud detection is, by its nature, a use of legitimate interest under Article 6(1)(f) GDPR. The European Data Protection Board has repeatedly recognised that the prevention of fraud is a legitimate purpose, and Recital 47 of the GDPR explicitly mentions it as an example. We have balanced our (and our Subscribers') interest in operating a clean, trustworthy advertising ecosystem against the rights and freedoms of the individuals whose technical signals we analyse. The processing is limited to data that is technically necessary to detect fraud, retention periods are kept short, profiles are not used outside the fraud-detection context, and Subscribers retain the right to override decisions about specific clicks, impressions or users.
6. International transfers
Our primary infrastructure is in the European Union. Some sub-processors may process data outside the European Economic Area, in particular in the United States. Where personal data is transferred outside the EEA, we put appropriate safeguards in place under Chapter V GDPR, including:
- The European Commission's Standard Contractual Clauses (Decision 2021/914);
- The EU–U.S. Data Privacy Framework, where the recipient is self-certified;
- Supplementary technical and organisational measures (such as encryption, pseudonymisation, and access control) where appropriate following a transfer-impact assessment.
You may request a copy of the safeguards by contacting hello@adsafee.com.
7. Data retention
| Data | Retention period |
|---|---|
| Account data (name, email, company, hashed password) | Duration of the account; deleted within 90 days of account closure unless a longer period is required by law |
| Invoices and accounting records | 6 years from the end of the financial year (Cyprus tax law) |
| Traffic Data (raw events, signals) | 12 months by default; configurable by the Subscriber to a shorter period where the plan permits |
| Application and security logs | 90 days |
| Support correspondence | 24 months after the ticket is closed |
| Marketing data (newsletter, prospect lists) | Until you unsubscribe or object; reviewed at least every 24 months |
| Cookie consent records | 13 months from the last consent action |
When we no longer need personal data we delete it or fully anonymise it. Anonymised data may be retained indefinitely for statistical and product-improvement purposes. We rely on industry-standard techniques such as truncation of IP addresses, hashing with a non-recoverable key, and aggregation, and we periodically review our pseudonymisation approach against the latest guidance from the European Data Protection Board.
7.1 Backups and lawful holds
Personal data may persist for a short period in encrypted backup snapshots after the live record has been deleted. Backups are rotated on a defined schedule and are not used for any operational purpose; data restored from a backup is treated according to its original retention rules. Where a regulator, court, or legitimate legal hold requires us to retain data longer than the default period, we will do so for the duration of the obligation and delete the data thereafter.
8. Security
We follow industry best practices to protect personal data against unauthorised access, alteration, disclosure or destruction. Measures include:
- TLS 1.2+ encryption for data in transit and AES-256 encryption for data at rest;
- Role-based access control with least-privilege defaults and mandatory multi-factor authentication for staff;
- Segmented production environments with strict network controls;
- Centralised audit logging of administrative actions;
- Regular internal security testing of customer-facing applications;
- Vendor due-diligence and contractual security commitments with sub-processors;
- An internal incident-response process designed to meet the 72-hour breach-notification requirement under Article 33 GDPR.
No system can be guaranteed to be perfectly secure. You play an important role: choose a strong, unique password, keep your credentials confidential, and notify us immediately of any suspected compromise.
9. Your rights under the GDPR
If you are located in the European Union, the United Kingdom, or another jurisdiction with similar laws, you have the following rights in relation to personal data we hold about you as a controller:
- Access — to know whether we process your personal data and, if so, to obtain a copy and information about the processing;
- Rectification — to have inaccurate or incomplete data corrected;
- Erasure ("right to be forgotten") — to have your data deleted where one of the grounds in Article 17 GDPR applies;
- Restriction — to limit processing in certain situations;
- Portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller, where Article 20 GDPR applies;
- Objection — to object to processing based on legitimate interest or direct marketing;
- Withdraw consent — where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of previous processing;
- Complaint — to lodge a complaint with a supervisory authority. In Cyprus this is the Office of the Commissioner for Personal Data Protection (dataprotection.gov.cy). You may also complain to the supervisory authority in your country of residence or place of the alleged infringement.
To exercise these rights, please email hello@adsafee.com. We will respond within one month of receiving a valid request, with a possible extension of up to two further months for complex requests. We may need to verify your identity before responding.
If you are a data subject of a Subscriber (for example, an end user visiting a website that uses the Service), please address your request to the Subscriber as controller. We will assist the Subscriber in responding.
9.1 How to make a request
Please include enough information for us to identify the data we hold about you and to verify your identity. For account holders, a request sent from the email address on file is usually sufficient. For other individuals, we may ask for proof of identity in proportion to the sensitivity of the data concerned.
We do not charge a fee for handling requests, unless they are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, in accordance with Article 12(5) GDPR).
10. Children
The Service is a business-to-business offering and is not directed at children. We do not knowingly collect personal data from individuals under 18 years of age. If we learn that we have inadvertently collected such data, we will delete it as soon as practicable.
11. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The "Last updated" date at the top of this page shows when the latest changes took effect. For material changes affecting account holders, we will give advance notice by email or in the dashboard.
12. Contact and Data Protection Officer
If you have any questions or concerns about this Policy or our processing of personal data, please contact us:
Adsafee — Data Protection
Georgiou Katsounotou 6
3036 Limassol, Cyprus
Email: hello@adsafee.com
You can also contact the Cyprus supervisory authority at dataprotection.gov.cy.