Privacy Policy of the
ABTShield service
This Privacy Policy (hereinafter: the “Policy”) contains information about the processing of your personal data in connection with the provision of our ABTShield service (hereinafter: the “Service”).
ABTShield is an automated security service designed to analyze internet traffic and detect and protect against bots and sophisticated invalid traffic (SIVT). The service aims to mitigate risks associated with SIVT, including financial losses caused by unwanted costs, fraud involving advertiser budgets and ad fraud schemes, data theft, identity fraud, fake transactions, money laundering, artificial boosting and positioning of disinformation content, orchestrated automated trolling, deceiving users through automated creation of fake posts and reviews, and other harmful activities.
Data Controller
The controller of your personal data is EDGE NPD limited liability company based in Warsaw (registered office address: ul. Czeska 22 A, 03-902 Warsaw), entered into the register of entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register under KRS number: 0000441520, holding NIP (tax identification number): 9522122126, REGON number: 146413766, with a share capital of PLN 50,000 (fifty thousand zlotys) fully paid up (hereinafter: the “Administrator“)..
The Administrator may also act as a personal data processor on behalf of another entity or as a joint controller of personal data together with another entity. Regardless of the organizer’s status, the information contained in the Policy applies in every case, irrespective of the capacity in which the Administrator processes personal data.
Contact with the Administrator
For all matters related to the processing of personal data, you may contact the Data Protection Officer appointed by the Administrator via email at: dpo@edgenpd.com:
Personal Data Protection Measures
The Administrator applies modern organizational and technical safeguards to ensure the best possible protection of your personal data and guarantees that it processes them in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), the Act of 10 May 2018 on the protection of personal data, and other personal data protection regulations.
To ensure full transparency of the Services, the Administrator applies the principles implemented by IAB Europe’s guidelines and policies (“IAB Europe Transparency & Consent Framework”), which aim to create a standard for personal data processing and to unify the rules of their processing for better protection.
Information about the Personal Data Processed
The operation of the Service requires the processing of your personal data, with the data processed being those that do not allow your direct identification. Below you will find detailed information about the purposes and legal bases of the processing.
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Measuring the effectiveness of advertisements in relation to the occurrence of suspicious incidents |
1) Cookie identifier – collected via clients’ or contractors’ websites or received from partners, 2) Other identifiers or internet technologies, such as data from TCP/IP, TLS, HTTP protocol layers, provided they meet security and data pseudonymization requirements, 3) IP address, URL address, device type, and other data describing the characteristics of the device/application (e.g., browser version, language version, device time zone), 4) The frequency and duration of device interactions in connection with the respective monitored service, if available. |
Article 6(1)(f) of the GDPR
(the processing is necessary for the purposes of the legitimate interests pursued by the Administrator)
Purpose of the TCF: a) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, b) Storing and/or accessing information on a device, c) Developing and improving the product. |
Processing is necessary to determine how many users viewed the advertisement and whether any suspicious incidents or behaviors affecting the security of the service, within which the Service operates, occurred during the campaign.
The Administrator will process the aforementioned personal data until a valid objection is lodged or the purpose of processing is achieved (whichever occurs first). |
||
|
||
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Increasing understanding of user activity through statistics or a combination of data from various sources |
1) Cookie identifier – collected via clients’ or contractors’ websites or received from partners, 2) Other identifiers or internet technologies, such as data from TCP/IP, TLS, HTTP protocol layers, provided they meet security and data pseudonymization requirements, 3) IP address, URL address, device type, and other data describing the characteristics of the device/application (e.g., browser version, language version, device time zone) 4) The frequency and duration of device interactions in connection with the respective monitored service, if available. |
Article 6(1)(f) of the GDPR
(the processing is necessary for the purposes of the legitimate interests pursued by the Administrator)
Purpose of the TCF: a) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, b) Storing and/or accessing information on a device, c) Developing and improving the product. |
Processing is necessary for the purpose indicated above. This purpose is achieved by using identifiers generated through the reception and use of automatically transmitted device characteristics, as well as by applying market research to generate audience insights by linking different devices.
The Administrator will process the aforementioned personal data until a valid objection is lodged or the purpose of processing is achieved (whichever occurs first). |
||
|
||
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Supporting decision-making mechanisms related to the approval or exclusion of products |
5) Cookie identifier – collected via clients’ or contractors’ websites or received from partners, 6) Other identifiers or internet technologies, such as data from TCP/IP, TLS, HTTP protocol layers, provided they meet security and data pseudonymization requirements, 7) IP address, URL address, device type, and other data describing the characteristics of the device/application (e.g., browser version, language version, device time zone), 8) The frequency and duration of device interactions in connection with the respective monitored service, if available. |
Article 6(1)(f) of the GDPR
(the processing is necessary for the purposes of the legitimate interests pursued by the Administrator)
Purpose of the TCF: a) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, b) Storing and/or accessing information on a device, c) Developing and improving the product. |
Processing is necessary for the purpose of determining how products can be approved or excluded with regard to their impact on safety and the adverse effects of SVIT.
The Administrator will process the aforementioned personal data until a valid objection is lodged or the purpose of processing is achieved (whichever occurs first). |
||
|
||
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Conducting analyses to detect SVIT |
1) Cookie identifier – collected via clients’ or contractors’ websites or received from partners, 2) Other identifiers or internet technologies, such as data from TCP/IP, TLS, HTTP protocol layers, provided they meet security and data pseudonymization requirements, 3) IP address, URL address, device type, and other data describing the characteristics of the device/application (e.g., browser version, language version, device time zone) 4) The frequency and duration of device interactions in connection with the respective monitored service, if available. |
Article 6(1)(f) of the GDPR
(the processing is necessary for the purposes of the legitimate interests pursued by the Administrator)
Purpose of the TCF: a) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, b) Storing and/or accessing information on a device, c) Developing and improving the product. |
Processing is necessary for the Administrator to fulfill its tax obligations (failure to provide the data will result in the Administrator being unable to fulfill these obligations).
The Administrator will process the aforementioned personal data for a period of 5 years from the end of the year in which the tax payment deadline for the previous year has expired. |
||
|
|
|
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Establishing, pursuing, or defending claims related to the detection of a security incident |
1) Cookie identifier – collected via clients’ or contractors’ websites or received from partners, 2) Other identifiers or internet technologies, such as data from TCP/IP, TLS, HTTP protocol layers, provided they meet security and data pseudonymization requirements, 3) IP address, URL address, device type, and other data describing the characteristics of the device/application (e.g., browser version, language version, device time zone) 4) The frequency and duration of device interactions in connection with the respective monitored service, if available
|
Article 6(1)(f) of the GDPR
(The processing is necessary for the purposes of the legitimate interests pursued by the Administrator, in this case the establishment, pursuit, or defense against claims that may arise in connection with the operation of the Service)
Purpose of the TCF: a) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, b) Storing and/or accessing information on a device, c) Developing and improving the product.
|
Data processing is necessary for the establishment, pursuit, or defense against claims that may arise in connection with the performance of Agreements concluded with the Administrator and the detection of security incidents within the scope of the Service.
The Administrator will process the aforementioned personal data until the expiry of the limitation periods for claims that may arise in connection with the performance of agreements concluded with the Administrator. |
||
|
|
|
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Developing and improving the operation of the Service |
1) Cookie identifier – collected via clients’ or contractors’ websites or received from partners, 2) Other identifiers or internet technologies, such as data from TCP/IP, TLS, HTTP protocol layers, provided they meet security and data pseudonymization requirements, 3) IP address, URL address, device type, and other data describing the characteristics of the device/application (e.g., browser version, language version, device time zone) 4) The frequency and duration of device interactions in connection with the respective monitored service, if available |
Article 6(1)(f) of the GDPR
(the processing is necessary for the purposes of the legitimate interests pursued by the Administrator)
Purpose of the TCF: a) Developing and improving the product, b) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, c) Storing and/or accessing information on a device |
Data processing is necessary to improve the operation of the Service and to determine how to mitigate the negative impact of malicious SVIT sources on specific services, applications, and URLs monitored by the Administrator.
The Administrator will process the aforementioned personal data until a valid objection is lodged or the purpose of processing is achieved. |
||
|
|
|
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Creating analyses and statistics |
1) IP address 2) server date and time 3) information about the web browser 4) information about the operating system
The above data are automatically recorded in the server logs each time the Store is used (managing it without server logs and automatic recording would not be possible). |
Article 6(1)(f) of the GDPR
(the processing is necessary for the purposes of the legitimate interests pursued by the Administrator)
Purpose of the TCF: a) Developing and improving the product, b) Measuring the effectiveness of advertisements in relation to security incidents that occurred during a given campaign, c) Storing and/or accessing information on a device |
Data processing is necessary to examine the performance results of the Service, improve its operation, and determine how to mitigate the negative impact of malicious SVIT sources on specific services, applications, and URLs monitored by the Administrator.
The Administrator will process the aforementioned personal data until a valid objection is lodged or the purpose of processing is achieved. |
Purpose of Processing |
Personal Data Processed |
Legal Basis |
Fulfillment of obligations related to personal data protection |
The contact data you provide in your personal data inquiry (e.g., name and surname, email address, mailing address, phone number) |
Article 6(1)(c) of the GDPR
(The processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case obligations arising from personal data protection regulations) |
Providing the aforementioned personal data is voluntary but necessary for the proper fulfillment by the Administrator of obligations arising from personal data protection regulations, including the exercise of rights granted to you under the GDPR (failure to provide the aforementioned data will result in the inability to properly exercise these rights).
The Administrator will process the aforementioned personal data until the expiration of the limitation periods for claims arising from violations of personal data protection regulations. |
Recipients of Personal Data
The recipients of personal data will be the following external entities cooperating with the Administrator:
- the Administrator’s clients and contractors;
- providers of services enabling data storage;
- […].
Additionally, personal data may be disclosed to public or private entities if such an obligation arises from generally applicable laws, a final court judgment, or a final administrative decision.
The Administrator provides its clients and contractors with information that allows for the differentiation and segmentation of sources generating legitimate traffic compared to advanced illegitimate traffic (SVIT). To properly deliver the Service, the Administrator synchronizes and matches the collected data with the data held by the served clients, contractors, advertising platforms, and their components (such as DMP, DSP, SSP). The Administrator generates automated statistical/aggregate reports that enable clients and contractors to monitor the quality of internet traffic and respond to situations related to potential threats posed by SVIT.
Transfer of Personal Data to a Third Country
In connection with the Administrator’s use of services provided by Google LLC, your personal data may be transferred to the following third countries: the United Kingdom, Canada, the United States, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia, and Australia. The basis for the transfer of data to the aforementioned third countries is:
- In the case of the United Kingdom, Canada, Israel, Japan, and South Korea – decisions of the European Commission recognizing an adequate level of personal data protection in each of the aforementioned third countries;
- In the case of the United States – Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, recognizing an adequate level of personal data protection ensured under the EU-US Data Privacy Framework;
- In the case of Chile, Brazil, Saudi Arabia, Qatar, India, China, Singapore, Taiwan (Republic of China), Indonesia, and Australia – contractual clauses ensuring an adequate level of protection, in accordance with the standard contractual clauses specified in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
You may obtain from the Administrator a copy of the data transferred to a third country, subject to the reservation mentioned at the bottom of the “Rights” section.
Rights
In connection with the processing of personal data, you have the following rights:
- The right to be informed about which personal data concerning you are processed by the Administrator and to receive a copy of that data (the so-called right of access). The first copy of the data is free of charge; for subsequent copies, the Administrator may charge a fee;
- If the processed data become outdated, incomplete, or otherwise inaccurate, you have the right to request their rectification;
- In certain situations, you may request the Administrator to delete your personal data, for example when:
- the data are no longer necessary for the purposes for which the Administrator informed you;
- you have effectively withdrawn your consent to the processing of data—provided that the Administrator does not have the right to process the data on another legal basis;
- the processing is unlawful;
- konieczność usunięcia danych wynika z ciążącego na Administratorze obowiązku prawnego;
- In cases where personal data are processed by the Administrator based on your given consent or for the performance of a contract concluded with you, you have the right to transfer your data to another controller;
- If personal data are processed by the Administrator based on the consent you have given, you have the right to withdraw that consent at any time (withdrawal of consent does not affect the lawfulness of processing carried out based on the consent before its withdrawal);
- If you believe that the personal data being processed are incorrect, unlawfully processed, or that the Administrator no longer needs certain data, you may request that, for a specified necessary period (e.g., to verify the accuracy of the data or to pursue claims), the Administrator refrains from performing any operations on the data and only stores them;
- You have the right to object to the processing of personal data where the legal basis for processing is the legitimate interests of the Administrator. Upon a valid objection, the Administrator will cease processing personal data for the aforementioned purpose;
- You have the right to lodge a complaint with the President of the Personal Data Protection Office if you believe that the processing of personal data violates the provisions of the GDPR.
The Administrator informs that the type of data processed within the operation of the Service does not allow for the unequivocal identification of a given user due to their pseudonymized nature. In this case, pursuant to Article 11(1) of the GDPR, the Administrator is not obliged to maintain, obtain, or process additional information to identify the data subject and has the right—after prior notification to the user (if possible)—to refuse to fulfill the rights of that user arising from Articles 15–20 of the GDPR (unless the user independently provides the Administrator with information enabling their identification).
Cookies
- The Administrator informs that as part of the Service, it uses cookies installed on your end device. These are small text files that can be read by the Administrator’s system as well as by systems belonging to other entities whose services the Administrator uses.
- The Administrator uses cookies for the following purposes:
- Ensuring the proper functioning of the Service – thanks to cookies, the Service can operate efficiently and be continuously improved,
- Increasing the security of the service using the Service – thanks to cookies, it is possible to detect errors and suspicious activities on certain subpages and marketing actions used by the service, as well as to continuously improve them;
- Creating statistics – cookies are used to analyze how users interact with the service utilizing the Service. This enables continuous improvement of the Service and tailoring its operation to users’ preferences;
- The Administrator informs that the cookies used within the Service are essential for the operation of the website in which they are placed to ensure the security of its activity and do not require your consent for their use.
- The Administrator may place both persistent and temporary (session) cookies on your device. Session cookies are usually deleted when the browser is closed, whereas closing the browser does not delete persistent cookies.
- Information about the cookies used by the Administrator is displayed in the panel located at the bottom of the website where the Service operates. Depending on your choice, you can enable or disable cookies of specific categories (except for essential cookies) and change these settings at any time.
- Data collected through cookies does not allow the Administrator to identify you.
- Through most commonly used browsers, you can check whether cookies have been installed on your end device, as well as, in some cases, delete installed cookies and block their installation by the Service in the future. However, disabling or restricting the handling of cookies may cause significant difficulties in using the website where the Service operates.
- As part of the Service’s operation, the Administrator uses only “first-party cookies” consisting of a random 32-character string to identify the network traffic of individual users on the website where the Service is located.
- Cookies are stored by the Administrator for a period of 365 days, unless the Administrator is required by applicable law to retain them for a longer period.
Final Provisions
In matters not regulated by the Policy, generally applicable personal data protection laws shall apply.
The Policy is effective as of July 18, 2025.