Privacy and cookie policy

This Privacy Policy (hereinafter: “Policy”) provides information on the processing of your personal data in connection with provision by us of the ABTShield service (hereinafter: “Service”). 

ABTShield is an automated security service for analyzing online traffic, designed to detect and protect against bots and sophisticated invalid traffic (“SIVT”). The service aims to mitigate the risks associated with SIVT which include, among others: generating financial losses by generating unwanted costs, embezzling money from advertisers’ budgets and ad fraud, data theft, false identity fraud, fake transactions, money laundering, artificially boosting and positioning disinformation content, organizing automated trolling, deceiving users by automatically creating fake posts and reviews, and other harmful activities.   

 

 

Personal Data Controller

The controller of your personal data is EDGE NPD spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw (registered office address: ul. Czeska 22 A, 03-902 Warsaw), entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register under KRS No.: 0000441520, NIP No.: 9522122126, REGON No.: 146413766, with the share capital of PLN 50,000 (fifty thousand zlotys) paid up in full (hereinafter: “Controller”).

The Controller may also act as a data processor on behalf of another entity or as a joint controller of personal data with another entity. Regardless of the status of the organizer, the information contained in the Policy applies in every case, regardless of the status in which the Controller processes personal data.

 

Contact with the Controller

 In all the matters related to personal data processing, you may contact the Data Protection Officer appointed by the Controller by means of: email  at: dpo@edgenpd.com;

 

Data Protection Measures

The Controller applies modern organizational and technical measures to ensure the best possible protection of your personal data and guarantees that it is processed in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: „GDPR„), the Personal Data Protection Act of 10 May 2018, and other provisions on personal data protection.

In order to ensure full transparency of the Service, the Controller applies the principles implemented by IAB Europe (“IAB Europe Transparency & Consent Framework”), which are aimed at creating a standard for processing personal data and unifying the principles of personal data processing for better protection.

 

Information on the Personal Data Processed

The operation of the Service requires the processing of your personal data, with the reservation that the data that is processed does not allow you to be identified directly. Please find below the detailed information on the purposes of and legal grounds for processing.

Processing objective

Personal data processed

Legal basis

Measuring the effectiveness of advertising in terms of the occurrence of suspicious incidents

1)     Cookie ID -collected through customer or contractor websites or received from partners,

2)     Other identifiers or online technologies, such as data from the TCP/IP, TLS, HTTP protocol layers, as long as they it meets the requirements of data security and pseudonymization,

3)     IP address, URL address, device type, and other data describing the device/application characteristics (e.g. browser version, language version, device time zone),

4)     frequency and timing of device interactions combined with the corresponding monitored service, if available.

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interest)

 

TCF objective:

a)         Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

b)         Storing and/or accessing information on the device,

c)         Developing and improving the products.

Processing is necessary to determine how many users have viewed the ad and whether any suspicious incidents or behaviors have occurred within the campaign that affect the security of the website under which the Service is provided.

 

The Controller will process the aforementioned personal data until an effective objection is raised or the purpose of is achieved (whichever comes first).

 

 

Processing objective

Personal data processed

Legal basis

Increasing the understanding of user activity with statistics or a combination of data from different sources

1)      Cookie ID -collected through customer or contractor websites or received from partners,

2)     Other identifiers or online technologies, such as data from the TCP/IP, TLS, HTTP protocol layers, as long as they it meets the requirements of data security and pseudonymization,

3)     IP address, URL address, device type, and other data describing the device/application characteristics (e.g. browser version, language version, device time zone),

4)     frequency and timing of device interactions combined with the corresponding monitored service, if available.

 

 

 

 

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interest)

 

TCF objective:

a)         Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

b)         Storing and/or accessing information on the device,

c)         Developing and improving the products.

Processing is necessary for the purpose indicated above. The objective is achieved by using statistics or a combination of data from different sources: by using identifiers generated by receiving and using automatically sent device features; and using market research to generate information about audiences by combining different devices.

 

The Controller will process the aforementioned personal data until an effective objection is raised or the objective of processing is achieved (whichever comes first).

 

 

Processing objective

Personal data processed

Legal basis

Supporting the decision-making mechanisms related to the admission or exclusion of products

5)     Cookie ID -collected through customer or contractor websites or received from partners,

6)     Other identifiers or online technologies, such as data from the TCP/IP, TLS, HTTP protocol layers, as long as they it meets the requirements of data security and pseudonymization,

7)     IP address, URL address, device type, and other data describing the device/application characteristics (e.g. browser version, language version, device time zone),

8)     frequency and timing of device interactions combined with the corresponding monitored service, if available.

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interest)

 

TCF objective:

a)         Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

b)         Storing and/or accessing information on the device,

c)         Developing and improving the products.

The processing is necessary for the objective indicated in order to determine how to admit or exclude products with respect to their safety impact and the negative effects of SVIT.

 

The Controller will process the aforementioned personal data until an effective objection is raised or the objective of processing is achieved (whichever comes first).

 

 

Processing objective

Personal data processed

Legal basis

Conducting analysis to detect SVIT

1)     Cookie ID -collected through customer or contractor websites or received from partners,

2)     Other identifiers or online technologies, such as data from the TCP/IP, TLS, HTTP protocol layers, as long as they it meets the requirements of data security and pseudonymization,

3)     IP address, URL address, device type, and other data describing the device/application characteristics (e.g. browser version, language version, device time zone),

4)     frequency and timing of device interactions combined with the corresponding monitored service, if available.

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interest)

 

TCF objective:

a)         Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

b)         Storing and/or accessing information on the device,

c)         Developing and improving the products.

Processing is necessary in order for the Controller to comply with its tax obligations (the consequence of failure to do so will be the Controller’s inability to comply with the aforementioned obligations).

 

The Controller will process the above personal data for a period of 5 years from the end of the year in which the deadline for payment of the tax for the previous year expired.

 

 

 

 

Processing objective

Personal data processed

Legal basis

Determining, investigating or defending against claims in connection with the discovery of a security incident

1)     Cookie ID -collected through customer or contractor websites or received from partners,

2)     Other identifiers or online technologies, such as data from the TCP/IP, TLS, HTTP protocol layers, as long as they it meets the requirements of data security and pseudonymization,

3)     IP address, URL address, device type, and other data describing the device/application characteristics (e.g. browser version, language version, device time zone),

4)     the frequency and timing of device interactions combined with the corresponding monitored service, if available

 

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interests, including in the case of establishing, asserting or defending against claims that may arise in connection with provision of the Service)

 

TCF objective:

a)     Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

b)     Storing and/or accessing information on the device,

c)     Developing and improving the product.

 

Processing of the data is necessary for the purpose of establishing, asserting or defending against claims that may arise in connection with performance of the Agreements concluded with the Controller and the detection of security incidents in the provision of the Service.

 

The Controller will process the above personal data until expiry of the statute of limitations for claims that may arise in connection with performance of the agreements concluded with the Controller.

 

 

 

 

Processing objective

Personal data processed

Legal basis

Developing and improving the provision of the Service

1)     Cookie ID -collected through customer or contractor websites or received from partners,

2)     Other identifiers or online technologies, such as data from the TCP/IP, TLS, HTTP protocol layers, as long as they it meets the requirements of data security and pseudonymization,

3)     IP address, URL address, device type, and other data describing the device/application characteristics (e.g. browser version, language version, device time zone),

4)     the frequency and timing of device interactions combined with the corresponding monitored service, if available

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interest)

 

TCF objective:

a)     Developing and improving the product,

b)     Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

c)     Storing and/or accessing information on the device

Data processing is necessary to improve the provision of the Service and to determine how to reduce the negative impact of malicious SVIT sources on specific services, applications, URLs that are monitored by the Controller.

 

The Controller will process the aforementioned personal data until an effective objection is raised or the objective of processing is achieved.

 

 

 

 

Processing objective

Personal data processed

Legal basis

Creating analyses and statistics

1)     IP address

2)     server date and time

3)     web browser information

4)     operating system information

 

The above data is recorded automatically in the so-called server logs, each time you use the Store (it would be impossible to administer it without using server logs and automatic recording).

art. 6(1)(f) GDPR

 

(processing is necessary for the Controller’s legitimate interest)

 

TCF objective:

a)     Developing and improving the product,

b)     Measuring the effectiveness of ads in terms of security incidents that have occurred in a given campaign,

c)     Storing and/or accessing information on the device

Data processing is necessary to verify and to improve the provision of the Service, as well as to determine how to reduce the negative impact of malicious SVIT sources on specific services, applications, URLs that are monitored by the Controller.

 

The Controller will process the aforementioned personal data until an effective objection is raised or the objective of processing is achieved.

 

Processing objective

Personal data processed

Legal basis

Fulfillment of obligations related to personal data protection

 

the contact information you have provided in your request for personal data (e.g. full name, email address; mailing address; telephone number)

article 6(1)(c) GDPR

 

(processing is necessary in order to fulfill the legal obligation of  the Controller, in this case: obligations under data protection laws)

Provision of the aforementioned personal data is voluntary, but necessary in order for the Controller to properly perform their duties under the data protection laws, including the exercise of rights granted to you by the GDPR (failure to provide the aforementioned data will make it impossible to properly exercise the aforementioned rights).

 

The Controller will process the above personal data until expiry of the statute of limitations for claims for violation of data protection laws.

 

Personal data recipients 

The following external entities cooperating with the Controller will be recipients of the personal data:

  1. Controller’s clients and business partners;
  2. the provider of the data storage service;

In addition, personal data may also be transferred to public or private entities, if such an obligation arises from generally applicable laws, a final and valid court judgment or a final administrative decision.

The Controller provides its clients and business partners with information that allows them to distinguish and segment sources that generate valid traffic versus advanced invalid traffic (SVIT). In order to properly provide the Service, the Controller synchronizes and matches the collected data with the data held by supported customers, business partner, issue platforms and their components (such as DMP, DSP, SSP). The Controller creates automated statistical/summary reports that allow its clients and business partners to monitor the quality of Internet traffic, as well as respond to situations involving potential threats from SVIT.

 

Transfer of Personal Data to a Third Country

Your data will not be transferred to a third country or outside the European Economic Area.

 

Rights

You have the following rights on account of our processing of your personal data:

  • the right to know what personal data concerning you is processed by the Controller and to receive a copy of this data (the so-called right of access). The issue of the first copy of the data is free, while the Controller may charge a fee for subsequent copies;
  • if the processed data becomes obsolete or incomplete (or otherwise incorrect), you have the right to request rectification thereof;
  • in certain situations, you may ask the Controller to delete your personal data, e.g. when:
    1. the Controller ceases to need the data for the purposes they have informed about;
    2. you have effectively withdrawn your consent to data processing – unless the Controller has the right to process the data on another legal basis;
    3. processing is unlawful;
    4. the need to delete the data arises from the Controller’s legal obligation;
  • if your personal data is processed by the Controller on the basis of your consent to processing or for the purpose of performing the Agreement concluded with it, you have the right to transfer your data to another controller;
  • where personal data is processed by the Controller on the basis of your consent to processing, you have the right to withdraw this consent at any time (withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal);
  • if you consider that the processed personal data is incorrect, its processing is unlawful, or the Controller no longer needs certain data, you may request that, for a certain necessary period of time (e.g. to verify the correctness of the data or to assert claims), the Controller not perform any operations on the data, but only store it;
  • you have the right to object to the processing of your personal data, if its processing is based on the legitimate interests of the Controller. If an objection is successfully raised, the Controller will stop processing personal data for the above-mentioned purpose;
  • you have the right to lodge a complaint with the President of the Polish Personal Data Protection Authority if you believe that the processing of your personal data violates the provisions of the GDPR.

The Controller would like to inform that the type of data processed as part of provision of the Service does not allow for unambiguous identification of a given user, due to data pseudonymization. In this case, in accordance with Article 11(1) GDPR, in which the Controller is not obliged to retain, obtain or process additional information in order to identify the data subject, and has the right – after prior notification to the data subject (if possible) – to refuse to exercise that user’s rights under the provisions of Articles 15-20 GDPR (unless the user themselves provide the Controller with identifying information).

 

Cookies

  1. The Controller would like to inform you that the Service uses “cookies” which are installed on your terminal device. These are small text files that can be read by the Controller’s system, as well as by systems of other entities that provide services to the Controller.
  2. The Controller will use cookies for the following purposes:
    1. ensuring the proper provision of the Service – thanks to cookies, it is possible to provide the Service smoothly and improve it on an ongoing basis,
    2. increasing the security of the website using the Service – thanks to cookies, it is possible to detect errors and suspicious activity on certain subpages and marketing activities used by the website, and to improve them on an ongoing basis;
    3. creating statistics – cookies are used for analyzing how users use the Service. This makes it possible to improve the Service on an ongoing basis and adapt its operation to users’ preferences;
  3. The Controller informs that the cookies used as part of the Service are necessary for the operation of the website, in which they have been placed to ensure the security of its operations and do not require your consent to their use.
  4. The Controller may place both persistent and temporary (session) files on your device. Session files are usually deleted when the browser is closed, while closing the browser does not delete persistent files.
  5. Information about the cookies used by the Controller is displayed in the panel at the bottom of the website, within which the Service is provided. Depending on your decision, you can enable or disable cookies of each category (except for essential cookies) and change these settings at any time.
  6. The data collected through cookies does not allow the Controller to identify you.
  7. Using the most popular browsers, you can check whether cookies have been installed on your terminal device, as well as, in some cases, delete installed cookies and block the Service from installing them in the future. However, disabling or restricting cookies may cause quite serious difficulties in using the website on which the Service is provided.
  8. In the provision of the Service, the Controller uses only “first-party cookies” as a string of random 32 characters to identify the network traffic of individual users of the website on which the Service is provided
  9. Cookies are stored by the Controller for a period of 365 days, unless the Controller is required by applicable law to store them for a longer period.

 

 

Final Provisions 

To the extent not regulated by this Policy, the generally applicable data protection laws will apply.

The policy is effective as of 4th of October 2024.