What is GDPR? The General Data Protection Regulation (EU 2016/679) is a comprehensive data protection law that applies to any organisation processing personal data of individuals in the European Economic Area (EEA). WeForAds is committed to full compliance with GDPR as both a Data Controller and Data Processor.
At WeForAds, we take data protection seriously. We are committed to handling all personal data in accordance with GDPR principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
As a programmatic advertising platform, we act as both a Data Controller (for data about our publishers, website visitors, and employees) and as a Data Processor (when processing end-user data on behalf of our publisher clients in the context of ad delivery).
This GDPR notice applies to:
If you are located outside the EEA, some GDPR provisions may not apply to you, though we extend similar protections globally as a matter of policy.
| Data Category | Examples | Role |
|---|---|---|
| Publisher identity data | Name, email, phone, company name | Controller |
| Publisher financial data | Bank details, tax IDs, revenue figures | Controller |
| Platform usage data | Login activity, dashboard interactions, API calls | Controller |
| Website visitor data | IP address, browser type, pages visited, cookies | Controller |
| End-user ad data | Pseudonymous device IDs, bid signals, contextual data | Processor |
| Communication data | Emails, support tickets, call recordings (with consent) | Controller |
We apply the principle of data minimisation — we only collect and process data that is genuinely necessary for the specified purpose.
GDPR requires that every processing activity has a documented lawful basis. Here is how we apply each basis:
| Basis | How We Apply It |
|---|---|
| Art. 6(1)(a) Consent | Marketing emails, non-essential cookies, optional analytics, and personalisation features |
| Art. 6(1)(b) Contract | Processing required to onboard publishers, deliver platform services, and make revenue payments |
| Art. 6(1)(c) Legal obligation | Tax reporting, financial record keeping, regulatory compliance, and responding to lawful government requests |
| Art. 6(1)(f) Legitimate interests | Platform security, fraud detection, IVT prevention, service improvement, and non-commercial communications about platform updates |
Legitimate Interests Assessment (LIA): Where we rely on legitimate interests, we conduct and document a balancing test to ensure our interests do not override your fundamental rights and freedoms. You can request a copy of our LIA at [email protected].
Under GDPR, EEA residents have the following rights. We are committed to honouring each one:
Request a copy of all personal data we hold about you, including processing purposes and recipients.
Request correction of inaccurate or completion of incomplete personal data without undue delay.
Request deletion of your personal data ("right to be forgotten") where no overriding legal obligation applies.
Request that we restrict processing of your data while a dispute or objection is being resolved.
Receive your personal data in a structured, commonly-used, machine-readable format to transfer elsewhere.
Object to processing based on legitimate interests or for direct marketing at any time, with immediate effect for marketing.
Not be subject to solely automated decisions with significant legal or similar effects without human review.
Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
To submit a data rights request, contact us at [email protected] with the subject line "GDPR Data Request" and describe the right you wish to exercise. We may need to verify your identity before processing the request.
| Request Type | Standard Response Time | Maximum (GDPR) |
|---|---|---|
| Subject Access Request | Within 14 days | 30 days (extendable to 3 months) |
| Rectification | Within 5 business days | 30 days |
| Erasure | Within 14 days | 30 days |
| Portability | Within 14 days | 30 days |
| Objection / Restriction | Immediately (marketing); 5 days (others) | 30 days |
All requests are handled free of charge. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or decline the request, explaining our reasoning.
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. For UK residents: Information Commissioner's Office (ICO). For EU residents, find your authority at edpb.europa.eu.
WeForAds is a global platform. Where personal data is transferred from the EEA or UK to countries not deemed adequate by the European Commission, we rely on the following safeguards:
You may request a copy of the specific safeguards in place for any international transfer by contacting [email protected].
We engage the following categories of third-party processors who may process personal data on our behalf. All are bound by Data Processing Agreements (DPAs) meeting GDPR Article 28 requirements:
| Category | Examples | Transfer Mechanism |
|---|---|---|
| Cloud infrastructure | AWS, Google Cloud | SCCs + Adequacy |
| Analytics platforms | Google Analytics | SCCs |
| CRM & communications | HubSpot, Intercom | SCCs |
| Payment processing | Stripe, PayPal | SCCs + Adequacy |
| Email delivery | SendGrid, Mailchimp | SCCs |
| Security & CDN | Cloudflare | SCCs + Adequacy |
Publishers using our platform may request our full sub-processor list at any time by contacting [email protected].
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Our retention schedule:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Publisher account records | Contract term + 7 years | Legal obligation (tax) |
| Financial & payment records | 7 years | Legal obligation |
| Contact form submissions | 2 years | Legitimate interests |
| Analytics data | 26 months (anonymised at 13) | Legitimate interests |
| Marketing consent records | Withdrawal + 3 years | Legal obligation |
| Security & fraud logs | 12 months | Legitimate interests |
| Support communications | 3 years from resolution | Legitimate interests |
Upon expiry of the retention period, data is securely deleted or anonymised using industry-standard methods.
In accordance with GDPR Article 32, we implement appropriate technical and organisational measures proportionate to the risk:
In the event of a personal data breach, WeForAds will:
If you believe your personal data has been involved in a security incident, contact us immediately at [email protected].
WeForAds has designated a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance programme. You can contact our DPO directly for any data protection matters:
Within 30 days (Art. 12 GDPR)
You may also contact your local DPA
Related Documents: Privacy Policy · Cookie Policy · Terms of Service