Data Processing Agreement
Last updated: May 20, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer,” “Controller”) and AdProtektor Inc. (“AdProtektor,” “Processor”) for the use of the AdProtektor click fraud detection and prevention service (the “Service”), as governed by the Terms of Service.
This DPA applies where AdProtektor processes personal data on behalf of the Customer in the course of providing the Service.
1. Definitions
- “Controller” means the Customer, who determines the purposes and means of the processing of personal data by installing the AdProtektor tracking script on their website(s).
- “Processor” means AdProtektor Inc., which processes personal data on behalf of the Controller.
- “Sub-processor” means a third party engaged by the Processor to process personal data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person collected through the tracking script.
- “Processing” means any operation performed on personal data, including collection, recording, storage, analysis, disclosure, and deletion.
- “Data Protection Laws” means all applicable data protection and privacy legislation, including the GDPR, UK GDPR, and CCPA/CPRA.
2. Scope and Purpose of Processing
AdProtektor processes personal data solely for the purpose of providing the Service as described in the Terms of Service. This includes:
- Collecting behavioral and technical data from website visitors via the tracking script
- Analyzing visitor data to detect and classify fraudulent click activity
- Building behavioral profiles to identify repeat offenders
- Generating threat scores and automated blocking decisions
- Recording sessions of flagged visitors for verification
- Managing IP exclusion lists in the Customer’s Google Ads account (when connected)
- Managing Custom Audience exclusions in the Customer’s Meta (Facebook / Instagram) ad account (when connected)
- Providing analytics, reports, and AI-assisted analysis to the Customer
- When the ConversionOS add-on is enabled: receiving conversion events from the Customer’s website, hashing customer-supplied identifiers, and dispatching those events to the conversion destinations the Customer has configured (Meta Conversions API, GA4 Measurement Protocol, Google Enhanced Conversions for Web)
3. Categories of Personal Data Processed
The following categories of personal data are processed through the Service:
| Category | Examples |
|---|---|
| Network data | IP addresses |
| Device and browser data | User agent, browser type, OS, device type, screen resolution |
| Visitor identifiers | Browser-based fingerprint identifiers |
| Behavioral data | Mouse movements, scroll depth, time on page, click count, engagement signals |
| Session recordings | DOM mutations, mouse positions, scroll events (with input masking) |
| Advertising data | GCLID, WBRAID, GBRAID, fbclid, UTM parameters, keywords |
| Page data | Landing page URL, referrer URL |
| Geolocation data | Country and city derived from IP address |
| Conversion data (ConversionOS add-on only) | Order ID, order value, currency, line items, and SHA-256 hashes of customer-supplied identifiers (email, phone, first / last name) |
Data subjects: Website visitors who access the Customer’s website(s) where the AdProtektor tracking script is installed.
4. Controller’s Obligations
The Controller agrees to:
- Ensure it has a lawful basis for the collection and processing of personal data through the tracking script
- Provide appropriate privacy notices to data subjects, including disclosure of the use of fraud detection services and the types of data collected
- Obtain any required consents from data subjects under applicable Data Protection Laws
- Ensure that its instructions to the Processor comply with applicable Data Protection Laws
5. Processor’s Obligations
AdProtektor agrees to:
- Process personal data only on documented instructions from the Controller, except where required by applicable law
- Ensure that persons authorized to process personal data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Assist the Controller in responding to data subject requests (access, deletion, portability, etc.)
- Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities, where required
- At the Controller’s choice, delete or return all personal data upon termination of the Service, and delete existing copies unless retention is required by law
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
6. Sub-processors
The Controller provides general authorization for AdProtektor to engage sub-processors to assist in providing the Service. The following sub-processors are currently engaged:
| Sub-processor | Purpose | Location |
|---|---|---|
| Payment provider | Payment processing | To be confirmed at provider go-live (Tranzila planned) |
| Google LLC (Gemini) | AI-powered traffic analysis | United States |
| Google LLC (Ads API) | IP exclusion list management | United States |
| Meta Platforms, Inc. | Custom Audience exclusion management (Meta Marketing API); Conversions API delivery (only when the ConversionOS add-on is enabled and a Meta destination is configured) | United States |
| Google LLC (GA4 Measurement Protocol, Enhanced Conversions for Web) | Conversion event delivery (only when the ConversionOS add-on is enabled and the corresponding destination is configured) | United States |
| DigitalOcean, LLC | Hosting infrastructure | United States |
AdProtektor will notify the Controller at least 30 days before engaging a new sub-processor by updating this page. If the Controller objects to a new sub-processor, it may terminate the Service within the notice period.
AdProtektor remains fully liable to the Controller for the performance of its sub-processors’ obligations under this DPA.
7. Security Measures
AdProtektor implements the following technical and organizational security measures:
- Encryption in transit: All data transmitted between the tracking script, the application, and our servers is encrypted using TLS
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis
- Input masking: Session recordings automatically mask input field values by default to minimize the collection of sensitive data
- Secure infrastructure: Data is stored on managed infrastructure with regular security updates and monitoring
- Authentication: The application enforces secure authentication practices
8. Data Subject Requests
If AdProtektor receives a request from a data subject to exercise their rights (access, rectification, deletion, portability, restriction, or objection), AdProtektor will promptly notify the Controller and provide reasonable assistance in fulfilling the request.
AdProtektor will not respond directly to a data subject request unless instructed to do so by the Controller, except to direct the data subject to the Controller.
9. Data Breach Notification
In the event of a personal data breach, AdProtektor will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to enable the Controller to meet its own breach notification obligations under applicable Data Protection Laws
- Take reasonable steps to mitigate the effects of the breach and prevent further unauthorized access
10. Data Retention and Deletion
- During the subscription: Personal data is retained in accordance with the retention periods described in our Privacy Policy (tracking data: up to 90 days; session recordings: up to 90 days).
- Upon termination: Within 30 days of the termination of the Service, AdProtektor will delete all personal data processed on behalf of the Controller, unless retention is required by applicable law. The Controller may request a copy of their data before termination.
11. Audit Rights
The Controller has the right to audit AdProtektor’s compliance with this DPA. To exercise this right:
- The Controller must provide at least 30 days’ written notice
- Audits will be conducted during normal business hours and will not unreasonably interfere with AdProtektor’s operations
- The Controller bears the cost of any audit, unless the audit reveals material non-compliance by AdProtektor
- AdProtektor may satisfy audit requests by providing relevant certifications, reports, or summaries where available
12. International Data Transfers
Personal data processed under this DPA may be transferred to and processed in the United States. For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, AdProtektor relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission.
Upon request, AdProtektor will execute the applicable SCCs with the Controller.
13. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
14. Duration and Termination
This DPA takes effect when the Customer begins using the Service and remains in effect as long as AdProtektor processes personal data on behalf of the Customer. The obligations in this DPA survive the termination of the Service to the extent necessary to complete the deletion of personal data.
15. Contact
For questions about this DPA or to exercise any rights under it, contact us at:
AdProtektor Inc.
Email: support@adprotektor.app