Legal

GDPR Compliance

How LtvAdx supports GDPR for publishers, advertisers, operators, and TV viewers — with privacy-by-design CTV ad serving.

LtvAdx is built for programmatic TV advertising in a privacy-sensitive environment. This page explains how LtvAdx supports compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable European privacy laws — for our business customers, TV viewers, and our own website users.

Effective date: June 6, 2026  |  Last updated: June 6, 2026

This page supplements our Privacy Policy. It is not legal advice. Customers should work with qualified counsel to assess compliance in their specific context.

1. Our role under GDPR

LtvAdx acts in different roles depending on the processing activity:

ActivityLtvAdx roleTypical counterpart
CTV/FAST ad delivery (device IDs, impressions, VCR beacons)Data processorPublisher (controller)
Addressable linear ad insertion (household tokens, SCTE-35)Data processorOperator (controller)
Advertiser campaign delivery and reportingData processorAdvertiser (controller)
LtvAdx website, demo forms, product marketingData controllerWebsite visitor / prospect
LtvAdx account administration (dashboard users)Data controllerAuthorized business user
Ad Choices privacy requests / suppressionData controllerViewer exercising privacy rights

When we process personal data on your behalf, we do so only on documented instructions from you (your dashboard configuration, API calls, and applicable agreement), unless required by law.

2. Privacy by design in LtvAdx

CTV and linear TV advertising operates in a household-level, device-native environment. LtvAdx's architecture reflects that reality:

  • Pod-aware serving: ad decisions run at the ad break level in real time — respecting pod position, competitive separation, and separation rules configured by the publisher.
  • Household-level identity: HouseholdID resolves viewers to pseudonymous household segments using IP address, device signals, and optional ACR inputs — not named individuals or email addresses.
  • Platform privacy signals: LtvAdx honours Limit Ad Tracking and equivalent device-level opt-out signals from Roku, Fire TV, Apple TV, Samsung, LG, and Android TV immediately across campaigns.
  • No cross-site web tracking: LtvAdx does not use browser cookies, cross-site profiling, or email-based identifiers for standard CTV ad delivery.
  • Contextual placement: ads are selected based on channel, content category, geography, and campaign rules — not browsing history across unrelated websites.
  • Minimal request data: beyond device and household identifiers, we process coarse geo (country/state/DMA from IP) and platform class from User-Agent for targeting and reporting. IP addresses are used at request time and not stored in viewer profiles.
  • Viewer control: individuals may limit ad targeting via device settings or submit a privacy request through Ad Choices.
  • Encryption and access controls: TLS 1.3 in transit, AES-256 at rest, RBAC, scoped API keys, and audit logging as described in our security documentation.

3. Lawful bases (summary)

Publishers, operators, and advertisers must determine and document their lawful basis for TV advertising. LtvAdx cannot choose this basis on your behalf. In typical deployments:

  • Consent: addressable linear operators and some publishers rely on viewer consent for personalised advertising, obtained through platform consent flows or TCF 2.2 frameworks.
  • Legitimate interests: where permitted, some publishers may rely on balanced legitimate interests for contextual CTV advertising, provided appropriate transparency and opt-out mechanisms exist.
  • Contract: LtvAdx processes dashboard user data and billing data as necessary to perform our contract with business customers.

LtvAdx's own marketing website processing is based on consent (analytics cookies, newsletter signup), contract (demo requests), and legitimate interests (security and product analytics), as detailed in our Privacy Policy.

4. Categories of personal data processed

4.1 Viewer data (processor role)

  • Device advertising identifiers (RIDA, IFA, TIFA — hashed, 30-day TTL)
  • HouseholdID pseudonymous household segment membership
  • Impression, quartile, click, and conversion event metadata
  • Coarse geo (country, state, DMA) and platform category from the ad request
  • Channel and content category for contextual targeting
  • Suppression status if the viewer opted out via Ad Choices or Limit Ad Tracking

We do not require publishers to send viewer names, email addresses, or precise location data for standard CTV integrations.

4.2 Business customer data (controller or processor)

  • Account user names and work emails
  • Billing, wallet, and invoicing records
  • Channel, pod, and placement configuration
  • Campaign, deal, and creative assets
  • API and audit logs

5. Data Processing Addendum (DPA)

LtvAdx offers a GDPR-compliant Data Processing Addendum for business customers who require contractual processor commitments, including:

  • Processing only on documented instructions
  • Confidentiality obligations for personnel with access
  • Security measures appropriate to risk
  • Sub-processor transparency and notification
  • Assistance with data subject requests where feasible
  • Deletion or return of data at end of service (subject to legal retention requirements)
  • Audit and inspection rights on reasonable notice

Request a DPA by emailing legal@ltvadx.com from your registered account email. Our standard DPA incorporates Standard Contractual Clauses (SCCs) for international transfers where required.

6. Sub-processors

LtvAdx uses infrastructure and service providers to host and operate the platform (for example, cloud hosting, database services, content delivery networks, payment processing, and transactional email). We require sub-processors to protect personal data under written agreements.

We maintain a sub-processor list available to customers upon request or as part of the DPA. We will notify business customers of material new sub-processors with an opportunity to object where required by contract.

7. International transfers

LtvAdx is operated from the United States and may process data in the U.S. and other countries where we or our providers maintain facilities. Where personal data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, we implement appropriate safeguards — typically SCCs and supplementary measures where a transfer impact assessment indicates they are needed.

8. Data subject rights

8.1 TV viewers

Depending on applicable law, viewers may have the right to:

  • Access personal data processed about them
  • Rectify inaccurate data
  • Erase data in certain circumstances
  • Restrict or object to processing
  • Data portability where applicable
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with a supervisory authority

Limit targeted ads: enable Limit Ad Tracking on your CTV device (see platform instructions on Ad Choices) or submit a privacy request through that page.

Other requests: contact the streaming publisher or operator first — they control the viewer relationship and are usually the controller for viewer data. Publishers and operators can contact LtvAdx support to assist with processor-side deletion or export where technically feasible.

8.2 Business users and website visitors

Submit requests to privacy@ltvadx.com or dpo@ltvadx.com. We will verify identity and respond within one month, extendable where permitted for complex requests.

9. Publisher, operator, and advertiser compliance checklist

Customers using LtvAdx in Europe should ensure, at minimum:

  1. A valid lawful basis exists for serving ads to viewers in each territory where you operate.
  2. Privacy notices clearly explain that TV ads may be served, the role of LtvAdx, and how viewers can limit targeting (link to Ad Choices and device settings where appropriate).
  3. TCF 2.2 consent strings are implemented where required for addressable or personalised CTV advertising.
  4. Data processing agreements are in place between you and LtvAdx when you act as controller and we act as processor.
  5. Records of processing activities reflect LtvAdx as a processor and describe categories of ad delivery event data.
  6. Creative and landing page content complies with local advertising and consumer laws, including identification of commercial content where required.
  7. Data retention settings align with your policies; you export or delete data before account termination where required.
  8. app-ads.txt and sellers.json entries are maintained for supply path transparency where applicable.

10. Retention and deletion

Operational ad event data is retained for reporting and billing periods aligned with your plan (typically 13–25 months unless a longer period is contractually required or needed for disputes). Hashed device identifiers are retained for up to 30 days for frequency capping. Audit logs are retained for 90 days (standard) or up to 365 days (Enterprise). Ad Choices suppression entries are retained to honor opt-outs.

Upon termination of a business account, we delete or return Customer Data within a reasonable period, subject to backup cycles and legal retention obligations. Anonymized aggregate statistics may be retained.

11. Security and breach notification

We maintain technical and organizational measures described in our documentation, including encryption, access controls, and monitoring. If we become aware of a personal data breach affecting Customer Data in our role as processor, we will notify the affected customer without undue delay and provide information reasonably required for the customer to meet its regulatory obligations.

12. Limit Ad Tracking and platform privacy features

CTV platforms provide built-in privacy controls that LtvAdx is designed to honour. When a viewer enables Limit Ad Tracking (Roku), Opt Out of Ads Personalisation (Android TV), or equivalent settings, LtvAdx treats the device as non-addressable for personalised campaigns. Publishers and advertisers should understand that industry-wide CTV reach and frequency metrics may be affected by these platform features.

13. OpenRTB, programmatic partners, and ACR

If you enable OpenRTB 2.6 programmatic demand, limited bid request data may be shared with exchange partners under your configuration. If you enable ACR-based audience segments, aggregated viewing signals may be used for household segmentation. You are responsible for ensuring appropriate legal bases, partner agreements, and transparency for these processing activities. Disable programmatic or ACR features if they are not appropriate for your viewer base or jurisdiction.

14. Supervisory authorities

If you are in the EEA or UK and believe we have not adequately addressed a privacy concern, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available from the European Data Protection Board. UK complaints may be directed to the Information Commissioner's Office (ICO).

15. Contact our privacy team

16. Related documents