会社情報

This Advertiser Data Processing Addendum (“DPA”) is incorporated by reference into the Almedia Advertiser Terms & Conditions (“Terms”) and the applicable Insertion Order or Order Form (“Order Form”) entered into by and between Almedia GmbH, Potsdamer Str. 125, 10783 Berlin, Germany (“Processor” or "Almedia") and the entity identified as the Advertiser in the Order Form (“Controller”).

The Order Form, the Terms and this DPA together form the entire data processing agreement between Controller and Processor (the “Agreement”). Capitalised terms not defined in this DPA have the meaning given in the Order Form or the Terms.

1. Definitions

1.1 “Applicable Laws” means all applicable data protection and privacy laws, including the GDPR, UK GDPR, CCPA (where applicable), and all laws regulating the Processing of Personal Data under the Agreement.

1.2 “Controller Personal Data” means Personal Data processed by Processor on behalf of Controller.
1.3 “Data Protection Laws” means means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country, including the UK GDPR and, where applicable, the CCPA.
1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.5 “GDPR” means the EU General Data Protection Regulation (EU 2016/679).
1.6 Terms such as “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-processor”, and “Supervisory Authority” have the meanings given in the GDPR.
1.7 “Services” means the advertising, attribution, analytics, fraud-detection, billing, optimisation and related services described in the Agreement.

2. Roles of the Parties

2.1 Almedia acts solely as Processor. The Advertiser acts as Controller under the Agreement. If the Advertiser is a processor authorised by a third-party controller, the Advertiser warrants it has authority to instruct Almedia and appoint Almedia as Processor.

2.2 Controller instructs Processor to (i) process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with the Agreement and Applicable Laws.

2.3 Processor shall process Controller Personal Data solely for the purposes of performing the Services and in accordance with the Controller’s documented instructions.

2.4 Controller warrants and represents that it is and will remain duly and effectively authorised to give the instruction set out in Section 2.2 and any additional documented instructions pursuant to the Agreement, at all relevant times and for as long as Processor lawfully processes Controller Personal Data.

2.5 The details of the Processing of Controller Personal Data, as required by Article 28(3) GDPR, are set out in Schedule 1 (Details of Processing), which forms an integral part of this DPA.

3. Processor Obligations

3.1 Processor shall process Controller Personal Data only on documented instructions from Controller, unless required otherwise by law.

3.2 Processor shall ensure persons authorised to process Controller Personal Data are subject to enforceable confidentiality obligations.

3.3 Processor shall implement appropriate technical and organisational measures as required by Article 32 GDPR.

3.4 Processor shall not retain Controller Personal Data longer than necessary for providing the Services or as required by law.

3.5 Processor shall not process Controller Personal Data for its own purposes. Processor may only retain and use data in aggregated or anonymised form that does not constitute Personal Data.

4. Sub-Processors

4.1 Subject to this Section 4, Controller authorises Processor to engage Sub-processors solely to the extent necessary for the provision of the Services and only within the categories of processing set out in Schedule 2.

4.2 Processor shall ensure that all Sub-processors are bound by written agreements imposing data-protection obligations that are substantially equivalent to those contained in this DPA and required under Applicable Laws.

4.3 Processor maintains an up-to-date list of all current Sub-processors involved in providing the Services. This list is continuously updated and made available to Controller at: www.freecash.com/en/policies/privacy-eu (or any successor URL communicated to Controller).
4.4 Processor shall provide prior notice (via the Sub-processor list or by email where legally required) before appointing or replacing any Sub-processor for processing activities that materially affect Controller Personal Data.

4.5 Controller may object to the appointment of a new Sub-processor solely on reasonable and documented data-protection grounds. Processor shall work in good faith with Controller to resolve such objections.

4.6 If no mutually acceptable solution can be reached, Controller may suspend the affected Services or terminate them upon written notice. Such suspension or termination shall be Controller’s sole and exclusive remedy in relation to Sub-processor objections.

5. International Transfers

5.1 Processor may transfer Controller Personal Data outside the EEA/UK where legally permitted and subject to appropriate safeguards.

5.2 Approved safeguards may include the EU Standard Contractual Clauses, the UK Addendum/IDTA, or any successor mechanism.

5.3 Processor shall ensure Sub-processors receiving transfers implement adequate safeguards.

6. Data Subject Rights

6.1 Controller is responsible for responding to Data Subject requests.

6.2 Processor shall provide reasonable assistance to Controller, at Controller’s cost, in responding to Data Subject requests.

6.3 Processor shall not respond to Data Subjects directly unless required by law or instructed by Controller.

7. Personal Data Breach

7.1 Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller Personal Data.

7.2 Processor shall provide information reasonably available to assist Controller in meeting its notification obligations.

7.3 Processor shall cooperate with Controller in relation to remediation.

8. Data Protection Impact Assessments and Audits

8.1 Processor shall provide reasonable assistance with DPIAs and consultations with supervisory authorities, to the extent required by Data Protection Laws.

8.2 Controller may conduct audits or inspections performed by an independent, reputable auditor, subject to: (a) 30 days’ written notice; (b) no more than one audit in any 12-month period unless required by law or following a confirmed incident; (c) Controller bearing all associated costs; and (d) audits occurring during normal business hours without undue disruption.

8.3 Processor may satisfy audit obligations by providing third-party certifications or audit reports if sufficient to demonstrate compliance.

8.4 Controller shall bear all costs and fees associated with audits.

9. Return and Deletion of Data

9.1 Subject to Section 9.2, Processor shall, promptly and in any event within ninety (90) business days of the date of cessation of any Services involving the Processing of Controller Personal Data, delete, pseudonymise or return all copies of Controller Personal Data, in accordance with Controller’s documented instructions, except for any copies that Processor is required to retain under Applicable Laws.

9.2 Subject to the Agreement and Applicable Laws, Processor may retain Controller Personal Data to the extent required or authorised by law, provided that Processor ensures the confidentiality of such Controller Personal Data and processes it only for the purpose(s) for which retention is required or authorised.

10. Liability

The liability limitations and exclusions set out in the Agreement apply equally to this DPA.

11. Governing Law and Jurisdiction

This DPA is governed by the governing law and jurisdiction provisions set out in the Agreement.

12. Order of Precedence

12.1 If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict.

12.2 The Order Form prevails over both the Terms and this DPA where expressly stated.

Schedule 1: Details of Processing

Subject Matter: Attribution, analytics, fraud detection, billing validation, and optimisation of advertising campaigns.

Duration: For the term of the Agreement plus any legally required retention.

Nature of Processing: Receipt, collection, structuring, matching, analysis, pseudonymisation, transfer, storage, and deletion of Controller Personal Data.

Purpose of Processing:

• attribution and matching via MMPs

• measurement of clicks, impressions, installs, and events

• fraud detection and mitigation

• settlement and billing validation

• campaign optimisation and reporting

• technical support

Data Subjects:

• end-users interacting with advertising materials

• Advertiser personnel with platform access

Categories of Personal Data:

• End-user data (app/web): advertising identifiers (IDFA/GAID), IP address, user-agent, OS version, device model, install timestamps, click timestamps, coarse geo information, post-install events, fraud-analysis signals.

• Advertiser personnel data: name, email, login activity.

Sensitive and Special Categories of Personal Data: Advertiser shall not send Processor any Sensitive or Special Categories of Personal Data, as defined in the Data Protection Laws.

Schedule 2: Sub-Processors

Processor may engage Sub-processors only within the following categories of processing, and solely to the extent necessary for the provision of the Services:

1. Cloud hosting and infrastructure providers (including servers, storage, content delivery, and related infrastructure services

2. Data analytics, attribution, and measurement support tools (including technical tools used to receive, process, or validate attribution signals)

3. Fraud-detection and traffic-quality vendors (including systems analysing device, behavioural, or technical signals for fraud prevention)

4. Security, logging, and monitoring providers (including tools for access control, anomaly detection, incident monitoring, and threat prevention)

5. Customer support and communication services (including ticketing, email, and communication platforms used to interact with Controller personnel)

6. Backup, redundancy, and business continuity providers

7. Internal development, auditing, and operational tooling (used solely to support Processor’s internal operations and delivery of the Services)

Processor maintains an up-to-date and authoritative list of all current Sub-processors, including their identities, locations, and processing purposes, at: www.freecash.com/en/policies/privacy-eu (or any successor URL communicated to Controller).

This list is continuously updated in accordance with Section 4 of this DPA.