• Japanese convenience translation below / の自然で契約文書向きな日本語は、次がベストです

This Link Data Processing Addendum (“DPA”) is incorporated by reference into the Almedia Link Terms & Conditions (“Terms”) and the applicable Insertion Order or Order Form (“Order Form”) entered into by and between Almedia GmbH, Potsdamer Str. 125, 10783 Berlin, Germany (“Controller” or "Almedia") and the entity identified as the Publisher in the Order Form (“Processor” or "Publisher").

The Order Form, the Terms and this DPA together form the entire data processing agreement between Controller and Processor (the “Agreement”). Capitalised terms not defined in this DPA have the meaning given in the Order Form or the Terms.

1. Definitions

1.1 “Applicable Laws” means all applicable data protection and privacy laws, including the GDPR, UK GDPR, CCPA (where applicable), and all laws regulating the Processing of Personal Data under the Agreement.

1.2 “Personal Data” means any personal data processed by Processor on behalf of Controller under the Agreement. Personal Data includes, where applicable, identifiers and event data relating to the linking of end-user accounts with Controller’s services, including Freecash account identifiers, linking tokens, reward attribution events, and technical identifiers generated in connection with such linking.

1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country, including the UK GDPR and, where applicable, the CCPA.

1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

1.5 “GDPR” means the EU General Data Protection Regulation (EU 2016/679).

1.6 Terms such as “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-processor”, and “Supervisory Authority” have the meanings given in the GDPR.

1.7 “Services” means the advertising, attribution, analytics, fraud-detection, billing, optimisation and related publisher services described in the Agreement.

2. Roles of the Parties

2.1 Almedia acts as Controller. The Advertiser acts as Processor under the Agreement.

2.2 Controller instructs Processor to (i) process Personal Data; and (ii) in particular, transfer Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with the Agreement and Applicable Laws.

2.3 Processor shall process Personal Data solely for the purposes of performing the Services, strictly in accordance with Controller’s documented instructions, and shall not determine the purposes or means of Processing independently.

2.4 Controller warrants and represents that it is and will remain duly and effectively authorised to give the instruction set out in Section 2.2 and any additional documented instructions pursuant to the Agreement, at all relevant times and for as long as Processor lawfully processes Personal Data.

2.5 The details of the Processing of Personal Data, as required by Article 28(3) GDPR, are set out in Schedule 1 (Details of Processing), which forms an integral part of this DPA.

2.6 The Parties acknowledge and agree that, with respect to all Personal Data processed under the Agreement (including in connection with Link Integration), Processor acts solely as a processor on behalf of Controller and not as a joint controller or independent controller.

3. Processor Obligations

3.1 Processor shall process Personal Data only on documented instructions from Controller, unless required otherwise by law.

3.2 Processor shall ensure persons authorised to process Personal Data are subject to enforceable confidentiality obligations.

3.3 Processor shall implement appropriate technical and organisational measures as required by Article 32 GDPR.

3.4 Processor shall not retain Personal Data longer than necessary to provide the Services, unless retention is required or permitted by Applicable Laws or necessary to establish, exercise or defend legal claims, enforce the Agreement, or prevent fraud and protect the security of the Services. In such cases Processor shall restrict processing to those purposes and apply appropriate access controls.

3.5 Processor shall not process Personal Data for its own purposes. In particular, Processor shall not use Personal Data to build user profiles, account graphs, behavioural models, or audience segments, nor to enrich its own datasets or services, nor for analytics, monetisation, or optimisation outside the documented instructions of Controller. Processor may only retain and use data in aggregated or anonymised form that does not constitute Personal Data.

4. Sub-Processors

4.1 Subject to this Section 4, Controller authorises Processor to engage Sub-processors solely to the extent necessary for the provision of the Services and only within the categories of processing set out in Schedule 2.

4.2 Processor shall ensure that all Sub-processors are bound by written agreements imposing data-protection obligations that are substantially equivalent to those contained in this DPA and required under Applicable Laws.

4.3 Processor maintains an up-to-date list of all current Sub-processors involved in providing the Services, including their identities, locations, and processing purposes, and shall make such list available to Controller upon request.

4.4 Processor shall provide prior notice by email before appointing or replacing any Sub-processor for processing activities that materially affect Personal Data.

4.5 Controller may object to the appointment of a new Sub-processor solely on reasonable and documented data-protection grounds. Processor shall work in good faith with Controller to resolve such objections.

4.6 If no mutually acceptable solution can be reached, Controller may suspend the affected Services or terminate them upon written notice. Such suspension or termination shall be Controller’s sole and exclusive remedy in relation to Sub-processor objections.

5. International Transfers

5.1 Processor may transfer Personal Data outside the EEA/UK where legally permitted and subject to appropriate safeguards, including transfers necessary to support Link Integration and reward attribution..

5.2 Approved safeguards may include the EU Standard Contractual Clauses, the UK Addendum/IDTA, or any successor mechanism.

5.3 Processor shall ensure Sub-processors receiving transfers implement adequate safeguards.

6. Data Subject Rights

6.1 Controller is responsible for responding to Data Subject requests.

6.2 Processor shall provide reasonable assistance to Controller in responding to Data Subject requests.

6.3 Processor shall not respond to Data Subjects directly unless required by law or instructed by Controller.

7. Personal Data Breach

7.1 Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data.

7.2 Processor shall provide information reasonably available to assist Controller in meeting its notification obligations.

7.3 Processor shall cooperate with Controller in relation to remediation.

8. Data Protection Impact Assessments and Audits

8.1 Processor shall provide reasonable assistance with DPIAs and consultations with supervisory authorities, to the extent required by Data Protection Laws.

8.2 Controller may conduct audits or inspections performed by an independent, reputable auditor, subject to: (a) 30 days’ written notice, (b) no more than one audit in any 12-month period unless required by law or following a confirmed incident, (c) Controller bearing all associated costs, and (d) audits occurring during normal business hours without undue disruption.

8.3 Processor may satisfy audit obligations by providing third-party certifications or audit reports if sufficient to demonstrate compliance.

9. Return and Deletion of Data

9.1 Subject to Section 9.2, Processor shall, promptly and in any event within sixty (60) days of the date of cessation of any Services involving the Processing of Personal Data, delete, pseudonymise or return all copies of Personal Data, in accordance with Controller’s documented instructions, except for any copies that Processor is required to retain under Applicable Laws.

9.2 Subject to the Agreement and Applicable Laws, Processor may retain Personal Data to the extent required or authorised by law, provided that Processor ensures the confidentiality of such Personal Data and processes it only for the purpose(s) for which retention is required or authorised.

10. Liability

The liability limitations and exclusions set out in the Agreement apply equally to this DPA.

11. Governing Law and Jurisdiction

This DPA is governed by the governing law and jurisdiction provisions set out in the Agreement.

12. Order of Precedence

12.1 In the event of a conflict between this DPA and any other part of the Agreement, this DPA shall prevail to the extent such conflict relates to the Processing of Personal Data or compliance with Data Protection Laws.

12.2 Subject to Section 12.1, the Order Form shall prevail over the Terms and this DPA where expressly stated.

Schedule 1: Details of Processing

Subject Matter: Attribution, analytics, fraud detection, billing validation, optimisation of advertising campaigns, and account linking and reward attribution in connection with Link Integration.

Duration: For the term of the Agreement plus any legally required retention.

Nature of Processing: Receipt, collection, structuring, matching, analysis, pseudonymisation, transfer, storage, and deletion of Controller Personal Data.

Purpose of Processing:

• attribution and matching via MMPs

• measurement of clicks, impressions, installs, and events

• fraud detection and mitigation

• settlement and billing validation

• campaign optimisation and reporting

• technical support

• linking of end-user accounts between Publisher properties and Controller services

• validation and attribution of reward-eligible in-game engagement

• prevention of duplicate, fraudulent, or manipulated reward claims

Data Subjects:

• end-users interacting with advertising materials

• Advertiser personnel with platform access

Categories of Personal Data:

• End-user data (app/web): advertising identifiers (IDFA/GAID), IP address, user-agent, OS version, device model, install timestamps, click timestamps, coarse geo information, post-install events, fraud-analysis signals, Freecash account identifier or pseudonymous linking token, account-linking timestamps and status flags, reward eligibility and attribution events.

• Advertiser personnel data: name, email, login activity.

Sensitive and Special Categories of Personal Data: Advertiser shall not send Processor any Sensitive or Special Categories of Personal Data, as defined in the Data Protection Laws.

Schedule 2: Sub-Processors

Processor may engage Sub-processors only within the following categories of processing, and solely to the extent necessary for the provision of the Services:

1. Cloud hosting and infrastructure providers (including servers, storage, content delivery, and related infrastructure services

2. Data analytics, attribution, and measurement support tools (including technical tools used to receive, process, or validate attribution signals)

3. Fraud-detection and traffic-quality vendors (including systems analysing device, behavioural, or technical signals for fraud prevention)

4. Security, logging, and monitoring providers (including tools for access control, anomaly detection, incident monitoring, and threat prevention)

5. Customer support and communication services (including ticketing, email, and communication platforms used to interact with Controller personnel)

6. Backup, redundancy, and business continuity providers

7. Internal development, auditing, and operational tooling, solely to support Processor’s internal operations necessary for delivery of the Services and not for independent product development or data exploitation.

Processor maintains an up-to-date and authoritative list of all current Sub-processors, including their identities, locations, and processing purposes, which will also be communicated to Controller).

This list is continuously updated in accordance with Section 4 of this DPA.