Legal

Data Processing Addendum

DATA PROCESSING AGREEMENT

Last updated: November 19th, 2025

This DPA is as referenced in the Terms and incorporated into the Agreement. The Parties agree that this DPA is entered into concurrently with the Terms on the Effective Date.

In the event of any conflict or inconsistency between any of the terms of the Agreement, the following order of precedence shall apply to the extent of that conflict:

  • (i) the EU SCCs and/or the UK Addendum (as applicable)
  • (ii) the DPA;
  • (iii) the Terms; and
  • (iv) the Order Form.

BACKGROUND 🔗

A. You are the controller of certain personal data relating to End Users.

B. You have engaged LoopMe to provide certain digital advertising services pursuant to the Terms. In providing the Services, LoopMe will collect and process certain personal data relating to End Users, also as a controller.

C. You and LoopMe are therefore entering into this DPA to ensure the protection of personal data of End Users processed in connection with the Services.

1. DEFINITIONS 🔗

1.1. Capitalised terms used in this DPA and not otherwise defined shall have the respective meanings assigned to them in the Terms.

1.2. The following terms shall have the following meanings:

"CCPA" means the California Consumer Privacy Act of 2018 as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.
"Data" means personal data of End Users which LoopMe collects directly from Your Supply Inventory in connection with the Services, as more particularly described in Schedule 1.
"EEA" means the European Economic Area.
"European Data Protection Laws" means any applicable data protection, privacy or data security laws, rules, regulations, policies and industry self-regulatory regimes in any relevant European jurisdiction relating to the collection, use, processing, sharing, storage, and/or disclosure of Personal Data or other information, including but not limited to: (i) the General Data Protection Regulation 2016/679 ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (iii) the EU Regulation 2016/679 as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iv) the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003; (v) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (vi) in the United Kingdom (UK), the Data Protection Act 2018 ("DPA 2018"); (vii) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC);
"EU SCC" means the Module One standard Controller to Controller contractual clauses for the transfer of EEA Personal Data to Controllers established in Third Countries set out in the European Commission Decision 2021/914 dated 4 June 2021 https://ec.europa.eu/info/sites/default/files/sccs_word.zip (and for these purposes, the provision relating to Modules 2, 3 and 4 of the standard contractual clauses are deleted) as amended or replaced from time to time.
"Ex-EEA Transfer" means a transfer of Personal Data subject to GDPR by a Party to a Party (or its premises) in a Restricted Country
"Ex-UK Transfer" means a transfer of Personal Data subject to UK GDPR by a Party to a Party (or its premises) in a Restricted Country.
"Permitted Purpose" means the purpose described in Schedule 1.
"Restricted Country" means any country outside the UK or EEA which is not deemed adequate by (for Personal Data subject to GDPR) the European Commission pursuant to article 45 of GDPR or (for Personal Data subject to UK GDPR) by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA 2018, or an adequacy decision recognised pursuant to paragraphs 4 and 5 of Schedule 21 of the DPA 2018.
"Signal" means a TCF Framework signal indicating the transparency, consent and/or objection status of a particular end-user in respect of processing for one or more TCF Purposes by a particular TCF Vendor.
"Schedule 1" means Schedule 1 to this DPA.
"TCF Framework" means the IAB Europe's Transparency and Consent Framework v 2.2, as may be updated and amended from time to time.
"TCF Purposes" means the purposes for processing of personal data as defined within the TCF Requirements and as set out in Schedule 1.
"TCF CMP" means a consent management platform that has registered as a "CMP" (as defined in the TCF Requirements) with the TCF Framework in accordance with the TCF Requirements.
"TCF Requirements" means the: (i) terms and conditions; (ii) applicable policies; and (iii) technical specifications; governing participation in the TCF Framework.
"TCF Vendor" means a third party that has registered as a "Vendor" (as defined under the TCF Requirements) with the TCF Framework in accordance with the TCF Requirements.
"UK Addendum" means the UK International Data Transfer Addendum to the EU SCCs for the transfer of UK Personal Data to Third Countries issued by the UK Information Commissioner's Office ("ICO") and in force on 21 March 2022 (available as at the date of this DPA at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx) as may be amended, replaced or superseded by the ICO from time to time.
GDPR definitions: "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings set out in the EU and UK GDPR.
In respect of Sections 8 (CCPA) and 9 (Opt-Out Personal Information), "Business", "Business Purpose", "Consumer", "Cross-Context Behavioral Advertising", "Personal Data", "Personal Information", "Processor", "Sale", "Sell", "Service Provider", "Share", "Targeted Advertising", and "third party" shall have the meanings set out in Data Protection Laws in the U.S.

2. NATURE AND SCOPE OF PROCESSING. 🔗

In connection with the Services, You permit LoopMe to collect certain Data from End Users for LoopMe to process strictly in accordance with the Permitted Purpose.

3. ROLES AND COMPLIANCE WITH LAW. 🔗

3.1. The Parties acknowledge and agree that they are each independent controllers of Data processed pursuant to the Agreement.

3.2. Each Party shall be individually and separately responsible for ensuring its processing of Personal Data complies with Data Protection Laws.

3.3. Without prejudice to the foregoing each Party represents and warrants to:

  • 3.3.1. maintain a publicly accessible privacy notice on its respective Supply Inventory that satisfies the requirements of all applicable Data Protection Laws; and

  • 3.3.2. only process Data in respect of which it has established a lawful basis under the applicable Data Protection Laws.

3.4. You shall:

  • 3.4.1. implement on Your Supply Inventory a TCF CMP which: (a) complies with the TCF Requirements; (b) displays LoopMe as a TCF Vendor that may process Data of End Users for the TCF Purposes and serves LoopMe's privacy notice; (c) displays any other TCF Vendors that LoopMe works with in connection with its provision of advertising services as notified to You by LoopMe; (d) enables LoopMe to receive Data from You always with an accompanying Signal; and

  • 3.4.2. at all times comply with the TCF Requirements applicable to TCF Publishers.

3.5. LoopMe shall:

  • 3.5.1. maintain a valid TCF Vendor registration;

  • 3.5.2. comply with the TCF Requirements applicable to TCF Vendors;

  • 3.5.3. process Data solely in accordance with the Permitted Purpose; and

  • 3.5.4. with respect to Data subject to the CCPA ("CCPA Data"), comply with all applicable sections of the CCPA, providing the same level of privacy protection as required of a Business (as that term is defined in Section 8) by the CCPA.

4. COOPERATION AND DATA SUBJECT RIGHTS. 🔗

  • 4.1. In the event either Party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party ("Correspondence") related to: (a) the disclosure of Data by You to LoopMe for the Permitted Purpose; or (b) the processing of Data by LoopMe pursuant to this DPA; such Party shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under applicable Data Protection Laws.

  • 4.2. Each Party shall be responsible for complying with any data subject rights exercised against it in respect of Data, save that, if You receive a request from an End User in relation to processing of Data collected via Your Supply Inventory either by LoopMe or for the Permitted Purposes, You shall pass on such data subject request to LoopMe.

  • 4.3. For the purposes of Sections 4.1 and 4.2, You shall inform LoopMe of any Correspondence and/or data subject requests by emailing privacy@loopme.com, save that if You receive a request from an End User to opt-out of LoopMe’s personalised advertisements, You shall direct the End User to LoopMe's Opt Out Page at https://legal.loopme.com/privacy-center/loopme-opt-out.

5. DATA SECURITY. 🔗

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall maintain appropriate technical and organisational measures for the protection of the security, confidentiality and integrity of the Data that it (or its processors) process. In assessing the appropriate level of security, the Parties have taken account of the risks that are presented by Processing in the manner anticipated by this Agreement, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

6. COMPLIANCE. 🔗

Each Party will, upon reasonable request, provide information to demonstrate its compliance with this DPA to the extent necessary for the other Party to meet its own legal obligations.

7. INTERNATIONAL TRANSFERS. 🔗

7.1. Neither Party shall process any Data, or transfer the Data (nor permit any Data to be processed or transferred) to any Restricted Country unless it has taken such measures as are necessary to ensure there is adequate protection and appropriate safeguards for such Personal Data in accordance with Data Protection Laws when it is transferred or accessed in a Restricted Country. Such adequate protection and appropriate safeguards may include, where specified by LoopMe, You or the applicable third party:

  • 7.1.1. taking such steps, and/or providing such legally binding assurances, as may reasonably be required by LoopMe on an on-going basis; and/or

  • 7.1.2. entering into the EU SCCs (and, where applicable, the UK Addendum) with LoopMe or You.

7.2. The Parties agree that in the event of an ex-EEA Transfer, the transferring Party shall comply with the data exporter’s obligations in the EU SCCs and the receiving Party shall comply with the data importer’s obligations in the EU SCCs, and the EU SCCs are deemed to have been executed by the Parties and incorporated into (and form part of) this DPA, with the following amendments:

  • 7.2.1. Clause 7 (docking clause) of the EU SCCs shall be included;

  • 7.2.2. the governing law for the purposes of Clause 17 (governing law) of the EU SCCs shall be the law of the Republic of Ireland;

  • 7.2.3. the relevant courts for the purposes of Clause 18 (choice of forum and jurisdiction) of the EU SCCs shall be the courts of the Republic of Ireland;

  • 7.2.4. Annexes IA, IB and IC to the EU SCCs shall be deemed to have been completed with the information in Schedule 1, Annex I Sections A, B and C respectively;

7.3. The Parties agree that in the event of an Ex-UK Transfer, such transfer shall be conducted pursuant to the EU SCCs as supplemented and amended by the UK Addendum, which will be deemed to be executed by the Parties and incorporated into and form part of this DPA, with the Part 1 tables to the UK Addendum completed as follows:

  • 7.3.1. Table 1 shall be deemed completed with the information from Schedule 1, and the start date shall be the Effective Date;

  • 7.3.2. In Table 2, the first option shall be selected and the relevant version of the "Approved EU SCCs" referenced in that option shall be the EU SCCs referenced in Clause 7.2 above (as amended in accordance with Clause 7.2);

  • 7.3.3. Table 3 shall be deemed completed with the information from Schedule 1;

  • 7.3.4. Table 4 shall be deemed completed such that the Importer has the right to end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum; and

  • 7.3.5. the transferring Party shall comply with the data exporter’s obligations in the UK Addendum, and the receiving Party shall comply with the data importer's obligations in the UK Addendum, and if there is any conflict between this DPA and the UK Addendum, the UK Addendum shall prevail.

8. CCPA. 🔗

LoopMe is a Business under the CCPA and a third party with respect to You. LoopMe is prohibited from retaining, using, or disclosing the Opt Out CCPA Data for any purpose other than for the specific purpose of providing the Services, including as set out in Schedule 1, or as otherwise permitted by the CCPA. With respect to CCPA Data, You may take reasonable and appropriate steps to ensure that LoopMe processes CCPA Data in a manner consistent with the CCPA by exercising Your rights under Section 6 above. If You reasonably believe that LoopMe is engaged in unauthorised processing of CCPA Data, You will immediately notify LoopMe of such belief via email to privacy@loopme.com, and the Parties will work together in good faith to remediate the allegedly violative processing activities, if necessary. LoopMe will notify You without undue delay, if it makes a determination that it can no longer meet its obligations under the CCPA with respect to CCPA Data.

9. OPT-OUT PERSONAL INFORMATION. 🔗

Notwithstanding Section 3.1, to the extent that LoopMe receives and interprets CCPA Opt-Out of Sale, Sharing, or Targeted Advertising signals or similar from any source (including but not limited to, the IAB CCPA Compliance Framework or Global Privacy Platform) (“Opt-Out Personal Information”), LoopMe will act as a Service Provider or Processor, as applicable under Data Protection Laws. The following terms shall apply solely to LoopMe’s processing of Opt-Out Personal Information:

9.1. Processing Purposes. LoopMe will process Opt-Out Personal Information only for purposes permitted of Service Providers, including without limitation showing contextual advertising, frequency capping, measurement and reporting purposes, Business Purposes generally, or otherwise as permitted by Data Protection Laws. LoopMe will not: (a) use Opt-Out Personal Information for purposes of displaying targeted ads (including any practice that would be considered Cross-Context Behavioral Advertising or Targeted Advertising); (b) process the Opt-Out Personal Information for any purpose other than as a Service Provider or Processor, as applicable under Data Protection Laws, on Your behalf and in accordance with this Section 9; (c) process the Opt-Out Personal Information for a commercial purpose other than as necessary to comply with this Section 9; (d) Sell or Share any Opt-Out Personal information; (d) process the Opt-Out Personal information outside of the direct business relationship between You and LoopMe; or (e) combine Opt-Out Personal Information with any other Personal Information or Personal Data it collects (directly or via any third party) other than as expressly permitted under Data Protection Laws for Service Providers or Processors.

9.2. Compliance. In connection with its processing of Opt-Out Personal Information, LoopMe will comply with obligations applicable to it as a Service Provider or Processor under Data Protection Laws and provide the same level of privacy protection as is required by Data Protection Laws. If LoopMe determines it can no longer meet its obligations under this Section 9, LoopMe will notify You without undue delay. If You reasonably believe that LoopMe is processing Opt-Out Personal Information in a manner that exceeds the scope of this Section 9, You may notify LoopMe of such belief via email to privacy@loopme.com, and the Parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.

9.3. Confidentiality. LoopMe will subject persons authorised by LoopMe to process Opt-Out Personal Information to appropriate confidentiality obligations.

9.4. Security. LoopMe will secure Opt-Out Personal Information in accordance with its obligations under Section 5 of this DPA.

9.5. Return or Disposal. Upon the earlier of any request by You or without undue delay following termination of the Agreement, LoopMe will delete, return, or de-identify Opt-Out Personal Information in its possession or control, unless retention of the Opt-Out Personal Information is required by applicable law. Without limiting the foregoing, LoopMe will retain Opt-Out Personal Information for no longer than thirty (30) days.

9.6. Assistance.

  • 9.6.1. Consumer Rights Assistance. You shall be responsible for responding to requests from Consumers to exercise their right(s) under Data Protection Laws relating to Opt-Out Personal Information (a "Consumer Request"). You will inform LoopMe of any Consumer Request that LoopMe must comply with and provide the information necessary for LoopMe to comply with the request. LoopMe will, to the extent permitted by Data Protection Laws, notify You without undue delay if LoopMe receives a Consumer Request. To the extent You do not have the ability to address the Consumer Request, LoopMe will, upon Your’s reasonable request, provide commercially reasonable efforts to assist You in responding to such Consumer Request, to the extent the response to such Consumer Request is required under Data Protection Laws.

  • 9.6.2. Security Incident Notice and Assistance. LoopMe will notify You without undue delay after becoming aware of a Security Incident affecting Opt-Out Personal Information. LoopMe will further take commercially reasonable steps to mitigate the effects and minimize any impact from such Security Incident. Taking into account the nature of processing and the information available to LoopMe, LoopMe will assist You in complying with Your notification obligations imposed under Data Protection Laws and related to the notified Security Incident. For purposes of this Section 9.6.2, "MSecurity Incident" shall mean "Breach of the Security of the System", "Security Breach", "Breach of Security", "Breach of System Security", and analogous variations of the foregoing, each only as applicable and as defined by Data Protection Laws.

  • 9.6.3. Other Compliance Assistance. Taking into account the nature of processing and the information available to LoopMe, LoopMe will provide commercially reasonable efforts to assist You in ensuring compliance with the obligations related to data protection assessments.

9.7. Audits

  • 9.7.1. General Assistance. Subject to Section 9.7.3, LoopMe will make available to You information necessary to demonstrate LoopMe’s compliance with its obligations in this Section 9. Any such information will be deemed the confidential information of LoopMe under the Agreement.

  • 9.7.2. LoopMe Reports. LoopMe may procure summaries of independent audits by third parties, using appropriate and accepted audit procedures, to assess LoopMe’s adherence to an appropriate and accepted control standard or framework (collectively, "Reports"). Subject to the confidentiality obligations set forth in the Agreement, LoopMe will provide You with a copy of LoopMe’s then-current Reports as reasonably requested. If the Agreement does not include a provision protecting LoopMe’s confidential information, then the Reports will be made available to You subject to a mutually agreed upon non-disclosure agreement covering the Reports.

  • 9.7.3. Audits. You agree to exercise Your audit rights by first requesting the Reports as described in Section 9.7.2. You will only request additional information or an on-site audit of LoopMe to the extent the information provided by LoopMe is not reasonably sufficient to enable You to evaluate LoopMe’s compliance with this Section 9 and/or Data Protection Laws. You will provide no less than thirty (30) days' advance notice of Your request for an on-site audit and will cooperate in good faith with LoopMe to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either Party). Any such on-site audit must occur during LoopMe’s normal business hours and be conducted by You or a nationally recognized independent auditor. If You rely on a third-Party auditor, You will be responsible for ensuring that the auditor will: (a) comply with reasonable and applicable on-site policies and procedures provided by LoopMe, (b) sign a standard confidentiality agreement with LoopMe, and (c) not unreasonably interfere with LoopMe’s business activities. You will provide a written copy of any audit findings to LoopMe, and the results of the audit will be the confidential information of LoopMe.

9.8. Subprocessors. You authorise LoopMe to use subcontractors to process Opt-Out Personal Information in connection with LoopMe’s processing (each, a “Subprocessor”). LoopMe will provide You with notice of Subprocessors in existence as of the Effective Date in Schedule 1. LoopMe will only add or remove a Subprocessor after providing You with reasonable prior notice, of at least fifteen (15) days, and an opportunity to object. You may object to LoopMe’s use of a new Subprocessor within ten (10) days of receiving such notice by sending an e-mail to privacy@loopme.com indicating Your desire to object to any such change. If You object to the change in Subprocessors, the Parties will cooperate in good faith to resolve Your objection. If the Parties are unable to resolve Your objection within ten (10) days, then either Party may terminate the Agreement only with respect to those services that LoopMe indicates cannot be provided without the objected-to Subprocessor. LoopMe will enter into a written contract with each Subprocessor imposing substantially equivalent data protection obligations upon any Subprocessor as those applicable to LoopMe under this Section 9. LoopMe will remain liable for any acts or omissions of its Subprocessors.

10. TERM AND TERMINATION. 🔗

This DPA shall commence on the Effective Date and shall continue as long as You utilise the Services. Clauses 4 and 10 of this DPA shall survive termination or expiry of this DPA.

Schedule 1 to the LoopMe Controller-to-Controller Publisher DPA

Capitalised terms used in this Schedule 1 and not otherwise defined herein shall have the meanings ascribed in the Order Form, Terms and/or DPA.

ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES 🔗

A. LIST OF PARTIES 🔗

Data exporter(s):

  • Name: Partner entity as identified in the Order Form
  • Address: Partner address as set out in the Order Form
  • Contact person’s name, position and contact details: Partner contact details as set out in the Order Form
  • Activities relevant to the data transferred under these Clauses: Provision of the Services
  • Signature and date: Effective Date
  • Role (controller/processor): Controller

Data importer(s):

  • Name: LoopMe entity as identified in the Order Form
  • Address: LoopMe address as set out in the Order Form
  • Contact person’s name, position and contact details: LoopMe contact details as set out in the Order Form</p>
  • Activities relevant to the data transferred under these Clauses: Provision of the Services
  • Signature and date: Effective Date
  • Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER 🔗

Categories of data subjects whose personal data is transferred

  • The Data processed concern the following categories of data subjects: End Users

Categories of personal data transferred

  • The Data processed concern the following categories of personal data:
    • Bid request unique identifier
    • IP address
    • Device and advertising identifiers
    • Browser and device type (desktop/mobile, brand, model, OS)
    • Device location
    • Device time zone
    • Digital Property / content visited and events
    • Other information provided or inferred about end users, including demographic or interest-based segments (e.g., age range, gender, interests), when linked to device identifiers or sessions

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

  • The Personal Data is transferred on a continuous basis during the Term.

Nature of the processing

  • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

Purpose(s) of the data transfer and further processing (thePermitted Purpose(s))

  • In respect of each End User, the TCF Purposes for which LoopMe has satisfied a lawful basis to process Data, as indicated by means of a transparency consent and/or objection status of such End User contained in a Signal. As at the date of this DPA, the TCF Purposes include (as more particularly described in the TCF Requirements):

    • Purpose 1: Store and/or access information on a device
    • Purpose 2: Select basic ads
    • Purpose 3: Create a personalised ads profile
    • Purpose 4: Select personalised ads
    • Purpose 5: Create a personalised content profile
    • Purpose 6: Select personalised content
    • Purpose 7: Measure ad performance
    • Purpose 8: Measure content performance
    • Purpose 9: Apply market research to generate audience insights
    • Purpose 10: Develop and improve products
    • Special Purpose 1: Ensure security, prevent fraud, and debug
    • Special Purpose 2: Technically delivery ads or content
    • Feature 1: Match and combine offline data sources
    • Feature 2: Link different devices
    • Feature 3: Receive and use automatically send device characteristics for identification
    • Special Feature 1: Use precise geolocation data
    • Special Feature 2: Actively scan device characteristics for identification

  • In pursuing these TCF Purposes, LoopMe may share Data with other third parties that have also satisfied a lawful basis to process Data by the same means.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • The later of 13 months from the date of collection, or for the Term of the Agreement (unless earlier deletion is required by data exporter).

C. COMPETENT SUPERVISORY AUTHORITY 🔗

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs

  • (i) for Personal Data protected by the GDPR, determined in accordance with Clause 13 of the EU SCCs;
  • (ii) for Personal Data protected by the Swiss DPA, the Federal Data Protection and Information Commissioner; and
  • (iii) for Personal Data protection by UK Privacy Law, the Information Commissioners Office

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES 🔗

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

LoopMe has in place appropriate technical and organisational measures for the processing of personal data. Such security measures and procedures adopted by LoopMe are in adherence to best practice and reflect the requirements of a robust security framework. LoopMe’s technical and organisational measures are detailed in an appendix to LoopMe’s DPA and are available upon request.

Previous Versions: