Privacy Policy

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial laws in Alberta and British Columbia (PIPA), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (as modernised by Law 25 / Bill 64, fully in force September 2023) apply to our handling of your personal information.

Consent. We obtain your meaningful consent before collecting, using, or disclosing your personal information, except where permitted or required by law. Consent may be express or implied depending on the sensitivity of the information and the context. You may withdraw consent at any time (subject to legal or contractual restrictions) by contacting us — we will inform you of the implications of withdrawal.

Your rights under Canadian law include:

• Access — Request access to your personal information held by us and how it has been used or disclosed.
• Correction — Challenge the accuracy or completeness of your personal information and request correction.
• Withdrawal of consent — Withdraw consent to the processing of your personal information.
• De-indexing (Quebec) — Request that information published about you online be de-indexed or re-anonymised where it causes you harm and where you do not have a legitimate interest in its dissemination.
• Portability (Quebec) — Request a copy of your personal information in a structured, commonly used, and technological format, or request that it be transmitted to a third party.
• Automated decision-making (Quebec) — Be informed when a decision is made about you solely via automated processing and request human review.

Breach notification. In the event of a privacy breach that poses a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (OPC) and/or the Commission d'accès à l'information (CAI) in Quebec, as applicable, and affected individuals in accordance with applicable timelines.

Cross-border transfers. When your personal information is transferred outside Canada, we ensure it receives comparable protection through contractual privacy agreements or other appropriate safeguards.

Privacy Officer. We have designated a Privacy Officer accountable for compliance with Canadian privacy law. Contact: [email protected].

Complaints. If you are unsatisfied with our response, you may escalate to the Office of the Privacy Commissioner of Canada (OPC) or, if you are in Quebec, the Commission d'accès à l'information (CAI).

If you are in the European Economic Area, the GDPR grants you the following rights in addition to those described in Section 7:

Data Controller. AdvertsReward acts as the data controller for personal data collected from publishers and visitors to advertsreward.com. For End-User data processed on behalf of publishers via the widget, AdvertsReward acts as a data processor.

Legal bases. We rely on the following lawful bases under Article 6 GDPR: (a) contract performance (Art. 6(1)(b)) for account and payment processing; (b) legitimate interests (Art. 6(1)(f)) for fraud prevention and security; (c) legal obligation (Art. 6(1)(c)) for tax and regulatory compliance; (d) consent (Art. 6(1)(a)) for non-essential cookies and marketing. You can withdraw consent at any time without affecting the lawfulness of prior processing.

Special categories. We do not intentionally process special-category personal data (Art. 9 GDPR). If you voluntarily provide such data (e.g., health-related information in a support request), we process it only with your explicit consent.

Automated decision-making. We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing.

Data retention periods. Account data is retained for the duration of the account plus up to 6 years for financial record-keeping obligations. Log data is retained for 90 days. You may request earlier deletion where no legitimate purpose overrides your interests.

International transfers. Transfers of personal data outside the EEA are based on Article 46 GDPR safeguards — primarily Standard Contractual Clauses (Commission Decision 2021/914). Where an adequacy decision covers the destination country, we rely on that decision.

Right to lodge a complaint. You have the right to lodge a complaint with your national data protection supervisory authority (e.g., the CNIL in France, BfDI in Germany, ICO in Ireland for cross-border complaints). Find your authority at edpb.europa.eu.

If you are in the United Kingdom, the UK GDPR (retained EU law as amended by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications Regulations 2019) applies to our processing of your personal data. The rights and protections described in Section 11.2 (EEA / GDPR) apply equally to UK residents, with the following UK-specific provisions:

Supervisory authority. The UK's data protection supervisory authority is the Information Commissioner's Office (ICO). You have the right to lodge a complaint with the ICO if you believe we have mishandled your personal data: ico.org.uk/make-a-complaint. We encourage you to contact us first at [email protected] so we can attempt to resolve your concern.

International transfers from the UK. Transfers of your personal data out of the UK are carried out under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or where the Secretary of State has issued a UK adequacy regulation for the destination country.

Right to object. You have the right to object to our processing of your personal data based on legitimate interests (UK GDPR Art. 21). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

Response timeline. We will respond to verifiable data rights requests within one calendar month. We may extend this by a further two months for complex or numerous requests and will notify you accordingly.

If you are in Switzerland, the revised Federal Act on Data Protection (nDSG / revDSG, SR 235.1), which entered into force on 1 September 2023, governs our processing of your personal data. The nDSG is closely aligned with the EU GDPR and the rights described in Section 11.2 apply with the following Swiss-specific additions:

Supervisory authority. The Federal Data Protection and Information Commissioner (FDPIC) supervises compliance with the nDSG. You may lodge a complaint or request an investigation at edoeb.admin.ch.

International transfers. We transfer personal data outside Switzerland only to countries with adequate data protection (as recognised by the FDPIC), or under appropriate safeguards such as the Swiss Standard Data Protection Clauses (SDPCs) approved by the FDPIC, or other safeguards specified in Art. 16–17 nDSG.

Data protection impact assessments (DPIA). Where we introduce processing activities likely to result in a high risk to the personality or fundamental rights of individuals, we conduct a data protection impact assessment in accordance with Art. 22 nDSG.

Breach notification. In the event of a data security breach likely to result in a high risk to the personality or fundamental rights of individuals, we will notify the FDPIC as soon as reasonably practicable (Art. 24 nDSG) and affected individuals where required.

Your rights. You have the right to information about how your data is processed, the right to data portability, rectification, erasure, and restriction of processing under Arts. 25–32 nDSG. Requests may be submitted to [email protected].

If you are in India, the Digital Personal Data Protection Act, 2023 (DPDP Act) governs our processing of your digital personal data. AdvertsReward operates as a Data Fiduciary under the DPDP Act.

Consent. We process your personal data based on your free, specific, informed, unconditional, and unambiguous consent given via a clear affirmative action (Section 6 DPDP Act). A notice providing itemised details of the personal data sought and the purpose of processing is presented at or before collection.

Your rights as a Data Principal include:

• Right of access (Section 11) — Obtain a summary of personal data processed and the processing activities undertaken.
• Right to correction and erasure (Section 12) — Request correction of inaccurate or misleading personal data; request erasure of personal data no longer necessary for the purpose it was collected.
• Right to grievance redressal (Section 13) — Have grievances addressed by our Grievance Officer within a prescribed timeframe.
• Right to nominate (Section 14) — Nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to withdraw consent — Withdraw consent at any time; withdrawal will not affect the lawfulness of processing carried out before withdrawal.

Children's data. We do not process personal data of children (individuals below 18 years) without verifiable parental consent. We do not undertake behavioural monitoring or targeted advertising directed at children.

Cross-border transfers. We transfer personal data to countries or territories as permitted by the Central Government under Section 16 of the DPDP Act. We will update this section as the government's list of permissible countries is notified.

Grievance Officer. To raise a grievance under the DPDP Act, contact our Grievance Officer at [email protected]. If you are unsatisfied with our response, you may escalate to the Data Protection Board of India once it is constituted and operational.

Breach notification. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with Section 8(6) of the DPDP Act and any rules made thereunder.

If you are located in Mainland China, the Personal Information Protection Law (PIPL, effective 1 November 2021), the Data Security Law (DSL, effective 1 September 2021), and the Cybersecurity Law (CSL, effective 1 June 2017) collectively govern our handling of your personal information. AdvertsReward acts as a Personal Information Processor under PIPL.

Legal bases (Art. 13 PIPL). We process your personal information under the following lawful bases: (a) your separate, informed, and voluntary consent (the primary basis); (b) necessity for concluding or performing a contract to which you are a party; (c) necessity for fulfilling our legal obligations or duties; (d) necessity to protect your vital interests or those of others in emergency situations; or (e) other circumstances prescribed by law or regulation. Where we process based on consent, you may withdraw at any time via [email protected].

Sensitive personal information (Art. 28–32 PIPL). We do not intentionally collect sensitive personal information (including biometric data, religious beliefs, specially designated status, medical health, financial accounts, or location information). If such data is provided, separate explicit consent is obtained, and its processing is limited to the stated purpose.

Your rights (Arts. 44–50 PIPL) include:

• Right to know and decide — To be informed of and decide on the processing of your personal information, including the right to restrict or refuse processing.
• Right of access and copy (Art. 45) — Request access to and a copy of your personal information; we must provide it within 15 days.
• Right to portability (Art. 45) — Request transmission of your personal information to a designated processor where technically feasible and in compliance with CAC-specified conditions.
• Right to correction (Art. 46) — Request correction or supplementation of inaccurate or incomplete personal information.
• Right to deletion (Art. 47) — Request deletion of your personal information upon withdrawal of consent, cessation of our services, expiry of the agreed retention period, or where processing violates law or our agreement.
• Right to explanation (Art. 48) — Request an explanation of our personal information processing rules.
• Right to refuse automated decisions (Art. 24) — Refuse decisions that have a material impact on your rights and interests made solely by automated means; request human decision-making where automated decisions are used for personalised push information or commercial marketing.

Cross-border transfers (Arts. 38–43 PIPL). Personal information collected inside Mainland China is transferred abroad only through one of the following mechanisms: (i) a security assessment organised by the Cyberspace Administration of China (CAC); (ii) a personal information protection certification conducted by a CAC-designated body; or (iii) a standard contract concluded with the overseas recipient and filed with the CAC. We will provide you with information about out-bound transfer mechanisms upon request.

Breach notification. In the event of a personal information security incident, we will immediately take remedial measures and notify you and the relevant regulatory authorities in accordance with Art. 57 PIPL and MIIT's personal information security incident reporting requirements (within 72 hours where required).

Personal information protection officer (Art. 52 PIPL). Where required by law, we designate a personal information protection officer. Contact: [email protected].

Complaint channel. If you believe we have violated your rights under PIPL, you may file a complaint with the relevant personal information protection authority, including the Cyberspace Administration of China (CAC) or a competent authority designated by law.