Privacy Policy

How TopAdsROI collects, uses, and protects information across the fourteen markets we serve (APAC + North America + the UK).

Last updated: · Version 1.0

This policy is provided in good faith and reflects our practices as of the last-updated date. Where local law in your market grants you stronger rights, those rights apply.

1. Who we are

TopAdsROI ("we", "us", "our") provides server-side ad-measurement infrastructure (server-side Google Tag Manager, Meta Conversions API, TikTok Events API, LINE Conversion API) deployed inside our customers' own cloud — Google Cloud, AWS, Azure, or private. For the purposes of this policy:

  • Visitors of this website: we are the data controller for the limited information described below.
  • Our customers' end-users: their ad-measurement data resides exclusively inside the customer's own cloud (Google Cloud, AWS, Azure, or private). The customer is the controller and data custodian; in normal operation we have no access to it and act as a deployment service provider — not a data processor — for that data plane. See the Data Processing Addendum for the narrow, support-only circumstances under which we may briefly act as a limited-scope processor.

2. What we collect (this website)

  • Form submissions: name, work email, company, role, primary market, monthly event volume, and free-text message you provide on the demo request form.
  • Technical data: IP address (truncated before storage), user agent, referrer, request timing, and Cloudflare-derived country code.
  • Cookies and similar technologies: see Cookie Policy. Strictly-necessary cookies only by default; analytics and marketing cookies require explicit consent.

3. Why we collect it (lawful basis)

  • Performance of a contract / pre-contract (GDPR Art. 6(1)(b), AU APP 6, NZ IPP 10): responding to your demo request and onboarding you as a customer.
  • Legitimate interests (GDPR Art. 6(1)(f)): site security, fraud prevention, abuse mitigation. We balance this against your privacy and never use the data for profiling without consent.
  • Consent (GDPR Art. 6(1)(a), TH PDPA, JP APPI): analytics and marketing cookies, newsletter subscription.
  • Legal obligation: tax records, regulator requests, accounting requirements.

4. Who we share with

We share only the minimum data necessary, with vetted sub-processors. The current list is on our Sub-processors page. As of last update, it includes:

  • Cloudflare (CDN, DDoS protection, Pages hosting, Analytics Engine for aggregate visit telemetry — see § 5b for the schema)
  • HubSpot (CRM, demo request handling)
  • Slack (internal team notifications, no PII forwarded)
  • Sentry (error monitoring, scrubbed of PII)
  • Stripe (subscription billing — only for customers on automated billing plans; billing contact and payment instrument)

See the Sub-processors page for the complete, current list. We do not sell personal information. We do not share it with ad platforms from this website (we are the producer of an ad-measurement product, not an advertiser).

5. Storage and retention

  • Demo requests: 24 months from last interaction, then deleted unless required by law (e.g. accounting).
  • Server logs: 90 days, then aggregated and deleted.
  • Visitor analytics (see § 5a admin telemetry and § 5b marketing beacon): IP address is hashed before storage with a daily-rotating salt; rolling 30-day retention enforced by an automated daily cleanup job; raw IP not retained except for active security incidents.
  • Default-on security telemetry (see § 5c): for forensic readiness this logs raw IP address + User-Agent + network metadata under legitimate interest, retained 365 days, with access restricted to super-admin role. This is the one exception to the hashing rule above and is detailed in full in § 5c.
  • Cookies: see Cookie Policy for per-cookie retention.
  • Backups: rolling 35 days, encrypted at rest.

You may request earlier deletion at any time (see Section 6).

5a. Admin telemetry

For our administrative dashboard at admin.topadsroi.com we record server-side telemetry on visits to administrative endpoints. The purpose is site security, abuse detection and operational monitoring. We rely on the legitimate-interest legal basis (GDPR Art. 6(1)(f), AU APP 6, JP APPI Art. 17, US CCPA/CPRA security exception §1798.140(e)(2), CA PIPEDA s.5(3) reasonable-purpose, comparable in other APAC markets).

What is recorded for each request:

  • IP address — hashed with SHA-256 plus a daily-rotating per-deployment salt. The same IP gets a different hash each UTC day, which prevents long-term tracking while still letting us correlate same-day repeat visits.
  • Country / region / city as resolved by Cloudflare's edge.
  • User-Agent string (truncated, plus a SHA-256 hash for fingerprint correlation).
  • Path requested, referer header, autonomous-system number (ASN), Cloudflare data-center code, Cloudflare Ray ID, cookie-consent state if known.

What is not recorded by default: raw IP addresses, browser fingerprints beyond what is in the User-Agent, behavioural profiles, advertising identifiers. Raw IP capture is reserved for active security incidents declared by a super-administrator and is automatically disabled within 24 hours.

Right to object: you can object to legitimate-interest processing under GDPR Art. 21 and equivalent provisions by emailing [email protected]; we will assess and respond within 30 days.

5b. Marketing-page visit beacon (opt-in)

The public marketing site (the pages you are reading) is served as pre-rendered static HTML and is not, by default, recorded server-side. If — and only if — you grant analytics consent in the cookie banner, your browser will send a small "visit beacon" to /api/visit-beacon on each navigation so we can measure aggregate page popularity, locale distribution, and referring sources. The server independently verifies your consent by reading the same-site topadsroi_cookie_consent_v2 cookie our banner sets when you choose your preferences; payloads without a matching cookie are discarded.

What the beacon records:

  • Hashed IP address (same daily-rotating SHA-256 scheme as §5a — never raw).
  • Path visited, plus a strictly allow-listed subset of URL query parameters used for marketing attribution: utm_source, utm_medium, utm_campaign, utm_term, utm_content, utm_id, fbclid, ttclid, gclid, msclkid, li_fat_id, twclid, ref, lang. All other query keys are dropped before storage to avoid inheriting personal data placed in URLs by third parties. We also store the language code (e.g. en, zh-Hant).
  • The origin and pathname of the referring page reported by your browser (if any). We strip any query string or fragment from the referrer before storage to avoid inheriting personal data placed in third-party URLs.
  • Country / region / city / ASN / Cloudflare data-center resolved at the edge.
  • User-Agent — only its SHA-256 hash; the raw User-Agent string is discarded before storage on this code path.

What the beacon does not record: raw IP, raw User-Agent, behavioural profile, scroll/click events, advertising identifiers, free-text input.
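
The hashing and stripping steps described in § 5a and § 5b can be sketched as follows. This is an added illustration, not TopAdsROI's own code; the salt derivation (HMAC of the UTC date under a per-deployment secret), the function names and the sample values are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Allow-list copied from the query parameters named in § 5b.
ALLOWED_QUERY_KEYS = frozenset({
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
    "utm_id", "fbclid", "ttclid", "gclid", "msclkid", "li_fat_id", "twclid",
    "ref", "lang",
})

def daily_salt(deployment_secret: bytes, when: datetime) -> bytes:
    """Assumed derivation: HMAC-SHA256 of the UTC date under a deployment secret."""
    day = when.astimezone(timezone.utc).strftime("%Y-%m-%d").encode()
    return hmac.new(deployment_secret, day, hashlib.sha256).digest()

def hash_ip(ip: str, deployment_secret: bytes, when: datetime) -> str:
    """SHA-256 over (daily salt || IP), so the same IP hashes differently each UTC day.

    IPv4 has only 2**32 values, so anyone holding the salt can enumerate the
    space; the unlinkability relies on the salt staying secret and old salts
    being unrecoverable after rotation.
    """
    salt = daily_salt(deployment_secret, when)
    return hashlib.sha256(salt + ip.encode()).hexdigest()

def filter_query(url: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the path and only the allow-listed query pairs; drop the rest."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, [(k, v) for k, v in pairs if k in ALLOWED_QUERY_KEYS]

def strip_referrer(referrer: str) -> Optional[str]:
    """Keep origin + pathname only; drop query, fragment and any userinfo."""
    try:
        parts = urlsplit(referrer)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or bracketed host
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    origin = f"{parts.scheme}://{host}" + (f":{port}" if port else "")
    return origin + (parts.path or "/")

def build_row(ip, user_agent, url, referrer, deployment_secret, when) -> dict:
    """Assemble a storage row that contains no raw IP and no raw User-Agent."""
    path, query = filter_query(url)
    return {
        "ip_hash": hash_ip(ip, deployment_secret, when),
        "ua_hash": hashlib.sha256(user_agent.encode()).hexdigest(),
        "path": path,
        "query": query,
        "referrer": strip_referrer(referrer),
    }

# Constructed sample input (documentation IP range, made-up secret and URLs).
DEMO_SECRET = b"constructed-demo-secret"
SAME_DAY_A = datetime(2025, 1, 1, 0, 5, tzinfo=timezone.utc)
SAME_DAY_B = datetime(2025, 1, 1, 23, 55, tzinfo=timezone.utc)
NEXT_DAY = datetime(2025, 1, 2, 0, 5, tzinfo=timezone.utc)
DEMO_URL = "/pricing?utm_source=newsletter&email=jane%40example.com&gclid=abc123"
DEMO_REFERRER = "https://example.org/search?q=jane+doe#results"

if __name__ == "__main__":
    row = build_row("203.0.113.7", "Mozilla/5.0 (constructed)", DEMO_URL,
                    DEMO_REFERRER, DEMO_SECRET, SAME_DAY_A)
    for key, value in row.items():
        print(f"{key}: {value}")
```
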

Lawful basis: consent (GDPR Art. 6(1)(a), TH PDPA, VN PDPL Decree 13/2023, JP APPI Art. 17, AU APP 3.3 with consent, US CCPA/CPRA opt-out + Global Privacy Control honoring §1798.135, CA PIPEDA Schedule 1 Principle 4.3 with Quebec Law 25 explicit consent, comparable in other APAC markets). The beacon never fires until you grant analytics consent and will not be sent on subsequent navigations once you withdraw it. In-flight network requests already despatched cannot be recalled, but no further beacons are issued.

Storage layers: beacon rows live in our Cloudflare D1 database (forensic detail; rolling 30-day window enforced by an automated daily cleanup job, deleted permanently after 30 days) and are simultaneously written to a Cloudflare Analytics Engine dataset for unbounded aggregate trend reporting. The Analytics Engine copy contains only the same hashed identifiers (no raw IP, no raw User-Agent, no free-text input) and is queried by our admins via aggregate SQL for traffic trend dashboards; rows in this aggregate copy are subject to a five-visit minimum-group threshold (k-anonymity) before they appear in any chart, to protect individuals in low-traffic markets.

How to withdraw or delete:

  • Withdraw consent for future visits: use the "Cookie preferences" link in the footer to revoke analytics consent, or clear the topadsroi_cookie_consent_v2 entry from your browser's storage.
  • Withdraw or request deletion by email: send a request to [email protected] stating the approximate visit date(s), country and ASN. Because we store only a daily-rotating hash of your IP — never raw IP — we cannot positively identify your historical rows from your current IP alone (GDPR Art. 11(2) caveat); we will purge the best-fit matches within 30 days regardless.
  • Right to lodge a complaint: where GDPR or UK GDPR applies, you may complain to your local supervisory authority — see Section 13 for jurisdiction-specific contacts.

5c. Default-on security telemetry (legitimate interest)

Separate from the §5b opt-in marketing beacon, our marketing site fires a default-on security telemetry ping to /api/anon-ping on every visit. This logs forensically-useful metadata so that — when our infrastructure is audited, attacked, or abused — we can produce traceable evidence to authorities and protect our other visitors. This processing is not for marketing or profiling; it is strictly for site security, fraud prevention, abuse mitigation, and forensic readiness.

What this telemetry does record:

  • UTC server timestamp of the request.
  • Path visited (e.g. /features, /zh-Hant/pricing).
  • Locale code derived from the path.
  • Host the request hit.
  • Raw IP address (IPv4 or IPv6, as observed at the Cloudflare edge).
  • User-Agent string (truncated to 500 characters).
  • Country / region / city as resolved by Cloudflare's edge geolocation (no GPS / device location is consulted).
  • Autonomous-system number (ASN) and AS organization (your ISP / network).
  • Cloudflare data-center code (colo) and Cloudflare Ray ID (request trace identifier).
  • Cloudflare bot management score, if present (1 = certain bot, 99 = certain human).

What this telemetry never records: browser fingerprint (canvas, WebGL, fonts), scroll/click/dwell behavioural data, cookies (we do not read your third-party cookies), localStorage contents, query-string parameters, screen size, full language list, or any free-text input. We do not place tracking pixels, do not pass this data to third parties, and do not use it for marketing analytics or behavioural profiling.

Lawful basis: legitimate interest in site security, fraud prevention, and abuse mitigation, which is recognised across our fourteen markets (APAC + North America + the UK) and the EU under the following frameworks:

  • 🇹🇼 Taiwan 個人資料保護法 §20.II.1 (法律規定) and §20.II.2 (避免危害當事人或他人權益).
  • 🇯🇵 Japan APPI 個人情報保護法 Art. 17(2)(2) and (4) — public safety / necessity.
  • 🇸🇬 Singapore PDPA Schedule 1 Part 2 §1(d) — prevention of fraud / abuse (Legitimate Interests exception, 2021 amendment).
  • 🇲🇾 Malaysia PDPA — narrower legitimate-interest framework; Malaysian visitors who object can email [email protected] with subject line "MY PDPA opt-out" and we will exclude their IP range from logging within 7 days.
  • 🇹🇭 Thailand PDPA §24(5) — legitimate interest.
  • 🇻🇳 Vietnam PDPL Decree 13/2023 Art. 17.4 — public safety.
  • 🇮🇩 Indonesia UU PDP §20(2)(d), (f) — legal / public-interest basis.
  • 🇵🇭 Philippines DPA §13(c) — fraud prevention.
  • 🇦🇺 Australia Privacy Act 1988 APP 3.4(b), (c) — necessary to lessen / prevent serious threat or as required by law.
  • 🇳🇿 New Zealand Privacy Act 2020 IPP 2(2)(d) — fraud / harm prevention.
  • 🇭🇰 Hong Kong PDPO DPP 1 + 3 + s.58 — crime prevention exemption.
  • 🇪🇺 EU GDPR Art. 6(1)(f) (legitimate interests) and Recital 49 (network and information security explicitly named as a legitimate interest); a Legitimate Interest Assessment (LIA) document is maintained on file and available on request to [email protected].
  • 🇺🇸 United States — CCPA/CPRA §1798.140(e)(2) security exception and the equivalent legitimate-interest / security carve-outs in the state comprehensive privacy statutes (VCDPA, CPA, CTDPA, and others).
  • 🇨🇦 Canada — PIPEDA s.5(3) reasonable-purpose provision and the Quebec Law 25 security / fraud-prevention basis.
  • 🇬🇧 United Kingdom — UK GDPR Art. 6(1)(f) and Recital 49, read with the Data Protection Act 2018 and the Data (Use and Access) Act 2025 low-risk-analytics framing.

Anti-abuse safeguards on the endpoint itself: same-origin allow-list (the endpoint refuses requests from any host other than our own), browser-shaped User-Agent heuristic (rejects curl, wget, python-requests, headless automation), per-IP rate limit of 600 requests/hour, admin-host reverse-block, 4 KB body cap.

Storage and retention: rows live in our Cloudflare D1 database (`topadsroi_visits`). For security telemetry, retention is 365 days (longer than the 30-day marketing-analytics window in §5b because forensic investigation often surfaces months later). Rows are tagged consent_state = 'anonymous' for query-time separation. Access to raw IP / raw User-Agent / referer fields is restricted to super-admin role only, and every super-admin query that touches these fields is itself logged in our audit-log table.

How to opt out: this telemetry is fired by our /beacon.js script. To suppress it: (a) block /api/anon-ping in your browser's network settings or via an extension such as uBlock Origin / NextDNS, (b) use a privacy-focused browser (Brave / Tor) which already blocks first-party telemetry endpoints, or (c) email [email protected] with proof of your IP / ASN and we will purge matching rows within 30 days under our standard data-subject access process. Note: blocking the endpoint stops future logging but does not retroactively delete; use the email path for retroactive deletion.

6. Your rights

Subject to your local law, you can:

  • Access the personal information we hold about you.
  • Correct it if inaccurate.
  • Delete it ("right to be forgotten" / erasure).
  • Restrict our processing, or object to it.
  • Receive a portable copy.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the regulator in your market (see Section 13).

Email [email protected]. We will verify your identity and respond within 30 days (or the period required by your local law, whichever is shorter).

7. Cross-border transfers

Where data needs to leave its country of origin (for example, demo requests from EU residents being processed in our HubSpot account), we rely on:

  • Standard Contractual Clauses where applicable (EU SCCs, UK IDTA); for Australian data, binding contractual undertakings under Privacy Act APP 8 (Australia has no formal SCC-equivalent instrument).
  • Adequacy decisions where available.
  • Your explicit consent where strictly necessary.

Customer end-user data (belonging to TopAdsROI's B2B clients, deployed inside their own cloud) does not cross borders — it stays in the cloud region the customer chooses (commonly Sydney, Tokyo, or Singapore for APAC; US regions for North America; London for the UK). TopAdsROI does not move it between regions. That's the entire premise of this product.

8. Cookies

See the dedicated Cookie Policy.

When you visit our marketing site, we determine the simplest cookie dialog that still meets your jurisdiction's minimum legal requirements. We read the cf-ipcountry and cf-region headers attached to your request by Cloudflare's edge — the same data already disclosed in §5c. Based on detected country/state, you see one of three banner variants:

  • Strict bucket (EU 27 + UK + EEA + Switzerland + Japan + Thailand + Vietnam + Indonesia + Philippines + Australia + New Zealand + Canada-Quebec + Korea + any unlisted country): two-button "Accept all" + "Reject all" with equal prominence (GDPR Art. 7(3) requirement). Default state for analytics and marketing is OFF — affirmative click required.
  • Opt-out bucket (US California / Virginia / Colorado / Connecticut / Utah / Texas / Oregon / Iowa / Tennessee / Indiana / Maryland / Delaware / New Jersey / Montana / New Hampshire / Minnesota; Singapore; Canada non-Quebec): two-button "Accept" + "Reject". Marketing analytics defaults to OFF; you can opt in via Accept.
  • Minimal bucket (Taiwan / Hong Kong / Malaysia / US states without privacy law / Mexico): single "Accept" button with link to this Cookie Policy.

Global Privacy Control (GPC) honoring: if your browser sends the Sec-GPC: 1 header (Brave default-on, Firefox in settings, DuckDuckGo, EFF Privacy Badger), and you are in the Strict or Opt-out bucket, we automatically opt you out of all marketing analytics and skip the banner entirely. Server-side enforcement is independent of cookie state — even if you later override and grant consent via "Cookie preferences", any subsequent request still carrying Sec-GPC: 1 will be treated as opt-out. To override, disable GPC at the browser level.

Storage: your consent is stored in a first-party cookie topadsroi_cookie_consent_v2 (server-set via the Set-Cookie HTTP header to bypass the Safari ITP 7-day client-write cap). Cookie lifetime:

  • Accept all → 400 days (industry maximum, browser-enforced cap per RFC 6265bis §5.5; Chrome 104+ / Safari / Firefox)
  • Reject / GPC opt-out → 365 days (legal requirement to allow withdrawal)
  • Rolling refresh: each visit, the endpoint /api/cookie-jurisdiction re-issues the cookie with a new 400-day Max-Age — so for returning visitors with Accept-all, the cookie effectively never expires unless you stop visiting for 400 consecutive days.

Withdraw at any time: footer "Cookie preferences" link clears your stored consent and re-shows the banner.

9. Security

See the dedicated Security page. Highlights:

  • TLS 1.3 in transit, AES-256 at rest.
  • SHA-256 hashing of PII before any analytics storage.
  • OIDC + audience verification on all internal automation routes.
  • SOC 2 Type II in progress; ISO 27001 on roadmap for 2026.

10. Children

This website is for B2B audiences. We do not knowingly collect data from anyone under 16 (or the equivalent age in your jurisdiction). If you believe we have, contact us and we will delete it.

11. Changes to this policy

Material changes will be announced 30 days in advance via email to customers and via a banner on this site. Non-material changes (clarifications, typo fixes) are versioned and dated below.

12. Contact

Data Protection Officer: [email protected]
General privacy: [email protected]

13. Jurisdiction-specific notices

Australia

Under the Australian Privacy Act 1988 (as amended in 2024), our Australian Privacy Principles (APP) Compliance contact is the DPO above. The Office of the Australian Information Commissioner (OAIC) handles complaints we cannot resolve.

New Zealand

The Office of the Privacy Commissioner (privacy.org.nz) is the relevant supervisory authority. We comply with the Privacy Act 2020 and the 2023 amendments.

European Union (and EEA)

Where the EU GDPR applies, the DPO is the controller's representative. EU data subjects can lodge complaints with their local supervisory authority. (UK-specific notice now lives in its own section below following Phase 50.)

Japan

We comply with the APPI as amended in 2022, including external transmission rules and third-party-disclosure consent requirements.

Thailand

Under the PDPA 2019, this policy is provided in Thai on the corresponding language page. Cross-border transfer disclosures are above.

Singapore

Aligned with PDPA 2012 and the Do-Not-Call register. Our Singapore DPO contact is the same as above.

Other APAC markets

  • Hong Kong — Personal Data (Privacy) Ordinance (PDPO, Cap. 486) including the 2021 doxxing amendments; complaints to the Office of the Privacy Commissioner for Personal Data (PCPD).
  • Taiwan — 個人資料保護法 (Personal Information Protection Act, PIPA); complaints to the National Development Council and sectoral regulators.
  • Malaysia — Personal Data Protection Act 2010 as amended by Act A1716 (2024); complaints to the Personal Data Protection Department (JPDP).
  • Vietnam — Personal Data Protection Decree 13/2023/ND-CP and the Cybersecurity Law 2018; complaints to the Ministry of Public Security A05 cybersecurity division.
  • Indonesia — UU 27/2022 Personal Data Protection Law (UU PDP); complaints to the Personal Data Protection Authority once seated, or to the Ministry of Communication and Informatics in the interim.
  • Philippines — Data Privacy Act of 2012 (Republic Act 10173) and NPC Circulars; complaints to the National Privacy Commission (NPC).

Per-market DPO contact details and specific data-subject access workflows are available on request to [email protected].

🇺🇸 United States

For California residents we comply with the CCPA/CPRA as amended (Cal. Civ. Code §§ 1798.100 et seq.) including the right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. We honour Global Privacy Control (GPC) signals as a valid opt-out request. For Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island, and other states with comprehensive privacy statutes, we provide the rights and protections required by each, including profiling opt-out and sensitive-data restrictions where applicable. We do not sell personal information for monetary consideration, and "sharing" for cross-context behavioural advertising is suppressed when a verified opt-out (including GPC) is received. Submit requests to [email protected]; we verify identity before fulfilment.

🇨🇦 Canada

We comply with PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5) for inter-provincial commercial activity and with the substantially-similar provincial regimes — Alberta PIPA, British Columbia PIPA, and Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information). For Quebec residents we provide the additional rights established by Law 25, including portability (since 2024-09), an opt-out of automated decision-making with material effect, mandatory transparency on cross-border transfers, and consent for biometric data. Our designated Privacy Officer for Canadian inquiries is the DPO above. Complaints may be lodged with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Commission d'accès à l'information du Québec.

🇬🇧 United Kingdom

For UK residents we comply with the UK GDPR (the EU General Data Protection Regulation as retained and amended in UK domestic law) read together with the Data Protection Act 2018 (c.12) and the Privacy and Electronic Communications Regulations 2003 (PECR, as amended). We also apply the recent Data (Use and Access) Act 2025 as it comes into force, including the elevated PECR fine maxima and the statutory exception for low-risk analytics where applicable. Cookies and similar technologies are deployed under PECR Reg 6 strict opt-in; non-essential cookies will not be set until you provide consent through the cookie banner, and we honour Global Privacy Control (GPC) signals as a valid opt-out. Where any service of ours is "likely to be accessed by children" within the meaning of the ICO Children's Code (Age-appropriate Design Code) we apply default-high-protection settings, including suppression of behavioural-advertising profiling. Cross-border transfers between the UK and the European Economic Area continue to be covered by the EU adequacy decision for the UK renewed in December 2024 (in force until December 2031), so no Standard Contractual Clauses are required for those flows. Data subject rights (access, rectification, erasure, restriction, portability, objection, automated-decision review) are exercised by writing to [email protected]; we verify identity before fulfilment. Complaints may be lodged with the Information Commissioner's Office (ico.org.uk).

This document is the master English version. Translations are provided for convenience; in case of conflict, the English version controls except where local law requires otherwise.