Skip to content
TopAdsROI
법률

Privacy Policy

How TopAdsROI collects, uses, and protects information across the eleven Asia-Pacific markets we serve.

Last updated: · Version 1.0

This policy is provided in good faith and reflects our practices as of the last-updated date. Where local law in your market grants you stronger rights, those rights apply.

1. Who we are

TopAdsROI ("we", "us", "our") provides server-side ad-measurement infrastructure (server-side Google Tag Manager, Meta Conversions API, TikTok Events API, LINE Conversion API) deployed inside our customers' own Google Cloud Platform tenancies. For the purposes of this policy:

  • Visitors of this website: we are the data controller for the limited information described below.
  • Our customers' end-users: their ad measurement data is processed inside the customer's GCP. We are the processor; the customer is the controller. See the Data Processing Addendum for that relationship.

2. What we collect (this website)

  • Form submissions: name, work email, company, role, primary market, monthly event volume, and free-text message you provide on the demo request form.
  • Technical data: IP address (truncated before storage), user agent, referrer, request timing, and Cloudflare-derived country code.
  • Cookies and similar technologies: see Cookie Policy. Strictly-necessary cookies only by default; analytics and marketing cookies require explicit consent.

3. Why we collect it (lawful basis)

  • Performance of a contract / pre-contract (GDPR Art. 6(1)(b), AU APP 6, NZ IPP 10): responding to your demo request and onboarding you as a customer.
  • Legitimate interests (GDPR Art. 6(1)(f)): site security, fraud prevention, abuse mitigation. We balance this against your privacy and never use the data for profiling without consent.
  • Consent (GDPR Art. 6(1)(a), TH PDPA, JP APPI): analytics and marketing cookies, newsletter subscription.
  • Legal obligation: tax records, regulator requests, accounting requirements.

4. Who we share with

We share only the minimum data necessary, with vetted sub-processors. The current list is on our Sub-processors page. As of last update, it includes:

  • Cloudflare (CDN, DDoS protection, Pages hosting, Analytics Engine for aggregate visit telemetry — see § 5b for the schema)
  • Google Cloud Platform (Firestore, BigQuery — for our customers' tenancies; we do not store your website-visitor data here)
  • HubSpot (CRM, demo request handling)
  • Slack (internal team notifications, no PII forwarded)
  • Sentry (error monitoring, scrubbed of PII)

We do not sell personal information. We do not share it with ad platforms from this website (we are the producer of an ad-measurement product, not an advertiser).

5. Storage and retention

  • Demo requests: 24 months from last interaction, then deleted unless required by law (e.g. accounting).
  • Server logs: 90 days, then aggregated and deleted.
  • Visitor analytics (see § 5a admin telemetry and § 5b marketing beacon): IP address is hashed before storage with a daily-rotating salt; rolling 30-day retention enforced by an automated daily cleanup job; raw IP not retained except for active security incidents.
  • Cookies: see Cookie Policy for per-cookie retention.
  • Backups: rolling 35 days, encrypted at rest.

You may request earlier deletion at any time (see Section 6).

5a. Admin telemetry

For our administrative dashboard at admin.topadsroi.com we record server-side telemetry on visits to administrative endpoints. The purpose is site security, abuse detection and operational monitoring. We rely on legitimate-interest legal basis (GDPR Art. 6(1)(f), AU APP 6, JP APPI Art. 17, comparable in other APAC markets).

What is recorded for each request:

  • IP address — hashed with SHA-256 plus a daily-rotating per-deployment salt. The same IP gets a different hash each UTC day, which prevents long-term tracking while still letting us correlate same-day repeat visits.
  • Country / region / city as resolved by Cloudflare's edge.
  • User-Agent string (truncated, plus a SHA-256 hash for fingerprint correlation).
  • Path requested, referer header, autonomous-system number (ASN), Cloudflare data-center code, Cloudflare Ray ID, cookie-consent state if known.

What is not recorded by default: raw IP addresses, browser fingerprints beyond what is in the User-Agent, behavioural profiles, advertising identifiers. Raw IP capture is reserved for active security incidents declared by a super-administrator and is automatically disabled within 24 hours.

Right to object: you can object to legitimate-interest processing under GDPR Art. 21 and equivalent provisions by emailing [email protected]; we will assess and respond within 30 days.

5b. Marketing-page visit beacon (opt-in)

The public marketing site (the pages you are reading) is served as pre-rendered static HTML and is not, by default, recorded server-side. If — and only if — you grant analytics consent in the cookie banner, your browser will send a small "visit beacon" to /api/visit-beacon on each navigation so we can measure aggregate page popularity, locale distribution, and referring sources. The server independently verifies your consent by reading the same-site topadsroi_cookie_consent_v1 cookie our banner sets when you choose your preferences; payloads without a matching cookie are discarded.

What the beacon records:

  • Hashed IP address (same daily-rotating SHA-256 scheme as §5a — never raw).
  • Path visited, plus a strictly allow-listed subset of URL query parameters used for marketing attribution: utm_source, utm_medium, utm_campaign, utm_term, utm_content, utm_id, fbclid, ttclid, gclid, msclkid, li_fat_id, twclid, ref, lang. All other query keys are dropped before storage to avoid inheriting personal data placed in URLs by third parties. We also store the language code (e.g. en, zh-Hant).
  • The origin and pathname of the referring page reported by your browser (if any). We strip any query string or fragment from the referrer before storage to avoid inheriting personal data placed in third-party URLs.
  • Country / region / city / ASN / Cloudflare data-center resolved at the edge.
  • User-Agent — only its SHA-256 hash; the raw User-Agent string is discarded before storage on this code path.

What the beacon does not record: raw IP, raw User-Agent, behavioural profile, scroll/click events, advertising identifiers, free-text input.

Lawful basis: consent (GDPR Art. 6(1)(a), TH PDPA, VN PDPL Decree 13/2023, JP APPI Art. 17, AU APP 3.3 with consent, comparable in other APAC markets). The beacon never fires until you grant analytics consent and will not be sent on subsequent navigations once you withdraw it. In-flight network requests already despatched cannot be recalled, but no further beacons are issued.

Storage layers: beacon rows live in our Cloudflare D1 database (forensic detail; rolling 30-day window enforced by an automated daily cleanup job, deleted permanently after 30 days) and are simultaneously written to a Cloudflare Analytics Engine dataset for unbounded aggregate trend reporting. The Analytics Engine copy contains only the same hashed identifiers (no raw IP, no raw User-Agent, no free-text input) and is queried by our admins via aggregate SQL for traffic trend dashboards; rows in this aggregate copy are subject to a five-visit minimum-group threshold (k-anonymity) before they appear in any chart, to protect individuals in low-traffic markets.

How to withdraw or delete:

  • Withdraw consent for future visits: use the "Cookie preferences" link in the footer to revoke analytics consent, or clear the topadsroi_cookie_consent_v1 entry from your browser's storage.
  • Withdraw or request deletion by email: send a request to [email protected] stating the approximate visit date(s), country and ASN. Because we store only a daily-rotating hash of your IP — never raw IP — we cannot positively identify your historical rows from your current IP alone (GDPR Art. 11(2) caveat); we will purge the best-fit matches within 30 days regardless.
  • Right to lodge a complaint: where GDPR or UK GDPR applies, you may complain to your local supervisory authority — see Section 13 for jurisdiction-specific contacts.

6. Your rights

Subject to your local law, you can:

  • Access the personal information we hold about you.
  • Correct it if inaccurate.
  • Delete it ("right to be forgotten" / erasure).
  • Restrict our processing, or object to it.
  • Receive a portable copy.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the regulator in your market (see Section 13).

Email [email protected]. We will verify your identity and respond within 30 days (or the period required by your local law, whichever is shorter).

7. Cross-border transfers

Where data needs to leave its country of origin (for example, demo requests from EU residents being processed in our HubSpot account), we rely on:

  • Standard Contractual Clauses (EU SCCs, UK IDTA, AU equivalent).
  • Adequacy decisions where available.
  • Your explicit consent where strictly necessary.

Your customers' end-user data does not cross borders — it stays in your GCP region (Sydney, Tokyo, or Singapore). That's the entire premise of this product.

8. Cookies

See the dedicated Cookie Policy.

9. Security

See the dedicated Security page. Highlights:

  • TLS 1.3 in transit, AES-256 at rest.
  • SHA-256 hashing of PII before any analytics storage.
  • OIDC + audience verification on all internal automation routes.
  • SOC 2 Type II in progress; ISO 27001 on roadmap for 2026.

10. Children

This website is for B2B audiences. We do not knowingly collect data from anyone under 16 (or the equivalent age in your jurisdiction). If you believe we have, contact us and we will delete it.

11. Changes to this policy

Material changes will be announced 30 days in advance via email to customers and via a banner on this site. Non-material changes (clarifications, typo fixes) are versioned and dated below.

12. Contact

Data Protection Officer: [email protected]
General privacy: [email protected]

13. Jurisdiction-specific notices

Australia

Under the Australian Privacy Act 1988 (as amended in 2024), our Australian Privacy Principles (APP) Compliance contact is the DPO above. The Office of the Australian Information Commissioner (OAIC) handles complaints we cannot resolve.

New Zealand

The Office of the Privacy Commissioner (privacy.org.nz) is the relevant supervisory authority. We comply with the Privacy Act 2020 and the 2023 amendments.

European Union / United Kingdom

Where GDPR or UK GDPR apply, the DPO is the controller's representative. EU data subjects can lodge complaints with their local supervisory authority.

Japan

We comply with the APPI as amended in 2022, including external transmission rules and third-party-disclosure consent requirements.

Thailand

Under the PDPA 2019, this policy is provided in Thai on the corresponding language page. Cross-border transfer disclosures are above.

Singapore

Compliant with PDPA 2012 and the Do-Not-Call register. Our Singapore DPO contact is the same as above.

Other markets (HK, TW, MY, VN, ID, PH)

We comply with PDPO (Cap. 486), the Personal Information Protection Act, PDPA 2010 (as amended in 2024), PDPL Decree 13/2023, UU PDP 2022, and DPA 2012 respectively. Per-market DPO contact details are available on request.

This document is the master English version. Translations are provided for convenience; in case of conflict, the English version controls except where local law requires otherwise.