Privacy Policy of Madington Ad Delivery

At Madington, we value your privacy as much as we value creating high-impact experiences and unique ads. This policy is all about how we take care of your information.

This Privacy Policy describes how Madington AB ("we", "us", or "our") collects, uses, shares, and safeguards your information. This policy applies to all users ("you") of our AdTech services, and is in compliance with the General Data Protection Regulation (GDPR) and the IAB Europe Transparency Consent Framework (TCF) v2.2.

Madington is registered as Vendor ID 486 in the IAB Europe Global Vendor List (GVL).

1. The Info We Collect

When your device or browser makes an ad request to our platform, we collect some data. This includes stuff like your IP address, info about your device (like the browser or operating system you're using), screen size, and a rough idea of where you are geographically.

We do NOT collect or store:

• Raw Transparency and Consent (TC) strings
• Persistent user identifiers or fingerprints
• Cookies or cross-site tracking data
• Personally identifiable information (PII) in our measurement pixels

2. How We Use Your Info

Here's what we do with the information:

• We use it to create ads that are impactful but not distressing – because nobody likes an ad that's a downer.
• We help publishers make money from their inventory.
• We share stats with our clients – but don't worry, it's all aggregated and doesn't identify you.
• We keep an eye on things to make sure our platform is working as it should.

3. TCF Purposes and Legal Bases

Under the IAB Europe Transparency and Consent Framework (TCF) v2.2, we process data for specific purposes with defined legal bases. Here's how we operate:

Purpose 7 — Measure Ad Performance

What it does: Allows measurement of how ads perform, including metrics like viewability, engagement, and interaction rates.

Legal basis: Requires explicit user consent. Legitimate Interest alone is NOT sufficient.

How we handle consent:

• When consent is granted, performance tracking (viewability pixels, engagement beacons) proceeds normally.
• When consent is denied or unavailable, ALL performance tracking is immediately halted — we do not buffer or store measurement events for later processing.
• User-initiated events (clicks) are always processed regardless of consent state.

Publisher restrictions: Publishers may require specific legal bases (consent or legitimate interest) for this purpose via their Consent Management Platform (CMP) configuration.

Special Purpose 1 — Ensure Security, Prevent Fraud, and Fix Errors

What it does: Allows detection of invalid traffic, fraud prevention, and security monitoring.

Legal basis: Framework-granted under TCF. This is non-objectable and does not require user consent.

What we track: Only operational metadata for our General Invalid Traffic (GIVT) detection system — no personal data, no raw TC strings, no user identifiers.

Special Purpose 2 — Deliver and Present Advertising

What it does: Enables the technical delivery of ads and confirmation that an ad was served.

Legal basis: Framework-granted under TCF. This is non-objectable and does not require user consent.

Billable impression measurement: A minimal marker pixel records that an ad was delivered. This pixel contains only:

• Publishment identifier (for billing attribution)
• Session correlator (for de-duplication, not user tracking)
• Timestamp

No personal data or raw consent signals are included in this measurement.

4. Served vs Billable Impressions

We distinguish between two types of impression counts:

Served impressions: Counted when our ad loader script is requested. This is consent-independent — it simply records that an ad delivery was attempted. No personal data is collected for this count.

Billable impressions: Counted when Special Purpose 2 permits delivery confirmation. Since SP2 is framework-granted, this occurs for all standard ad deliveries. Billable impressions are exact (100% counted) and used for invoicing.

The separation ensures we respect consent requirements while maintaining accurate business records.

5. Legitimate Interests - Why We Do What We Do

We're an ad serving company, and sometimes, we need to process certain personal data to make our services work. But we're not going rogue here - it's all above board and in line with the General Data Protection Regulation (GDPR). We've made sure we're not stepping on your rights and freedoms.

Here's a quick rundown of the specific reasons why we might need to process your data:

• Fraud Prevention and Security: We're on the lookout for any funky business. By monitoring activity on our platform, we can spot and stop any unusual or potentially fraudulent activity, which keeps our services safe and sound.
• Product Error Identification: Nobody's perfect, and neither is our product. If we find any glitches or errors based on your use of our services, we'll get right on fixing them. It helps us make our services better and your user experience smoother.
• Detection and Prevention of Manipulated Human Activity: We keep things fair and square. By analyzing activity patterns, we can detect and stop any manipulated or artificial activity. This ensures that we're always providing accurate reporting for our advertisers and publishers.
• General Invalid Traffic Detection and Blocking: We're all about quality control. We use data to detect and block invalid traffic, which keeps our services top-notch.
• System/Platform Operability: Just like a well-oiled machine, we need certain data to keep our system and platform running smoothly.
• Ad Requests: We use data to receive and respond to these requests as quickly and accurately as possible.
• Ad Delivery: We process data to technically provide our service of delivering ads to users. It's all part of the job!
• User Interactions with Ads: We love it when you interact with our ads! When you do, we process this info to make sure you're directed to the right landing page.
• Ad Delivery Logging: We keep track of when an ad has been delivered, but don't worry - we don't record any personal data about you in the process.

We hope that gives you a clear picture of why we process your data. If you have any more questions, feel free to reach out at any time!

6. Consent Signal Processing

We integrate with Consent Management Platforms (CMPs) in real-time to determine your consent preferences. Here's how it works:

1. Initial state: When an ad loads, we assume a conservative default (performance tracking disabled) until we hear from the CMP.
2. CMP callback: When your CMP provides a consent signal, we immediately evaluate it against TCF rules.
3. Re-evaluation: If your consent preferences change during a session, we re-evaluate and adjust our processing accordingly.

Important: We never buffer or store measurement events while waiting for consent. If consent is denied, those events are permanently dropped — not queued for later. This ensures GDPR compliance at every step.

Consent sources (in order of preference):

• CMP: Real-time consent signal from your browser's CMP
• Ad-tag macros: Consent information passed through the ad request
• Default: Conservative defaults applied when no signal is available

7. Domains Used for Data Collection and Processing

In the course of providing our services, we utilize specific domains to efficiently collect and process data. This section outlines the domains we use and the purpose behind their utilization.

1. Ad Distribution CDN - deliver.madington.io, delivered-by-madington.com: We use this as our Content Delivery Network (CDN) for advertising distribution. This includes:

   • /adsbymadington.js — Ad loader script (served impression count)
   • /m.gif — Billable impression marker (Special Purpose 2)
   • /g.gif — Invalid traffic marker (Special Purpose 1)

2. Ad Performance Tracking - track.madington.io, track.streamedby.com: Used for tracking the performance of our ads when Purpose 7 consent is granted. This involves collecting data that helps us understand how users interact with the ads we serve.

3. Video streaming - ibv.streamedby.com, ibv.madington.io: Used to deliver streamed video content to our users.

8. Sharing Your Info

We're not in the business of selling your data. We only share your data if the law or government authorities tell us to.

9. Keeping Your Info

We don't hold onto your data forever. We anonymise and aggregate it, and then we can keep it indefinitely, provided it can't be linked back to you. We get rid of any technical access logs as soon as we're done processing them.

Specific retention practices:

• Session correlators are ephemeral and not stored beyond the immediate delivery context
• CloudFront access logs are processed for analytics and then deleted
• Aggregated impression counts are retained for billing and reporting but contain no personal data

10. Your Rights

Under the GDPR, you have several rights regarding your personal data:

• Right to access: You can request information about what personal data we process about you.
• Right to rectification: You can request correction of inaccurate personal data.
• Right to erasure: You can request deletion of your personal data under certain circumstances.
• Right to restrict processing: You can request that we limit how we use your data.
• Right to data portability: You can request your data in a portable format.
• Right to object: You can object to processing based on legitimate interests.
• Right to withdraw consent: For processing based on consent (like Purpose 7), you can withdraw your consent at any time through your browser's CMP.

How to exercise your rights: If you want to exercise any of these rights, contact our Data Protection Officer at dpo@madington.com.

Note on TCF consent: Your consent preferences for Madington (Vendor ID 486) can be managed through any TCF-compliant Consent Management Platform on participating publisher websites.

11. Keeping Your Info Safe

We take security seriously. We use encryption in transit and at rest, control who has access to data, and have special measures in place to keep your data separate and secure.

12. International Data Transfers

Occasionally, it may be necessary to transfer your data to countries other than the one in which you reside. These countries may have data protection and privacy laws that differ from those of your country. However, rest assured that we ensure your data is protected in accordance with this Privacy Policy. All data transfers are strictly confined to the European Economic Area (EEA).

13. Cookies and Other Tracking Technologies

We don't use cookies or any other tracking technologies. You can browse without the crumbs!

14. Children's Privacy

We don't knowingly collect data from children under the age of 13 (or under 16 in the EU), in compliance with laws like the Children's Online Privacy Protection Act (COPPA) or the GDPR's provisions for children's data.

15. Updates to This Policy

From time to time, we may update this policy. We'll always let you know about any changes by posting the new policy on this page.

Last updated: March 2026

16. Got a Question?

If you have any questions about this policy, feel free to get in touch with us at dpo@madington.com. We're here to help!