Privacy Policy: LightAd DSP

Effective Date: January 2026

1. Introduction

Three Spring Media LTD (“LightAd”, “we”, “us”, or “our”) operates the LightAd Demand-Side Platform (the “Platform”). We provide technology that helps advertisers purchase digital advertising space across Web, In-App, and Connected TV (CTV) environments.

We operate under a Privacy-First mandate. Our technology is built to minimize the collection of personal data and maximize the use of privacy-preserving signals provided by modern browsers and operating systems.

2. IAB Transparency & Consent Framework (TCF 2.3)

LightAd is currently in the process of registering with the IAB Europe Transparency & Consent Framework and intends to operate as a Vendor on the Global Vendor List (GVL).

2.1 Compliance Standards

We adhere to TCF v2.3 specifications. This means:

• No Legitimate Interest for Personalization: We do not rely on “Legitimate Interest” for Purposes 3, 4, 5, and 6 (Personalized ads, profiles, and measurement). These activities only occur where explicit, affirmative consent is granted.
• Verification of Disclosure: Our systems technically verify that LightAd has been disclosed to the user by the Consent Management Platform (CMP) before any data processing occurs.
• Signal Honoring: If a TC String indicates a withdrawal of consent, our bidder automatically ceases all data processing for that user session.

3. Data Collection & Processing in 2026

As third-party cookies are deprecated, we utilize the following privacy-safe data streams:

3.1 Browser & OS Privacy APIs

• Google Privacy Sandbox: We process “Topics” and “Protected Audiences” to serve relevant ads without tracking individual browsing history.
• Apple AdAttributionKit: We use aggregated attribution signals for mobile app installs.

3.2 Identifiers (With Consent Only)

• Pseudonymous IDs: Encrypted identifiers (e.g., ID5, UID2.0) provided via authenticated traffic.
• Technical Data: Truncated IP addresses (for coarse geolocation only) and device characteristics.

3.3 Contextual Data

We prioritize non-personal data, such as the content of the website or app, time of day, and general geographic region (City/Zip Code level).

4. Purpose and Legal Basis (Granular Disclosure)

In compliance with IAB requirements, we declare the following purposes:

5. Global User Rights

We provide a unified interface for users to exercise their rights, regardless of jurisdiction.

5.1 European Union (GDPR) & United Kingdom

Users have the right to access, delete, and port their data. Under TCF 2.3, you have the “Right to Object” to processing based on legitimate interests via the CMP settings on any partner website.

5.2 United States (CPRA, VCDPA, etc.)

We honor the comprehensive privacy laws of all US states (including CA, VA, CO, CT, UT, TX, OR, NJ).

• Global Privacy Control (GPC): We honor GPC signals as a valid opt-out of “Sale/Sharing” and “Targeted Advertising.”
• No Sensitive Data: LightAd does not process sensitive personal information (e.g., precise location, health, or ethnicity).

6. Data Retention & Security

• Retention: In accordance with strict 2026 standards, we retain ad-level personal data for a maximum of 13 months. Aggregated, non-identifiable data may be kept longer for historical reporting.
• Security: We utilize industry-standard encryption (AES-256) and secure “Data Clean Rooms” for any cross-partner data matching.

7. International Data Transfers

Transfers of personal data from the EEA/UK to the United States are conducted under the EU-U.S. Data Privacy Framework (DPF) or through the execution of Standard Contractual Clauses (SCCs).

8. Contact Us

For inquiries regarding your data or our IAB TCF status:

Email: [email protected]