1. Who we are
Ad Tech Company OÜ ("Floxis", "we") operates a white-label real-time bidding (RTB) ad exchange that connects publisher/supply-side inventory with advertiser/demand-side buyers. Our services include publisher monetization and programmatic traffic reselling. In connection with this activity Floxis acts as an independent data controller for a limited set of operational processing activities described below, and participates as a vendor under the IAB Europe Transparency & Consent Framework (TCF).
Privacy Policy: https://floxis.tech/privacy · Contact: [email protected]
2. Scope of this claim
Under the TCF, Floxis relies on legitimate interest (Art. 6(1)(f) GDPR) as the legal basis only for the following Special Purposes, which are technically necessary to operate the exchange and cannot be served by consent-based purposes. All consent-based purposes (Purposes 1, 2, 3, 4, 7 — personalised advertising and ad measurement) rely on the user's consent, not legitimate interest, and are outside the scope of this claim.
| TCF Special Purpose | Relied upon | What we actually do |
|---|---|---|
| SP1 — Ensure security, prevent and detect fraud, and fix errors | Yes (LI) | IP / IPv6 / user-agent block-list filtering for invalid-traffic (IVT) and fraud prevention; creative malware/quality scanning (GeoEdge); enforcement of COPPA, GPP, US-Privacy and consent restrictions; debugging and error correction in the bid pipeline. |
| SP2 — Deliver and present advertising and content | Yes (LI) | Routing each bid request to eligible demand partners, running the auction, returning the winning ad to the publisher, and firing win-notice / impression-tracking pixels so the ad can be delivered and billed. |
| SP3 — Save and communicate privacy choices | Yes (LI) | Storing the user's consent / opt-out signals (__fxConsent, __fxDnt cookies) and forwarding GDPR/TCF, GPP and US-Privacy signals downstream so partners honour them. |
We do not rely on legitimate interest to create or use profiles for personalised advertising, to select personalised ads, or to build audiences — those activities run on consent only.
3. Legitimate interest balancing assessment
For each Special Purpose above we have carried out a three-part assessment (purpose test, necessity test, balancing test):
Purpose test — is there a legitimate interest?
Operating a secure, fraud-free, functioning advertising exchange is a recognised legitimate interest of Floxis, our publisher and advertiser customers, and end users (who are protected from fraud and malware). Recital 47 GDPR expressly recognises fraud prevention as a legitimate interest, and Recital 49 recognises network and information security.
Necessity test — is the processing necessary?
- Security/fraud (SP1): detecting invalid traffic and malicious creatives is impossible without inspecting the technical signals (IP, user-agent, creative markup) that identify the abusive request. No less-intrusive means achieves the same protection.
- Ad delivery (SP2): an ad cannot be delivered, rendered or counted without routing the request and firing delivery/measurement pixels. This is the core technical function the publisher has engaged us to perform.
- Privacy-choice storage (SP3): honouring a user's choice across requests is only possible if that choice is stored and transmitted. Processing here is strictly necessary to respect the user's own preference.
Balancing test — do our interests override the individual's rights?
- We process only the technical data already present in the bid request plus a pseudonymous identifier; we do not collect data directly from users and do not use special-category data.
- Data minimisation and retention limits apply (user-level identifiers retained up to 90 days; raw request/event records expire after 7 days; see the Privacy Policy and Device Storage Disclosure for per-cookie lifetimes).
- COPPA traffic has device/user identifiers stripped; precise geolocation is only processed where the user has opted in (Special Feature 1).
- Users can object via the __fxDnt opt-out cookie and via the standard TCF interface; opt-out is honoured in full for the consent-based purposes. For security and fraud prevention (SP1), where we continue processing despite an objection we do so only on compelling legitimate grounds (Article 21(1) GDPR) and limit it to what is strictly necessary.
On balance, the limited, technical, pseudonymous processing required to keep the exchange secure, functional and respectful of user choices does not override the fundamental rights and freedoms of the individual.
4. Your rights
You have the right to object to processing based on legitimate interest, and to access, rectification, erasure, restriction and portability under the GDPR. To exercise these rights contact [email protected]. You can also withdraw consent at any time through the consent interface (CMP) presented on participating sites.