1. Scope
This Privacy Policy applies to personal data processed by Floxis in connection with:
- visits to our website and public-facing pages;
- communications with us, including sales, support, partnership, and vendor inquiries;
- accounts, dashboards, APIs, and related business services;
- information we process on our own behalf in operating, securing, supporting, and improving our business.
This Privacy Policy does not replace any separately negotiated agreement, data processing addendum, or other contract between Floxis and a customer, vendor, or partner. Where such an agreement applies, it may govern certain aspects of the processing relationship.
2. Our role
Our role depends on the context of the processing.
When you interact with us directly, for example by visiting our website, requesting a demo, contacting us by email, or engaging with us as a business representative, Floxis generally acts as an independent controller of the personal data processed for those purposes.
When a customer uses our services, Floxis may process personal data on the customer’s behalf and under the customer’s documented instructions, in which case Floxis may act as a processor, service provider, or comparable role under applicable law and the relevant contract.
In some cases, the roles of the parties may depend on the specific service configuration, technical workflow, contractual allocation of responsibilities, and applicable law. Nothing in this Privacy Policy should be interpreted as expanding Floxis’s role beyond what is actually established by the relevant facts, agreements, and law.
Where Floxis acts as an independent controller, such role is performed by the legal entity operating the Floxis services as described in this Privacy Policy.
3. Information we collect
The types of personal data we process depend on how you interact with Floxis and how our services are configured.
- Business contact information, such as name, business email address, company name, job title, phone number, and professional contact details.
- Account and authentication information, such as usernames, login details, role-based access settings, account identifiers, and authentication records.
- Communications and support data, such as messages, requests, support tickets, meeting notes, and records of business communications with us.
- Technical and device information, such as IP address, browser type, device type, operating system, language settings, referral URLs, timestamps, and similar diagnostic or connection data.
- Service and log data, such as server logs, API logs, request and response metadata, event records, configuration data, error logs, and security-related records.
- Billing and transaction-related information, such as invoicing contact details, payment status, transaction references, and accounting records, but not necessarily full card data where payments are handled by third-party providers.
- Customer-provided or customer-directed data, to the extent a customer submits data to our services or instructs us to process it under the applicable agreement.
4. Sources of information
We may collect personal data from the following sources:
- directly from you or your organization;
- automatically from your use of our website or services;
- from customers, partners, vendors, or other parties that interact with us in a business context;
- from identity, authentication, hosting, analytics, communications, or other service providers that support our operations;
- from lawful public sources, such as company websites or professional profiles.
5. How we use information
We may use personal data where relevant to:
- provide, operate, host, maintain, and support our website, products, APIs, dashboards, and related services;
- set up, administer, and secure customer or internal accounts;
- respond to inquiries, demo requests, sales communications, onboarding, and support requests;
- monitor, detect, prevent, and investigate abuse, misuse, fraud, security incidents, and technical issues;
- debug, test, troubleshoot, develop, and improve our services and internal operations;
- document business relationships, permissions, settings, transactions, and service events;
- comply with legal, regulatory, tax, accounting, contractual, and compliance obligations;
- establish, exercise, or defend legal claims;
- carry out other lawful business purposes compatible with the context in which the data was collected.
Floxis does not represent in this Privacy Policy that it independently exploits customer data for advertising, resale, profiling, or unrelated commercial purposes. Any such activity, if ever offered, would be subject to a separate legal basis, appropriate contractual framework, actual technical implementation, and applicable law.
7. Programmatic advertising and the IAB Transparency & Consent Framework (TCF)
Ad Tech Company OÜ participates in the IAB Europe Transparency & Consent Framework (TCF) and complies with its Policies and Technical Specifications.
Floxis operates a real-time bidding (RTB) ad exchange for publisher monetization and programmatic traffic reselling. When you visit a website or app that uses Floxis to fill advertising, Floxis processes a limited set of personal data to run the ad auction and deliver advertising. For this specific activity Floxis acts as an independent data controller and participates as a vendor in the IAB Europe Transparency & Consent Framework (TCF). Our processing in this context is governed by the choices you express through the consent interface (Consent Management Platform, "CMP") shown on participating sites.
What we process
When a participating publisher sends an ad request, we may process:
- IP address (IPv4/IPv6) — for coarse geolocation, fraud/invalid-traffic detection and routing;
- Device characteristics — user-agent, device type, operating system, language;
- Device and advertising identifiers — e.g. mobile advertising IDs (IFA/IDFA/GAID) and a pseudonymous Floxis identifier (__fxId) which, where cookie syncing is enabled, is used to match users across our supply and demand partners (cookie syncing is not currently active and will be enabled as our integrations go live);
- Authentication-derived identifiers — pseudonymous identifiers derived by third parties from a logged-in or hashed-email signal (e.g. UID2 or RampID), received from the publisher/SSP in the bid request and forwarded to demand partners;
- Approximate (non-precise) location — country/region derived from IP;
- Precise (GPS) location — only where you have opted in (TCF Special Feature 1);
- Browsing/interaction data — the page/app context and ad interactions such as clicks;
- Privacy choices — your consent / opt-out signals.
We do not ask you for, or knowingly collect, name, email or other directly identifying information through the exchange, and we do not process special-category data for advertising.
Why we process it (purposes and legal bases)
| Purpose | Legal basis |
|---|---|
| Store and/or access information on your device (Purpose 1) | Consent |
| Use limited data to select advertising (Purpose 2) | Consent |
| Create profiles for personalised advertising (Purpose 3) | Consent |
| Use profiles to select personalised advertising (Purpose 4) | Consent |
| Measure advertising performance (Purpose 7) | Consent |
| Ensure security, prevent fraud, and fix errors (Special Purpose 1) | Legitimate interest |
| Deliver and present advertising (Special Purpose 2) | Legitimate interest |
| Save and communicate your privacy choices (Special Purpose 3) | Legitimate interest |
Our legitimate-interest processing is described in detail in our Legitimate Interest Claim.
Cookies and device storage we use
For programmatic advertising Floxis sets the following first-party cookies on .floxis.tech. A full, machine-readable disclosure is published at https://floxis.tech/vendor-storage.json.
| Cookie | Purpose | Lifetime |
|---|---|---|
| __fxId | Pseudonymous Floxis advertising identifier (cookie sync / user matching, where enabled) | 30 days |
| __fxConsent | Stores your TCF consent string | 30 days |
| __fxDnt | Records your opt-out ("do not track") choice | 365 days |
| __fxSp | Tracks which supply partners have been synced | 90 days |
| __fxDp | Tracks which demand partners have been synced | 90 days |
We receive mobile advertising identifiers from the publisher/SSP in the server-to-server bid request; we do not ourselves read other storage on your device.
How long we keep it
User-level advertising data (including the pseudonymous identifier and partner-match records) is retained for up to 90 days (the pseudonymous identifier is refreshed on activity, so its lifetime runs from your last use); raw request/event logs expire after 7 days; on-device storage follows the per-cookie lifetimes above. After these periods the data is deleted or irreversibly de-identified.
Sharing
To run the auction, eligible bid requests (including the technical data above and your TCF/GPP (Global Privacy Platform)/US-Privacy signals) are shared with demand partners (DSPs); where cookie syncing is enabled, identifiers are also matched with supply and demand partners for that purpose. Each partner is an independent controller responsible for its own processing and is listed with its own purposes and legal bases in the TCF Global Vendor List.
Your choices
- Manage or withdraw consent at any time through the CMP on participating sites.
- Set the Floxis opt-out (__fxDnt) to stop consent-based advertising processing.
- Precise geolocation is processed only if you opt in to Special Feature 1.
- Exercise your GDPR rights (access, erasure, objection, etc.) via [email protected].
8. Legal bases for processing
Where the GDPR or another applicable law requires a legal basis, Floxis may rely on one or more of the following, depending on the context:
- performance of a contract or steps taken at your request before entering into a contract;
- compliance with a legal obligation;
- our legitimate interests or those of a third party, where not overridden by the relevant individual’s interests or fundamental rights and freedoms;
- consent, where required by law and validly obtained.
Where Floxis processes personal data on behalf of a customer, the customer is generally responsible for determining the appropriate legal basis, transparency notices, permissions, and other compliance requirements for that processing, unless the parties expressly agree otherwise in writing.
Our legitimate interests may include ensuring the security and integrity of our systems, preventing fraud and abuse, maintaining service reliability, improving performance, and managing business operations.
9. Disclosure of information
We may disclose personal data to:
- hosting, infrastructure, security, communications, analytics, identity, payment, support, and other service providers that help us operate our business and services;
- professional advisers such as lawyers, auditors, accountants, insurers, and consultants;
- affiliates or entities within our corporate group, where relevant to internal administration or service delivery;
- actual or prospective investors, buyers, financing sources, or transaction counterparties in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar corporate event, subject to appropriate confidentiality protections where applicable;
- regulators, courts, law enforcement authorities, or other third parties where required or permitted by law, regulation, legal process, or enforceable governmental request;
- other parties where necessary to protect the rights, safety, property, systems, users, customers, or legal interests of Floxis or others.
We do not state in this Privacy Policy that we disclose personal data to downstream advertising participants, exchanges, bidders, or other ecosystem participants as part of our default website operations. If a customer-specific service configuration later requires disclosures to other parties, such disclosures would be governed by the relevant service design, contractual terms, and applicable law.
10. Customer responsibilities
Customers are responsible for their own use of our services, including where applicable:
- deciding what data to collect, send, store, or make available through the services;
- ensuring they have an appropriate legal basis and any required notices, permissions, or consents;
- responding to data subject requests where they are the controller or primary decision-maker;
- configuring the services in a lawful and appropriate manner for the jurisdictions in which they operate;
- ensuring the lawfulness, accuracy, and appropriateness of the data they provide to Floxis.
Floxis does not warrant that any particular customer implementation, workflow, or configuration will satisfy every legal requirement in every jurisdiction, and customers remain responsible for obtaining their own legal advice regarding their obligations.
11. Data retention
We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, maintain security, preserve logs, comply with legal and contractual obligations, resolve disputes, enforce agreements, and keep business and financial records.
Retention periods vary based on the type of information, the purpose of processing, contractual commitments, technical needs, risk considerations, and applicable law.
Where we process data on behalf of a customer, retention may also depend on the customer’s instructions and the applicable service agreement.
12. International transfers
Floxis and its service providers may process personal data in countries other than the country in which the data was originally collected.
Where required by applicable law, we implement an appropriate transfer mechanism or safeguard for cross-border transfers, which may include adequacy decisions, contractual safeguards, or other lawful transfer tools.
Where transfers are made to countries not subject to an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or equivalent mechanisms.
13. Data security
We implement reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure, taking into account the nature of the data and the risks involved.
However, no method of transmission, storage, or processing is completely secure, and Floxis does not guarantee absolute security.
14. Privacy rights
Depending on your location and the applicable law, you may have rights regarding your personal data, including the right to request access, correction, deletion, restriction, objection, portability, and, where relevant, withdrawal of consent.
You may also have the right to lodge a complaint with a competent supervisory authority.
If Floxis processes your personal data on behalf of a customer, you should generally direct your request to that customer first. We may assist our customer in responding where required by law, contract, or technical feasibility.
15. Children’s privacy
Our website and services are intended for business and professional use and are not directed to children. We do not knowingly collect personal data from children for our own independent business purposes through the website.
16. Third-party services
Our website or services may link to, integrate with, or rely on third-party websites, products, or services. Those third parties operate under their own terms and privacy practices, and Floxis is not responsible for their content, availability, security, or privacy practices.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our business, services, legal obligations, or privacy practices.
When we do, we will post the revised version on this page and update the “Last updated” date above. Where required by applicable law, we will take additional steps to notify users or obtain consent.
18. Contact us
Floxis
Floxis is a technology brand and service offering operated by a legal entity established in the European Union.
General inquiries: [email protected]
Privacy requests: [email protected]
Legal entity details
The services and Floxis platform described in this Privacy Policy are operated by Ad Tech Company OÜ, Estonia.
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117.