Privacy Policy

1. Introduction

Oprello GmbH ("Oprello," "we," "us," or "our") operates a mobile advertising exchange and supply-side platform (SSP). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our SDK, dashboard, website, or related services (collectively, the "Services").

By integrating our SDK or using our Services, you agree to the practices described in this policy. If you are a publisher integrating our SDK, you are responsible for disclosing our data practices to your end users and obtaining any required consent.

2. Data We Collect

2.1 Data Collected via the SDK

When our SDK is integrated into a publisher's mobile application, we may collect:

• Device Information: device type, manufacturer, model, operating system and version, screen size and resolution, device language, and connection type (Wi-Fi/cellular). Device battery level and charging status (used for ad format optimization).
• Advertising Identifiers: IDFA (iOS, when authorized via ATT) or Google Advertising ID (Android), along with limit-ad-tracking status.
• Location Information: IP address (used for approximate geolocation at the country/region level). When the publisher's app has granted location permission, precise GPS coordinates (latitude, longitude) may also be collected for targeted advertising. Under GDPR or CCPA opt-out, precise location is suppressed to country-level only.
• Network Information: carrier name, mobile country code (MCC), mobile network code (MNC).
• App Information: app bundle identifier, app name, app version, and app store ID.
• Ad Interaction Data: impressions served, clicks, video completion events, and reward events.
• User Agent: the browser/WebView user agent string for rendering ad creatives.

2.2 Data Collected via the Dashboard

When publishers register and use our dashboard:

• Account information: email address, company name.
• Authentication data managed by our authentication provider (Supabase Auth).
• Usage data: pages visited, reports generated.

2.3 Data Collected via the Website

Our marketing website (oprello.com) collects only the data you voluntarily submit through our contact form: name, email address, and message content.

3. How We Use Data

• Ad Serving: to request, select, and deliver relevant advertisements to end users.
• Auction Mechanics: to conduct real-time bidding auctions by sending bid requests to demand-side platforms (DSPs) containing device and app information.
• Measurement & Reporting: to track impressions, clicks, and other ad events for publisher reporting and billing.
• Fraud Prevention: to detect and prevent invalid traffic, click fraud, and other forms of ad fraud.
• Service Improvement: to improve our platform, optimize ad delivery, and develop new features.
• Communication: to respond to inquiries and provide support.

4. Data Sharing

We share data with the following categories of third parties:

• Demand-Side Platforms (DSPs): device, app, and contextual information is shared via OpenRTB 2.5 bid requests to enable programmatic ad auctions. DSPs use this data to evaluate and bid on ad impressions.
• Publishers: aggregated reporting data (impressions, revenue, eCPM) is shared with the publisher who integrated our SDK.
• Infrastructure Providers: we use third-party services for hosting, analytics storage, and email delivery. These providers process data on our behalf under data processing agreements.
• Legal Requirements: we may disclose data when required by law, legal process, or government request.

We do not sell personal information to third parties.

5. GDPR (European Economic Area)

5.1 Legal Basis

• Legitimate Interest: for serving non-personalized ads, fraud prevention, and measurement.
• Consent: for serving personalized ads. Our SDK supports IAB TCF v2.2 consent strings and automatically reads consent status from CMP storage.

5.2 Your Rights

If you are in the EEA, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Object to or restrict processing.
• Data portability.
• Lodge a complaint with your local supervisory authority.

5.3 Data Protection Officer

Our Data Protection Officer can be contacted for any questions regarding the processing of your personal data or to exercise your data rights under GDPR:

Data Protection Officer: Oprello GmbH Data Protection
Email: privacy@oprello.com

5.4 Contact

For GDPR-related requests, contact us at privacy@oprello.com or legal@oprello.com.

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA and CPRA:

• Right to Know: you may request the categories and specific pieces of personal information we have collected.
• Right to Delete: you may request deletion of your personal information.
• Right to Correct: you may request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale: you may opt out of the "sale" of personal information. Our SDK supports the IAB US Privacy string for signaling opt-out status.
• Right to Opt-Out of Sharing: you may opt out of the sharing of personal information for cross-context behavioral advertising.
• Right to Limit Use and Disclosure of Sensitive Personal Information: you may request that we limit our use and disclosure of sensitive personal information to purposes necessary to provide the Services.
• Non-Discrimination: we do not discriminate against you for exercising your privacy rights.

Categories of personal information collected: identifiers (device IDs, IP addresses), internet activity (ad impressions, clicks), and geolocation data (approximate, derived from IP; precise GPS when publisher app has location permission).

Global Privacy Control (GPC): We recognize and honor Global Privacy Control signals as valid opt-out requests under the California Consumer Privacy Act. When a GPC signal is detected, we treat it as a request to opt out of the sale or sharing of personal information.

7. COPPA (Children's Privacy)

We do not knowingly collect personal information from children under the age of 13. Our SDK supports the COPPA flag, which publishers must set when their app is directed at children. When the COPPA flag is enabled:

• No advertising identifiers (IDFA/GAID) are collected or transmitted.
• Personalized advertising is disabled.
• The COPPA signal is passed through to all DSP partners in bid requests.

8. Data Retention

• Ad serving data (impressions, clicks, device data): retained for 12 months, then deleted or anonymized.
• Aggregated daily summary data: retained indefinitely. This data is aggregated across multiple users and ad requests, and individual users cannot be identified from it when traffic volumes are sufficient.
• Financial records (revenue, billing): retained for 7 years as required by applicable law.
• Dashboard account data: retained for the duration of the business relationship and deleted upon request.
• Consent records: IP addresses and user agents recorded in consent acceptance records are retained for the duration required by applicable law to demonstrate valid consent.

9. International Data Transfers

Your personal data may be processed outside the European Economic Area (EEA), including in the United States, by our infrastructure providers and demand-side platform partners.

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs), to protect your data in accordance with GDPR requirements.

Categories of data that may be transferred internationally include:

• Device identifiers (advertising IDs, device model, OS version)
• IP addresses (used for approximate geolocation)
• Ad interaction data (impressions, clicks, video events)

Data recipients include cloud infrastructure providers (hosting and analytics storage) and demand-side platforms (DSPs) that participate in programmatic ad auctions.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. This includes encryption in transit (TLS), access controls, and regular security reviews.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify publishers of material changes via email or dashboard notification. The "Effective Date" at the top indicates when the policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: