LOOP AGENCY PRIVACY STATEMENT

1. INTRODUCTION

Loop Agency (“we”, “us”, or “our”) is committed to protecting and respecting your privacy.

We process Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), California Consumer Privacy Act (“CCPA“), and applicable data protection laws. That means among other things that: 

  • we clearly state the purposes for which we process Personal Data. We do this through this Privacy Statement; 
  • we limit our collection of Personal Data to only the Personal Data that is necessary for legitimate purposes; 
  • we take appropriate security measures to protect all Personal Data and demand the same of parties that process Personal Data on our behalf; 
  • we respect the right of Data Subjects to offer, correct or delete their Personal Data upon request.

We are responsible for certain processing of Personal Data, both as Data Controller and Data Processor on behalf of client companies. This Privacy Statement applies to Personal Data we process in our capacity as Data Controller. When we act as Data Processor, the client’s privacy notice governs the use of Personal Data. In this Privacy Statement we explain which Personal Data we process and for what purposes and means. We recommend our customers and visitors to carefully read this Privacy Statement. 

This Privacy Statement was last updated in Jan, 2026. 

2. PROCESSING OF PERSONAL DATA

We act solely as data processor on behalf of our customers as the data controller, meaning our customers determine the purposes and means of the data processing and are ultimately responsible for compliance with all applicable laws and regulations for the protection of the Personal Data. Said data processing is necessary to provide our services in accordance with the obligations towards our customers, which obligations serve as the required legal basis pursuant to Article 6 GDPR.  Pursuant to Article 30 GDPR, as data processor we have a record of processing activities in place. This record is part of our information security policy and, like other important privacy documents, we ensure the record of processing activities to be regularly evaluated and updated where necessary. 

Without prejudice to the existing contractual arrangements with our customers, we will treat all Personal Data in strict confidence and inform employees and sub-processors involved in the processing of our Personal Data about the confidential nature of Personal Data. We ensure that these employees and sub-processors sign an adequate confidentiality agreement and – where applicable – data processing agreement. 

In some cases we may collect Personal Data directly from data subjects when they (register to) use our services, post on our blog, contact our support team, and visit our website. In doing so, we may use the Personal Data we have collected from them for purposes related to our services – including but not limited – to: 

  • verify Data Subjects’ identity; 
  • administer our Services; 
  • notify Data Subjects of new or changed services offered in relation to our Services; 
  • carry out marketing or training relating to our Services; 
  • assist with the resolution of technical support issues or other issues relating to our Services; 
  • comply with laws and regulations in applicable jurisdictions; 
  • address dispute resolution and anti-fraud issues; 
  • communicate with Data Subjects.  

The types of Personal Data and categories of Data Subjects processed are as follows: 

  • Types of Personal Data:  
  • User IP-address; 
  • User device ID; 
  • HTTP referrer (an optional HTTP header field that identifies the address of the webpage which is linked to the resources being requested; 
  • User-agent string identifying the user’s browser and device type;
  • Unique identifier for bid request. 
  • Categories of Data Subjects: 
  • Visitors on the internet; 
  • Customers of publisher/affiliate partners. 

By using our Services, Data Subjects consent to their Personal Data being collected, held and used in this way and for any other use they authorise. We will only use Personal Data for the purposes described in this Privacy Statement or with express permission of a Data Subject. The Companies guarantee that the processing of Personal Data will be solely based on one of the legal grounds set forth in Article 6 GDPR. 

3. LEGAL BASIS

The processing of the Personal Data is necessary for the provision of our Services and/or based on individual permission. We also conduct statistical research with Personal Data. In those events we have a legal interest in conducting research in order to improve our Services. 

4. RETENTION PERIOD

We will store Personal Data that falls under a legal retention obligation in accordance with the duration of this legal retention obligation. For example, we retain Personal Data that forms part of the statutory basic administration for a period of five to seven years after the termination of the relevant commercial agreement. In all other cases we will keep the Personal Data for a maximum period of 1 (one) year after the end of the relevant commercial agreement, unless the Privacy Statement of an affiliated company contains a deviating retention period for that particular affiliated company. We recommend our customers and visitors to carefully read the applicable Privacy Statement(s) as well. When Personal Data is no longer needed, it will be securely deleted or anonymised. 

  1. 5. PERSONAL DATA COLLECTED

The following Personal Data might be collected from Data Subjects: 

  • name, email and telephone number; 
  • user agent, IP address, browser, operating system, click behaviour and campaigns. 
  • We do not collect any special categories of Personal Data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. 

6. HOW PERSONAL DATA IS STORED

We collect Personal Data from and about Data Subjects as follows: 

  • Direct interactions. You may give us your identity by filling in forms or by corresponding with us. This includes Personal Data you provide when you: (a) create an account on a partner website; (b) subscribe to services; (c) request marketing to be sent to you; or (d) give us some feedback. 
  • Automated technologies or interactions. As you interact with us may automatically collect technical data about your equipment, browsing actions and patterns by using cookies, server logs and other similar technologies.

7. INVOLVEMENT OF AND SHARING WITH THIRD PARTIES

As Data Controller we can engage other parties as Data Processors to perform an aspect or part of our Services to our customers and users; this could be a platform we use for our Services. Where third parties require access to Personal Data in order to support the delivery of our Services, we have implemented appropriate contractual, technical, and organisational safeguards to ensure that such third parties process the Personal Data only for the agreed purposes and in line with our instructions. 

Furthermore, we will not provide Personal Data to other parties without permission of Data Subjects, unless this is legally required or permitted. For example, it is possible that investigative authorities request Personal Data from us in the context of fraud investigations. In that case, the Companies are legally obliged to provide this Personal Data. 

When we share Personal Data with third parties that are considered separate Data Controllers, each party shall be able to determine the purpose and means of processing the Personal Data held under its control in accordance with its privacy notice. With respect to the separate controllership of each party and without the intention of entering into a joint-controllership as defined in Article 26 GDPR, we shall enter into a partner agreement with such separate Data Controllers, that sets out the framework for the sharing of Personal Data between the parties and defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other. The shared Personal Data will only be processed as far as is necessary according to the purposes and in order to fulfil the obligations as set out in the partner agreement and the parties guarantee that the processing of Personal Data will be solely based on one of the legal grounds set forth in Article 6 GDPR. 

8. SECURITY

We have implemented the following security measures to protect Personal Data: 

  • our system is accessible from the Companies’ network and via a secure VPN connection; 
  • we use secure connections (HTTPS) to ensure the safety of data transfers; 
  • we take organisational access measures; 
  • we take physical access measures; 
  • we have placed a reversed proxy for dealing with DDoS attacks. 

9. INDIVIDUAL RIGHTS REGARDING PERSONAL DATA

In the situation where we are Data Controller for the collection of the Personal Data and therefore directly responsible, a Data Subject can address us in writing for: 

  • Access to Personal Data. The Data Subject can ask us whether we process its Personal Data. If that is the case, we will explain which Personal Data we process, how we process it and for which purposes. One can also request a copy of its Personal Data we process; 
  • Correction of Personal Data. If a Data Subject feels that the Personal Data we process is incorrect or incomplete, he or she can request us to supplement or edit the Personal Data; 
  • Deletion of Personal Data. A Data Subject can request us to delete its Personal Data we process. We will delete the Personal Data without unreasonable delay after receiving such a request, if: the Personal Data is no longer needed for the purpose we processed it; the Data Subject no longer give us permission to process it, if permission was the base for processing it; the Personal Data was processed by us as part of direct marketing; the Data Subject objects against the processing of it and there is no reason (anymore) why we should still be permitted to process the Personal Data; there is a legal reason to delete the Personal Data. 
  • Limitation to processing Personal Data. In some cases, the Data Subject might want a limitation to the processing of its Personal Data. In that case, one can request us to limit the Personal Data we process. We will comply with such a request if (after investigation) it turns out to be possible, for example if one doesn’t want all of its Personal Data deleted, but other Personal Data is no longer necessary for the original purpose. 
  • Portability of Personal Data. In accordance with Article 20 GDPR and Section 1798.100(e) and 1798.105(c) CCPA, the Data Subject can request a copy of its Personal Data we process.  
  • Right to Object and withdraw. A Data Subject can also indicate the right to object or withdrawal in case of disagreement with our processing of the Personal Data. If a Data Subject believes that we do not handle its Personal Data properly, he or she can submit a complaint to us. In the event the parties cannot resolve it and our response to the complaint does not lead to an acceptable result, the Data Subject has the right to submit a complaint about us to the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”). More information about this regulatory body and the submission of complaints can be found at www.autoriteitpersoonsgegevens.nl. To exercise these rights, the Data Subject can contact us via the contact details at the bottom of this Privacy Statement. We will send a written response within 4 weeks. 

10. THIRD PARTY WEBSITES

This Privacy Statement does not apply to third-party websites that are linked to our website through links. We cannot guarantee that these third parties will handle Personal Data in a reliable or secure manner. We recommend that visitors read the applicable privacy notice before using such third-party website. 

11. CHANGE OFPRIVACY STATEMENT

We reserve the right to make changes to this Privacy Statement. It is recommended that visitors regularly consult this Privacy Statementso that they are aware of these changes. The date of the latest version will be shown at the top of the Privacy Statement. Significant changes will be communicated to you where required by law. 

12. COOKIE POLICY

We use cookies on our websites and in our apps. Any visitor can deactivate cookies for all sites in its browser. 

  • What are cookies? Cookies are small, simple text files and are sent to the visitor’s computer, tablet or mobile phone when visiting a website. Cookies increase the user friendliness when visiting our websites or using our apps. 
  • Why do we use cookies? We use cookies to anonymously monitor the number of visitors on the site, which pages are visited and what kind of information requests are made. The cookies that we use, do not contain name or address data; just data concerning the use are stored (pages visited, technical details and IP address). This data is used to analyse the use and visit, so we can optimise our websites and apps, and can be of even better service to the visitor in the future. Naturally, we will handle this information carefully. 
  • What happens when cookies are turned off? If cookies are turned off, we have less insight in the use of our website and cannot optimise it to be of even better service to visitors in the future. 
  • Turning off cookies. If a visitor would rather not use cookies, he or she can turn them off at any moment or remove them from the browser. Instructions for changing the settings of a browser can be found under ‘Help’ in the toolbar of most browsers. To grant visitors of websites more choice in how their Personal Data is used by Google Analytics, they can also download the Google Analytics Opt-out Browser Add-on. 

13. CHILDRENS PRIVACY

Our services are not directed to children under 16. We do not knowingly collect Personal Data from children. Where required by law, we will obtain parental consent before collecting data from minors.  

14. CROSS-BORDER TRANSFERS

Where Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as: adequacy decisions by the European Commission, or Standard Contractual Clauses (SCCs). Consumers’ personal information may be transferred outside of Quebec (for Quebec consumers) or outside of Canada (for non-Quebec consumers). We ensure any transfer of personal information by us which is undergoing processing or is intended for processing after transfer outside of Quebec, or outside of Canada to a third country, shall take place only if, subject to the other provisions of this Privacy Statement, all applicable laws on data protection are complied with. 

15. CONTACT INFORMATION

General Contact Information 

  • This website is operated and maintained by Yep Ads B.V. with its registered address at Weteringschans 109, 1017 SB Amsterdam, the Netherlands.  
  • Tel. +31 (0)20 240 2530 

Contact details Data Protection Officer 

Email: dpo@yepads.com 

Mr. Philippe van Wijnen