Data Processing Agreement
Last updated: [DATE]
This Data Processing Agreement (“DPA”) supplements the Publisher Agreement and Platform Agreement (each, the “Agreement”) between you and Banche Labs, Inc. (“Banche Labs,” “we,” “us,” or “our”) and governs the processing of personal data in connection with the Chosen ad network (https://chosen.ad).
This DPA applies where the EU General Data Protection Regulation (GDPR), the UK GDPR, or other applicable data protection laws require a written agreement between parties regarding the processing of personal data.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
- “Processing” means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, and deletion.
- “Data Subject” means an identifiable natural person whose Personal Data is processed.
- “Applicable Data Protection Law” means the GDPR, UK GDPR, and any other data protection law applicable to the processing of Personal Data under this DPA.
- “Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data approved by the European Commission.
2. Controller Relationship
2.1 Joint Controller — Ad Serving
For the purposes of serving ads on your property or Platform (including impression delivery, click tracking, and ad display), you and Banche Labs act as joint controllers. Each party independently determines the means and purposes of processing within its domain:
- You determine that ads will be shown on your property, where and how they are placed, and what consent mechanisms are presented to your visitors.
- Banche Labs determines which ads are served, how impressions and clicks are recorded, and how ad selection data is processed.
2.2 Independent Controller — Network Operations
For the following purposes, Banche Labs acts as an independent controller. You do not direct or determine these processing activities:
- Algorithmic matching and ad ranking
- Group formation and boundary curation
- Identity synthesis and behavioral clustering
- Network-level aggregate analysis and quality scoring
- Fraud detection and prevention across the network
- Cross-site frequency capping, conversion attribution, and audience profiling within the Chosen network
2.3 Respective Obligations
Each party is independently responsible for complying with Applicable Data Protection Law for the processing it controls. Neither party will process Personal Data received from the other in a manner incompatible with this DPA.
3. Personal Data Processed
| Data category | Source | Controller |
|---|---|---|
| Visitor IP address | Collected by SDK on your property | Joint |
| Geography (derived from IP) | Derived by Banche Labs | Banche Labs |
| Device, browser, OS information | Collected by SDK | Joint |
| Page URL and content context | Collected by SDK | Joint |
| Impression and click events | Collected by SDK | Joint |
| Session identifiers (chosen_session) | Set by SDK | Joint |
| Persistent cross-site identifier (chosen_id) | Set by SDK | Banche Labs |
| Curator selection data (which ads shown, selected, timing) | Collected by Chosen | Banche Labs |
| Frequency capping and attribution data | Derived by Banche Labs | Banche Labs |
| Third-party audience enrichment (demographics, interests) | Obtained by Banche Labs from commercial data providers | Banche Labs |
4. Purposes of Processing
Personal Data processed under this DPA may be used only for:
- Serving ads and recording impressions and clicks (joint)
- Operating the ad selection and curation system (Banche Labs)
- Frequency capping across publisher sites within the Chosen network (Banche Labs)
- Conversion attribution (Banche Labs)
- Audience profiling and ad matching (Banche Labs)
- Algorithmic matching, group formation, and quality scoring (Banche Labs)
- Fraud detection and prevention (Banche Labs)
- Aggregate reporting to advertisers and publishers (Banche Labs)
- Improving the Chosen ad network (Banche Labs)
Neither party will process Personal Data for purposes beyond those stated in this DPA and the Agreement without prior written consent of the other party.
5. Your Obligations
You are responsible for:
- Legal basis. Establishing a valid legal basis for the collection and sharing of Personal Data with Banche Labs, including obtaining any required consent from Data Subjects (e.g., cookie consent under the ePrivacy Directive, consent for third-party data sharing under GDPR).
- Transparency. Disclosing Chosen’s data collection in your privacy policy, including the categories of data collected, the purposes of processing, and the identity of Banche Labs as a recipient or joint controller.
- Cookie consent. Implementing appropriate consent mechanisms for the Chosen SDK’s cookies and persistent identifiers before they are set, where required by Applicable Data Protection Law.
- Data Subject requests. Forwarding to Banche Labs any Data Subject requests (access, deletion, objection, etc.) that relate to Banche Labs’ processing, promptly and in any event within 5 business days of receipt.
6. Banche Labs’ Obligations
Banche Labs is responsible for:
- Processing in accordance with this DPA. Processing Personal Data only for the purposes stated in Section 4.
- Data Subject requests. Responding to Data Subject requests that relate to our processing within the timeframes required by Applicable Data Protection Law (generally 30 days under GDPR). We will cooperate with you to fulfill requests that span both parties’ processing.
- Transparency. Maintaining a public Privacy Policy at https://chosen.ad/privacy that discloses our data practices.
- Subprocessor management. Maintaining a list of subprocessors and providing at least 30 days’ notice before adding a new subprocessor. You may object to a new subprocessor within that notice period; if we cannot resolve the objection, you may terminate the Agreement. All subprocessors are bound by written agreements imposing data protection obligations no less protective than this DPA.
- Data minimization. Not processing more Personal Data than necessary for the stated purposes.
- Retention. Retaining Personal Data only as long as necessary for the purposes stated in Section 4, and deleting or anonymizing it thereafter, subject to legal retention obligations.
7. Security
Both parties shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures shall include, at a minimum:
- Encryption of Personal Data in transit (TLS)
- Access controls limiting processing to authorized personnel
- Regular review and testing of security measures
- Secure deletion of Personal Data when no longer needed
8. Data Breach Notification
Each party shall notify the other without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Both parties shall cooperate to fulfill any notification obligations to supervisory authorities and Data Subjects under Applicable Data Protection Law.
9. International Data Transfers
Banche Labs is based in the United States. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries without an adequacy decision, the transfer is subject to appropriate safeguards:
- Standard Contractual Clauses. The SCCs (Module One: Controller to Controller) are incorporated into this DPA by reference and apply to such transfers. The parties agree to execute the SCCs as a separate document if required by a supervisory authority.
- Supplementary measures. Banche Labs implements supplementary technical and organizational measures (including encryption and access controls) to ensure an essentially equivalent level of protection.
10. Audits and Compliance
Upon reasonable written request (no more than once per year), Banche Labs will provide you with information reasonably necessary to demonstrate compliance with this DPA. This may include summaries of security audits, subprocessor lists, and processing records.
Banche Labs is not required to disclose proprietary algorithms, trade secrets, or information that would compromise the security of other participants.
11. Term and Termination
This DPA remains in effect for the duration of the Agreement. Upon termination of the Agreement, Banche Labs will delete or anonymize Personal Data received under this DPA within 90 days, except where retention is required by law or where the data has been aggregated and anonymized such that it no longer constitutes Personal Data.
12. Liability
Each party’s liability under this DPA is subject to the limitation of liability provisions in the Agreement.
13. Conflict
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.
14. Contact
For data protection inquiries related to this DPA, contact:
Banche Labs, Inc.
chosen-privacy@banchelabs.com