Privacy Policy

Effective date: February 17, 2026 | Version: 2026.02-global

This Privacy Policy explains how personal data is collected, processed, shared, retained, and protected across VelisAds Network services, with rights handling for users, publishers, and partners.

Implementation should always be validated against the laws of the regions where services are offered.

Scope and Applicability

  1. Applies to data collected through account creation, login, support, reporting, and ad operations.
  2. Applies to identifiers such as email, IP address, device signals, and cookie-derived preferences.
  3. Applies to controller and processor activities performed directly or through approved subprocessors.
  4. Applies to global user interactions, with local privacy rights enforced where legally required.
  5. Applies to manual and automated processing activities used for fraud and service reliability.
  6. Applies to data handling in production, backup, and compliance evidence systems.

Mandatory Requirements

Lawful Basis and Notice

  • Every processing purpose must have a documented lawful basis before data collection begins.
  • Privacy notices must explain data categories, purposes, sharing, and rights options.
  • Purpose expansion requires updated notice and legal review before release.
  • Consent requests must avoid coercive or deceptive design patterns.

Data Minimization and Access Control

  • Only data needed for declared operational purposes may be collected.
  • Access must follow least privilege, role-based controls, and monitoring logs.
  • Sensitive data requires additional controls, approvals, and justification.
  • Data quality checks must prevent stale, inaccurate, or duplicate records.

User Rights Handling

  • Verified requests for access, correction, deletion, and portability must be supported.
  • Identity verification is required before disclosing personal data.
  • Response timelines must match legal obligations in the applicable jurisdiction.
  • Where requests are denied, the legal reason must be documented and communicated.

Prohibited Practices

  1. Collecting personal data without a clear lawful purpose and documented basis.
  2. Using personal data for undisclosed profiling or unauthorized targeting.
  3. Selling or sharing data in conflict with consent or statutory opt-out rights.
  4. Ignoring valid rights requests from authenticated users.
  5. Retaining personal data indefinitely without legal or operational justification.
  6. Transferring data to unvetted vendors without contractual safeguards.
  7. Masking or suppressing evidence related to privacy incidents.
  8. Bypassing regional privacy controls for convenience or growth targets.

Governance, Monitoring, and Enforcement

  1. Data inventories and processing records must be reviewed and updated regularly.
  2. Privacy impact assessments are required for new high-risk processing activities.
  3. Incident response includes triage, legal review, notification, and remediation tracking.
  4. Personnel handling user data must complete recurring privacy training.
  5. Audit logs must support rights-handling and purpose-limitation verification.
  6. Subprocessor onboarding requires due diligence and contractual accountability.
  7. Material policy updates are versioned and announced with effective dates.
  8. Persistent non-compliance may trigger account restriction or service suspension.

Global Source Links and Standards

  1. EU GDPR Regulation (EU) 2016/679
  2. EU ePrivacy Directive 2002/58/EC
  3. California Privacy Protection Agency (CPPA)
  4. EDPB Guidelines
  5. FTC Privacy and Data Security Guidance
  6. ICO UK GDPR Guidance
  7. NIST Privacy Framework
  8. ISO/IEC 27701 Overview

Operational Interpretation and Regional Mapping

These requirements should be interpreted as global baseline controls for a live ad operations platform. Teams must map each requirement to local legal obligations, contractual duties, and traffic-source constraints before enabling production delivery at scale.

When regional regulations impose stricter standards, the stricter standard applies. Where legal ambiguity exists, operations should default to least-risk handling and documented escalation to legal or compliance owners.

Policy-to-Workflow Mapping

  • Map each policy control to one concrete workflow checkpoint.
  • Define an accountable owner, review cadence, and evidence source.
  • Link policy failures to clear remediation and rollback actions.
  • Track policy exceptions with expiry and approval metadata.

Evidence and Audit Quality

  • Keep verifiable logs for approvals, enforcement, and account state changes.
  • Maintain immutable records for policy acceptance and version changes.
  • Preserve incident evidence with timestamp accuracy and actor context.
  • Support regulator and partner audits with structured evidence retrieval.

Release and Change Governance

  • Run policy impact review before major workflow or billing changes.
  • Gate high-risk releases behind compliance and security readiness checks.
  • Document rollback criteria for policy or abuse regressions.
  • Communicate material policy updates with clear effective dates.

Extended Compliance Checklist

  1. Confirm access controls for admin, publisher, advertiser, and support roles.
  2. Verify domain ownership, sitemap coverage, and install-code integrity before launch.
  3. Validate ad creatives, landing behavior, and category eligibility rules.
  4. Ensure budget, spend, and settlement paths align with billing model selection.
  5. Run fraud and abuse controls for both ad-serving and click attribution pathways.
  6. Confirm user data handling for consent, retention, and rights-response timelines.
  7. Check payout safeguards, webhook integrity, and transaction audit visibility.
  8. Review security events, incident triage flow, and postmortem documentation quality.
  9. Ensure policy pages remain reachable, indexable, and version-consistent in the sitemap.
  10. Require periodic policy refresh training for operational and support teams.

Policy FAQ for Operations Teams

How often should this policy be reviewed?

Review before each major release and at recurring governance intervals, especially when billing logic, targeting controls, or verification workflows change.

What happens if live behavior conflicts with policy text?

Live enforcement should default to safer behavior immediately, then trigger incident review and documented correction to either implementation or policy wording.

How should teams handle partner-specific requirements?

Apply partner requirements as stricter overlays where needed, while preserving baseline platform controls and maintaining auditable policy-to-process mapping.