Advertising Policy
Last Updated: 11th June 2026
1. General Information
This Internet Advertising Privacy Policy (“Advertising Policy”) describes how Fivecell Research Group Limited (“Fivecell,” “we,” “our,” or “us”) processes data in connection with our advertising intelligence, analytics, measurement, and audience insights services (the “Services”).
This policy applies to:
Data we receive from third-party data partners under data licence agreements
Pseudonymous identifiers and signals received through the digital advertising supply chain
Data processed through our SaaS platform in connection with audience intelligence and market analytics
This policy does not apply to data collected through our own corporate website, which is covered by our Privacy Policy and relates only to strictly necessary cookies.
2. How We Receive Data
Fivecell does not place advertising cookies, pixels, software development kits (“SDKs”), or similar tracking technologies on user devices, and does not operate a consumer-facing website or app that collects personal data for advertising purposes.
Instead, we receive pseudonymous identifiers and associated signals, such as cookie IDs, mobile advertising identifiers, IP addresses, and behavioural or contextual data, that have already been collected by other parties within the digital advertising supply chain, including:
Publishers and supply-side platforms (“SSPs”), via programmatic bid requests (OpenRTB)
Data licensors and data partners, under contractual data licence agreements
Other technology vendors operating within the advertising ecosystem
When we receive such data, it is accompanied by a Transparency & Consent String (“TC String”) generated by the originating party’s Consent Management Platform (“CMP”), which confirms whether the relevant end user has consented to, or has not objected to Legitimate Interests processing by, Fivecell for the purposes described in Section 5 below.
Consent Chain Verification for Third-Party Data
We require by contract that our data partners have obtained valid legal bases, including, where applicable, TCF-compliant consent, for the processing purposes for which data is provided to us. We do not knowingly onboard data from partners who cannot demonstrate appropriate consent or a valid legal basis. Our data partner agreements include data processing addenda that reflect TCF obligations and require partners to notify us of any material changes to their consent collection practices.
Where we receive ID5 IDs from data vendors, we additionally rely on the ID5 identity framework’s own consent requirements, which require that the originating publisher or data partner has obtained valid consent for identity resolution before an ID5 ID is generated and provided to us.
2.1 Our Two Processing Activities
Fivecell carries out two related but distinct processing activities using the data we receive:
Activity A: SaaS Platform (Audience and Spatial Intelligence).
We process received data, including device identifiers, behavioural signals, and precise location data where available, to produce audience intelligence and spatial analytics outputs for our clients, and to develop and improve our platform.
All location-based outputs are processed through a signal-noise algorithm that deliberately obscures precise positioning, so no output ever reveals or exposes an individual’s exact location.
This activity is described in Section 5 below and corresponds to TCF Purposes 9 and 10.
Activity B: Data Licensing to Clients.
Separately, we license underlying data to our enterprise clients under data licence agreements. We determine which clients receive such data and under what contractual terms. This activity is enabled by our data vendors’ disclosed consent, which covers the provision of data to third parties for analytics and programmatic advertising purposes, and is governed by our data licence agreements with clients. This activity is described in Section 10 below.
These two activities rely on different legal bases and are governed by different safeguards, as set out below.
3. Our Role in the IAB Europe Transparency & Consent Framework
Fivecell Research Group Limited is in the process of registering as a vendor on the IAB Europe Global Vendor List (“GVL”), which forms part of the IAB Europe Transparency & Consent Framework (“TCF”). The TCF is an industry framework that enables publishers, technology vendors, and advertising platforms to communicate user consent and privacy preferences in a standardised way across the digital advertising ecosystem.
Upon successful registration, Fivecell will be assigned a GVL Vendor ID and our entry will be publicly accessible at https://vendor-list.consensu.org. This policy will be updated to reflect our Vendor ID at that time.
In anticipation of and in alignment with our TCF obligations, we already operate in accordance with the principles of the Framework. In practical terms, this means:
We declare the specific TCF Purposes, Special Purposes, and Features for which we process data, along with the Legal Basis for each.
We read and honour the TC String passed to us in advertising bid requests, and process data only where the TC String confirms the required legal basis has been established for our Vendor ID.
We do not process personal data for purposes not declared in our GVL entry unless we have a separate independent lawful basis under applicable law.
We operate a suppression and opt-out architecture that propagates user choices to our downstream data partners and sub-processors.
Once our GVL registration is confirmed, this section will be updated to include our Vendor ID and a direct link to our GVL entry. For further information about the TCF, visit https://iabeurope.eu/transparency-consent-framework/.
4. Why We Do Not Declare TCF Purpose 1
TCF Purpose 1 (Store and/or access information on a device) covers the placement of cookies, device identifiers, and similar technologies on a user’s device. Because Fivecell does not place such technologies, we only receive identifiers already placed by other parties, Purpose 1 is not used by Fivecell.
The consent (or Legitimate Interests basis) for the original placement of an identifier is established by the party that places it, through its own CMP. Our processing of that identifier is governed entirely by the TC String we receive, which confirms whether the required legal basis extends to Fivecell’s declared purposes for our Vendor ID.
As we do not yet hold a GVL Vendor ID, our current reliance on the consent established for this identifier rests on our data vendors’ disclosed-purpose consent, which covers provision of data to third parties, including Fivecell, for analytics purposes. Upon completion of our GVL registration, this will additionally be confirmed via Vendor-ID-specific TC String signals once our data vendors’ CMP configurations are updated.
5. Processing Purposes and Legal Bases
The following table maps our advertising data processing activities to the standardised IAB Europe TCF Purpose taxonomy. Where we rely on Legitimate Interests, we have conducted a Legitimate Interests Assessment (“LIA”) which is available to regulators upon request.
TCF Reference | Description of Our Activity | Legal Basis | Can You Object? |
|---|---|---|---|
Purpose 3: Create profiles for personalised advertising | Combining identifiers and behavioural signals received via the supply chain to build audience interest profiles | Consent (established upstream, confirmed via TC String) | Yes, withdraw via CMP |
Purpose 4: Use profiles to select personalised advertising | Using audience profiles to determine relevant advertising | Consent (established upstream, confirmed via TC String) | Yes, withdraw via CMP |
Purpose 7: Measure advertising performance | Reporting on ad impressions, clicks, conversions, and campaign reach for advertisers and agencies | Legitimate Interests | Yes, object via CMP or direct request |
Purpose 9: Understand audiences through statistics | Producing aggregated audience reports and market intelligence outputs for commercial clients | Legitimate Interests | Yes, object via CMP or direct request |
Purpose 10: Develop and improve services | Research and development activities relating to our SaaS platform and data models | Legitimate Interests | Yes, object via CMP or direct request |
Special Purpose 1: Ensure security, prevent and detect fraud, and fix errors | Identifying invalid traffic, fraud, and errors to protect platform and client integrity | Legitimate Interests | N/A. Special Purpose |
Special Purpose 3: Save and communicate privacy choices | Recording and propagating opt-outs and consent signals across our systems and to partners | Legitimate Interests | N/A. Special Purpose |
Special Feature 1: Use precise geolocation data | We receive precise location data (latitude/longitude) from data vendors, used as an input to Activity A (generalised audience and spatial analytics) | Consent: established by the upstream vendor’s disclosed consent; to be confirmed via Vendor-ID-specific TC String signal upon GVL registration. | N/A. Special Feature 1 is consent-based. Manage via CMP consent withdrawal, not objection. |
In addition to the above, we declare the following TCF Features, which describe data processing capabilities used in connection with the above purposes but which do not independently require consent or a separate legal basis:
TCF Feature | Description |
|---|---|
Feature 1: Match and combine data from other data sources | We may combine data received from licensed data partners and the digital advertising supply chain to enrich audience profiles |
Feature 2: Link different devices | Where our systems associate signals from different devices with the same user, whether through deterministic or probabilistic methods, or through the use of pre-linked ID graph data received from data vendors, we declare this capability in connection with Purposes 3, 7, 9, and 10 |
Feature 3: Identify devices based on information transmitted automatically | We receive device signals (including User-Agent, Device OS, Device Make, Device Model, Carrier, and IP address) that are transmitted automatically as part of normal bid-stream and data feed communication, and use these signals in connection with audience modelling, device classification, measurement, and fraud detection |
6. Categories of Data We Process
The categories of data we may receive and process as part of our advertising intelligence activities include:
Cookie IDs and mobile advertising identifiers (received from third parties)
IP addresses
Device characteristics
Probabilistic identifiers
Browsing and interaction data (page views, clicks, conversions)
Audience segment classifications and interest categories
Industry classification and campaign metadata
Precise location data (latitude and longitude), where provided by our data vendors
Non-precise location data (country, city, zip code; and IP-derived location used as a fallback)
We do not collect contact details (such as name, email address, or telephone number) as part of these activities.
We receive data from our data vendors in the following structures: Mobile Advertising IDs (MAIDs), The Trade Desk IDs (TTD IDs), and ID5 IDs, in feed types including MAIDs + URL (ID graph), MAIDs + Bundle ID, TTD ID + URL, and ID5 ID + URL. Depending on the feed, attributes received may include: URL or Bundle ID (always present); and where available, User ID, Domain or App Name, Timestamp, User-Agent, Device OS, Device Make, Device Model, Language, Carrier, full IP address, Country, City, Zip Code, and Latitude/Longitude.
7. Special Purposes: Security and Fraud Prevention
We process data for the purpose of ensuring security, preventing and detecting fraud, and fixing errors. This includes identifying invalid traffic, bot activity, and anomalous patterns in the data we receive, in order to protect the integrity of our platform and the accuracy of the services we provide to clients. This processing is carried out on the basis of Legitimate Interests, as recognised under Recital 47 GDPR.
8. Data Retention
We retain data received and processed in connection with our advertising intelligence activities in accordance with the following schedule:
TCF Reference | Data Type | Retention Period |
|---|---|---|
Purpose 3 | Audience segment data, identifiers received from partners | 12 months from last signal received |
Purpose 4 | Ad targeting parameters and profile associations | 12 months from last activity |
Purpose 7 | Campaign measurement and attribution logs | 25 months |
Purpose 9 | Aggregated and anonymised insight outputs | 36 months |
Purpose 10 | Analytical usage data, product telemetry | 24 months |
Purpose 9 / 10 input | Precise location data (lat/long) prior to generalisation | 24 months |
Special Purpose 1 | Security and fraud detection logs | 12 months, or as required by applicable law |
Special Purpose 3 | Hashed identifiers, consent and objection records | Indefinite retained to demonstrate accountability for privacy choices received and acted upon |
Feature 1: Match and combine data from other data sources | Multi-source identifiers and contextual data combined to enrich audience profiles | Retained per the parent Purpose the enriched data is used for maximum 36 months (Purpose 9). No additional retention beyond the parent Purpose period. |
Feature 2: Link different devices | Device association records, ID graph data received from partners | Retained per the parent Purpose the linked data is used for maximum 36 months (Purpose 9). No additional retention beyond the parent Purpose period. |
Feature 3: Identify devices based on information transmitted automatically | User-agent strings, IP addresses, device characteristics used for passive device identification | Retained per the parent Purpose the identification data is used for maximum 25 months (Purpose 7). No additional retention beyond the parent Purpose period. |
Special Feature 1: Use precise geolocation data | Precise location data (latitude/longitude) received from data vendors | Raw inputs (Activity A): 24 months. Generalised outputs (Activity A): governed by Purpose 9 / Purpose 10 retention above. Activity B: governed by the relevant data licence agreement. |
Legal compliance and dispute records | Contracts, correspondence, opt-out records | 6 years from the end of the relevant relationship |
Suppression lists (opt-out records) | Hashed identifiers of opted-out users | Indefinitely, to ensure opt-outs remain effective |
Activity B: Data licensed to clients | Underlying data, including precise location, licensed under data licence agreements | Governed by the relevant data licence agreement, not by Fivecell’s own retention schedule once delivered |
9. Automated decision making
Our processing of data for the purposes described in this policy does not involve automated decision-making that produces legal effects concerning individuals or significantly affects them, within the meaning of Article 22 GDPR. Outputs of our processing, such as audience segments and campaign performance reports, are used by our clients to inform advertising and marketing decisions, but do not result in automated decisions being made about specific identified individuals without human involvement.
10. Activity B: Data Licensing to Clients
In addition to Activity A (described above), we separately license underlying data to enterprise clients under data licence agreements. This activity is enabled by our data vendors' disclosed consent, which covers the provision and licensing of data to third parties for analytics purposes. We determine which clients receive such data and under what contractual terms, and we require clients to handle such data in accordance with applicable law and the terms of our data licence agreements.
This activity is separate from, and does not affect, the generalisation safeguards described in Activity A above.
Where you have exercised an objection or opt-out right in relation to Activity A processing, and you wish to understand how this applies to data already licensed to a client under Activity B, please see our Your Privacy Rights page or contact us at contact us at legal@fivecellgroup.com.
11. Special Categories of Data and Special Features
We do not knowingly process special categories of personal data (as defined under Article 9 GDPR) as part of our advertising intelligence activities.
Where we use precise geolocation data, we do so only on the basis of explicit user consent obtained through a TCF-compliant CMP. This corresponds to TCF Special Feature 1 (Use precise geolocation data). Users may withdraw consent at any time through the CMP of the app or website where their data was originally collected.
12. Children's Privacy
These Services are not directed at children, and we do not knowingly process data relating to individuals under the age of 16 (or such other age as may apply under local law).
13. Contact and Further Information
This policy should be read alongside our Privacy Policy, Internet Advertising Transparency & Data Processing Disclosure, and Your Privacy Rights pages.
For questions about this policy, contact us at legal@fivecellgroup.com.