Internet Advertising Transparency & Data Processing Disclosure
Last Updated: 11th June 2026
1. Introduction and Scope
This page explains how Fivecell Research Group Limited (“Fivecell,” “we,” “our,” or “us”) processes data in connection with our advertising intelligence, analytics, measurement, and audience insights activities, including in connection with industry transparency frameworks such as the IAB Europe Transparency & Consent Framework (“TCF”), where applicable.
This page should be read alongside our Privacy Policy, Advertising Policy, Our Legitimate Interests, and Your Privacy Rights pages.
Fivecell Research Group Limited is in the process of registering as a vendor on the IAB Europe Global Vendor List (“GVL”), which forms part of the TCF. The GVL is the central registry of technology vendors participating in the TCF, and lists the specific purposes for which each vendor processes data, the legal basis relied upon, and applicable data retention periods.
Upon successful registration, our complete GVL entry will be publicly accessible at https://iabeurope.eu/vendor-list-tcf/ and searchable through the user interface of any TCF-compliant CMP. This disclosure will be updated at that time to include our Vendor ID and a direct link to our entry.
2. How We Receive Data
Fivecell does not place advertising cookies, pixels, software development kits (“SDKs”), or similar tracking technologies on user devices, and does not operate a consumer-facing website or app that collects personal data for advertising purposes. Our own website (fivecellgroup.com) uses only cookies that are strictly necessary for it to function.
Instead, we receive pseudonymous identifiers, such as cookie IDs, mobile advertising identifiers, and similar device identifiers that have already been collected by other parties (publishers, supply-side platforms, data vendors, or other technology vendors) within the digital advertising supply chain, typically as part of programmatic advertising bid requests (OpenRTB) or under data licence agreements.
Because we do not place identifiers ourselves, TCF Purpose 1 (Store and/or access information on a device) is not used by Fivecell and is not declared in our GVL entry.
The consent for the original placement of an identifier is established by the party that places it, through its own CMP or disclosed consent practices.
Current State and Target State of Consent Signalling
As Fivecell does not yet hold a GVL Vendor ID, our current receipt of data rests on the disclosed-purpose consent obtained by our data vendors, each of whom is an IAB-registered vendor whose consent disclosures cover the provision of data to third parties, including Fivecell, for analytics purposes. This includes Special Feature 1 (Use precise geolocation data) signals, where our data vendors provide precise location data (latitude/longitude) under their own disclosed consent.
Upon completion of our GVL registration, our systems are designed to additionally check incoming TC Strings for Vendor-ID-specific consent and Legitimate Interests signals corresponding to our declared Purposes, Special Purposes, and Special Features, once our data vendors’ CMP configurations are updated to include our Vendor ID. In practical terms, both now and once registration is complete, this means:
We receive consent and Legitimate Interests signals from our data vendors, currently via their disclosed-purpose consent and, upon GVL registration, additionally via a standardised TC String.
We read the available signal before processing any personal data in advertising contexts to confirm that the applicable legal basis has been established for each intended purpose.
We do not process data where the available signal indicates that consent has not been given or a valid Legitimate Interests basis does not exist for the purpose in question.
We propagate consent withdrawal and objection signals to our downstream data partners within 7 days of receipt.
3. Our Two Processing Activities
Fivecell carries out two related but distinct processing activities using the data we receive:
Activity A: SaaS Platform (Audience and Spatial Intelligence).
We process received data, including device identifiers, behavioural signals, and precise location data where available, to produce audience intelligence and spatial analytics outputs for our clients, and to develop and improve our platform. All location-based outputs are processed through a signal-noise algorithm that deliberately obscures precise positioning, so no output ever reveals or exposes an individual’s exact location. No output of our SaaS platform exposes an individual’s precise location. This activity corresponds to TCF Purposes 9 and 10.
Activity B: Data Licensing to Clients.
Separately, we license underlying data to our enterprise clients under data licence agreements. We determine which clients receive such data and under what contractual terms. This activity is enabled by our data vendors’ disclosed consent, which covers the provision of data to third parties for analytics purposes.
These two activities rely on different legal bases and are governed by different safeguards, as set out below.
4. Our Declared TCF Purposes, Special Purposes, Features, Special Features, and Legal Bases
The following table sets out the TCF Purposes, Special Purposes, Features, and Special Features that we intend to declare in our Global Vendor List entry upon registration, together with the legal basis relied upon for each, the data types involved, and our retention periods.
TCF Reference | Name | Our Use Case | Legal Basis | Data Types Involved | Retention |
|---|---|---|---|---|---|
Purpose 3 | Create profiles for personalised advertising | Aggregating identifiers and behavioural signals received via the supply chain to build audience segments | Consent (established upstream, confirmed via TC String) | Online identifiers received from partners, behavioural data, contextual signals | 12 months |
Purpose 4 | Use profiles to select personalised advertising | Matching audience profiles to advertising inventory for campaign delivery | Consent (established upstream, confirmed via TC String) | Audience segment IDs, campaign targeting parameters | 12 months |
Purpose 7 | Measure advertising performance | Logging impressions, clicks, and conversions; reporting campaign KPIs | Legitimate Interests | Campaign metadata, conversion signals, aggregate counts | 25 months |
Purpose 9 | Understand audiences through statistics | Producing aggregated, generalised audience and spatial intelligence reports for clients (Activity A) | Legitimate Interests | Anonymised/aggregated audience and location data (generalised) | Generalised outputs: 36 months. Raw location inputs: 24 months |
Purpose 10 | Develop and improve services | R&D into audience modelling, spatial analytics methodology, and calibration of the locational generalisation safeguard (Activity A) | Legitimate Interests | Aggregated signal data, research datasets, precise location data used for calibration | 24 months |
Special Purpose 1 | Ensure security, prevent and detect fraud, and fix errors | Detecting invalid traffic and protecting platform integrity | Legitimate Interests | Access logs, technical signals, anomaly records | 12 months |
Special Purpose 3 | Save and communicate privacy choices | Recording and propagating consent withdrawal and objection signals | Legitimate Interests | Hashed identifiers, privacy preference records | Indefinite retained to demonstrate accountability for privacy choices received and acted upon |
Feature 1 | Match and combine data from other data sources | Enriching audience profiles by combining licensed, supply-chain, and publicly available data | Disclosed Feature. No independent legal basis required; used in support of Purposes 3, 7, 9, and 10 | Multi-source online identifiers, contextual data | Per parent purpose, maximum 36 months (Purpose 9). |
Feature 2 | Link different devices | Where our systems associate signals from different devices with the same user, whether through deterministic or probabilistic methods or through pre-linked ID graph data received from data vendors | Disclosed Feature. No independent legal basis required; used in support of Purposes 3, 9, and 10 | Device association records, ID graph data received from partners | Per parent purpose, maximum 36 months (Purpose 9). |
Feature 3 | Identify devices based on information transmitted automatically | Using device signals transmitted automatically as part of normal bid-stream and data feed communication (including User-Agent, Device OS, Device Make, Device Model, Carrier, and IP address) for device classification, audience modelling, measurement, and fraud detection | Disclosed Feature. No independent legal basis required; used in support of Purposes 7, 9, 10, and Special Purpose 1 | User-agent strings, IP addresses, device characteristics | Per parent purpose, maximum 25 months (Purpose 7). |
Special Feature 1 | Use precise geolocation data | We receive precise location data (latitude/longitude) from data vendors, used as an input to Activity A (generalised audience and spatial analytics) | Consent — established by the upstream vendor’s disclosed consent; to be confirmed via Vendor-ID-specific TC String signal upon GVL registration. This basis cannot be Legitimate Interests under the TCF. | Precise location data (latitude/longitude) | Raw inputs: 24 months. Not retained in generalised form beyond Purpose 9/10 outputs. |
Suppression lists | All purposes | Hashed identifiers of opted-out users maintained to enforce opt-outs on an ongoing basis across all future processing | Legal obligation / All purposes | Hashed identifiers of opted-out users | Indefinitely retained to ensure opt-outs remain effective |
Legal compliance and dispute records | Legal obligation | Contracts, correspondence, regulatory records | Legal obligation (Article 5(2) GDPR accountability principle) | Contracts, correspondence, opt-out records | 6 years from the end of the relevant relationship |
Activity B: Data licensed to clients | N/A (separate basis) | Underlying data licensed to enterprise clients under data licence agreements | Enabled by upstream vendor disclosed consent covering redistribution | Underlying data | Governed by the relevant data licence agreement, not by Fivecell’s own retention schedule once delivered |
Purpose 1 (Store and/or access information on a device) is Not Used. Fivecell does not place cookies, device identifiers, or similar technologies on user devices for advertising purposes.
5. The Generalisation Safeguard
Where our SaaS platform produces audience or spatial intelligence outputs based on location data, we apply locational noise through a signal-noise algorithm that deliberately obscures precise positioning, so no output ever reveals or exposes an individual's exact location. This means that no output of our SaaS platform can be used to identify an individual's precise location. This safeguard is a core part of how we balance our legitimate interest in providing spatial analytics against the privacy interests of the individuals whose data contributes to our insights, and is reviewed and calibrated on an ongoing basis as part of our Purpose 10 (Develop and improve services) activities.
This safeguard applies to Activity A only. It does not apply to data licensed under Activity B (see Section 7 below).
6. How We Process Transparency & Consent Signals
When we receive data through the programmatic supply chain or under data licence agreements, we receive consent and Legitimate Interests information from the originating party, currently via their disclosed-purpose consent, and additionally via a TC String once our GVL registration is complete. The TC String, where available, encodes:
Whether GDPR applies to the user in question.
Which vendors the user has consented to (or not objected to under Legitimate Interests).
Which specific purposes consent has been given for or Legitimate Interests objections have been registered.
Before processing any personal data for advertising purposes, our systems check the available signal to confirm that:
The applicable legal basis (consent or non-objected Legitimate Interests) has been established for the intended TCF Purpose.
The signal is valid and has not expired.
The CMP or disclosure that generated the signal is itself compliant.
Where the available signal does not confirm the required legal basis for a given purpose, we do not process data for that purpose. We may still process data where strictly necessary for Legitimate Interests purposes that the user has not objected to, or for our Special Purposes (fraud prevention and security, and saving and communicating privacy choices).
Special Feature 1 Signal Checking
Once our GVL registration is complete and Special Feature 1 is declared, our systems will additionally check the TC String for a Vendor-ID-specific Special Feature 1 consent signal before processing precise location data for any purpose. This is in addition to, not instead of, the disclosed-purpose consent obtained by our data vendors described in Section 2 above.
Consent Withdrawal and Objection Propagation
When a user withdraws consent or registers an objection, an updated signal is generated and our systems process this on an ongoing basis. Suppression of processing following a consent withdrawal or objection is applied within 7 days.
As we are currently in the process of registering as a vendor on the GVL, our systems are being built and tested against TCF technical specifications in advance of that registration being finalised.
7. Activity B: Data Licensing to Clients
In addition to Activity A (described above), we separately license underlying data to enterprise clients under data licence agreements. This activity is enabled by our data vendors' disclosed consent, which covers the provision and licensing of data to third parties for analytics purposes. We determine which clients receive such data and under what contractual terms, and we require clients to handle such data in accordance with applicable law and the terms of our data licence agreements.
This activity is separate from, and does not affect, the generalisation safeguard described in Section 5 above.
Where you have exercised an objection or opt-out right in relation to Activity A processing, and you wish to understand how this applies to data already licensed to a client under Activity B, please see our Your Privacy Rights page or contact us at legal@fivecellgroup.com.
8. Categories of Data We Process
We may receive and process the following categories of data as part of our advertising intelligence activities:
Mobile advertising identifiers (MAIDs), The Trade Desk IDs (TTD IDs), and ID5 IDs received from third parties, not placed by Fivecell
Full IP addresses
Device characteristics (OS, make, model, user-agent, language, carrier)
Probabilistic identifiers
Browsing and interaction data (URL/Bundle ID, domain or app name, timestamp, clicks, conversions)
Precise location data (latitude and longitude), where provided by our data vendors
Non-precise location data (country, city, zip code; and IP-derived location used as a fallback where precise coordinates are unavailable or invalid)
Audience segment classifications (interest-based and location-based, inferred)
Campaign metadata
We do not collect contact details (such as name, email address, or telephone number) as part of these activities.
9. Special Purposes: Security and Fraud Prevention
We process data for the purpose of ensuring security, preventing and detecting fraud, and fixing errors. This includes identifying invalid traffic, bot activity, and anomalous patterns in the data we receive, in order to protect the integrity of our platform and the accuracy of the services we provide to clients. This processing takes place on the basis of Legitimate Interests, as recognised under Recital 47 GDPR.
10. High-Level Ecosystem Map
All technology partners and data vendors who provide data to us in connection with our advertising services are either (a) registered or registering vendors on the IAB Europe Global Vendor List, in which case their Vendor IDs are available on the GVL, or (b) subject to contractual data licence agreements that impose equivalent obligations including consent disclosure requirements. A current list of our principal data vendors and sub-processors is available on request from legal@fivecellgroup.com.
Recipients of data licensed under Activity B are not part of the TCF-governed vendor ecosystem described above; their receipt of data is governed by our data licence agreements with them, as described in Section 7 above.
11. International Transfers
Where personal data is transferred outside the EEA or UK, we ensure that an appropriate transfer mechanism is in place, such as a finding of adequacy or Standard Contractual Clauses, together with a transfer impact assessment and any additional safeguards identified as necessary.
12. Reducing Duplication and User-Defined Controls
We support mechanisms to reduce duplicate processing and respect user-defined privacy controls, including:
Global Privacy Control ("GPC"): recognised and honoured as described in our Your Privacy Rights page
Signal-based suppression: opt-outs and objections registered via any TCF-compliant CMP, or received via our data vendors' disclosed consent mechanisms, are propagated across our systems
Suppression lists: hashed identifiers of opted-out users are maintained indefinitely to ensure opt-outs remain effective across our data partners
13. Vendor Identity and Contact Information
Fivecell Research Group Limited
Dimostheni Severi 12, Office 601, 1080 Nicosia, Republic of Cyprus
For business partnership, ad operations, and technical integration enquiries: finance@fivecellgroup.com
14. Contact and Supervisory Authorities
For questions or concerns about our advertising data practices or our participation in the IAB Europe TCF, please contact:
Privacy & Data Compliance Team
Fivecell Research Group Limited
Dimostheni Severi 12, Office 601, 1080 Nicosia, Cyprus
Email: legal@fivecellgroup.com
We aim to respond to all privacy enquiries within 30 days.
Our lead supervisory authority for GDPR purposes is the Office of the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy). Matters relating to the TCF framework may also fall under the jurisdiction of the Belgian Data Protection Authority (https://www.dataprotectionauthority.be/citizen), which has supervisory responsibility over IAB Europe.