Privacy policy
Last Updated: 11th June 2026
1. Introduction
Fivecell Research Group Limited (“Fivecell,” “we,” “our,” or “us”) is committed to protecting and respecting your privacy. This Privacy Policy explains how Fivecell collects, uses, stores, transfers, or otherwise processes personal data in connection with:
Our websites
Our software-as-a-service (“SaaS”) platform providing advertising intelligence, market research, and analytics services
Our business development activities and contacts
We are committed to transparency regarding our data practices in accordance with the EU General Data Protection Regulation (“GDPR”), and other applicable data protection laws in the jurisdictions in which we operate.
By accessing or using our websites or services, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are
Fivecell Research Group Limited is a company registered in the Republic of Cyprus.
Registered Address: Dimostheni Severi 12, Office 601, 1080 Nicosia, Cyprus
Data Protection Officer (“DPO”)
Fivecell has appointed a Data Protection Officer as required under Article 37 of the GDPR. The DPO is responsible for overseeing our data protection compliance, including our participation in the IAB Europe Transparency & Consent Framework.
Contact details for our DPO:
Email: legal@fivecellgroup.com
Postal Address: Data Protection Officer, Fivecell Research Group Limited, Dimostheni Severi 12, Office 601, 1080 Nicosia, Cyprus
Our lead supervisory authority for GDPR purposes is the Office of the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy), given our establishment in the Republic of Cyprus. Matters relating to the IAB Europe Transparency & Consent Framework may also fall within the jurisdiction of the Belgian Data Protection Authority (www.dataprotectionauthority.be/citizen), which supervises IAB Europe as the Managing Organisation of the Framework.
3. Our Role: Controller and Processor
Depending on the activity, Fivecell may act as a data controller (where we determine the purposes and means of processing) or as a data processor (where we process data solely on behalf of and in accordance with the instructions of a client).
Where we act as a processor, the relevant client is responsible for providing notices to individuals whose data is shared with us as recipients. This Privacy Policy describes our practices where Fivecell acts as a controller.
In respect of both the production of generalised audience and location insights through our SaaS platform, and the licensing of underlying data to our clients, Fivecell acts as a controller, determining the purposes and means of processing in each case independently.
4. Categories of Personal Data We Process
Depending on the context of your interaction with us, we may collect or process the following categories of personal data:
If you interact with our website (e.g. as a prospective client, job applicant, or business contact):
Full name
Business email address and account information
Telephone number
Subscription and communication preferences
Technical data collected via our website (strictly necessary cookies only — see Section 5 below):
Browser type and version
Operating system
Language settings
Session identifiers required for the website to function
Data we receive in connection with our advertising intelligence platform:
As described in detail in our Internet Advertising Transparency & Data Processing Disclosure, Fivecell does not collect personal data directly from website visitors through our own website for advertising purposes, and does not place advertising cookies, pixels, or similar tracking technologies. Instead, we receive pseudonymous identifiers and associated signals from third parties within the digital advertising supply chain, including data licensors, supply-side platforms, and other technology vendors, for the purposes described in Section 6 below.
These signals may include:
Cookie IDs, mobile advertising identifiers, and privacy-preserving identifiers such as ID5 IDs (received from third parties, not placed by Fivecell)
IP addresses
Device characteristics
Browsing and interaction data (e.g. page views, clicks, conversion events)
Precise location data (latitude and longitude), where provided by our data vendors
Audience segment classifications and interest categories
Campaign metadata
Some of this data is used by us to produce generalised audience and location insights through our SaaS platform (see Section 6 below). Separately, we may license underlying data to our enterprise clients under data licence agreements. See our Internet Advertising Transparency & Data Processing Disclosure for full details of both activities.
Special Categories of Personal Data:
We do not knowingly collect, infer, or process special categories of personal data as defined under Article 9 GDPR (including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data for identification purposes) as part of our advertising intelligence activities. The IAB Europe Transparency & Consent Framework, within which we operate, is not designed or intended to facilitate the processing of such data. If we become aware that special category data has been inadvertently collected, we will delete it promptly and take appropriate remedial action.
5. Cookies and Similar Technologies on Our Website
Fivecell’s own website (fivecellgroup.com) uses only cookies that are strictly necessary for the website to operate, for example, cookies used to maintain your session and ensure the security of our website. These cookies do not require consent under the ePrivacy Directive and cannot be switched off.
Fivecell does not place advertising or tracking cookies on its own website, and does not use its own website to collect personal data for advertising purposes.
If you have arrived at our website from an advertising context, or if you are seeking information about how Fivecell processes data received through the digital advertising supply chain, please see our Internet Advertising Transparency & Data Processing Disclosure and Section 6 below.
6. Participation in the IAB Europe Transparency & Consent Framework
Fivecell Research Group Limited is in the process of registering as a vendor on the IAB Europe Global Vendor List (“GVL”), which forms part of the IAB Europe Transparency & Consent Framework (“TCF”). The TCF is an industry-wide framework that enables publishers, advertisers, and technology vendors to communicate user consent and privacy preferences in a standardized way across the digital advertising ecosystem, in compliance with the GDPR, the ePrivacy Directive, and the UK’s equivalent legislation.
Upon successful registration, Fivecell will be assigned a GVL Vendor ID and our entry will be publicly accessible at https://vendor-list.consensu.org. This policy will be updated to reflect our Vendor ID at that time.
How We Receive Data
Fivecell does not place advertising cookies, pixels, or similar tracking technologies on user devices, and does not itself store or access information on a user’s device for advertising purposes (TCF Purpose 1 is therefore not used by Fivecell). Instead, we receive pseudonymous identifiers, such as cookie IDs and mobile advertising IDs, that have already been collected by other parties (publishers, supply-side platforms, or other technology vendors) through the programmatic advertising supply chain.
When we receive such identifiers, they are accompanied by a Transparency & Consent String (“TC String”) generated by the originating party’s Consent Management Platform (“CMP”), which confirms whether the end user has consented to processing by Fivecell, or has not objected to Legitimate Interests processing by Fivecell, for the purposes set out below. We process data only where the TC String confirms the required legal basis has been established for our Vendor ID.
In anticipation of and in alignment with our TCF obligations, we already operate in accordance with the principles of the Framework. Once our GVL registration is complete, in practical terms this will mean:
We declare the specific TCF Purposes, Special Purposes, and Features for which we process data, along with the Legal Basis for each, as set out in the table below.
Where users provide or withdraw consent, or register an objection to Legitimate Interests processing, through a TCF-compliant CMP, we read and honour those signals via the TC String passed to us.
We do not process personal data for purposes beyond those declared below unless we have a separate and independent lawful basis under applicable law.
We operate a suppression and opt-out architecture that propagates user choices to our downstream data partners and sub-processors.
Special Feature 1 — Precise Geolocation Data
Some of the data we receive from our data vendors includes precise location data (latitude and longitude). Under the TCF, this is classified as Special Feature 1 (Use precise geolocation data), which requires explicit opt-in consent and cannot be based on Legitimate Interests. This consent is obtained by our data vendors at the point of original data collection (for example, via an app’s location permission), and their consent disclosures cover the provision of this data to third parties, including Fivecell, for analytics purposes.
Within our SaaS platform, precise location data is used only as an input. All location-based outputs are processed through a signal-noise algorithm that deliberately obscures precise positioning, so no output ever reveals or exposes an individual’s exact location.
Where we rely on Legitimate Interests, we have conducted and documented a Legitimate Interests Assessment (“LIA”) for each applicable purpose. You have the right to object to processing based on Legitimate Interests, see Section 9 (Your Rights) for how to do so.
Once our GVL registration is confirmed, this section will be updated to include our Vendor ID and a direct link to our GVL entry. For further information about the TCF, visit https://iabeurope.eu/transparency-consent-framework/.
As Fivecell does not yet hold a GVL Vendor ID, our current receipt of data rests on the disclosed-purpose consent obtained by our data vendors, each of whom is an IAB-registered vendor whose consent disclosures cover the provision of data to third parties, including Fivecell, for analytics purposes. Upon completion of our GVL registration, our systems are designed to additionally check incoming TC Strings for Vendor-ID-specific consent and Legitimate Interests signals corresponding to our declared Purposes, Special Purposes, and Special Features, once our data vendors’ Consent Management Platform configurations are updated to include our Vendor ID.
Our Intended TCF Purposes, Special Purposes, Features, and Legal Bases:
TCF Reference | Description | Legal Basis |
|---|---|---|
Purpose 3: Create profiles for personalised advertising | Combining identifiers and behavioural signals received via the supply chain to build audience interest profiles | Consent (established upstream, confirmed via TC String) |
Purpose 4: Use profiles to select personalised advertising | Using audience profiles to determine relevant advertising | Consent (established upstream, confirmed via TC String) |
Purpose 7: Measure advertising performance | Reporting on ad impressions, clicks, conversions, and campaign reach | Legitimate Interests |
Purpose 9: Understand audiences through statistics | Producing aggregated audience reports and market intelligence | Legitimate Interests |
Purpose 10: Develop and improve services | Research and development relating to our SaaS platform and data models | Legitimate Interests |
Special Purpose 1: Ensure security, prevent and detect fraud, and fix errors | Detecting invalid traffic and protecting platform integrity | Legitimate Interests |
Special Purpose 3: Save and communicate privacy choices | Recording and propagating user privacy choices across our systems | Legitimate Interests |
Feature 1: Match and combine data from other data sources | Combining data received from licensed data partners and the supply chain to enrich audience profiles | Disclosed Feature |
Feature 2: Link different devices | Associating signals from different devices with the same user, whether through deterministic or probabilistic methods or through pre-linked ID graph data received from data vendors | Disclosed Feature |
Feature 3: Identify devices based on information transmitted automatically | Using device signals transmitted automatically as part of normal bid-stream and data feed communication (including User-Agent, Device OS, Device Make, Device Model, Carrier, and IP address) for device classification, audience modelling, measurement, and fraud detection | Disclosed Feature |
Special Feature 1: Use precise geolocation data | We receive precise location data (latitude/longitude) from data vendors, used as an input to generalised audience and spatial analytics | Consent (established by the upstream vendor’s disclosed consent; to be confirmed via Vendor-ID-specific TC String signal upon GVL registration) |
7. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, and in accordance with our obligations under applicable law. The following schedule sets out our standard retention periods by processing activity:
Processing Activity | TCF Reference | Data Type | Retention Period |
|---|---|---|---|
Audience profile creation | Purpose 3 | Segmentation data, interest classifications, identifiers received from partners | 12 months from last signal received |
Personalised advertising | Purpose 4 | Ad targeting parameters and profile associations | 12 months from last activity |
Campaign measurement and attribution | Purpose 7 | Impression logs, click logs, conversion events | 25 months, to support multi-year campaign analysis and regulatory audit |
Market research and audience insights | Purpose 9 | Aggregated and anonymised insight outputs | 36 months |
Platform improvement and development | Purpose 10 | Analytical usage data, product telemetry | 24 months |
Raw (pre-generalisation) location data: Activity A inputs | Purpose 9 / 10 input | Precise location data (lat/long) prior to generalisation | 24 months |
Fraud prevention and security logs | Special Purpose 1 | Access logs, anomaly records | 12 months, or as required by applicable law |
Privacy choice records | Special Purpose 3 | Hashed identifiers, consent and objection records | Indefinite retained to demonstrate accountability for privacy choices received and acted upon |
Data combination and enrichment | Feature 1: Match and combine data from other data sources | Multi-source identifiers and contextual data combined to enrich audience profiles | Retained per the parent Purpose the enriched data is used for — maximum 36 months (Purpose 9). No additional retention beyond the parent Purpose period. |
Cross-device linking (if applicable) | Feature 2: Link different devices | Device association records, ID graph data | Retained per the parent Purpose the linked data is used for — maximum 36 months (Purpose 9). No additional retention beyond the parent Purpose period. |
Passive device identification (if applicable) | Feature 3: Identify devices based on information transmitted automatically | User-agent strings, IP addresses, device characteristics used for identification | Retained per the parent Purpose the identification data is used for — maximum 25 months (Purpose 7). No additional retention beyond the parent Purpose period. |
Precise geolocation processing | Special Feature 1: Use precise geolocation data | Precise location data (latitude/longitude) received from data vendors | Raw inputs: 24 months. Generalised outputs (Activity A): governed by Purpose 9 / Purpose 10 retention above. Activity B: governed by the relevant data licence agreement. |
Legal compliance and dispute records | Legal obligation | Contracts, correspondence, opt-out records | 6 years from the end of the relevant relationship |
Suppression lists (opt-out records) | All purposes | Hashed identifiers of opted-out users | Indefinitely, to ensure opt-outs remain effective |
Data licensed to clients: Activity B | N/A (separate basis) | Underlying data, including precise location, licensed under data licence agreements | Governed by the relevant data licence agreement, not by Fivecell’s own retention schedule once delivered |
8. International Transfers
Where personal data is transferred outside the European Economic Area ("EEA") or the United Kingdom, we ensure that an appropriate transfer mechanism is in place, such as:
A finding of adequacy by the European Commission or the UK Government in respect of the destination country, or
Standard Contractual Clauses ("SCCs") approved by the European Commission, together with a transfer impact assessment and any additional safeguards identified as necessary.
We maintain a schedule of our international transfers and the safeguards relied upon, available on request.
9. Your Rights
Depending on your location, you may have the following rights in relation to your personal data:
The right to request access to your personal data
The right to request correction of inaccurate personal data
The right to request erasure of your personal data
The right to restrict certain types of processing
The right to object to processing based on Legitimate Interests
The right to data portability
The right to withdraw consent at any time where processing is based on consent
Rights in the Context of TCF-Based Processing
Where we process your personal data as a result of consent or a Legitimate Interests determination communicated through an IAB Europe TCF-compliant CMP, you may exercise your rights, including withdrawing consent or objecting to Legitimate Interests processing, by revisiting the privacy or cookie settings on any website where you originally provided consent. Changes made through a CMP will be communicated to us automatically via an updated TC String.
If you wish to exercise rights directly with Fivecell, please contact us at legal@fivecellgroup.com. We will respond within 30 days as required by applicable law, and within 45 days where the request is complex.
You also have the right to lodge a complaint with a supervisory authority, see Section 2 above for the relevant authorities.
10. Sharing of Personal Data
We may share personal data with:
Our data partners and licensors, under appropriate contractual safeguards
Clients to whom we provide advertising intelligence or SaaS services, where we act as a processor
Service providers who support our infrastructure, security, and operations
Regulatory or governmental authorities, where required by law, court order, or to protect our legal rights
We require all recipients to handle personal data in accordance with applicable law and, where relevant, the requirements of the IAB Europe TCF.
11. Children's Privacy
Our services are not directed at children, and we do not knowingly collect personal data from individuals under the age of 16 (or such other age as may apply under local law). The TCF Policies and our own practices do not contemplate the processing of children's data, and we do not declare such processing in our GVL entry.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or our participation in the IAB Europe TCF. We will update the "Last Updated" date at the top of this page and, where changes are material, provide additional notice as appropriate.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Fivecell Research Group Limited
Dimostheni Severi 12, Office 601, 1080 Nicosia, Cyprus
Email: legal@fivecellgroup.com