Last updated: 28 April 2026
EPOM SERVICES LTD (“Epom”, “we”, “us”, “our”) provides programmatic advertising technology. This Privacy Policy (“Policy”) explains what personal information we collect, why we collect it, what we do with it, who we share it with, how long we keep it, and the rights you have under data-protection law.
This Policy is written for two audiences:
Site visitors and customers — people who visit epom.com or sign up for an Epom account.
End users of advertising — people who see ads delivered through Epom's Services on third-party websites and mobile apps.
Read the section that applies to you, or the whole Policy. If anything is unclear, write to us at support@epom.com.
The data controller for the personal information described in this Policy is:
EPOM SERVICES LTD
79 Spyrou Kyprianou Avenue, Protopapas Building, 2nd floor office 201
3076 Limassol, Cyprus
Email: support@epom.com
Epom is registered as a Vendor with the IAB Europe Transparency & Consent Framework (TCF) Global Vendor List under Vendor ID 849. You can verify our registration and the purposes for which we are authorised to process personal information at iabeurope.eu/vendor-list.
How we use terms in this Policy. “Personal information” (and, where applicable, “personal data”) means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1) or in the equivalent law that applies to you. “Process” / “processing”, “controller”, “processor” and “data subject” have the meanings given to them in GDPR Article 4 or in the equivalent law that applies to you. The “Site” means the website at epom.com. The “Services” means the products and services listed in Section 2. The “Customer” means a paying customer of Epom holding an Epom account, including a publisher, ad network, advertiser, agency or white-label operator. The “Policy” means this Privacy Policy. References to “you” mean the natural person whose personal information is being described in the relevant section.
This Privacy Policy applies to:
epom.com — our marketing website, including landing pages, blog, glossary, sign-up flow and contact forms.
Customer accounts and the customer-facing parts of the Epom platform that paying customers use to manage their business with Epom.
White-label deployments of Epom Ad Server, white-label SSP installations and customer-operated implementations of the Epom Mobile SDK — only with respect to Epom's own processing activities in the role described below.
Other Epom products and separately operated services — including Epom's programmatic marketplace and any product that publishes its own privacy policy — are governed by the privacy policy of that specific product or service. This Privacy Policy does not describe their processing activities; please refer to the policy of the product you are using.
Epom's role under data-protection law depends on the Service involved:
epom.com and Epom Customer accounts. Epom is the data controller. We decide what personal information is collected from Site visitors and Customers and how it is used.
White-label deployments of Epom Ad Server, white-label SSP installations and Customer-operated implementations of the Epom Mobile SDK. Epom is by default a data processor acting on the instructions of the Customer (the publisher, ad network or white-label operator), who is the controller. Epom processes personal information in such deployments only in accordance with the agreement that the Customer has with us, which incorporates the data-protection terms required by applicable law. The Epom Ad Server provides the Customer with the option to declare Epom (TCF Vendor ID 849) as a vendor in the Customer's Consent Management Platform; where the Customer enables that option, Epom additionally acts as an independent data controller for the personal information processed under that vendor registration, in accordance with the IAB Transparency & Consent Framework. The publisher and each demand-side bidder are independent controllers for the data each of them processes; we are not joint controllers within the meaning of GDPR Article 26.
End users interacting with a white-label deployment should refer to the privacy policy of the operator of that deployment for the controller's contact details and for the exercise of their rights against the controller. This Policy describes only Epom's own processing activities, not those of our white-label Customers.
3.1 Information you provide directly (Site visitors and customers)
When you sign up for an account, request a demo, fill in a contact form or contact our sales or support team, we collect:
full name and contact details (email, phone number, business website);
account credentials (username; passwords are stored only as one-way salted hashes and we do not see them in plain text);
billing and tax information for paying Customers (company name, billing address, VAT or other tax identifier);
messages you send us through email, support tickets, chat or any other channel.
3.2 Information collected automatically when you visit epom.com
Whenever your browser loads any page of epom.com we collect:
IP address and approximate location derived from it (country, region and city);
browser and device information (User-Agent, operating system, screen size, timezone, language preference);
pages viewed, time on page, scroll depth, clicks and the page that referred you to us;
cookies and similar identifiers — see Section 8.
3.3 Information processed in programmatic advertising (end users of advertising)
When an ad is served through Epom's Services on a third-party website or mobile app, the following may be processed about you for the purposes set out in Section 4:
a pseudonymous identifier — a cookie ID on the web, a mobile-advertising identifier (IDFA on iOS, AAID on Android) where the publisher and the operating system permit it, or a similar identifier;
the URL of the page or the app bundle identifier where the ad opportunity arises, and the surrounding ad slot information (size, format, position);
device data: User-Agent, operating system, device type and model, screen size, language preference, timezone;
IP address and approximate location at city level derived from it. We do not process precise geolocation data (such as GPS coordinates) about end users; precise geolocation is excluded from Epom's ad-serving processing even where a publisher's app or a user's device is technically able to provide it;
connection type and mobile carrier where available;
a single yes / no signal that we detect client-side, indicating whether your browser is in private (incognito) mode;
the IAB TCF consent string and the IAB Additional Consent string supplied to us by the publisher's Consent Management Platform;
bid-stream data passed to demand-side bidders — the contextual and pseudonymous data above, sent to the buyers we work with so they can decide whether to bid;
aggregated impression, click, conversion, viewability and fraud-detection records.
What we do not collect. Through the programmatic advertising path we do not knowingly collect:
your real name, postal address, phone number, government-issued identifiers or financial-account details;
special-category data under GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, data concerning sex life or sexual orientation);
data from segments specifically targeting children under the age of 16.
Mobile applications integrating an Epom Android or iOS SDK can read advertising identifiers (IDFA / AAID) where the operating system and the application permissions you have granted to the app allow this. The Epom SDK does not request, collect or transmit precise geolocation data (GPS coordinates) to Epom's servers.
Sources of personal information (GDPR Article 14(2)(f); California Civil Code § 1798.130). For information we do not collect directly from you, the sources are: (a) your browser or device, when it loads pages or apps that include Epom code; (b) the publisher or app operator on whose property you encounter the ad and that publisher's Consent Management Platform; (c) Epom Customers using the Services to deliver advertising; (d) demand-side platforms participating in our bid stream; and (e) the sub-processors listed in Section 6 (for example, fraud-detection and creative-scanning providers).
Whether providing personal information is required (GDPR Article 13(2)(e)). For Site visitors and Customers, providing the personal information described in Section 3.1 is necessary for us to create and operate your Epom account and to respond to your sign-up, demo or contact request; if you do not provide it we will not be able to provide the corresponding part of the Services. For end users of advertising, you are not required to provide any personal information to Epom; the data described in Section 3.3 is collected automatically when an ad opportunity is presented, and you can refuse it through the cookie controls and TCF consent mechanisms described in Section 9.
The list below maps every purpose for which we process personal information to the corresponding IAB TCF purpose, where one applies. The TCF purposes are publicly defined at iabeurope.eu/transparency-consent-framework.
Storing and accessing identifiers on your device. Setting and reading cookies, mobile-advertising IDs and similar identifiers needed for everything below (TCF Purpose 1).
Using limited data to select advertising. Choosing an ad to show using the page context and limited data that does not include your prior browsing behaviour across other sites and apps (TCF Purpose 2).
Measuring advertising performance. Counting impressions, clicks, conversions and viewability; producing reports for publishers and advertisers; detecting invalid traffic and fraud (TCF Purpose 7).
Delivering and presenting advertising. Rendering the ad creative on the page or in the app, including reasonable technical adaptations such as responsive layouts (TCF Special Purpose 2).
Matching and combining offline data sources. Linking pseudonymous identifiers across first-party datasets that our partners control, where they have a lawful basis to do so (TCF Feature 1).
Operating and securing the Services. Authenticating users; detecting and preventing fraud, abuse and security incidents; debugging issues; capacity planning. Internal processing, not a TCF purpose.
Customer relationship management. Communicating with paying customers, sending invoices, supporting their use of their Epom account. Internal processing, not a TCF purpose.
Marketing of our own Services. Sending newsletters and product updates to customers and to people who have opted in, and showing re-marketing ads on epom.com. You can unsubscribe or opt out at any time. Not a TCF purpose.
Legal compliance and dispute resolution. Keeping the records required by tax, accounting and other applicable laws; responding to law-enforcement and regulatory requests; defending or bringing legal claims. Not a TCF purpose.
Profiling and automated decision-making. The activities described above include profiling within the meaning of GDPR Article 4(4): we use automated processing of pseudonymous data to evaluate aspects relating to you (such as inferred interests or device context) in order to select, deliver and measure advertising. This profiling does not produce legal effects concerning you or similarly significantly affect you within the meaning of GDPR Article 22(1), and we do not take solely automated decisions about you that have such effects.
Use of artificial intelligence and machine learning. The automated processing described above may involve machine-learning models for tasks such as click-through-rate prediction, fraud detection and ad-creative scanning. Epom does not deploy artificial-intelligence systems that fall within the “high-risk” categories listed in Annex III of Regulation (EU) 2024/1689 (the EU AI Act); we do not use AI to make decisions concerning your access to essential private or public services, employment, education, credit, social benefits, law enforcement, migration or similar areas. The output of our models is used solely for advertising selection, performance measurement and platform-integrity purposes.
How we process consent signals. Where the publisher's Consent Management Platform supplies us with an IAB TCF consent string, Epom parses the string and processes personal information for TCF Purposes 1, 2, 7 and Feature 1 only where valid consent has been signalled for Epom. Where the publisher additionally supplies a Google Additional Consent (AC) string, Epom takes that AC string into account in line with Google's published Additional Consent Mode specification when working with Google ad-tech vendors that are not yet enrolled in the IAB TCF. If a consent signal is missing, malformed or has expired, we treat the affected purposes as unconsented and limit processing to what is permitted without consent (such as TCF Special Purpose 2 — delivering and presenting advertising, and the limited fraud-prevention measures permitted under it).
We process personal information only where we have a valid legal basis under GDPR Article 6, the UK GDPR, the UK Data Protection Act 2018 and the Swiss Federal Act on Data Protection. The basis depends on the purpose:
Consent (Article 6(1)(a) GDPR). For setting non-essential cookies and similar identifiers and for processing pseudonymous data for personalised advertising (TCF Purposes 1, 2, 7 and Feature 1). Consent is captured by the publisher's IAB-compliant Consent Management Platform and signalled to us in the TCF consent string. You can withdraw your consent at any time through the same Consent Management Platform; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Legitimate interests (Article 6(1)(f) GDPR). For site analytics on epom.com, fraud and invalid-traffic detection, basic non-personalised ad delivery, debugging and securing the Services. Our legitimate interest is in operating, improving and protecting the Services and our Customers' investment in them. Before we rely on legitimate interests for any processing operation, we balance our interests against your rights and freedoms, taking into account the pseudonymous nature of the data and the safeguards in place. You can object on grounds relating to your particular situation — see Section 12.
Contract (Article 6(1)(b) GDPR). For creating an account, providing the Services to paying customers, billing and supporting the contractual relationship.
Legal obligation (Article 6(1)(c) GDPR). For tax records, accounting records, statutory retention obligations and responses to law-enforcement requests.
Soft opt-in for marketing emails to existing Customers (Article 6(1)(f) GDPR + Recital 47; ePrivacy Directive Article 13(2)). For sending product-update emails and similar communications about products and services comparable to those a Customer already uses. Marketing emails include an unsubscribe mechanism, and you can opt out at any time by following the instructions in the email or by writing to support@epom.com. For marketing to non-Customers we rely on your prior consent (Article 6(1)(a) GDPR).
Data-protection principles (GDPR Article 5). In addition to relying on a valid legal basis for each processing operation, Epom processes only the personal information that is necessary for the purposes described in Section 4 (data-minimization principle, Article 5(1)(c)), keeps the data accurate (Article 5(1)(d)), retains it no longer than is necessary for those purposes in line with Section 10 (storage-limitation principle, Article 5(1)(e)), and processes it in a manner that ensures appropriate security in line with Section 14 (integrity and confidentiality, Article 5(1)(f)). We can demonstrate compliance with these principles on request (accountability principle, Article 5(2)).
We share personal information only:
With our Customers. Publishers, ad networks, advertisers, agencies and white-label operators using the Services receive performance reports and aggregated data relating to their own activities; white-label operators of Epom Ad Server receive the personal information of users their deployment serves, in their capacity as the controller for that deployment. Customers receive only the data they need for their own use of the Services, on the terms of their agreement with Epom.
With demand-side bidders. When an ad opportunity is auctioned in the bid stream, the pseudonymous identifier and contextual data described in Section 3.3 are sent to the demand-side platforms and ad networks we work with so they can decide whether to bid for the impression. Buyers receive bid requests under the contractual frameworks that apply to programmatic advertising — which may include bilateral seat agreements with Epom, the OpenRTB protocol terms and, where applicable, IAB-published frameworks such as the Multi-State Privacy Agreement (MSPA) — under which buyers undertake to use the data only for the bidding decision and the resulting ad delivery. Epom is not in a position to audit each bidder's downstream use of the data in real time and is therefore dependent on the contractual framework and on industry-level enforcement for ongoing compliance.
With sub-processors. Companies we engage to provide infrastructure on our behalf under data-processing agreements that limit them to acting on our instructions, including:
cloud-hosting providers (compute, storage, content-delivery network) established and operating data centres in the European Economic Area, so your data is not subject to extraterritorial access laws of third countries;
creative-scanning providers that screen advertising creatives delivered through our Services for malware and policy violations on our behalf;
device-, IP- and bot-intelligence providers used for fraud and invalid-traffic detection;
website-analytics providers used to compile aggregate platform-performance reports for the Site and the Epom platform;
consent-management-platform providers that operate the cookie-consent banner described in Section 8;
tag-management and CAPTCHA providers used to load and protect content on the Site;
email and customer-communications providers used to send transactional and marketing emails on our behalf and to manage support correspondence;
customer-relationship-management and billing providers used to administer Customer accounts, invoices and payments;
error-monitoring and observability providers used to detect, diagnose and resolve technical issues with the Services.
The current named list of our sub-processors is available on request to support@epom.com and is the canonical reference. Save for sub-processors whose identity is necessarily user-visible (such as the Consent Management Platform named in Section 8), this Policy does not name individual vendors in this Section, as their identity may change without advance public notice.
With authorities and in legal proceedings. Where we are required to do so by law, a court order or another legally binding request, or to investigate, prevent or respond to fraud, security incidents or violations of our terms.
In connection with a corporate transaction. If Epom is involved in a merger, acquisition, financing, reorganisation or sale of assets, personal information may be transferred to the counter-party subject to confidentiality obligations and to the continuation of this Policy. We will notify active Customers and post a notice on the Site of any such transfer. Because Epom retains personal information about end users for only three days (see Section 10), individual notification of end users is generally not feasible; the Site notice and the relevant Customer's privacy notice are the channels through which end users will be informed.
We do not engage in the traditional sale of personal information for monetary consideration. However, the broad statutory definitions of “sale” and “sharing” under the California Consumer Privacy Act (as amended by the CPRA) and similar US state laws may capture some of the disclosures described above (in particular, disclosures to demand-side bidders). For US residents, the rights and opt-out mechanisms that apply to such disclosures are described in Section 13.
We notify our Customers of intended changes to the list of sub-processors that act on their behalf, in line with the data-protection terms in our agreement with them.
Third-party websites and services. The Site and the Services may contain links to, or embed content from, third-party websites and services that are not operated by Epom. This Policy applies only to Epom's own processing; we do not control, and are not responsible for, the privacy practices of any third party to whose website or service we link or whose content we embed. We encourage you to review the privacy notice of any third party before providing it with your personal information.
The core infrastructure that hosts our raw event logs and aggregated analytics is located within the European Economic Area (EEA), with our cloud-hosting provider established in the EEA. The main personal-information processing carried out by Epom therefore takes place inside the EEA.
Some of the sub-processors listed in Section 6 — in particular consent-management, tag-management, CAPTCHA, content-delivery, website-analytics and certain creative-scanning providers — are established in the United States or in other countries outside the EEA, and process limited personal information (typically request-level metadata such as IP address and User-Agent, and aggregate usage data) on infrastructure outside the EEA. For each transfer of personal information outside the EEA we rely on:
a European Commission adequacy decision under GDPR Article 45 (for example, the EU-US Data Privacy Framework where the recipient is self-certified, or the adequacy decisions for the United Kingdom, Switzerland and Israel); or
the Standard Contractual Clauses adopted by the European Commission in 2021 (Decision 2021/914/EU), supplemented where necessary by additional safeguards such as encryption, pseudonymisation, contractual audit rights and a Transfer Impact Assessment.
You can request a list of countries to which your personal information may be transferred and a copy of the safeguards in place by emailing support@epom.com.
We use cookies, mobile-advertising identifiers, web beacons (also called tracking pixels), local storage and similar technologies to identify devices, count impressions and clicks, prevent fraud, deliver advertising and measure its performance, and to keep you logged in to your Epom account.
Consent Management Platform on the Site. When you visit epom.com for the first time you are presented with a cookie-consent banner served by our Consent Management Platform (Cookiebot by Cybot A/S). The banner allows you to grant or refuse consent separately for each category of cookies described below. Strictly-necessary cookies are exempt from the consent requirement under ePrivacy Directive Article 5(3) and are set without consent; all other categories are set only after you grant consent through the banner. You can revisit your consent choices at any time using the banner's re-open control on the Site, and your withdrawal will take effect immediately for future visits.
The cookies we set fall into the following categories (the labels in parentheses are those used by our Consent Management Platform):
Strictly necessary (CMP category: Necessary). Required for the parts of the Service you have actively requested — for example, authentication when you log in to the Epom platform and session continuity for active users. Strictly-necessary cookies are exempt from the consent requirement under ePrivacy Directive Article 5(3).
Functional (CMP category: Preferences). Remember your preferences and choices to provide a more consistent experience. Set only with your consent.
Analytics (CMP category: Statistics). Help us understand how visitors and Customers use our Site and our platform so that we can improve them. Set only with your consent.
Advertising (CMP category: Marketing). Used in the programmatic advertising path described in Section 3.3. They store a pseudonymous identifier so that ads can be selected, capped, attributed and measured. Epom advertising cookies have a maximum lifetime of up to 24 months from the time they are set or last refreshed (individual cookies may have shorter lifetimes). Set only with your consent (signalled to us through the IAB TCF consent string and through our Consent Management Platform on the Site).
Non-cookie identifiers. As declared in Epom's IAB Global Vendor List entry (usesNonCookieAccess: true), where cookies are unavailable or have been blocked Epom may also use non-cookie technical signals to identify a browser or device. These signals can include device fingerprints derived from publicly available client characteristics (such as User-Agent string, screen dimensions, timezone offset and language preference) and tokens stored in the browser's local storage. Non-cookie identifiers are processed under the same legal bases (Section 5), retention windows (Section 10) and opt-out controls (Section 9) as cookies, and are subject to the same TCF consent signalling.
Cookie refresh. As declared in Epom's IAB Global Vendor List entry (cookieRefresh: true), the expiry timestamp of an Epom advertising cookie may be refreshed each time your browser interacts with one of our ad-serving domains. Each refresh resets the 24-month maximum to the time of the latest interaction. If you continue to receive ads served through Epom, the cookie may therefore persist beyond 24 months from its original creation, but will always expire within 24 months of your last interaction with our networks.
Cookie declaration. A current and machine-readable list of all cookies set on epom.com — including their names, purposes, providers and lifetimes — is generated by our Consent Management Platform and accessible from the cookie-consent banner on the Site (the Cookie Declaration). For cookies set on the ad-serving and CDN domains listed in Sections 16 and 17, the categories described above apply; the “Forget me” mechanism in Section 9 is the central control for those cookies.
Web beacons are small transparent images or pieces of JavaScript that, in combination with cookies, record events such as ad impressions and clicks. They contain no personally identifying information on their own.
Browser controls. You can clear or block cookies in the privacy preferences of your browser. Use the official help pages of the browser you use:
Safari (macOS): support.apple.com — manage cookies in Safari
Microsoft Edge: support.microsoft.com — delete cookies in Microsoft Edge
Blocking cookies may limit your ability to use parts of our Services and may cause us to serve only generic, non-personalised ads.
Mobile-advertising identifiers. You can reset or limit your mobile-advertising identifier in the device settings:
Android (AAID): support.google.com/android/answer/9047289
iOS (IDFA): support.apple.com — control how Apple personalises your experience
TCF consent. Where Epom processes your personal information through the IAB Transparency & Consent Framework, you can grant or withdraw your consent at any time through the Consent Management Platform of the publisher whose website or app you are using.
Epom “Forget me” opt-out. Click the “Forget me” button below to:
clear cookies set by Epom on the epom.com domain in your current browser;
set a special OPT-OUT=1 cookie on epom.com that lasts for approximately 24 months;
send opt-out signals to the ad-serving networks operated by Epom and its customers under our Services (the domains listed in Sections 16 and 17) so that those networks also stop assigning new identifiers to your browser and clear identifiers they have already assigned, on the next request your browser makes to them.
Epom may still serve generic, non-personalised advertising to a browser that has opted out, in line with TCF Purpose 2. Because the opt-out is tied to the identifiers presented by the browser you click “Forget me” from, you need to repeat the step in each browser and on each device you use.
Industry-wide opt-out tools. You can opt out from behavioural advertising delivered by Epom and many other vendors at the same time using IAB Europe's Your Online Choices service at youronlinechoices.com or the Network Advertising Initiative's opt-out page at optout.networkadvertising.org.
Our standard retention period for any personal information we process is three days from the date of collection. This is the data-retention value declared by Epom in the IAB Europe Global Vendor List under Vendor ID 849 and applies by default to all personal information described in Section 3, including in raw event logs (impressions, clicks and conversions with cookie / mobile-advertising identifiers, IP address, User-Agent and similar). After three days, the personal-information fields are either aggregated and stripped of identifiers (see the aggregated-analytics bullet below) or deleted.
The exceptions to the three-day default are:
Cookies and similar identifiers stored on your device — the cookie file itself can persist in your browser or device for up to 24 months from the time it is set or last refreshed. This is the browser-side lifetime of the cookie file; the personal information we process server-side based on a cookie is still held only for the three-day window above. The 24-month browser lifetime matches the “Cookie Max Age” value declared by Epom in the IAB Europe Global Vendor List.
Aggregated analytics records — up to 24 months. By the time data reaches this stage it has been stripped of all user-level identifiers (IP address, User-Agent, cookie ID, mobile-advertising ID and similar) and consists exclusively of site- and banner-level metrics (impressions, clicks, conversions and revenue per site, ad slot, creative or campaign). It is no longer personal data within the meaning of GDPR Recital 26 and is retained to produce platform-performance reports and trend analyses.
Information about paying customers (account, billing, communications) — for the duration of the contract plus six years for accounting and tax records, in line with Cyprus tax-law retention requirements, after which the records are deleted or anonymised. This is a statutory minimum that we cannot shorten.
Marketing leads and prospects — up to 24 months from the date of the last interaction unless you ask us to delete the record sooner. Sales-funnel records are processed separately from the TCF-bound advertising data path, on the legal basis of consent or legitimate interest, and the three-day default does not apply to them.
Records subject to legal hold (litigation, regulatory request) — for as long as the hold remains in effect.
When a retention period ends we delete the data or aggregate it such that it can no longer reasonably be associated with you, in line with GDPR Recital 26 on the concept of anonymisation.
The Services are not directed to children, and we do not knowingly collect personal information from any person below the applicable age threshold for child-data protection, namely:
under 16 in the European Economic Area and Switzerland, or such other age between 13 and 16 as the relevant EEA member state has set under GDPR Article 8 (for example, France 15; Spain, Italy and Germany 14; Belgium 13);
under 13 in the United Kingdom, in line with section 9(1) of the UK Data Protection Act 2018;
under 13 in the United States, in line with the Children's Online Privacy Protection Act (COPPA);
any higher age threshold required by other applicable law.
Because Epom operates as a technology supplier in the advertising supply chain and does not interact with end users directly, we cannot reliably identify the age of an individual whose browser or device requests an ad. We rely on our Customers (publishers, ad networks, advertisers and white-label operators) to ensure that the inventory and audience segments they supply or target through Epom are not directed to children, and we expect our Customers to honour this expectation through their own privacy practices and their agreements with us. We do not knowingly build profiles of children, and we do not knowingly create, supply or sell audience segments that target children.
If you are a parent or guardian and you believe a child has provided personal information to Epom, or that a Customer has used Epom to target advertising at a child, please contact us at support@epom.com. We will delete any personal information we hold about the child without undue delay and notify any Customer involved in the relevant processing.
If you are located in the European Economic Area, the United Kingdom or Switzerland, the General Data Protection Regulation (Regulation (EU) 2016/679) and equivalent local laws grant you the rights described below in respect of personal information that Epom processes about you. Epom facilitates the exercise of these rights free of charge, except where a request is manifestly unfounded or excessive.
Right to be informed (Articles 13 and 14 GDPR). You have the right to be told what personal information Epom collects about you, why we collect it, the legal basis for processing, how long we retain it and with whom we share it. This Privacy Policy is intended to provide that information.
Right of access (Article 15 GDPR). You have the right to confirm whether Epom processes personal information about you and to obtain a copy of that information together with details of how it is processed.
Right to rectification (Article 16 GDPR). You have the right to have inaccurate personal information corrected and incomplete information completed.
Right to erasure (Article 17 GDPR). This right is also known as the “right to be forgotten”. You have the right to request deletion of your personal information where, for example, it is no longer necessary for the purposes for which it was collected, you have withdrawn your consent, or you have validly objected to the processing. This right does not apply where one of the exceptions in GDPR Article 17(3) applies, including where processing is necessary for compliance with a legal obligation, for the establishment, exercise or defence of legal claims, or for reasons of public interest.
Right to restrict processing (Article 18 GDPR). You have the right to ask Epom to limit how your personal information is used, for example while we verify a rectification request or evaluate an objection.
Right to object (Article 21 GDPR). You have the right to object, on grounds relating to your particular situation, to processing based on Epom's legitimate interests. You also have an unconditional right to object to processing for direct marketing purposes; if you exercise that right we will stop the relevant processing.
Right to data portability (Article 20 GDPR). Where Epom processes your personal information by automated means on the basis of your consent or a contract, you have the right to receive that information in a structured, commonly used, machine-readable format (typically JSON or CSV) and to transmit it to another controller where technically feasible. For end users whose only relationship with Epom is a pseudonymous identifier (cookie or mobile-advertising ID), the personal information available for portability is limited to the request-level fields associated with that identifier (typically IP address, User-Agent, page or app context and timestamp) and is only available within the three-day retention window described in Section 10. After that window, no personal information remains for us to port.
Right to withdraw consent (Article 7(3) GDPR). Where Epom's processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint (Article 77 GDPR). If you believe Epom's processing of your personal information infringes data-protection law, you have the right to lodge a complaint with a supervisory authority. EPOM SERVICES LTD is established in Cyprus, and our lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (dataprotection.gov.cy). You may also lodge a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement.
Right to compensation (Article 82 GDPR). If you have suffered material or non-material damage as a result of an infringement of the GDPR, you have the right to receive compensation from the controller or processor responsible for the damage.
To exercise any of these rights, please write to support@epom.com with the subject line “GDPR Request”. We will respond within one month of receipt; for complex or numerous requests we may extend this period by up to two further months and will inform you of the extension and the reasons. We may ask you to verify your identity before we act on a request, to ensure that personal information is not disclosed to unauthorised persons.
If you are an end user of advertising and your only relationship with Epom is through a pseudonymous cookie or mobile-advertising identifier, please include in your request the identifier we hold about you (for example, the value of an Epom cookie copied from your browser's developer tools, or the IDFA / AAID shown in your device settings) so that we can locate the corresponding records. Without this information we may be unable to identify the data that relates to you and will explain this in our response.
Please note that Epom may retain and use your personal information as necessary to comply with its legal obligations, resolve disputes and enforce Epom's agreements. After Epom deletes your personal information, residual copies may take a period of time before they are deleted from Epom's active servers and may remain in its backup systems. This deletion will not change or delete personal information which may have already been shared with third parties as permitted in this Policy or any other agreement between you and Epom.
Epom conducts periodic assessments of its data-processing and privacy practices to ensure that they comply with this Policy, updates the Policy when necessary and ensures that the Policy is properly displayed and accessible.
If you are a resident of a US state that has enacted a comprehensive consumer-privacy law (which, at the time of this Policy, includes California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island and Kentucky, with additional states in the process of implementing similar laws), the disclosures and rights described in this Section apply to the personal information that Epom processes about you in its role as a business or controller (see Section 2). The exact list of rights and the precise terminology vary by state. For personal information processed by Epom as a service provider, contractor or processor on behalf of a Customer, please contact that Customer directly. Sector-specific laws (HIPAA, GLBA, FCRA, COPPA and similar) apply where relevant in addition to the rights described here.
The rights commonly available under US state privacy laws include:
Right to know what personal information we have about you, the sources, purposes and categories of recipients, and to receive a copy. Under California Civil Code § 1798.110(a) this includes the right to receive the specific pieces of personal information Epom holds about you, in addition to the categories.
Right to delete your personal information, subject to permitted exceptions (legal compliance, fraud prevention and similar).
Right to correct inaccurate personal information (available in California, Virginia, Colorado and most newer state laws).
Right to opt out of the sale or sharing of personal information and of targeted advertising. Under California's CCPA / CPRA, “sale” and “sharing for cross-context behavioural advertising” are defined broadly, and the programmatic advertising activities described in Section 3.3 may fall within those definitions. You may opt out at any time using the “Forget me” mechanism in Section 9, which propagates an opt-out signal across the ad-serving networks listed in Sections 16 and 17. We are working to recognise and process universal opt-out mechanisms such as the Global Privacy Control (GPC) browser signal as applicable law requires; in the meantime the “Forget me” mechanism is the recommended way to opt out from advertising delivered through Epom.
Right to limit the use and disclosure of sensitive personal information (California CPRA and similar laws). “Sensitive personal information” under California CPRA § 1798.140(ae) is a broader category than special-category data under GDPR Article 9 and includes government identifiers, account log-in credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail, email and text messages, genetic data, biometric data used for unique identification, and data concerning health, sex life or sexual orientation. Through the programmatic advertising path Epom does not collect or process any of these categories of information. In particular, we do not process precise geolocation data — only city-level approximate geolocation derived from IP address. The only category of CPRA “sensitive personal information” that Epom processes at all is the account log-in credentials of its Customers (see Section 3.1), which we use solely to operate the Customer's account, do not use to infer characteristics, and do not disclose to third parties.
Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (Colorado, Connecticut and other newer state laws). As described in Section 4, Epom's profiling for advertising does not produce legal or similarly significant effects on you, so this right does not lead to a practical opt-out beyond the controls already described in Section 9.
Right to non-discrimination for exercising any of the rights above.
Categories of personal information collected and disclosed in the previous twelve months (as required by California Civil Code § 1798.130). The categories of personal information we collect, the sources from which we collect it, the business and commercial purposes for which we collect it, and the categories of recipients with whom we share it, are described in detail in Sections 3, 4 and 6 of this Policy. In summary:
Categories collected: identifiers (cookie IDs, mobile-advertising IDs, IP address); internet or other electronic network activity (page or app context, ad interactions); approximate geolocation at city level only, derived from IP address (we do not collect precise geolocation as defined under California CPRA); and inferences drawn from any of the above to create a profile reflecting preferences.
Sources: as described in Section 3, after the “What we do not collect” list.
Business and commercial purposes: as described in Section 4.
Recipients: demand-side bidders, our Customers and our sub-processors, as described in Section 6.
We do not sell personal information for monetary consideration; some of these disclosures may nonetheless qualify as “sale” or “sharing” under California's broad statutory definitions and equivalent provisions in other US state laws. Through the programmatic advertising path we do not collect or process the categories of “sensitive personal information” defined in California CPRA § 1798.140(ae). Account log-in credentials of Customers (described in Section 3.1) are processed only for the security and operation of the Customer's account; they are not used to infer characteristics, are not disclosed to third parties, and the right to limit their use and disclosure under CPRA does not change how we handle them in practice.
“Do Not Sell or Share My Personal Information”. California residents may exercise the right to opt out of the sale or sharing of personal information by using the “Forget me” button in Section 9. Browser-based opt-out signals such as the Global Privacy Control (GPC) are taken into account as applicable law requires; we are working to fully recognise and process such signals across the Services.
To exercise any right under your state's privacy law, write to support@epom.com with the subject line “US Privacy Request”. We will verify your identity using information we already have about you (such as the cookie or mobile-advertising identifier that you can copy from your browser or device settings) and respond within the timeframe required by the applicable state law (typically 45 days, extendable once). Where your state law permits, you may designate an authorised agent to submit a request on your behalf.
Other jurisdictions. To the extent that data-protection laws of other jurisdictions apply to Epom's processing of your personal information — including, without limitation, Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector (Law 25), Australia's Privacy Act 1988, Japan's Act on the Protection of Personal Information (APPI), South Korea's Personal Information Protection Act (PIPA), Singapore's Personal Data Protection Act (PDPA), India's Digital Personal Data Protection Act 2023 (DPDPA) and similar laws — we comply with their requirements where they apply, and the rights described in Sections 12 and 13 are extended to you to the extent required by your local law. Contact us at support@epom.com for jurisdiction-specific questions and we will respond within the timeframe required by your local law.
Epom applies technical and organisational measures appropriate to the risk to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include access controls, encryption in transit and at rest where appropriate, network segmentation, vulnerability management and regular security testing. Epom's core processing infrastructure is located in the European Economic Area, as described in Section 7; the limited transfers of personal information to sub-processors outside the EEA are governed by the safeguards described in that Section.
Personal-data breach notification. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, Epom will notify the lead supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, in accordance with GDPR Article 34, in clear and plain language.
Records of processing and impact assessments. Epom maintains internal records of its processing activities to the extent required by GDPR Article 30. Where Epom assesses that a new or materially changed processing operation is likely to result in a high risk to the rights and freedoms of data subjects, Epom carries out a Data Protection Impact Assessment under GDPR Article 35 and consults the lead supervisory authority where Article 36 requires.
Epom may work with Google to deliver advertising to its Customers. Where Google's technology is used, Google's own privacy practices also apply — see policies.google.com/technologies/partner-sites. In Epom's Services that allow Customers to monetise Google inventory, Customers are contractually required to follow Google's policies, including the prohibition on retargeting on Google inventory; Epom does not enable behavioural targeting based on its own cookies in those configurations.
The list below identifies the ad-serving domains operated by Epom and its customers under our Services. Cookies set on these domains are used in the programmatic advertising path described in Section 3.3 and are governed by your TCF consent and by the controls described in Section 9.
The list below identifies the content-delivery-network domains used to deliver advertising creatives served through Epom's Services.
We may amend this Policy from time to time to reflect changes in the Services, in applicable law, or in our practices. The current version is always available at epom.com/privacy-policy with the “Last updated” date at the top. For changes that materially affect your rights or the way your personal information is processed, we will provide reasonable advance notice (typically at least 30 days, except where applicable law or a regulator requires us to act sooner), for example by email to active Customers or by a prominent banner on the Site, and where the change is based on consent we will obtain renewed consent before the change takes effect.
Severability and no third-party beneficiaries. If any provision of this Policy is held by a court or supervisory authority to be invalid or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force. This Policy does not create rights for any third party who is not a data subject of the personal information described here. Nothing in this Policy is intended to waive any non-waivable statutory right that you have under applicable data-protection law.
For all data-protection enquiries, including the exercise of any of the rights described in Sections 12 (GDPR) and 13 (US state laws), please email support@epom.com (subject line “GDPR Request” or “US Privacy Request” as appropriate).
EPOM SERVICES LTD
79 Spyrou Kyprianou Avenue, Protopapas Building, 2nd floor office 201
3076 Limassol, Cyprus
Email: support@epom.com