Data Protection Addendum for User Acquisition Services

Effective version: 18 May 2026

This Data Protection Addendum (the "DPA") applies between:

1. the client of ADN identified in the IO ("Client"); and

2. ADN TopCo, as identified in the IO ("ADN").

Client and ADN are each a "Party" and together the "Parties".

This DPA is hosted online by ADN and is incorporated by reference into the IO signed by the Parties. By signing the IO, the Parties agree that this DPA forms part of the IO and governs the privacy and data protection terms applicable to the Services. This DPA does not need to be separately signed.

The version of this DPA made available by ADN at the URL referenced in the IO as of the IO effective date applies to that IO, as may be updated in accordance with Section 18.

If the Parties enter into more than one IO incorporating this DPA by reference, this DPA applies separately to each such IO.

1. Scope

1.1. This DPA governs the processing of Personal Data by the Parties in connection with the Services.

1.2. The Parties agree that the Services are provided on an independent controller-to-independent controller basis. Each Party determines its own purposes and means of processing in relation to the Personal Data it processes in connection with the Services.

1.3. ADN does not act as Client's processor, service provider, contractor, agent, fiduciary or representative in relation to the Services. ADN does not process Personal Data on behalf of Client.

1.4. Where Client provides or makes available Client Audience Data to ADN, directly or through a Client-authorised MMP, attribution partner, API, SDK, postback or other technical integration, for a retargeting, custom audience, suppression, exclusion, already-installed user exclusion, lookalike, reactivation, reengagement or similar audience activation campaign, ADN processes such Client Audience Data as an independent controller and not as Client's processor.

1.5. The IO will set out the campaign-specific terms applicable to the Services and, where relevant, Client Audience Data, including the campaign type, relevant app(s), data categories, data source, MMP or attribution partner, transfer method, territories, and any specific restrictions or conditions.

1.6. Nothing in this DPA restricts ADN from processing Personal Data as an independent controller for the purposes described in Section 6.2, the IO and any other lawful purposes permitted under Applicable Privacy Laws.

2. Definitions

2.1. "Client Audience Data" means Personal Data provided, uploaded, transmitted, made available or authorised by Client to ADN, directly or through a Client-authorised MMP, attribution partner, API, SDK, postback or other technical integration, for a campaign involving retargeting, custom audience, suppression, exclusion, already-installed user exclusion, lookalike modelling, reactivation, reengagement or other audience activation. Client Audience Data includes any exclusion list, suppression list, already-installed user list, install status, app ownership status, app install signal, app event, MMP postback, attribution partner signal, audience membership data, reactivation audience or reengagement audience made available to ADN by Client or a Client-authorised third party. Client Audience Data may include hashed email addresses, hashed phone numbers, advertising identifiers, customer IDs, device identifiers, segment IDs, event data, audience membership data, suppression lists, consent signals and technical metadata, as specified in the relevant IO.

2.2. "Client Properties" means Client's apps, websites, landing pages, app store pages, accounts, SDKs, pixels, APIs, MMP integrations, CMPs, databases, audience tools, campaign tools and any other digital property, system or integration controlled by Client or a Client-authorised third party.

2.3. "ADN Network Data" means Personal Data collected, received, generated or otherwise processed by ADN through its network, integrations, publishers, sub-publishers, supply partners, demand partners, measurement systems, reporting systems, anti-fraud tools, platform, logs or business operations.

2.4. "ADN Supply Partners" means publishers, app publishers, sub-publishers, supply-side partners, inventory providers, exchanges, mediation partners, SDK integration partners or other third-party partners that make advertising inventory, SDK-based signals or related signals available to ADN or through ADN's network.

2.5. "Applicable Privacy Laws" means all privacy, data protection, electronic communications, online advertising, consumer privacy and direct marketing laws and regulations applicable to a Party's processing of Personal Data under the IO, including, where applicable and without limitation, the GDPR, the ePrivacy Directive and national implementing laws, the UK GDPR, the CCPA/CPRA, US state privacy laws, and any equivalent or successor laws.

2.6. "CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.

2.7. "Data Protection Authority" means any competent supervisory authority, regulator or governmental body responsible for enforcing Applicable Privacy Laws.

2.8. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

2.9. "GDPR" means Regulation (EU) 2016/679.

2.10. "IO" means the insertion order, campaign order, statement of work or other ordering document signed by the Parties that incorporates this DPA by reference and governs ADN's provision of the Services to Client.

2.11. "Personal Data" means any information relating to an identified or identifiable natural person, and includes "personal information", "personal data" or equivalent terms under Applicable Privacy Laws.

2.12. "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2.13. "Restricted Data" means Sensitive Data, children's data, precise geolocation data, biometric data, health data, financial account data, government identifier data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, criminal offence data, and any other data subject to heightened legal, contractual or platform restrictions.

2.14. "Services" means ADN's user acquisition, ad network, media buying, advertising, campaign management, ad delivery, attribution, measurement, reporting, optimisation, retargeting, custom audience, suppression, exclusion, reactivation, fraud prevention, billing and related services under the IO.

2.15. "Sensitive Data" means special categories of personal data under Article 9 GDPR, criminal offence data under Article 10 GDPR, sensitive personal information under the CCPA/CPRA and any equivalent category under Applicable Privacy Laws.

2.16. "UK GDPR" means the GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018.

2.17. The terms "controller", "processor", "processing", "process", "business", "third party", "service provider", "contractor", "sell", "share" and "targeted advertising" have the meanings given to them under the Applicable Privacy Laws relevant to the processing at issue.

2.18. Capitalised terms used but not defined in this DPA have the meaning given to them in the IO.

3. Order of Precedence

3.1. If there is any conflict between this DPA and the IO in relation to the processing of Personal Data, this DPA prevails, unless the IO expressly identifies the relevant provision of this DPA and states that it overrides that provision.

3.2. The commercial terms, payment terms, liability caps, exclusions, audit restrictions, confidentiality provisions, governing law and dispute resolution provisions in the IO apply to this DPA unless this DPA expressly states otherwise or Applicable Privacy Laws require otherwise.

4. Controller-to-Controller Relationship

4.1. For the Services, including any processing of Client Audience Data, Client and ADN each act as an independent controller.

4.2. Client is independently responsible for:

1. its apps, websites, landing pages, app store pages, products, services, users, customers, prospects and marketing activities;

2. the collection, use, disclosure and transfer of Personal Data through its properties, SDKs, pixels, MMP integrations, APIs, CMPs and other tools;

3. the selection of campaign parameters, targeting criteria, audience segments, territories, platforms, creatives, claims, budgets, caps and performance goals;

4. the lawfulness of any Personal Data, campaign setting or request, audience, suppression list, event data, consent signal or other data that Client provides or makes available to ADN;

5. the provision of privacy notices, cookie notices and any other legally required disclosures to Data Subjects; and

6. the collection, recording, maintenance, transmission and honouring of all required consents, permissions, opt-outs, withdrawals, objections and preference signals relating to Client Properties, Client Audience Data, Client-controlled campaign setting or request and Personal Data provided or made available by Client or a Client-authorised third party to ADN.

4.3. ADN is independently responsible for its processing of ADN Network Data and for the processing it determines in connection with its network, platform, integrations and the purposes described in Section 6.2.

4.4. ADN does not process ADN Network Data on behalf of Client. ADN may combine, compare, analyse, enrich, aggregate, de-identify or otherwise use ADN Network Data for ADN's own lawful business purposes, subject to Applicable Privacy Laws.

4.5. The Parties do not intend to create a joint controllership arrangement. No Party is authorised to make privacy representations, regulatory commitments, admissions, settlement offers or public statements on behalf of the other Party.

4.6. Where Client provides or makes available Client Audience Data to ADN, Client discloses such Client Audience Data to ADN as an independent controller. ADN may process Client Audience Data as an independent controller for the purposes described in Section 6.2 and the IO, subject to any mandatory restrictions expressly agreed in the relevant IO. Client-controlled campaign settings or requests do not constitute processor instructions.

5. Client Obligations and Warranties

5.1. Client represents, warrants and undertakes that:

1. Client has a valid legal basis for collecting, using, sharing, disclosing, making available and transferring Personal Data collected through Client Properties, included in Client Audience Data or otherwise provided or made available by Client or a Client-authorised third party to ADN;

2. Client has provided Data Subjects with all legally required privacy notices, cookie notices, consent notices and disclosures in relation to Client Properties, Client Audience Data, Client-controlled campaign settings or requests, advertising, personalised advertising, measurement, attribution, retargeting, custom audiences, partner sharing, international transfers and Data Subject rights;

3. Client has obtained and will maintain all consents, permissions, opt-ins and authorisations required under Applicable Privacy Laws and applicable platform rules for Client Properties, Client Audience Data, Client-controlled SDKs, local storage, mobile advertising identifiers, pixels, device identifiers, personalised advertising, attribution, measurement, cross-app tracking, retargeting, audience activation and any Personal Data provided or made available by Client or a Client-authorised third party to ADN;

4. Client complies with all platform, industry framework and privacy signal requirements applicable to Client Properties, Client Audience Data and Client-controlled technologies, including ATT, Android/Google requirements, TCF, GPP, US privacy signals, opt-out signals and suppression signals where applicable, and all such signals provided to ADN by Client or a Client-authorised third party are accurate, complete, current, valid and technically usable;

5. Client will not provide or make available Restricted Data to ADN unless ADN has given prior written approval and the Parties have agreed appropriate additional terms;

6. Client will not provide Personal Data relating to children, teens or age-restricted users where the relevant processing is prohibited or requires additional consents, notices, platform permissions or safeguards that have not been implemented;

7. Client's audiences, segments, suppression lists, exclusion lists and targeting parameters are lawful, non-discriminatory, not misleading, not based on prohibited criteria and not inconsistent with platform rules;

8. Client has configured its CMPs, MMPs, SDKs, pixels, APIs, postbacks, consent tools and attribution tools correctly and in a manner that avoids transmitting unlawful, excessive, inaccurate or unauthorised Personal Data to ADN;

9. Client will promptly notify ADN if any Personal Data, Client Audience Data, audience, segment, consent, signal, privacy-related request or campaign setting relevant to the processing of Personal Data becomes invalid, unlawful, inaccurate, disputed, withdrawn, restricted, suppressed, subject to an opt-out or otherwise non-compliant with Applicable Privacy Laws; and

10. Client will maintain evidence of its notices, consents, legal bases, preference signals and compliance decisions and will provide such evidence to ADN on reasonable request where needed for a Data Protection Authority inquiry, platform audit, partner inquiry, Data Subject complaint, dispute or incident.

5.2. ADN may rely on Client's data, campaign settings, parameters, requests, consents, signals, representations and warranties. ADN is not required to verify the lawfulness, validity, completeness, accuracy or regulatory sufficiency of Client's data, campaign settings, parameters, requests, consents, signals or other information unless their unlawfulness is manifest.

5.3. Client is solely responsible for any failure, delay, under-delivery, loss of performance, loss of measurement, reduced reach, rejected traffic, suspended campaign or platform restriction resulting from missing, invalid, incomplete, inconsistent or expired notices, consents, permissions, signals or campaign settings relating to Client Properties, Client Audience Data, Client-controlled campaign settings or requests or Personal Data provided or made available by Client or a Client-authorised third party to ADN.

5.4. Client is not responsible under this DPA for collecting consent on digital properties controlled solely by ADN Supply Partners, except to the extent Client controls the relevant user interface, SDK, CMP, integration, audience, privacy-related request, data disclosure or campaign setting.

6. ADN Obligations as Independent Controller

6.1. ADN will process Personal Data in accordance with Applicable Privacy Laws that apply to ADN's own processing.

6.2. ADN may process Personal Data for the following purposes:

1. providing, operating, managing and improving the Services;

2. ad delivery, ad selection, campaign execution, custom audience activation, audience matching, suppression, exclusion, already-installed user exclusion, retargeting, reactivation, reengagement, frequency capping, pacing, targeting and optimisation;

3. attribution, measurement, reporting, analytics, forecasting, modelling and performance assessment;

4. identity resolution, creation and maintenance of device graphs, linking of advertising identifiers, vendor identifiers, device identifiers, successor identifiers and other pseudonymous identifiers, and creation, use and improvement of pseudonymous user profiles for ad delivery, frequency capping, attribution, measurement, optimisation, fraud prevention, modelling, model training and service improvement, in each case subject to Applicable Privacy Laws and applicable consent or preference signals;

5. fraud prevention, traffic quality control, invalid traffic detection, bot detection, click spam detection, click injection detection, SDK spoofing detection, device farm detection and abuse prevention;

6. security, integrity, availability and resilience of ADN's network, systems, platform and partner ecosystem;

7. billing, payment, tax, accounting, reconciliation, chargeback handling and financial recordkeeping;

8. support, troubleshooting, debugging, maintenance and error correction;

9. compliance with laws, platform rules, partner requirements, court orders, regulatory requests and internal policies;

10. enforcement of ADN's rights, contractual terms, platform policies and network rules;

11. dispute resolution, claims handling, legal defence and preservation of evidence; and

12. creation, use and commercialisation of aggregated, de-identified or anonymised data, provided that ADN does not attempt to re-identify such data except as permitted by law.

6.3. ADN may disclose Personal Data to its affiliates, suppliers, hosting providers, cloud providers, security vendors, fraud prevention vendors, analytics providers, publishers, sub-publishers, supply partners, demand partners, MMPs, platforms, professional advisers, auditors, authorities, investors, acquirers and other third parties where reasonably necessary for the purposes described in this DPA.

6.4. ADN may determine its own retention periods for Personal Data processed as an independent controller, taking into account reporting, attribution, billing, fraud prevention, security, tax, accounting, legal defence, compliance and business needs.

6.5. ADN will implement reasonable contractual, operational or technical measures designed to require ADN Supply Partners, where they control the relevant digital property, user interface, SDK, CMP or consent collection flow, to provide applicable transparency notices, collect legally required consents or permissions, honour applicable opt-outs and transmit applicable consent and preference signals to ADN.

6.6. ADN may rely on consent and preference signals received from ADN Supply Partners, CMPs, supply-side platforms, exchanges, mediation partners and other network participants, unless ADN has actual knowledge that such signals are invalid or unlawfully generated.

6.7. As between Client and ADN, ADN is not responsible for any failure by an ADN Supply Partner to provide notices, collect consents, honour choices or transmit accurate signals, except to the extent such failure is directly caused by ADN's material breach of this DPA or Applicable Privacy Laws.

7. Consent, Preference Signals and Platform Requirements

7.1. Client is responsible for collecting, maintaining, documenting and transmitting all legally required consents, opt-ins, opt-outs, objections, withdrawals, ATT permissions, TCF strings, GPP strings, US privacy strings, "Do Not Sell or Share" signals, suppression signals and equivalent preference signals relating to Client Properties, Client Audience Data, Client-controlled campaign settings or requests and any Personal Data provided or made available by Client or a Client-authorised third party to ADN.

7.2. For users in the EEA, the United Kingdom or Switzerland, Client must obtain valid consent where required for storing or accessing information on a user's device through Client Properties or Client-controlled technologies, and for collecting, sharing or using Personal Data from Client Properties or Client Audience Data for personalised advertising, retargeting, measurement or attribution.

7.3. Where the TCF is used by Client or a Client-authorised third party, Client must ensure that all applicable vendors, purposes, features, special features and legal bases are properly disclosed and signalled before any relevant Personal Data is disclosed to ADN.

7.4. Where Apple App Tracking Transparency applies to Client Properties or Client-controlled tracking, Client must ensure that tracking permissions are obtained and honoured and that ADN receives only data that may lawfully be used for the relevant advertising purpose.

7.5. Where US state privacy laws apply, Client must determine whether the disclosure or making available of Personal Data from Client Properties, Client Audience Data or Client-controlled systems to ADN constitutes a sale, sharing, targeted advertising or equivalent activity, and must provide all notices and choices required by applicable law.

7.6. Where Personal Data or device access originates from digital properties controlled by ADN Supply Partners, ADN will use reasonable measures designed to require the relevant ADN Supply Partner or its CMP to provide applicable transparency notices, collect required consents where legally required and transmit applicable consent and preference signals to ADN.

7.7. ADN is responsible, as an independent controller, for using reasonable measures designed to respect consent and preference signals that ADN receives and is technically able to process in connection with ADN Network Data.

7.8. ADN may reject, suppress, filter, treat as non-consented, suspend or decline to process any request, impression, click, install, event, audience, segment or campaign where ADN reasonably determines that required signals are missing, invalid, incomplete, inconsistent, expired or technically unusable.

8. Restricted Data

8.1. Client must not provide or make available Restricted Data to ADN without ADN's prior written approval.

8.2. ADN may reject, delete, quarantine, block, ignore or return any data that ADN reasonably believes is Restricted Data or otherwise presents an unacceptable legal, platform, security, reputational or operational risk.

8.3. Client is responsible for ensuring that Restricted Data is excluded from all campaigns, audiences, events, postbacks, files, APIs, SDKs and integrations unless ADN has expressly agreed otherwise in writing.

9. Data Subject Requests

9.1. Each Party is responsible for handling Data Subject requests it receives in its capacity as an independent controller.

9.2. Client is responsible for Data Subject requests relating to Client's apps, websites, user accounts, customer relationships, audiences, consents, opt-outs, campaign setting or request and Personal Data collected or provided by Client.

9.3. ADN is not required to re-identify any Data Subject, maintain Personal Data solely for the purpose of responding to a request, or respond to a request where ADN cannot reasonably verify the Data Subject or identify the relevant Personal Data.

9.4. If a Data Subject request received by ADN relates primarily to Client's relationship with the Data Subject, ADN may direct the Data Subject to Client.

10. Security

10.1. Each Party will implement appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking into account the nature, scope, context and purposes of processing and the risks to Data Subjects.

10.2. ADN will implement security measures appropriate to its own processing as an independent controller, taking into account the nature, scope, context and purposes of processing and the risks to Data Subjects. ADN may modify its security measures from time to time, provided that it does not materially reduce the overall level of protection required under Applicable Privacy Laws.

10.3. Client is responsible for the security of its systems, users, accounts, credentials, API keys, SDKs, pixels, MMP integrations, CMP configurations, file transfers, campaign settings, audience uploads and authorised personnel.

11. Personal Data Breaches

11.1. For Personal Data processed by each Party as an independent controller, each Party is responsible for assessing and complying with its own breach notification obligations under Applicable Privacy Laws.

11.2. Neither Party is required under this DPA to notify the other Party of a Personal Data Breach affecting Personal Data processed by that Party as an independent controller, unless such notification is mandatory under Applicable Privacy Laws or required by the IO.

11.3. Any public communication, regulatory submission or Data Subject communication that names or refers to the other Party, its affiliates, partners or suppliers requires the other Party's prior written approval, unless prohibited by Applicable Privacy Laws. Where prior approval is not legally possible, the communicating Party must consult the other Party in advance to the extent legally permitted.

12. International Processing

12.1. This DPA does not include standard contractual clauses, an international data transfer addendum or any other transfer mechanism. Any transfer mechanism required under Applicable Privacy Laws must be addressed separately, including in the IO where applicable.

12.2. Each Party may process Personal Data in the countries where that Party, its affiliates, suppliers, infrastructure providers, partners, publishers, sub-publishers or professional advisers are located, subject to Applicable Privacy Laws and any transfer mechanism required by such laws.

12.3. If a transfer mechanism becomes required, invalid, unavailable or insufficient for any processing under the IO, ADN may suspend the affected transfer or Service, implement an appropriate transfer mechanism, change the relevant processing location or terminate the affected Service in accordance with the IO.

13. US State Privacy Laws

13.1. The Parties act as independent businesses, controllers or third parties under US state privacy laws.

13.2. Client is responsible for determining whether its disclosure or making available of Personal Data to ADN constitutes a sale, sharing, targeted advertising, cross-context behavioural advertising or equivalent activity.

13.3. Client must provide all notices, consents, opt-outs, contractual disclosures and preference signal compliance required for any disclosure or making available of Personal Data from Client Properties, Client Audience Data or Client-controlled systems to ADN.

13.4. ADN may process Personal Data received in a controller-to-controller context for its own lawful business purposes, subject to Applicable Privacy Laws and any mandatory restrictions expressly agreed in the relevant IO.

13.5. ADN will not be deemed Client's service provider, contractor or processor under US state privacy laws in relation to the Services or any Client Audience Data.

14. Audit and Information Rights

14.1. As independent controllers, the Parties have no general audit rights over each other's systems, networks, partners, publishers, sub-publishers, algorithms, fraud controls, security controls, source code, commercial terms, pricing, client data or confidential information.

14.2. ADN may provide Client with reasonable information about ADN's privacy and security practices where required to support Client's compliance assessment, provided that ADN may withhold or redact information to protect security, confidentiality, trade secrets, partner information, other clients' data or legal privilege.

15. Suspension

15.1. ADN may suspend, restrict, reject, filter, block or terminate any campaign, audience, integration, transfer or processing operation immediately if ADN reasonably believes that:

1. Client's Personal Data, Client Audience Data, privacy-related requests, consents, permissions, opt-outs, preference signals, audience configuration or data protection documentation are unlawful, invalid, incomplete, inaccurate, expired, withdrawn, disputed, suppressed, inadequately documented or otherwise non-compliant with Applicable Privacy Laws;

2. the relevant processing may breach Applicable Privacy Laws, applicable privacy-related platform requirements, consent requirements, preference signal requirements or this DPA;

3. the processing may expose ADN, its affiliates, partners, publishers, sub-publishers, customers or suppliers to legal, regulatory, data protection, privacy, security or confidentiality risk;

4. a Data Protection Authority, privacy regulator, platform privacy requirement, MMP privacy requirement, publisher privacy requirement, partner privacy requirement or Applicable Privacy Law requires or recommends suspension; or

5. Client breaches this DPA or any privacy or data protection obligation in the IO.

15.2. Suspension does not relieve Client from payment obligations for Services already provided or non-cancellable commitments already incurred.

16. Liability

16.1. This DPA does not create any separate liability, indemnity, exclusion, limitation or cap regime between the Parties.

16.2. Any liability, indemnification, exclusion, limitation, cap, remedy or allocation of risk arising out of or relating to this DPA, the Services, Personal Data, privacy, data protection, security, international processing, Personal Data Breaches, audits, Data Subject requests or regulatory claims is governed exclusively by the IO.

16.3. Nothing in this DPA limits any mandatory rights of Data Subjects or any mandatory liability that cannot be excluded or limited under Applicable Privacy Laws.

17. Term and Termination

17.1. This DPA remains in force for as long as ADN processes Personal Data in connection with the Services.

17.2. Termination or expiry of the IO automatically terminates this DPA in respect of that IO, except for provisions that by their nature should survive, including provisions relating to retention, international processing, audit restrictions, liability and ADN's independent controller processing.

17.3. ADN may retain Personal Data after termination to the extent permitted or required for billing, tax, accounting, legal compliance, fraud prevention, security, dispute handling, enforcement of rights, audit, backup or other legitimate business purposes.

18. Miscellaneous

18.1. ADN may update this DPA where reasonably necessary to reflect changes in Applicable Privacy Laws, platform rules, partner requirements, international processing requirements, Services, technical architecture, security standards or operational practices.

18.2. ADN will notify Client of material changes by reasonable means. Changes required to comply with Applicable Privacy Laws, platform requirements, security requirements, international processing requirements or partner requirements may take effect immediately. Other material changes will take effect no earlier than fifteen (15) days after notice. If Client objects to a change that is necessary for compliance or service continuity, ADN may suspend or terminate the affected Services in accordance with the IO. For clarity, any amendment, replacement or update of this DPA made in accordance with this Section 18 does not require a separate written amendment signed by the Parties.

18.3. If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in effect and the invalid or unenforceable provision will be replaced by a valid provision that most closely reflects the original commercial and legal intent.

18.4. ADN's failure to enforce any provision of this DPA is not a waiver.

18.5. Notices relating to this DPA must be sent to the contacts set out in the IO and will be deemed received in accordance with the notice provisions of the IO.