Privacy Policy
Last updated: May 18, 2026
ADN TopCo, operating under the trade name Helix ("Helix", "we", "us", "our"), operates a mobile advertising network that delivers personalized advertisements through a software development kit ("SDK") integrated into third-party mobile applications ("Partner Apps"). This Privacy Policy explains how we collect, use, share, and protect personal data in connection with the Helix SDK and related processing activities.
ADN TopCo is the data controller for the processing activities described in this Privacy Policy.
1. Scope
This Privacy Policy applies to end users ("you", "users") of any mobile application in which the Helix SDK is integrated. It applies also to your data collected indirectly through mediation platforms and mobile measurement partners. It covers all personal data processed by Helix in connection with the delivery, measurement, and optimization of digital advertising, including real-time bidding, identity resolution, and machine-learning-based ad pricing.
This Privacy Policy does not cover processing carried out independently by Partner Apps, publishers, advertisers, mediation platforms, mobile measurement partners or other third-party partners.
2. Data We Collect
In connection with the Helix SDK and related processing activities, we may collect or receive the following categories of personal data:
Category | Examples |
Device and advertising identifiers | Identifier for Advertisers (IDFA), Google Advertising ID (GAID), Identifier for Vendors (IDFV), AppSet ID |
Network and connectivity data | IP address, connection type |
Device metadata | Operating system, device model, manufacturer, screen resolution, user agent |
Ad interaction and delivery data | Mobile application, impression events, click events, viewable impression data, video completion events, bid and auction results, post-click navigation data, billing information |
App usage and session data | App session, app open/close events, session duration, session count, in-app purchase history |
Attribution data | Install events, post-install activity, campaign attribution, revenue data |
Privacy and consent signals | Limit Ad Tracking status, consent information (TCF string, GDPR flag), Do Not Sell preference, US Privacy string |
We collect data directly through the Helix SDK operating on the user's device, and indirectly through mediation platforms that enrich ad requests with OpenRTB-compliant parameters, as well as through mobile measurement partners that provide attribution and post-install event data.
3. Purposes of Processing and Legal Basis
Purpose | Data processed | Legal basis |
Real-time bidding (RTB) and ad delivery: Processing ad requests, participating in programmatic auctions, selecting and rendering advertisements, and reporting on delivery metrics. | Device and advertising identifiers, network and connectivity data, device metadata, privacy and consent signals, ad interaction and delivery data | Consent |
Attribution and measurement: Measuring campaign performance and attributing installs to advertising interactions via mobile measurement partners. | Device and advertising identifiers, attribution data | Consent |
Identity resolution (ID Graph): Reconciling multiple device identifiers collected across event streams to establish a unified user identity graph and assign a internal reference identifier for consistent cross-session identification. | Device and advertising identifiers | Consent |
Feature computation and behavioral profiling: Aggregating raw event data into user-level behavioral features across configurable time windows, keyed on an internal identifier. Feature categories include app usage patterns, ad engagement metrics, session-derived features, and purchase history. | Device and advertising identifiers, ad interaction and delivery data, app usage and session data, attribution data | Consent |
Audience insights and statistical analysis: Producing aggregate reports and statistical analyses about advertising audiences, including reach, frequency, and audience composition metrics. These insights are used to help publishers and advertisers understand campaign performance at a population level and do not result in individual-level decisions. | Device and advertising identifiers, ad interaction and delivery data, attribution data | Consent |
Service development and improvement: Developing, testing, and improving the Helix SDK, bidding algorithms, and related advertising technology through product research, machine learning experimentation, and performance benchmarking. | Device and advertising identifiers, ad interaction and delivery data, app usage and session data, attribution data | Consent |
Security, fraud prevention, and error detection: Detecting and preventing invalid traffic, click fraud, SDK spoofing, and other fraudulent or malicious activity, as well as identifying and resolving technical errors to ensure the operational integrity of our services. | Device and advertising identifiers, network and connectivity data, device metadata, ad interaction and delivery data | Consent or legitimate interest, where applicable |
Processing and storing privacy preferences: Receiving, verifying, and storing consent and privacy preference signals (including TCF consent strings, opt-out signals, and platform-level privacy flags) transmitted by publishers and consent management platforms, and ensuring that downstream processing respects those signals. | Privacy and consent signals | Legal obligation |
Where this Article refers to legal bases, those legal bases apply only in jurisdictions where they are required or recognized under applicable law, such as the European Economic Area, the United Kingdom, Switzerland and similar jurisdictions. More generally, Helix respects consent, opt-out and other equivalent preference signals transmitted by publishers, including signals collected through the Partner App's consent management platform (CMP) and, where applicable, in accordance with the IAB Transparency & Consent Framework (TCF).
4. Profiling and Automated Decision-Making
Our feature computation pipeline constitutes profiling under Article 4(4) GDPR. It creates pseudonymous behavioral features associated with an internal identifier, based on historical app usage, ad engagement, session activity and purchase-related events made available to us. These features may be used to train and run machine-learning models that predict outcomes such as install probability or expected post-install value. The resulting predictions are used by our Bid Pricing Engine to determine whether, and at what price, Helix may bid for an ad opportunity.
This automated processing may influence which advertisements you see and how Helix prices a given ad opportunity. It does not determine your access to a service, credit, employment, housing, education or a similar matter, and we do not consider it to produce legal effects or similarly significant effects within the meaning of Article 22 GDPR.
Where required by applicable law, you may request meaningful information about this profiling, withdraw consent for personalized advertising, opt out of targeted advertising or object to processing based on legitimate interests.
5. Data Retention
Personal data is retained for a maximum period of 13 months from the date of collection or from the date of the user's last recorded activity, whichever is later. At the end of the applicable retention period, personal data is deleted or irreversibly anonymized.
Certain intermediate datasets used exclusively for model training purposes are ephemeral and are not persisted beyond the duration of the training cycle.
6. Data Recipients
We share personal data with the following categories of recipients, solely to the extent necessary for the purposes described in this Privacy Policy:
Cloud infrastructure providers: Host and process data on our behalf within the European Union. Act as data processors under a Data Processing Agreement.
Mediation partners: Receive ad request data as part of the programmatic bid request flow and return auction results. Mediation partners are selected and configured by the publisher of each Partner App. Helix does not control which mediation partners are involved in a given ad transaction. Act as independent data controllers.
Mobile measurement partners: Provide attribution, install measurement, and post-install analytics services. Mobile measurement partners are selected by the advertiser and integrated into their own campaign measurement stack. Helix does not control which mobile measurement partners are involved in a given data flow. Act as independent data controllers.
Publisher partners: Publishers of Partner Apps that integrate the Helix SDK. Act as independent data controllers responsible for obtaining user consent at the point of collection.
Legal and regulatory authorities: We may disclose personal data to competent authorities where required by applicable law, regulation, legal process, or enforceable governmental request.
Data subjects may obtain information about, or the identity of, the specific mediation partners and mobile measurement partners involved in the processing of their data by consulting the privacy policy or legal notices of the relevant publisher or advertiser, including any information made available within the Partner App or on advertisements displayed to them.
7. International Data Transfers
Your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA) and the United Kingdom (UK). Where such transfers occur, we ensure an adequate level of protection through one or more of the following safeguards:
Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional technical and organizational measures where appropriate.
EU-U.S. Data Privacy Framework (DPF), where the recipient is certified under the DPF.
Adequacy decisions issued by the European Commission under Article 45 GDPR, where applicable.
You may request a copy of the applicable transfer safeguards by contacting us at dpo@helix.com.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures include encryption of data at rest and in transit, network access controls, identity and access management policies based on the principle of least privilege, and regular security monitoring. Access to personal data is restricted to authorized personnel on a need-to-know basis.
9. Children and sensitive data
These processing activities are not intended to collect or process sensitive personal data as defined under applicable data protection laws.
We do not knowingly collect personal data from children or serve personalized advertising to children where prohibited by applicable law. Publishers and partners integrating the Helix SDK are responsible for ensuring compliance with applicable age-related requirements in their apps and inventory.
Where we receive a signal indicating that personalized advertising is restricted for a given user or context, we process the ad request accordingly.
10. Your Privacy Rights
10.1. Rights Under EU/UK Data Protection Law (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:
Right of access: You may request confirmation of whether we process your personal data and obtain a copy of such data.
Right to rectification: You may request correction of inaccurate personal data or completion of incomplete data.
Right to erasure: You may request deletion of your personal data where there is no compelling reason for its continued processing.
Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances.
Right to data portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format.
Right to object: You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Rights related to profiling and automated decision-making: You have the right to obtain meaningful information about the logic involved in automated processing, including profiling, and to contest decisions based on such processing.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).
10.2. Rights Under U.S. State Privacy Laws
The following section applies if you are a resident of a U.S. state with applicable consumer privacy legislation.
10.2.1. California (CCPA/CPRA)
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the following rights:
Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom we share it.
Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
Right to correct: You may request correction of inaccurate personal information we maintain about you.
Right to opt out of sale or sharing: You may direct us not to sell your personal information or share it for cross-context behavioral advertising.
Right to limit the use of sensitive personal information: Where applicable, you may limit the use of sensitive personal information to purposes permitted under the CCPA/CPRA.
Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
For the purposes of the CCPA/CPRA, the transfer of device identifiers and associated data to mediation partners in the context of real-time bidding may constitute a "sale" or "sharing" of personal information. You may opt out of this processing at any time as described in Section 10.3 below.
10.2.2. California Shine the Light (Civil Code § 1798.83)
California Civil Code § 1798.83 permits California residents to request information about personal data disclosed to third parties for their direct marketing purposes. Helix does not disclose personal information to third parties for their own direct marketing purposes.
10.2.3. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other U.S. states
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, or another state with applicable consumer privacy legislation, you may have the following rights, to the extent provided by your state's law:
Right to access: You may confirm whether we are processing your personal data and access such data.
Right to delete: You may request deletion of personal data you have provided to us or that we have obtained about you.
Right to correct: You may request correction of inaccuracies in your personal data.
Right to data portability: You may obtain a copy of your personal data in a portable and readily usable format.
Right to opt out of targeted advertising: You may opt out of the processing of your personal data for purposes of targeted advertising.
Right to opt out of sale: Where applicable, you may opt out of the sale of your personal data.
Right to opt out of profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
Right to appeal: If we decline to take action on your request, you may appeal our decision. We will inform you of the appeal process at the time of our response.
10.3. How to Exercise Your Rights
You can manage your privacy preferences through the following channels:
Consent Management Platform (CMP): Adjust your consent preferences directly within the Partner App that integrates our SDK. Changes to your TCF consent choices are reflected in real time in our processing.
Device settings: Reset or limit your advertising identifier at the operating system level:
iOS: Settings > Privacy & Security > Tracking (disable "Allow Apps to Request to Track"); or Settings > Privacy & Security > Apple Advertising (disable "Personalized Ads").
Android: Settings > Privacy > Ads > Delete advertising ID or opt out of Ads Personalization.
Contact our DPO: For any request related to your privacy rights, you may contact us at dpo@helix.com. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to provide sufficient information to verify your identity before processing your request.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or operational practices. When we make material changes, the "Last updated" date at the top of this policy will be revised. We encourage you to review this Privacy Policy periodically.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: dpo@helix.com.
Address: 12 Place Dauphine, 75001 - Paris, France.