Effective Date: April 2, 2026
Last Updated: April 2, 2026
1. Introduction
This Privacy Policy (the “Policy”) explains how Customer Direct Group and its affiliated entities (the “Company,” “we,” “us,” or “our”) process data in connection with the use of the website customerdirectgroup.com (the “Website”) and the services, platform, and related technologies made available through it (collectively, the “Services”).
The Company operates a performance marketing platform that connects advertisers, brands, agencies, publishers, and media partners. In the course of providing the Services, the Company may process certain data, including data relating to end users interacting with marketing campaigns.
This Policy is intended to provide transparency regarding the Company’s role in the data ecosystem, the types of data that may be processed, and the responsibilities of the parties involved.
2. Role of the Company
The Company acts primarily as a data processor (or service provider under applicable laws) on behalf of its business clients, including advertisers and publishers (the “Clients”), who may act as data controllers.
In this capacity, the Company processes personal data solely on documented instructions from its Clients and does not independently determine the purposes or means of processing such data. The Company does not own, control, or make independent decisions regarding personal data collected through marketing campaigns conducted via the Platform.
Where personal data is collected through publisher-owned landing pages, forms, or other channels, such data is collected under the responsibility of the relevant publisher or advertiser acting as a data controller. The Company’s role is limited to facilitating the transmission, routing, processing, and technical handling of such data within the scope of the Services.
The Company does not establish direct relationships with end users whose data may be processed through the Platform and does not provide direct consumer-facing services in this context.
3. Categories of Data Processed
In connection with the Services, the Company may process various categories of data, depending on the specific campaign, integration, and instructions received from Clients.
Such data may include technical data, such as IP addresses, device identifiers, browser information, timestamps, and interaction data related to user activity. The Company may also process campaign-related data, including click data, conversion data, attribution parameters, and tracking identifiers.
Where applicable and as instructed by Clients, the Company may process limited personal data submitted by end users through forms or lead generation flows operated by publishers or advertisers. This may include information such as names, contact details, or other data fields defined by the Client.
The Company does not independently collect personal data from end users and does not require users of the Website to submit personal information in order to access general informational content.
4. Purpose and Nature of Processing
The Company processes data solely for the purpose of providing the Services, including facilitating performance marketing activities, enabling tracking and attribution, supporting campaign optimization, and generating reporting and analytics.
Processing activities may include the collection, transmission, storage, organization, structuring, and retrieval of data, as well as the technical delivery of such data between publishers, advertisers, and other authorized parties.
The Company does not process data for its own independent marketing purposes and does not use personal data to build user profiles or target individuals outside of the scope defined by its Clients.
5. Legal Basis for Processing
As the Company acts as a data processor, it does not independently determine the legal basis for the collection or processing of personal data. Instead, the Company relies on the legal bases established by its Clients, who act as data controllers.
Clients represent, warrant, and undertake that they have established and maintain a valid legal basis for the collection, use, and processing of personal data in accordance with all applicable data protection laws and regulations, including, where required, obtaining valid and informed consent from data subjects or relying on another lawful ground for processing.
Clients further warrant that they provide all necessary notices, disclosures, and transparency to data subjects regarding the collection and use of their personal data, including clear information about the involvement of third-party processors such as the Company.
The Company processes personal data solely on the documented instructions of its Clients and does not verify, audit, or independently assess the adequacy or validity of the legal basis relied upon by Clients. The Company shall not be responsible or liable for any failure by Clients to comply with applicable data protection laws, including any failure to obtain valid consent or otherwise establish a lawful basis for processing.
To the extent required under applicable law, Clients agree to indemnify and hold harmless the Company from and against any claims, liabilities, damages, or regulatory actions arising from or related to their failure to establish or maintain a lawful basis for processing personal data.
6. Data Sharing and Transfers
The Company may transmit or make available data to Clients and their authorized partners as part of the Services. This includes routing data from publishers to advertisers and enabling access to campaign performance data through the Platform.
The Company may also engage third-party service providers (sub-processors) to support the delivery of the Services, including hosting providers, infrastructure providers, and analytics tools. Such sub-processors are contractually bound to process data in accordance with applicable data protection laws.
The Company does not sell personal data and does not share data for purposes unrelated to the provision of the Services.
7. International Data Transfers
Due to the global nature of the Services, data processed by the Company may be transferred to and processed in jurisdictions outside of the country where the data was originally collected.
Where such transfers occur, the Company implements appropriate safeguards, including contractual protections, to ensure that data is protected in accordance with applicable laws.
Clients are responsible for ensuring that any cross-border transfers are compliant with applicable legal requirements.
8. Data Retention
The Company retains data only for as long as necessary to fulfill the purposes for which it was processed, including the provision of the Services, performance tracking, analytics, dispute resolution, fraud prevention, and compliance with contractual and legal obligations.
Retention periods may vary depending on the nature of the data, the type of Services provided, and the instructions received from Clients acting as data controllers. In particular, certain data may be retained for longer periods where necessary to support reconciliation processes, validation of traffic and performance metrics, handling of disputes, enforcement of contractual rights, or compliance with applicable laws and regulatory requirements.
The Company does not determine retention periods for personal data independently where it acts as a data processor and instead follows the documented instructions of its Clients. Clients are responsible for defining appropriate retention periods and ensuring that such periods comply with applicable data protection laws.
Upon expiration of the applicable retention period, or upon receiving valid instructions from the relevant data controller, the Company will delete, anonymize, or otherwise securely dispose of the data, unless continued retention is required by law or reasonably necessary to protect the legitimate interests of the Company, including in connection with legal claims or ongoing disputes.
The Company implements reasonable measures to ensure that data is not retained longer than necessary and that retention practices are aligned with industry standards and applicable legal requirements.
9. Data Security
The Company implements and maintains appropriate technical and organizational measures designed to protect data processed in connection with the Services against unauthorized or unlawful access, disclosure, alteration, loss, or destruction.
Such measures may include, without limitation, the use of secure hosting environments, encryption technologies where appropriate, access controls, authentication mechanisms, network security protocols, and regular monitoring of systems for vulnerabilities and potential threats. The Company also seeks to ensure that access to data is limited to authorized personnel who require such access for the performance of their duties and who are subject to appropriate confidentiality obligations.
The Company regularly evaluates and updates its security practices to address evolving risks and technological developments. However, Users acknowledge that no method of transmission over the internet or method of electronic storage can be guaranteed to be completely secure, and the Company cannot ensure or warrant absolute security of data.
In the event of a data security incident affecting data processed on behalf of Clients, the Company will take appropriate steps to investigate, mitigate, and, where required, notify the relevant Clients in accordance with applicable contractual and legal obligations. Clients remain responsible for fulfilling any regulatory notification requirements to supervisory authorities or data subjects, unless otherwise agreed.
Users and Clients are also responsible for implementing appropriate safeguards on their own systems and ensuring that access credentials and integration points are properly secured.
10. Data Subject Rights
As the Company acts as a data processor and does not have a direct relationship with end users whose data may be processed through the Platform, it does not independently respond to requests from data subjects regarding their personal data.
Data subjects seeking to exercise their rights under applicable data protection laws, including the right of access, rectification, erasure, restriction of processing, data portability, or objection, must direct such requests to the relevant data controller, which is typically the advertiser, publisher, or other Client that originally collected the data.
The Company will, to the extent required by applicable law and contractual obligations, provide reasonable assistance to its Clients in responding to data subject requests. This may include locating and providing relevant data, enabling correction or deletion where instructed, or supporting the restriction of processing.
The Company does not independently assess or validate the legal basis of data subject requests and will act only upon documented instructions from the relevant data controller, except where required to do otherwise by applicable law.
Users acknowledge that the Company’s ability to respond to or act upon data subject requests is limited to its role as a processor and that ultimate responsibility for compliance with data subject rights lies with the data controller.
11. Children’s Data
The Services and the Website are not directed to, nor intended for use by, individuals under the age of eighteen (18) or the age of majority in the relevant jurisdiction. The Company does not knowingly collect, solicit, or process personal data relating to children.
As the Company operates as a data processor and does not directly collect personal data from end users, it relies on its Clients, including publishers and advertisers acting as data controllers, to ensure that personal data is collected and processed in compliance with applicable laws, including any requirements relating to children’s data.
Clients are solely responsible for ensuring that their data collection practices comply with all applicable laws and regulations concerning minors, including obtaining verifiable parental consent where required and implementing appropriate safeguards.
If the Company becomes aware that it has processed personal data relating to a child in violation of applicable law or without proper authorization, it will take reasonable steps to notify the relevant Client and, where appropriate, delete or restrict such data in accordance with applicable legal requirements and the instructions of the data controller.
The Company disclaims any liability arising from the collection or processing of children’s data by Clients or third parties in violation of applicable laws.
12. Changes to This Privacy Policy
The Company reserves the right to update, amend, or otherwise modify this Privacy Policy at any time in order to reflect changes in legal requirements, regulatory guidance, industry practices, or the Company’s business operations and Services.
Any such updates shall be effective upon posting of the revised Privacy Policy on the Website, unless otherwise required by applicable law. Where required, the Company may take additional steps to notify Users or Clients of material changes, including through the Website or other appropriate communication channels.
Users are encouraged to review this Privacy Policy periodically to remain informed about how data is processed in connection with the Services. Continued use of the Website or Services following the publication of any changes shall constitute acknowledgment and acceptance of the updated Privacy Policy.
Where the Company acts as a data processor, it is the responsibility of the relevant data controller to ensure that any necessary updates to privacy disclosures provided to end users are made in accordance with applicable law.
13. Contact Information
If you have any questions, requests, or concerns regarding this Privacy Policy, the processing of data in connection with the Services, or the Company’s role as a data processor, you may contact the Company using the contact details:
CDI Marketing Group B.V.
Address: Keizersgracht 229 C, Amsterdam, 1016 DV, Netherlands
Privacy Contact Email: dpo@clickdealer.com
Where the inquiry relates to personal data processed on behalf of a Client, the Company may, where appropriate, direct the request to the relevant data controller or request that the inquiry be submitted directly to such controller. The Company may also cooperate with its Clients, as required, to facilitate the handling of such requests in accordance with applicable data protection laws.
The Company will make reasonable efforts to respond to legitimate inquiries within a reasonable timeframe; however, the Company’s ability to respond may be limited where it acts solely as a data processor and does not have direct control over the relevant data.
