CoadX's Privacy Policy

Last updated: 15 May 2026

Who we are

This Privacy Policy explains how COAD SOLUTIONS LIMITED, a company incorporated in Hong Kong with registered office at Unit 1411, 14/Floor, Cosco Tower, 183 Queen's Road Central, Sheung Wan, Hong Kong (“CoadX”, “we”, “us”, or “our”), processes personal data in connection with coad.network and the COADS product and related services. Where this Policy refers to “COADS” it means our advertising exchange and related advertising technology services. Because CoadX is registered in Hong Kong, this Policy is designed to address applicable requirements under the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong (“PDPO”), while also reflecting GDPR-style global transparency standards and U.S. privacy-framework disclosures where relevant. For data collected through coad.network itself, including contact forms, demo requests, business relationship management, contracting, billing, support, and marketing, CoadX is the data controller or equivalent responsible business. For some COADS processing, depending on the service configuration and contract, CoadX may act as an independent controller, joint controller, processor, service provider, or contractor. We will describe those roles in our contracts and, where required, in supplemental notices. OpenX’s separation between website and exchange processing is a useful reference model, and this Policy follows the same contextual approach within one combined document.

COADS is not targeted at users in Hong Kong, UK/EAA, US. COADS is designed primarily for publishers, advertisers, agencies, DSPs, SSPs, and other business partners operating outside Hong Kong. However, because CoadX is a Hong Kong-registered company and may process personal data across jurisdictions, we provide this Policy on a globally transparent basis and incorporate PDPO-specific rights and procedures.

What this Policy covers

This Policy applies to personal data we collect:

  • directly from you through coad.network, business communications, onboarding, contracting, support, and payment or invoicing processes;
  • automatically through our website, our products, and technologies we or our partners deploy;
  • from third parties, including publishers, SSPs, DSPs, advertisers, agencies,fraud-prevention vendors, analytics providers, hosting providers, payment processors, and other ad-tech or business partners;
  • from public or commercially available sources where lawful.

Where we collect personal data directly from you, we will provide a short-form collection notice or Personal Information Collection Statement (“PICS”) at or before collection if required by PDPO. That notice may appear in a form, a banner, a sign-up flow, or another just-in-time interface and will supplement this Policy.

Personal data we collect

Depending on how you interact with us, the personal data we collect may include the following categories.

Business and account information. Name, work email address, telephone number, company name, job title, country, account credentials, contract details, onboarding records, and communications with us.

Identifiers and online IDs. IP address, cookie ID, advertising ID, device ID, connected TV ID, hashed email address or hashed phone number where used lawfully, account ID, transaction ID, and other pseudonymous identifiers. Under GDPR, online identifiers can constitute personal data; OpenX similarly treats device and online identifiers as core ad-tech data categories.

Device, browser, and network information. Browser type, operating system, language, screen dimensions, app or site information, device model, internet service information, timestamps, technical logs, and diagnostics.

Advertising and bidding data. Bid request and response data, impression data, click data, win/loss data, ad placement information, domain or app bundle, ad slot or inventory information, frequency capping data, campaign performance metrics, attribution data, and anti-fraud or invalid traffic indicators. This category is included because COADS operates as an ad exchange and therefore needs to support auction, delivery, measurement, brand safety, and reporting workflows. OpenX’s exchange policy provides a strong reference for these ad-tech categories.

Behavioral and interest data. Browsing history, interactions with ads or pages, contextual browsing signals, purchase or conversion signals provided by partners, and inferred or modeled interest segments where lawful.

Location data. Approximate geolocation inferred from IP address or other signals, such as country, region, city, or postal-code level location. We do not intentionally collect precise geolocation unless specifically disclosed and legally permitted.

Payment and finance data, if applicable. Billing contact information, business address, tax information, invoice records, payment status, transaction metadata, and limited payment-related details. If card payments are used, payment processors may process full card data on our behalf; we generally receive only the information required for billing, reconciliation, fraud prevention, and support.

Support, compliance, and legal records. Helpdesk tickets, correspondence, grievance records, consent and preference records, identity verification information for rights requests, fraud investigation records, and records needed to comply with legal obligations.

Sources of personal data

We may collect personal data from:

  • you directly;
  • your employer or organization;
  • publishers, advertisers, agencies, DSPs, SSPs, exchanges, and supply or demand partners;
  • hosting, analytics, consent, identity, measurement, attribution, brand-safety, verification, and fraud-prevention vendors;
  • payment processors, auditors, advisers, and professional service providers;
  • publicly available sources and lawful data providers;
  • cookies and similar technologies on browsers, apps, connected TV environments, or other devices, where permitted.

Why we use personal data

We may use personal data for the following purposes:

Website operation and business relationship management. To operate coad.network, respond to contact and demo requests, create or manage accounts, communicate with business partners, negotiate and perform contracts, and provide customer support.

Ad serving, bidding, and marketplace operations. To operate COADS, process bid requests and responses, make or receive bids, deliver ads, perform frequency capping, prevent duplicate delivery, support campaign execution, troubleshoot delivery issues, and maintain logs needed for exchange operations.

Analytics, measurement, and reporting. To understand service usage, measure ad performance, detect errors, prepare business reports, conduct attribution and campaign analysis, and improve product functionality. Where feasible, we use aggregated or de-identified data for analytics and product improvement.

Security, fraud prevention, and compliance. To detect fraud, invalid traffic, malware, brand-safety issues, policy violations, abuse, and security incidents; maintain system integrity; investigate complaints; and comply with applicable laws, court orders, or regulatory requests. PDPO requires practical steps to protect personal data, and GDPR requires technical and organizational measures proportionate to risk.

Billing, accounting, and finance. To issue invoices, process payments, reconcile accounts, collect amounts due, maintain books and records, and comply with tax, audit, or financial reporting duties.

Direct marketing. To send newsletters, product updates, event invitations, whitepapers, surveys, or other promotional communications about CoadX or COADS, but only in accordance with applicable law. If Hong Kong PDPO applies to a direct marketing use, we will obtain the required informed consent, identify the data types and classes of marketing subjects involved, provide a response channel free of charge, and honor opt-out requests without charge.

Lawful bases for EEA, UK, and similar frameworks

If and to the extent GDPR, UK GDPR, Swiss data protection law, or similar laws apply, we process personal data on one or more of the following legal bases:

  • Consent, including for non-essential cookies and similar technologies used for online advertising, tracking, profiling, or certain analytics, where consent is required by law;
  • Performance of a contract or steps prior to entering into a contract;
  • Compliance with a legal obligation;
  • Legitimate interests, including operating and securing our business, preventing fraud, supporting our B2B services, maintaining logs, and improving our products, provided those interests are not overridden by your rights and freedoms.

Where our technologies involve storage or access technologies for online advertising, associated tracking, or profiling, we will rely on consent where applicable law requires it. ICO guidance states that online advertising uses of cookies and similar technologies require consent, and that consent must be actively and clearly given.

Direct marketing notice

If we use your personal data for our own direct marketing, we may use your name, work contact details, organization information, and records of your preferences to market our services, events, content, or offers related to advertising technology, media buying, monetization, analytics, brand safety, fraud prevention, measurement, or related business services. If PDPO applies, we will not do so unless we have first provided the legally required notice and obtained the required consent. On first use for direct marketing, we will notify you of your right to require us to cease such use without charge. You may opt out at any time using the unsubscribe link, the preference center, our webform, or the contact details below.

We do not sell or transfer your personal data to another person for that other person’s direct marketing unless we have separately provided the specific notices and obtained any consent required by law.

Cookies, pixels, and similar technologies

We and our partners may use cookies, pixels, SDKs, local storage, server-side tags, device identifiers, and similar technologies to remember preferences, keep our services secure, measure performance, support advertising functions, and understand interactions with coad.network and COADS. In ad-tech contexts, these technologies may be used to recognize browsers or devices, facilitate frequency capping, support reporting, or—with consent where required—support interest-based advertising and related profiling.

Where required by law, we will obtain your consent before placing or reading non-essential cookies or similar technologies. We will also provide clear information about what the technologies do and why we use them. You can manage preferences through our cookie banner and preference center, browser controls, mobile advertising settings, or other device-level controls. Where legally required, we will honor browser-based opt-out signals such as Global Privacy Control.

How we disclose personal data

We may disclose personal data to the following categories of recipients where relevant to the purposes described above:

  • Affiliates and group entities;
  • Service providers and vendors, such as cloud hosting and infrastructure providers,CDNs, security vendors, anti-fraud vendors, analytics providers, measurement and attribution providers, customer support platforms, email distribution providers, payment processors, auditors, and legal advisers;
  • Ad-tech ecosystem participants, such as publishers, advertisers, agencies, demand-side platforms, supply-side platforms, exchanges, data or identity partners, verification providers, and measurement vendors;
  • Regulators, law enforcement, courts, and public authorities where required or justified by law;
  • Successors and transaction counterparties in connection with a merger, financing, acquisition, reorganization, or sale of assets.
  • Other parties with your direction or consent.

Examples of vendor categories that may process data for us or with us include: hosting/cloud providers, content delivery and logging tools, consent management platforms, identity and matching vendors, DSPs, SSPs, publishers, fraud-prevention vendors, brand-safety and measurement vendors, payment processors, and customer-support or CRM systems. We may publish a separate vendor list or make a current list available on request where appropriate.

International data transfers

We may process and transfer personal data in Hong Kong, Singapore, the EEA, the UK, the United States, and other jurisdictions where we, our partners, or our vendors operate. If personal data is transferred from the EEA, UK, or another jurisdiction with transfer restrictions to a country not recognized as adequate, we will use an appropriate lawful transfer mechanism, such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, an adequacy decision, or another legally recognized safeguard. Where the law requires it, we will assess transfer risk and adopt supplementary measures.

For Hong Kong-related transfers, we recognize that section 33 of the PDPO is not yet in operation, but the PCPD recommends contractual safeguards and due diligence as a best practice. Accordingly, we may use the PCPD’s Recommended Model Contractual Clauses or comparable clauses, together with data processing and onward-transfer restrictions, security requirements, retention controls, and audit rights.

Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, for related compatible purposes, and to satisfy legal, accounting, audit, dispute, and enforcement needs. Our retention schedule is reviewed and updated periodically. PDPO requires that personal data not be kept longer than necessary, and GDPR applies the storage-limitation principle.

Our current standard retention ranges are as follows, unless a different period is required by law, contract, litigation hold, or a documented business or security need:

  • Website and security logs: usually 30 to 180 days, and up to 12 months for security investigations.
  • Contact, demo, and sales inquiry records: usually 12 to 24 months after the last meaningful interaction.
  • Support records: usually 12 to 24 months after closure, longer where needed for recurring issues or disputes.
  • COADS bidstream, request/response, and event-level identifiers: usually 30 to 90 days.
  • Fraud, invalid traffic, abuse, and security investigation data: usually 90 days to 24 months, depending on severity and recurrence.
  • Cookie or device-based preference records and opt-out/suppression records: for the life of the preference plus a reasonable compliance period.
  • Contract, billing, tax, and accounting records: for the term of the relationship and usually up to 7 years thereafter.
  • Aggregated or de-identified analytics: may be retained longer where no longer identifiable or where the data is kept in a form that does not reasonably identify individuals.

Security

We use technical and organizational measures designed to protect personal data against unauthorized or accidental access, processing, erasure, loss, alteration, or use. Depending on the system and risk, these measures may include encryption in transit, encryption or other protections at rest where appropriate, pseudonymization or hashing, role-based access control, least-privilege access, multi-factor authentication, network segmentation, logging and monitoring, vulnerability management, malware protection, backup and recovery procedures, secure deletion, vendor due diligence, contractual security obligations, confidentiality commitments, and incident response plans. GDPR Article 32 and PDPO DPP4 both require risk-appropriate safeguards of this kind.

No system can be guaranteed to be perfectly secure. If we become aware of a personal data incident, we will assess it promptly and notify affected individuals, regulators, and counterparties where required by law or where notification is otherwise appropriate. Under Hong Kong guidance, breach notification is encouraged even though not universally mandatory, and under GDPR certain breaches must be documented and in some cases notified.

Your rights and how to exercise them

Depending on your location and the law that applies, you may have rights to access, correct, delete, restrict, object to, or receive a portable copy of your personal data, to withdraw consent, and to complain to a regulator. Under GDPR-style regimes, requests under Articles 15 to 22 are ordinarily answered without undue delay and within one month, subject to extension where permitted; such requests are generally free of charge unless manifestly unfounded or excessive. Under PDPO, data subjects may request data access and data correction; DARs and DCRs should generally be handled within 40 days, a reasonable and non-excessive fee may be charged for a DAR where permitted, and no fee may be charged for complying with a DCR.

If your request relates to COADS pseudonymous identifiers, we may ask you to provide information that helps us identify your records, such as a cookie ID, advertising ID, browser or device information, and evidence that the relevant browser or device is yours. This is a common operational issue in ad-tech privacy rights handling and is also reflected in OpenX’s approach.

If you are a resident of certain U.S. states, you may also have rights to know/access, delete, correct, and opt out of the sale, sharing, or targeted advertising use of personal information, subject to exceptions and verification requirements. If legally required, we will honor a valid Global Privacy Control signal as an opt-out request for the browser or device that sent it.

To exercise your rights, please use any of the following methods:

  • Email: privacy@coad.network

We may need to verify your identity before acting on a request. If we do not act on your request, we will explain why, subject to legal limits. If you are unhappy with our response, you may complain to the PCPD in Hong Kong, your EEA supervisory authority, the ICO in the UK, or another competent authority in your jurisdiction, as applicable.

Children’s privacy

coad.network and COADS are not directed to children, and we do not knowingly collect personal data from children for behavioral advertising in contexts where this would be prohibited. We do not intentionally design COADS to target users in Hong Kong, and we do not intend COADS to be a consumer-facing service for children. If we learn that we have collected personal data from a child in a manner that requires deletion, parental authorization, or stronger safeguards under applicable law, we will take appropriate steps. PCPD and ICO guidance both expect stronger privacy protections where an online service is likely to be accessed by children.

Changes to this Policy

We may update this Policy from time to time to reflect changes in our products, processing activities, partners, legal requirements, or compliance practices. If we make material changes, we will post the updated version on coad.network, update the “Last updated” date, and where required provide a more prominent notice or seek refreshed consent. OpenX follows the same general update model, and GDPR/PDPO transparency principles support this approach.

Contact details and dispute resolution

If you have questions about this Policy, our privacy practices, or your rights, please contact:

  • COAD SOLUTIONS LIMITED
  • Attention: Data Protection Officer / Privacy Team
  • Address: Unit 1411, 14/Floor, Cosco Tower, 183 Queen's Road Central, Sheung Wan, Hong Kong
  • Email: privacy@coad.network

We encourage you to contact us first so that we can try to resolve your concern promptly. If a complaint cannot be resolved internally, you may lodge a complaint with an applicable supervisory or regulatory authority, including the PCPD in Hong Kong, the ICO in the UK, or the relevant data protection authority in the EEA. Nothing in this Policy limits any statutory right of complaint or legal remedy you may have.