Last Updated: April 2026
1. Introduction
Welcome to Bidkernel (“Bidkernel,” “we,” “our,” or “us”). We operate the website at bidkernel.io and provide a programmatic advertising infrastructure platform (the “Platform”) along with a client-side software development kit (the “SDK”) that runs on publisher websites (collectively, the “Services”).
This Privacy Policy explains how we collect, use, disclose, and protect information when you interact with our Services. It applies to all users of our Services, including publishers who manage ad configurations through our dashboard, visitors to publisher websites where our SDK operates, and visitors to our own website.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are a publisher using our Platform, you are responsible for ensuring that your own privacy policy adequately discloses the use of Bidkernel's SDK and the data collection described herein.
2. Definitions
To help clarify this policy, we use the following terms:
- “Platform Users”: Publishers and their team members who create accounts, log in, and manage ad configurations through the Bidkernel dashboard.
- “End Users”: Visitors to publisher websites where the Bidkernel SDK is installed. End Users do not have a direct relationship with Bidkernel.
- “Website Visitors”: Visitors to bidkernel.io who may browse our marketing pages, join our waitlist, or read our documentation.
- “Personal Data”: Any information that relates to an identified or identifiable individual.
3. Information We Collect
3.1 Platform Users (Dashboard)
When you create an account and use our Platform, we collect:
- Account information: Email address and display name, obtained through our authentication provider (Auth0) via OAuth / OpenID Connect.
- Organization data: Publisher business name, domain, contact email, and optional contact address that you provide when configuring your account.
- Session data: Hashed session tokens and session expiration timestamps used to maintain your authenticated state.
- Configuration data: Ad slot definitions, bidder configurations, environment settings, supply chain parameters, User ID module settings, and other ad stack configuration you create through the dashboard.
- Audit logs: We log configuration changes including the action performed (create, update, delete), the affected entity, the user who made the change, and a diff of the fields that were modified.
- Billing information: Subscription tier, usage metrics (request counts, data processed), and billing period data. Payment processing is handled by Stripe; we store only Stripe customer and subscription identifiers, not your payment card details.
3.2 End Users (Publisher Website Visitors)
When the Bidkernel SDK runs on a publisher's website, it collects the following data from End Users to facilitate ad auctions, measure ad performance, and provide analytics to publishers:
- Identifiers: A randomly generated pageview ID (per page load), a session ID (stored in the browser's localStorage with a 30-minute expiry), and a first-party user ID (stored as a cookie with a 30-day expiry). These are pseudonymous identifiers and are not linked to real names, email addresses, or other directly identifying information.
- Page context: The page URL (origin and pathname only; query strings are stripped) and the publisher domain.
- Device and browser information: Device type (desktop, mobile, or tablet), browser name, device manufacturer, and device model. Browser and device details are derived from the User-Agent header at our ingest servers, not collected client-side.
- Location data: Country (ISO 3166-1 alpha-2 code), region, city, and postal code. This data is derived from the visitor's IP address by our edge network provider (Cloudflare) at the network level. We do not use GPS or precise geolocation APIs. Raw IP addresses are not stored in our analytics data warehouse.
- Ad auction data: Auction identifiers, bid requests sent to demand partners, bid responses received (including bidder name, CPM, currency, ad size, deal ID, media type, latency, advertiser domain, and creative ID), winning bids, and timeout events.
- Ad performance data: Impression events (when an ad is rendered), viewability events (whether the IAB viewability threshold was met), time-in-view duration, click events, and ad refresh events.
3.3 Website Visitors
When you visit bidkernel.io, we may collect:
- Waitlist information: Your email address if you sign up for our waitlist or request early access.
- Server logs: Standard web server log data including IP address, browser type, referring page, and pages visited.
4. Cookies and Tracking Technologies
We use the following cookies and browser storage mechanisms:
4.1 Platform Cookies (bidkernel.io)
- session_token: Secure, HttpOnly authentication cookie (30-day expiry). Essential for maintaining your login session.
- oauth_state: Secure, HttpOnly CSRF protection cookie (10-minute expiry). Used during the OAuth login flow to prevent cross-site request forgery.
4.2 SDK Storage (Publisher Websites)
- First-party user ID cookie: A pseudonymous identifier set on the publisher's domain with a 30-day expiry. Used to provide frequency capping and analytics continuity across visits. This cookie is first-party to the publisher's domain, not to bidkernel.io.
- Session ID (localStorage): A pseudonymous session identifier stored in the browser's localStorage with a 30-minute sliding expiry. Used to group pageviews into sessions for analytics.
4.3 Prebid User ID Modules
Publishers may optionally enable third-party User ID modules through our Platform (e.g., ID5, SharedID, and others). These modules may set their own cookies or use other storage mechanisms to create cross-site advertising identifiers. The privacy practices for these modules are governed by their respective providers' privacy policies. Bidkernel provides the configuration interface but does not control the data collection practices of individual User ID module providers.
4.4 Cookie Sync (Server-to-Server)
When publishers configure Server-to-Server (S2S) bidding through Prebid Server, cooperative cookie syncing may be enabled to allow demand partners to match their user identifiers. This process is initiated by the publisher's configuration and is subject to the privacy policies of the participating demand partners.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To operate the Platform, authenticate users, serve ad configurations, execute ad auctions, and deliver analytics.
- Analytics and reporting: To provide publishers with auction performance data, revenue reporting, fill rates, viewability metrics, and other analytics through the dashboard.
- Billing and metering: To track usage (ad requests, data processed), calculate charges, process payments, and enforce subscription limits.
- Security and integrity: To detect and prevent fraud, abuse, unauthorized access, and technical issues, and to maintain audit trails of configuration changes.
- Communication: To send transactional communications such as usage alerts (at 80%, 100%, and 150% of allowance), account notifications, and early access invitations.
- Improvement: To analyze aggregated usage patterns to improve Platform performance, reliability, and features.
- Compliance: To generate and manage supply chain transparency files (ads.txt and sellers.json) as required by IAB standards, and to comply with legal obligations.
6. Legal Basis for Processing (EEA/UK)
If you are located in the European Economic Area (EEA) or United Kingdom (UK), our legal bases for processing your Personal Data under the General Data Protection Regulation (GDPR) are:
- Contract performance: Processing necessary to provide the Services you have contracted for (Platform Users).
- Legitimate interests: Processing necessary for our legitimate interests in operating, improving, and securing our Services, provided these interests are not overridden by your rights. This includes analytics, fraud prevention, and infrastructure optimization.
- Consent: Where required by applicable law, such as for certain cookies or marketing communications. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with applicable laws, regulations, or legal processes.
7. Data Sharing and Third Parties
We do not sell your Personal Data. We share information only in the following circumstances:
7.1 Sub-Processors
We use the following service providers to operate our infrastructure:
- Auth0 (Okta): Authentication and identity management. Receives: email address and display name during login.
- Cloudflare: Content delivery network, edge compute, DNS, and SSL provisioning. Receives: all HTTP traffic to our Services. Cloudflare derives location data (country, region, city, postal code) from IP addresses.
- Google Cloud Platform (BigQuery): Analytics data warehouse. Receives: aggregated ad auction and performance data (trace events) for analytics queries.
- Stripe: Payment processing. Receives: billing contact information and payment method details. Stripe's privacy policy governs its handling of payment data.
7.2 Demand Partners
During programmatic ad auctions, bid request data (including page URL, device type, ad slot dimensions, and location data) is shared with demand-side platforms (DSPs) and supply-side platforms (SSPs) that the publisher has configured through our Platform. The specific partners vary by publisher configuration and may include exchanges such as Magnite, PubMatic, Index Exchange, and others. Each demand partner's handling of bid request data is governed by its own privacy policy.
7.3 Ad Server Integration
Publishers may integrate with Google Ad Manager (GAM) or other ad servers through our Platform. Data shared with ad servers is determined by the publisher's configuration and the ad server's own data collection practices.
7.4 Other Disclosures
We may also disclose information:
- To comply with applicable law, regulation, legal process, or governmental request.
- To enforce our Terms of Service or protect the rights, property, or safety of Bidkernel, our users, or the public.
- In connection with a merger, acquisition, or sale of assets, in which case the successor entity would be bound by this Privacy Policy.
8. Data Controller and Processor Roles
For Platform Users: Bidkernel acts as the data controller over account information, session data, and billing data that we collect directly from publishers and their team members.
For End Users: The publisher is the data controller over End User data collected through the Bidkernel SDK on their website. Bidkernel acts as the data processor, processing End User data on behalf of and under the instructions of the publisher. Publishers who require a Data Processing Agreement (DPA) in accordance with GDPR Article 28 may request one by contacting us.
9. Data Retention
- Platform User data: Account information and configuration data are retained for as long as your account is active. After account cancellation, data is retained for 90 days to allow for reactivation, then permanently deleted.
- Analytics data (End User): Ad auction and performance data is retained indefinitely while the publisher's account is active. Analytics query access is limited by subscription tier (30 days to unlimited). After 90 days of account inactivity, analytics data is deleted.
- Audit logs: Configuration change audit logs are retained for the duration of the publisher's account plus 90 days after account closure.
- Session data: Session tokens expire after 30 days and are deleted upon expiration or logout.
- Waitlist data: Email addresses are retained until early access is granted or you request removal.
10. International Data Transfers
Our Services are operated from infrastructure located in the United States and served globally through Cloudflare's edge network. If you are located outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities.
For transfers of Personal Data from the EEA or UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. You may request a copy of the applicable safeguards by contacting us.
11. Your Rights
11.1 EEA/UK Residents (GDPR)
If you are located in the EEA or UK, you have the following rights:
- Access: Request a copy of the Personal Data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your Personal Data (subject to legal retention requirements).
- Restriction: Request restriction of processing in certain circumstances.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
- Complaint: Lodge a complaint with your local data protection authority.
For End Users: Because Bidkernel acts as a data processor for End User data, End Users should direct data subject requests to the publisher whose website they visited. The publisher will coordinate with Bidkernel to fulfill such requests.
11.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: Request disclosure of the categories and specific pieces of Personal Data we have collected.
- Right to delete: Request deletion of your Personal Data.
- Right to opt-out of sale: We do not sell Personal Data as defined under the CCPA.
- Right to non-discrimination: We will not discriminate against you for exercising your rights.
To exercise these rights, contact us.
12. Children's Privacy
Our Services are not directed to children under 16 years of age (or the applicable age of consent in your jurisdiction). We do not knowingly collect Personal Data from children. Publishers are responsible for ensuring that their websites where the Bidkernel SDK is installed comply with applicable children's privacy laws, including COPPA. If we learn that we have collected data from a child without proper consent, we will take steps to delete that information promptly. If you believe a child has provided us with Personal Data, please contact us.
13. Data Security
We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit (TLS/HTTPS) for all communications.
- Encryption at rest for stored data.
- Hashed session tokens and API keys (plaintext never stored).
- Role-based access controls and multi-user permission management.
- Audit logging of all configuration changes.
- OAuth 2.0 / OpenID Connect authentication (no passwords stored by Bidkernel).
- CSRF protection on all state-changing operations.
- Secure, HttpOnly, SameSite cookies for session management.
No method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee absolute security.
14. Consent Management
Our Platform supports integration with IAB Transparency and Consent Framework (TCF) consent management modules. Publishers are responsible for implementing appropriate consent mechanisms on their websites in accordance with applicable law. Bidkernel respects consent signals passed through the TCF and will suppress data collection and bid requests where consent has not been obtained, as configured by the publisher.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify Platform Users by email or through an in-app notification at least 30 days before the changes take effect. The “Last Updated” date at the top of this policy indicates when it was last revised. Continued use of the Services after the effective date constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please reach out through our contact form.