Data Processing Addendum

Last Updated: 15 June 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service and any applicable Publisher Agreement between H&T GAMING ("Processor", "we", "us") and the publisher or client ("Controller", "you") and governs the processing of personal data by H&T GAMING on behalf of the Controller in connection with our advertising technology services.

This DPA is designed to comply with the requirements of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection legislation. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Protection Laws" means the UK GDPR, EU GDPR, the Data Protection Act 2018, the ePrivacy Directive, and any other applicable data protection legislation.
  • "Sub-processor" means any third party engaged by H&T GAMING to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable individual to whom the Personal Data relates.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

3. Scope and Purpose of Processing

H&T GAMING processes Personal Data solely for the purpose of providing advertising technology services to the Controller, including:

  • Serving, delivering, and optimising digital advertisements on the Controller's properties.
  • Conducting real-time bidding auctions and programmatic ad transactions.
  • Measuring and reporting on ad performance, viewability, and revenue.
  • Detecting, preventing, and filtering invalid traffic and fraudulent activity.
  • Ensuring compliance with advertising policies and regulations.

Categories of Personal Data Processed

  • IP addresses (full or truncated).
  • Device identifiers and advertising IDs.
  • Browser and device information (user agent, screen resolution, language).
  • Cookie identifiers and tracking pixel data.
  • Geolocation data (country, region, city level).
  • Page URL and referring URL data.

Categories of Data Subjects

  • End users and visitors of the Controller's websites, mobile applications, and CTV platforms.

4. Obligations of H&T GAMING (Processor)

H&T GAMING shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit, access controls, and regular security assessments.
  • Not engage another processor (Sub-processor) without prior general or specific written authorisation from the Controller.
  • Assist the Controller in responding to Data Subject requests to exercise their rights under applicable Data Protection Laws.
  • Assist the Controller in ensuring compliance with data security, breach notification, data protection impact assessment, and prior consultation obligations.
  • At the Controller's choice, delete or return all Personal Data upon termination of the services, unless retention is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

5. Obligations of the Controller

The Controller shall:

  • Ensure that it has a valid legal basis for the processing of Personal Data and the transfer of such data to H&T GAMING.
  • Implement and maintain an appropriate Consent Management Platform (CMP) on its properties to obtain and manage end-user consent where required by applicable law, including for advertising cookies and personalised advertising.
  • Comply with applicable transparency and notice obligations towards Data Subjects.
  • Ensure that its instructions to H&T GAMING are lawful and do not cause H&T GAMING to breach any applicable Data Protection Laws.
  • Integrate the Google Transparency and Consent Framework (TCF) where serving advertisements within the European Economic Area or United Kingdom.

6. Sub-processors

The Controller provides general authorisation for H&T GAMING to engage Sub-processors. H&T GAMING shall:

  • Impose contractual obligations on Sub-processors that are no less protective than those in this DPA.
  • Remain fully liable for the acts and omissions of its Sub-processors.
  • Notify the Controller of any intended changes to Sub-processors, providing the Controller with the opportunity to object within 14 days.

Current Sub-processors

  • Google LLC (United States) — Ad serving, programmatic advertising, and analytics via Google Ad Manager, AdX, and Google Analytics. Privacy Policy
  • Prebid.org ecosystem partners (Various) — Header bidding demand partners as configured for your inventory.
  • Amazon Web Services (AWS) (United States) — Cloud computing infrastructure and data processing. Privacy Policy
  • Google Cloud Platform (GCP) (United States) — Cloud infrastructure, compute, and analytics services. Privacy Notice
  • Contabo GmbH (Germany) — Dedicated and virtual server hosting. Privacy Policy
  • Hostinger International Ltd (Lithuania) — Web hosting and domain services. Privacy Policy
  • Hetzner Online GmbH (Germany) — Dedicated server and cloud hosting infrastructure. Privacy Policy
  • Cloudflare, Inc. (United States) — Content delivery, DDoS protection, DNS, and web security services. Privacy Policy

7. International Transfers

Where Personal Data is transferred to countries outside the United Kingdom or European Economic Area that have not been deemed to provide an adequate level of data protection, H&T GAMING shall ensure that appropriate safeguards are in place. These safeguards may include Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office or the European Commission, binding corporate rules, or reliance on an adequacy decision.

8. Security Measures

H&T GAMING implements and maintains the following technical and organisational security measures:

  • Encryption: TLS 1.2+ encryption for all data in transit; encryption at rest for stored Personal Data.
  • Access Control: Role-based access controls, multi-factor authentication for administrative access, and principle of least privilege.
  • Monitoring: Continuous monitoring of systems for security threats, intrusion detection, and anomalous activity.
  • Incident Response: Documented incident response procedures with defined escalation paths.
  • Business Continuity: Regular backups, disaster recovery procedures, and redundant infrastructure.
  • Personnel: Confidentiality agreements for all staff with access to Personal Data; regular data protection training.

9. Security Incident Notification

In the event of a Security Incident involving Personal Data processed on behalf of the Controller, H&T GAMING shall:

  • Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the incident.
  • Provide sufficient information to enable the Controller to fulfil its own breach notification obligations under applicable Data Protection Laws.
  • Take reasonable steps to mitigate the effects of the Security Incident and prevent further occurrences.
  • Cooperate with the Controller and provide all information and assistance reasonably requested in relation to the incident.

10. Data Subject Rights

H&T GAMING shall promptly assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. Where H&T GAMING receives a Data Subject request directly, we shall promptly redirect the request to the Controller unless otherwise instructed.

11. Data Retention and Deletion

Upon termination of the services or upon the Controller's written request:

  • H&T GAMING shall delete or return all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.
  • Upon request, H&T GAMING shall provide written confirmation of the deletion.
  • Aggregated and anonymised data that cannot identify individual Data Subjects may be retained for analytics and reporting purposes.

12. Audit Rights

H&T GAMING shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct or commission an independent third-party audit of H&T GAMING's processing activities, subject to reasonable notice (at least 30 days), during normal business hours, and no more than once per calendar year, unless a Security Incident or regulatory investigation necessitates additional audits.

13. Duration and Termination

This DPA shall remain in effect for the duration of the service relationship between H&T GAMING and the Controller. The obligations relating to confidentiality, data deletion, and security shall survive termination of this DPA. In the event of any termination or expiration, the provisions of Section 11 (Data Retention and Deletion) shall apply.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law principles. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. Contact

For questions regarding this Data Processing Addendum, please contact: