GDPR Compliance

Last updated: January 15, 2025

1. Our Commitment to Data Protection

L3K Network ("L3K," "we," "us," or "our") is committed to protecting the privacy and personal data of individuals in the European Union (EU) and European Economic Area (EEA) in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines how we meet our obligations under the GDPR, the rights available to data subjects, and how those rights can be exercised. We recognize that as a performance marketing network operating globally, we have a heightened responsibility to ensure that personal data is processed lawfully, fairly, and transparently. We have implemented comprehensive technical and organizational measures to ensure compliance with the GDPR across all aspects of our operations.

2. Legal Basis for Processing

Under the GDPR, we must have a valid legal basis for processing personal data. Depending on the context and purpose of processing, we rely on the following legal bases:

  • Contractual Necessity (Article 6(1)(b)): We process personal data when it is necessary for the performance of a contract to which the data subject is a party. This includes processing account registration data, managing advertiser and publisher relationships, tracking conversions, calculating commissions, and processing payments
  • Legitimate Interests (Article 6(1)(f)): We process personal data when it is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by the data subject's rights and freedoms. Our legitimate interests include fraud detection and prevention, network security, platform improvement, and business analytics. We conduct a balancing test for each processing activity to ensure our interests do not unduly impact data subjects
  • Consent (Article 6(1)(a)): Where required, we obtain explicit, informed, and freely given consent before processing personal data. This applies particularly to marketing communications, non-essential cookies, and any processing that goes beyond what is necessary for our contractual or legitimate interest purposes. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal
  • Legal Obligation (Article 6(1)(c)): We process personal data when it is necessary to comply with a legal obligation to which we are subject, such as tax reporting requirements, anti-money laundering regulations, and responses to lawful requests from public authorities

3. Data Subject Rights

Under the GDPR, individuals in the EU/EEA have the following rights regarding their personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the personal data along with information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, and the source of the data where it was not collected directly from you. We will provide a copy of your personal data free of charge in a commonly used electronic format.

Right to Rectification (Article 16)

You have the right to obtain the rectification of inaccurate personal data without undue delay. You also have the right to have incomplete personal data completed, including by providing a supplementary statement. You can update most of your account information directly through our platform dashboard, or you can submit a rectification request to our Data Protection Officer.

Right to Erasure (Article 17)

You have the right to obtain the erasure of your personal data without undue delay where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. Please note that this right is not absolute, and we may retain certain data where we have a legal obligation to do so, or where the data is necessary for the establishment, exercise, or defense of legal claims, including fraud investigations and financial record-keeping requirements.

Right to Restriction of Processing (Article 18)

You have the right to restrict the processing of your personal data where: you contest the accuracy of the data (for a period enabling us to verify accuracy); the processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of our legitimate grounds. When processing is restricted, we will only store the data and will not process it further without your consent, unless for the establishment, exercise, or defense of legal claims or for the protection of the rights of another person.

Right to Data Portability (Article 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV or JSON), and to transmit that data to another controller without hindrance. This right applies where processing is based on consent or contractual necessity and is carried out by automated means. Upon request, we will directly transmit your data to another controller where technically feasible.

Right to Object (Article 21)

You have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on our legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. Where personal data is processed for direct marketing purposes, you have the absolute right to object at any time, and we will cease processing for that purpose immediately.

4. Data Protection Officer

L3K has appointed a Data Protection Officer (DPO) to oversee our compliance with the GDPR and to serve as the primary point of contact for data subjects and supervisory authorities on all matters relating to data protection. Our DPO is responsible for monitoring compliance with data protection policies and the GDPR, advising on data protection impact assessments, cooperating with supervisory authorities, and acting as the contact point for data subjects exercising their rights.

Data Protection Officer

Email: dpo@l3k.com

Address: L3K Network, Data Protection Officer, 85 Broad Street, 16th Floor, New York, NY 10004, United States

5. International Transfers

As L3K is headquartered in the United States and operates a global network, personal data of EU/EEA individuals may be transferred to and processed in countries outside the EU/EEA that may not provide an equivalent level of data protection. To ensure that such transfers comply with the GDPR, we implement the following safeguards:

  • Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with all data importers located outside the EU/EEA, ensuring contractual obligations to protect personal data in accordance with EU standards
  • Adequacy Decisions: Where possible, we transfer data to countries that have received an adequacy decision from the European Commission, confirming that the country provides an adequate level of data protection
  • Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the legal framework of the recipient country and implement supplementary measures where necessary, such as encryption and pseudonymization, to ensure adequate protection
  • Binding Corporate Rules: For intra-group transfers, we maintain binding corporate rules that establish uniform data protection standards across all L3K entities

You may request a copy of the safeguards we use for international transfers by contacting our DPO at dpo@l3k.com.

6. Data Processing Agreements

Where L3K acts as a data processor on behalf of our advertisers or other partners, we enter into Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR. These agreements define the scope and purpose of data processing, the obligations and rights of the data controller, the technical and organizational security measures we implement, the terms for sub-processing, our obligations regarding data subject rights and breach notification, and the procedures for data return or deletion upon termination. We require all sub-processors engaged by L3K to enter into equivalent data processing agreements, ensuring the same level of data protection throughout the processing chain. A current list of our sub-processors is available upon request.

7. Data Breach Notification

In the event of a personal data breach, L3K has established comprehensive breach detection, investigation, and reporting procedures in compliance with Articles 33 and 34 of the GDPR:

  • Supervisory Authority Notification: We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Data Subject Notification: Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay, describing the nature of the breach in clear and plain language, the likely consequences, and the measures taken to address the breach and mitigate its effects
  • Controller Notification: Where L3K acts as a data processor, we will notify the relevant data controller without undue delay upon becoming aware of a personal data breach, providing sufficient information to enable the controller to fulfill its own notification obligations
  • Breach Documentation: We maintain a comprehensive record of all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken, regardless of whether the breach is reportable to the supervisory authority

8. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, L3K conducts Data Protection Impact Assessments (DPIAs) prior to engaging in processing activities that are likely to result in a high risk to the rights and freedoms of individuals. This includes the introduction of new tracking technologies, large-scale profiling activities, automated decision-making processes, and any new processing that involves sensitive categories of data. Our DPIAs systematically assess the necessity and proportionality of the processing, identify and evaluate risks to data subjects, and define measures to mitigate those risks. The results of our DPIAs are reviewed by our Data Protection Officer and are available to supervisory authorities upon request.

9. How to Exercise Your Rights

To exercise any of the rights described in this document, you may submit a request through any of the following channels:

  • Email our Data Protection Officer at dpo@l3k.com
  • Write to us at: L3K Network, Data Protection Officer, 85 Broad Street, 16th Floor, New York, NY 10004, United States
  • Use the data subject request form available in your account dashboard settings

When submitting a request, please include sufficient information to verify your identity and clearly describe the right you wish to exercise. We may require additional information to verify your identity before processing your request. We will acknowledge receipt of your request within 5 business days and will respond substantively within one month. If your request is particularly complex or if we receive a large number of requests, we may extend the response period by an additional two months, in which case we will notify you of the extension and the reasons for the delay within the initial one-month period.

If you are not satisfied with our response to your request, you have the right to lodge a complaint with your local supervisory authority. A list of EU/EEA supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en.

10. Contact

For any questions, concerns, or requests regarding our GDPR compliance or data protection practices, please contact us:

Data Protection Officer: dpo@l3k.com

Privacy Team: privacy@l3k.com

Company: L3K Network

Address: 85 Broad Street, 16th Floor, New York, NY 10004, United States