Kontext Privacy Policy

Kontext is in the process of joining the IAB Europe Transparency & Consent Framework (TCF) and it complies with its policies and specifications.

When we process personal data of Targeted End Users in the European Economic Area (EEA), United Kingdom, or Switzerland in connection with digital advertising, we do so in accordance with the TCF. This means that:

• Our data processing purposes and legal bases are aligned with the standardized TCF purposes described below.
• We respect consent and objection signals communicated to us via TCF-compliant Consent Management Platforms (CMPs) used by our publisher partners.
• We only process personal data for purposes where appropriate consent has been obtained or legitimate interest has been established and not objected to by the user.
• We honor the TC String (Transparency and Consent String) that accompanies each ad request and only process data in accordance with the permissions encoded therein.

Processing without a CMP:

Some of our publisher partners may not have implemented a TCF-registered CMP. In such cases, our server determines the user's geographic location via IP geolocation. For users identified as being in the EEA/UK, we default to contextual-only processing for standard Purposes (1-10): device identifiers are not used for ad targeting, profiling, or measurement, and no personal data is transmitted to downstream advertising partners for those Purposes. Device identifiers and signals may still be processed under Special Purposes (SP1-3). For users outside the EEA/UK, processing proceeds under applicable local law.

We collect several types of information from and about you when you use our Services, including:

1. Personal Information:

   • Account information. When you create an account with us we will collect personal information such as your name, email address and avatar ("Personal Information").
   • Communication information. We may also collect other information that you provide through your interactions with us, for example, if you request information about our services, interact with our sales team or contact customer support, complete a survey, provide feedback, or post comments, or register for an event or participate in marketing activities ("Communication Information"). We may keep a record of your communications with us and other information you share during these communications.

2. Non-personal Information:

   • Device information. Data that does not identify you, such as your internet connection, internet service provider, browser type, device type, OS, geographic location, and the device you use to access our Services. We collect this information automatically for the improvement of the Services.
   • Usage data. We automatically collect information to track user behavior on the Services, including browsing actions, and patterns including page views, view duration, clicks, and content viewed.
   • Log data. Information automatically sent by your browser or device when you use our Services. Log data includes your Internet Protocol (IP) address, the date and time of your request, and crash logs.

1. How we collect this information:

• Directly from you when you provide it to us.
• Information that you provide when using the Services.
• Information that you provide by filling in forms on our Websites. This includes information provided at the time of registering to use our Services, subscribing to our service, requesting further Services, or when you report a problem with our Services.
• Information that you provide when you contact us.
• Billing information for the payment of your order.
• Automatically as you navigate through the Services. Information collected automatically may include usage details, IP addresses, and information collected through cookies or other tracking technologies.
• We do not collect personal information automatically, but we may aggregate non-personal information that we collect from other sources or that you provide to us.
• From third parties, for example, our business partners.

We use information that we collect about you or that you provide to us, including any personal information:

• To provide our Services to you.
• To provide you with information, products, or Services you request from us.
• To provide you with notices about your account, including expiration and renewal notices.
• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
• To notify you about changes to our Services or any products or Services we offer or provide through it.
• In any other way we may describe when you provide the information.
• For any other purpose with your consent.
• To provide personalized recommendations to you based on your browsing behavior.

We use subprocessors to facilitate our Services.

1. In the event subprocessors who we work with need access to your Personal Information for this purpose, we have entered into agreements to ensure that your Personal Information is processed in accordance with all applicable laws and regulations.

   We only use third party providers that maintain the same or above levels of data protection and security as Kontext.

   We only disclose Personal Information that we collect or you provide as described in this Privacy Policy for the fulfillment of the service.

   Below is a non-exclusive list of our subprocessors:

   • Vercel Inc. (USA)
   • Google LLC (USA)
   • AC PM LLC (Postmark) (USA)
   • Preset, Inc. (USA)
   • SmartyAds, Inc. (USA)
   • LiftOff Mobile, Inc. (USA)

   The list of subprocessors may change as we update or remove some of the above suppliers and/or introduce other suppliers to assist us in the operation of the Platform.

2. We may also disclose your non-personal information:

   • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
   • To enforce or apply our Terms of Service and other agreements, including for billing and collection purposes.
   • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
   • If we undergo a merger, acquisition, or asset sale, non-personal information may be transferred as part of that transaction.

We operate globally and may transfer, store, and process your information in countries outside of your own. These countries may have data protection laws that are different from those of your country. We ensure that any international transfers of your personal information are subject to appropriate safeguards, such as standard contractual clauses approved by relevant regulatory authorities, to ensure the protection of your privacy and personal information.

We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:

• Tracking Technologies. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
• Promotional Offers from the Company. We may periodically send you marketing communications that promote our Services consistent with your choices. You may opt out from receiving such communications by following the unsubscribe instructions in the communication. Please note that we may still send you important service-related communications regarding our products or Services, such as communications about your subscription or account, service announcements or security information.

Targeted End User Choices and Opt-Out

If you are a Targeted End User, you have the following choices regarding how your data is processed:

• Consent management: When you use an application that integrates Kontext ads, the publisher's Consent Management Platform (CMP) will present you with choices about how your data is processed. You can grant or withhold consent for each purpose, and you can change your choices at any time by accessing the privacy settings within the application.
• Device-level controls:
  • iOS (IDFA): Go to Settings > Privacy & Security > Tracking, and disable "Allow Apps to Request to Track." This prevents apps from accessing your IDFA.
  • iOS (IDFV): IDFV is assigned per publisher and cannot be individually reset. Uninstalling all apps from a publisher resets the IDFV.
  • Android (GAID/AAID): Go to Settings > Privacy > Ads, and select "Delete advertising ID" or "Opt out of Ads Personalization."
• Contact us: You may contact us at privacy@kontext.so to exercise your rights, including requesting access to, correction of, or deletion of your personal data.

When we receive a valid opt-out signal or when consent is not provided for a particular purpose, we will not process your data for that purpose. We may still serve non-personalised, contextual advertisements where permitted by applicable law and the user's consent choices.

You can review, correct, update, or delete your personal information by logging into the Services and visiting your account profile page. You may also contact us at privacy@kontext.so to request access to, correct, restrict, transfer or delete any personal information that you have provided to us.

We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

Residents of certain states may have additional personal information rights and choices. Please see the Section 'Your State Privacy Rights' for more information.

U.S. State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia provide their state residents with rights to:

• Confirm whether we process their personal information.
• Access and delete certain personal information.
• Correct inaccuracies in their personal information, taking into account the information's nature processing purpose (excluding Iowa and Utah).
• Data portability.
• Opt-out of Personal Information processing for:
  • targeted advertising (excluding Iowa);
  • sales; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects (excluding Iowa and Utah).
• Either limit (opt-out of) or require consent to process sensitive Personal Information.

The exact scope of these rights may vary by state.

If you are a resident of the European Union you may have additional rights under the General Data Protection Regulation:

• Right of access to your Personal Information - you may at any time ask us to confirm whether or not your Personal Information is being processed, and if so, for what purposes, to what extent, to whom it is made available, for how long we will process it, whether you have the right to correct, delete, limit the processing or raise an objection from where we obtained Personal Information form and whether there is automatic decision-making based on the processing of your Personal Information, including possible profiling. You also have the right to obtain a copy of your Personal Information, the first provision being free of charge, and for the next provision, we may require a reasonable payment of administrative costs.
• Right to rectification - you may at any time request we correct or add to your Personal Information if it is inaccurate or incomplete.
• Right to erasure - you can also request the deletion of your Personal Information from our systems. We will comply with these requests unless we have a legitimate reason not to delete your Personal Information.
• Right to restrict processing - you can ask us to restrict certain processing of your Personal Information. If we restrict certain processing of your Personal Information, this may lead to limits on the use of our Platform and Website.
• Right to data portability - you have the right to receive your Personal Information from us in a structured, commonly used, and machine-readable format for the purpose of transferring Personal Information to another processor.

To exercise any of these rights please contact us at our email address privacy@kontext.so. To appeal a decision regarding a consumer rights request please contact us at the same address.

We retain Targeted End User personal data for a maximum of 365 days from the date of collection for all advertising processing purposes. Specific details:

The 365-day retention period aligns with the IAB TCF consent renewal cycle. When a user's consent expires or is withdrawn, we cease processing their data for the relevant purposes and delete it in accordance with these retention periods.

For Customer (advertiser and publisher) account data, we retain personal information for as long as you use our services, as required by law (for example, to comply with legal tax or accounting requirements), or as otherwise communicated to you. After an account is deleted, your personal information is removed after 30 days, as specified in our terms.

We have implemented steps to protect your personal information from accidental loss and unauthorized accidental loss and unauthorized access, use, alteration, and disclosure. All information you provide is stored on our secure servers behind firewalls. Any payment transactions will be encrypted. However, no security measures are perfect or impenetrable. Therefore, we cannot guarantee the security of your information.

The safety and security of your information also depend on you. If we have given you (or you have chosen) a password to access certain parts of our Services, it is your responsibility to keep this password confidential. Please do not share your password with anyone.

Our website is not for children under 18, and we do not knowingly collect their personal information. If you are under 18, do not use or provide any information on our services. If we discover personal information from a child under 18 without parental consent, we will delete it. If you believe we have information from or about a child under 18, please contact us via email.

The California Code of Regulations defines a "resident" as anyone who is in California for reasons other than temporary or transitory purposes, and anyone domiciled in California who is outside the state for temporary or transitory purposes. All others are considered "non-residents." If you meet the definition of a "resident," we must follow specific rights and obligations concerning your personal information.

The categories of personal information we collect can be found in this Privacy Policy. We do not collect protected classification characteristics under California or federal law, commercial information, or biometric information. If you use an authorized agent to exercise your right to opt out, we may deny the request if the agent doesn't provide proof of valid authorization to act on your behalf.

We may disclose personal information such as user interaction data, device information, or inferred interests to third parties (including ad partners and ad networks) for the purpose of serving behavioral ads or measuring ad performance. These disclosures may be considered a "sale" or "sharing" under California law.

This section describes how the personal information of our Customer's users ("Targeted End Users") may be collected and processed, when a Customer uses Kontext. To summarise, Kontext provides a service to other companies who you have a direct contractual relationship with.

For Targeted End Users residing in the US: Kontext is a service provider within the meaning of The California Consumer Privacy Act of 2018 § 1798.140 (22).

For other Targeted End Users: In respect of Targeted End User data processed for advertising purposes — including ad selection, ad measurement, contextual analysis of conversation content, and profiling — Kontext acts as an independent data controller within the meaning of Article 4(7) of the GDPR. We independently determine the purposes and means of processing this data, including what data our SDK collects, how our AI selects and generates advertisements, which demand-side platforms receive bid requests, and how long data is retained. For certain processing activities performed strictly on behalf of and under the instructions of our publisher or advertiser partners (such as hosting publisher-specified ad configurations), we may act as a data processor within the meaning of Article 4(8) of the GDPR, governed by a data processing agreement with the relevant partner. Where we share Targeted End User data with demand-side platforms, ad exchanges, or other advertising technology partners in the course of real-time bidding, each party acts as an independent data controller for the data it receives.

It is the responsibility of our Customers to ensure they have obtained all necessary consents and approvals from their Targeted End Users to process such data in compliance with applicable data protection laws, and the Kontext Terms and Conditions.

While using our Services, our Customers may be providing us with access to Targeted End Users' personal information to analyze the context of a conversation. This may include:

• Device Information: Technical data such as your IP address, Internet service provider (ISP), device details (including ID, model, manufacturer, operating system, and language settings), browser type, general geographic location (like country or ZIP code, and, if available, more precise latitude and longitude), mobile carrier, Google Advertising ID (GAID/AAID), Identifier for Advertisers (IDFA), Identifier for Vendor (IDFV), and connection speed. We do not collect the Android ID (ANDROID_ID), which is a permanent, non-resettable hardware identifier. All advertising identifiers we access are resettable by the user through their device settings.
• Conversation Content: The full text of user conversations within our publisher partners' applications is transmitted to our servers. Our AI system analyzes this text in real time to understand the conversational context and generate or select contextually relevant advertisements. Conversation text is processed for the purpose of contextual ad selection and is not used to build persistent user profiles unless separate consent is obtained. Raw conversation text is not shared with demand-side platforms or other third parties — only derived contextual signals (such as topic categories) are included in bid requests.
• Usage Information: Data about how you interact with a Customer's app or other websites and applications. This includes form submissions, viewed content, site navigation behavior, referring and exit pages, viewed pages and content, click paths, and timestamps. It also covers information collected through cookies and similar technologies.
• Ad Engagement Data: Information about the ads you're shown and how you respond to them. For example, whether you viewed or clicked on an ad, and if it resulted in actions like making a purchase or downloading an app.
• Location Information: Data that helps us determine your general geographic location. We use non-precise geolocation (country-level and city-level) derived from IP address.

Device information, usage information, ad engagement data and location help us to improve our Services and to deliver a better and more personalized service.

Targeted End Users are assigned a tracking ID to personalise the user's ads and the generated ad content.

Kontext does not make any decisions based solely on automated processing that produce legal effects or significant impact on Targeted End Users. Profiling is carried out for the purpose of generating and providing ads.

How We Process Targeted End User Data Under the IAB TCF

When our publisher partners (such as mobile app operators) serve ads through Kontext, we process Targeted End User data for the following standardized purposes under the IAB Europe Transparency & Consent Framework:

Purpose 1 — Store and/or access information on a device (Legal basis: Consent)

Our SDK, integrated into our publisher partners' mobile applications, accesses the following device identifiers: Google Advertising ID (GAID/AAID) on Android, Identifier for Advertisers (IDFA) on iOS, and Identifier for Vendor (IDFV) on iOS. These identifiers are used to serve, measure, and personalize advertising. We do not set cookies or use web-based local storage. For standard advertising purposes (ad selection, profiling, measurement), access to device advertising identifiers requires the user's explicit consent. Device identifiers may also be processed under Special Purposes (SP1, SP2, SP3) without consent, as described below.

Purpose 2 — Use limited data to select advertising (Legal basis: Legitimate interest, consent where required by the publisher)

We use real-time contextual data to select and deliver relevant advertisements. This includes analysis of the full text of user conversations to understand the current topic, non-precise geolocation data, device type, operating system, language settings, time of day, session metadata, and frequency capping data.

Purpose 3 — Create profiles for personalised advertising (Legal basis: Consent)

With the user's consent, we may build a profile about the user based on their activity over time, including their interactions with ads, topics of conversation, and engagement patterns. This profile is used to understand the user's interests and preferences for delivering more relevant advertising in the future.

Purpose 4 — Use profiles to select personalised advertising (Legal basis: Consent)

With the user's consent, we may use the advertising profile described in Purpose 3 to select and deliver personalised advertisements.

Purpose 7 — Measure advertising performance (Legal basis: Legitimate interest, consent where required by the publisher)

We measure the performance of advertisements by tracking impressions, clicks, conversions, and the effectiveness of different ad formats and creatives. This information is used to provide reporting to advertisers and publishers and to improve our ad serving systems.

Purpose 10 — Develop and improve services (Legal basis: Legitimate interest, consent where required by the publisher)

We use aggregated usage data, ad performance metrics, and system logs to improve our AI-based ad generation and selection algorithms, optimize SDK performance, and enhance service reliability. Data for this purpose is retained for a maximum of 365 days.

Special Purpose 1 — Ensure security, prevent and detect fraud, and fix errors (Legal basis: Legitimate interest)

We monitor ad traffic for fraudulent patterns, use device identifiers (GAID/AAID, IDFA, IDFV) and device signals to detect suspicious activity, and analyze system logs to identify and fix errors in ad delivery. This processing occurs under legitimate interest and does not require the user's consent. As permitted by the TCF, users do not have a right to object to processing under Special Purposes.

Special Purpose 2 — Deliver and present advertising and content (Legal basis: Legitimate interest)

We use device identifiers (GAID/AAID, IDFA, IDFV) and technical information to deliver and render advertisements within publisher applications, including selecting the appropriate ad format, loading creative assets, and presenting ads in the user interface. This processing occurs under legitimate interest and does not require the user's consent.

Special Purpose 3 — Save and communicate privacy choices (Legal basis: Legitimate interest)

We use device identifiers (GAID/AAID, IDFA, IDFV) to associate and communicate user privacy choices across ad serving sessions. When a user grants or withholds consent via the publisher's CMP, we retain that preference and apply it to subsequent ad requests. This processing occurs under legitimate interest and does not require the user's consent.

Device identifiers and basic device signals (IP address, user agent, request metadata) may be processed under Special Purposes regardless of whether Purpose 1 consent has been granted or whether a TC String is present. Special Purposes are necessary for the proper functioning and security of the advertising service.

We may identify devices based on information transmitted automatically, such as user agent, screen resolution, and operating system (Feature 3).

Categories of Data Collected from Targeted End Users (TCF)

In connection with our participation in the IAB TCF, we collect and process: IP addresses, device characteristics, device identifiers (GAID/AAID, IDFA, IDFV), conversation content, browsing and interaction data, non-precise location data, user profiles (with consent), and privacy choices communicated via TCF-compliant CMPs.

Legitimate Interest Claim

Kontext (operated by Halusky Inc.) relies upon legitimate interest for certain data processing activities in connection with its participation in the IAB Europe Transparency & Consent Framework.

Purpose 2 — Use limited data to select advertising:

We have a legitimate interest in using limited, real-time data — including analysis of conversation content — to select and deliver contextually relevant advertisements. We use real-time, contextual signals to select an appropriate advertisement, including analyzing the text of user conversations to understand the current topic, the user's approximate geographic location, device type, and time of day. The impact on data subjects is minimal: conversation text is analyzed for topical relevance only and is not shared in raw form with third parties. The use of conversation content for contextual relevance is analogous to how traditional publishers use page content to select relevant ads. Users retain full control through the publisher's CMP and through their device-level advertising settings. We have assessed that our legitimate interest does not override the interests, rights, or freedoms of data subjects.

Purpose 7 — Measure advertising performance:

We have a legitimate interest in measuring the performance of advertisements served through our platform. We collect data about whether advertisements were displayed, whether users interacted with them, and whether they led to desired outcomes. This data is used to generate aggregate performance reports and improve ad serving effectiveness. The impact on data subjects is minimal, as measurement data is collected as a natural part of the ad serving process. We have assessed that our legitimate interest does not override the interests, rights, or freedoms of data subjects. Users retain the right to object to this processing at any time through the publisher's CMP.

Purpose 10 — Develop and improve services:

We have a legitimate interest in using aggregated usage data, ad performance metrics, and system logs to improve our AI-based ad generation and selection algorithms, optimize SDK performance, and enhance service reliability. The impact on data subjects is minimal, as this processing uses aggregated data and does not create additional risks for data subjects. We have assessed that our legitimate interest does not override the interests, rights, or freedoms of data subjects. Users retain the right to object to this processing at any time through the publisher's CMP.

Special Purpose 1 — Ensure security, prevent and detect fraud, and fix errors:

We have a legitimate interest in monitoring ad traffic for fraudulent patterns, detecting suspicious activity using device identifiers and signals, and analyzing system logs to fix errors. This is necessary for the proper functioning and security of the advertising service. As permitted by the TCF, this is a Special Purpose and does not offer a right to object.

Special Purpose 2 — Deliver and present advertising and content:

We have a legitimate interest in using device identifiers and technical information to deliver and render advertisements within publisher applications. This is necessary for the technical delivery of the advertising service. As permitted by the TCF, this is a Special Purpose and does not offer a right to object.

Special Purpose 3 — Save and communicate privacy choices:

We have a legitimate interest in using device identifiers to associate and communicate user privacy choices across ad serving sessions. This is necessary to ensure consent signals are respected consistently. As permitted by the TCF, this is a Special Purpose and does not offer a right to object.

Device Storage Disclosure

In accordance with TCF requirements, we publish a machine-readable disclosure of our device storage practices at: https://megabrain.co/.well-known/device-storage-disclosure.json

If we make significant changes to how we handle your personal information, we will notify you through a notice on this page. The date the Privacy Policy was last updated is at the top of the page.

To ask questions or comment about this Privacy Policy and our privacy practices, contact our data protection officer at:

Halusky Inc.
3550 South Dupont Highway,
19901 Dover, DE
United States of America
privacy@kontext.so

EU Representative (Article 27 GDPR):

Andrej Kiska
Namesti Republiky 1081/7
110 00 Praha 1
Czech Republic
andrej@kontext.so