GDPR Compliance
Last updated: April 22, 2026
Our Commitment to GDPR
Ciaro is fully committed to GDPR compliance. As a click fraud detection and PPC optimization platform, we process personal data (primarily IP addresses and device data) to identify fraudulent activity. We've built our platform from the ground up with data protection principles at its core.
Lawful Basis for Processing
We process personal data under the following legal bases:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| IP addresses | Legitimate interest | Fraud detection & prevention |
| Device fingerprints | Legitimate interest | Identifying repeat fraudulent actors |
| Click behavior data | Legitimate interest | Distinguishing bots from real users |
| Session replays | Consent (your end users) | Behavioral analytics & UX optimization |
| Account info | Contract performance | Service delivery & billing |
Data Processing Roles
Ciaro as Data Processor
When analyzing click traffic on your website, Ciaro acts as a Data Processor on your behalf. You (our customer) are the Data Controller. We process data only according to your instructions and the terms of our Data Processing Agreement (DPA).
Ciaro as Data Controller
For your account information (name, email, billing) and our direct marketing, Ciaro acts as the Data Controller.
Data Processing Agreement (DPA)
We provide a comprehensive DPA to all customers that covers:
- Scope and purpose of data processing
- Sub-processor disclosures and notification obligations
- Data transfer mechanisms (Standard Contractual Clauses)
- Technical and organizational security measures
- Data breach notification procedures
- Data subject rights assistance
To request a signed DPA, contact dpo@ciaro.click.
Data Subject Rights
Ciaro supports all GDPR data subject rights:
- Right of Access (Art. 15): Request a copy of all personal data we process about you
- Right to Rectification (Art. 16): Correct inaccurate personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
For your website visitors: If a visitor to your website requests access to or deletion of data collected by Ciaro's script, contact us and we will assist you in fulfilling the request within 30 days.
International Data Transfers
When transferring personal data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with all sub-processors
- Adequacy Decisions: Where applicable, we use providers in countries recognized by the EU as providing adequate protection
- Supplementary Measures: Additional technical safeguards including encryption and pseudonymization
Privacy by Design & Default
Our platform implements GDPR's privacy by design principles:
- Data Minimization: We collect only the data necessary for fraud detection — no unnecessary personal data
- Automatic Masking: Sensitive form inputs (passwords, credit cards, personal fields) are masked at the browser level before transmission
- Pseudonymization: IP addresses and device data are hashed after the active fraud analysis window (90 days)
- Purpose Limitation: Data collected for fraud detection is never used for advertising, profiling, or sold to third parties
- Storage Limitation: Strict retention periods with automatic deletion (30 days for session replays, 90 days for click data)
Cookie Compliance
Ciaro's fraud detection uses a single first-party, strictly necessary cookie for session integrity. This cookie:
- Contains no personal information
- Is classified as "strictly necessary" under the ePrivacy Directive (fraud prevention)
- Does not require consent under most EU data protection authority guidance
- Is not used for tracking, advertising, or profiling
For session replay and heatmap features (analytics cookies), we provide a consent management integration that respects your visitors' cookie preferences.
Breach Notification
In the event of a personal data breach, Ciaro will:
- Notify affected customers within 72 hours of becoming aware of the breach
- Provide details of the nature, scope, and likely consequences of the breach
- Describe measures taken to address and mitigate the breach
- Assist you in fulfilling your own notification obligations to supervisory authorities and data subjects
Sub-Processors
We maintain a current list of sub-processors and notify customers before adding new ones, providing an opportunity to object. Current sub-processors include cloud infrastructure, payment processing, and email delivery services.
Request our full sub-processor list at dpo@ciaro.click.
Data Protection Officer
For any GDPR-related inquiries, contact our Data Protection Officer:
dpo@ciaro.click
Ciaro
Office No. 3, Al Wasl Building
Next to Dubai Mall / Burj Khalifa Metro Station
Downtown, Dubai, UAE