Privacy Policy | Perennius Media

Last Updated: April 2026

Effective Date: April 2026

At Perennius Media Limited, we engineer trust through rigorous data stewardship. This policy governs our advertising tracking, data analytics, and anti‑fraud technologies. Rooted in the principles of Data Minimization, Purpose Limitation, and Privacy by Design, our infrastructure processes Telemetry, Heuristics, and Attribution signals exclusively to fortify digital advertising integrity. We do not handle Personally Identifiable Information (PII) in its raw form; instead, we rely on Data Anonymization, Pseudonymization, and ephemeral identifiers that prevent re‑identification of natural persons.

                Key Privacy Principle: Our systems operate on Non‑PII signals. Every data point is either irreversibly anonymized at the ingestion layer or stripped of direct identifiers. We maintain strict Cookies Granularity, never resorting to cross‑site tracking or third‑party cookie syncing.
            

1. Taxonomy of Collected Data

We collect only those data points indispensable for campaign measurement, fraud detection, and probabilistic attribution. All signals are classified into three meticulously segmented strata. No stratum contains PII in its native form.

1.1 Network‑Level Telemetry

This stratum encompasses truncated IP addresses (the final octet is masked), autonomous system numbers (ASN), connection type (e.g., cellular, Wi‑Fi), carrier‑derived metadata, and approximate geolocation derived solely from the truncated IP (granularity limited to city‑level or broader). We do not perform deep packet inspection, nor do we harvest full, unmasked IP addresses. IP truncation occurs at the edge, before any storage or heuristic analysis, rendering the data Non‑PII.

1.2 Device & Browser Heuristic Components

A strictly limited set of device characteristics is used to generate a high‑entropy Device Heuristic Token. These include browser vendor and version, operating system and its major version, screen resolution density category, hashed subsets of installed font metrics, timezone offset, and the hashed WebGL renderer string. Cookies Granularity is maintained at the domain level; we deploy first‑party identifiers exclusively, with no cross‑domain syncing. The resulting token is ephemeral and Non‑PII by design, re‑salted every 24 hours to prevent longitudinal profiling.

1.3 Interaction & Attribution Signals

This category captures impression visibility metrics (viewability percentage), normalized click coordinates (not raw), ad engagement duration, conversion event timestamps, and campaign referrer strings (with query parameters stripped). For Attribution, we employ Probabilistic Matching against anonymized cohorts, avoiding deterministic one‑to‑one reconciliation. All timestamps are rounded to the nearest 15‑minute interval, further obfuscating user‑specific behavioral patterns and upholding Data Anonymization standards.

2. Legal Basis for Processing

Perennius Media Limited acts as a Data Controller for certain processing activities and as a Data Processor when operating on behalf of demand‑side platform (DSP) and supply‑side platform (SSP) partners. Our lawful bases, aligned with Article 6 of the UK GDPR and the EU General Data Protection Regulation, include:

Legitimate Interest: Processing of network and device telemetry for fraud prevention, invalid traffic (IVT) filtration, and security heuristics. We conduct regular Legitimate Interest Assessments (LIA) and Data Protection Impact Assessments (DPIA), documenting the balancing test and mitigation measures.
Consent: Where required under the ePrivacy Directive or local regulations, we rely on explicit, granular consent obtained via a certified Consent Management Platform (CMP). Our tags respect the IAB Europe Transparency & Consent Framework (TCF) v2.2 signals, and we never bypass consent strings.
Contractual Necessity: Attribution and delivery measurement are processed to fulfill contractual obligations with advertisers and publishers, ensuring accurate billing and performance verification.

3. Data Security Architecture

Our security posture is built on a zero‑trust, defense‑in‑depth model. All data in transit is encrypted via TLS 1.3 with perfect forward secrecy; data at rest utilizes AES‑256‑GCM encryption and envelope key management through a FIPS 140‑2 Level 3 hardware security module (HSM). We enforce Attribute‑Based Access Control (ABAC) and require multi‑factor authentication for any human access to production environments. Anomaly detection systems continuously audit access patterns. When generating aggregated insights, we apply Differential Privacy techniques with a strict privacy budget (ε ≤ 1.0), ensuring that individual contributions cannot be reconstructed. Logs are immutable and retained for a strictly limited window before secure purging.

4. Third‑Party Disclosure & Sub‑Processor Ecosystem

We do not sell, rent, or trade raw telemetry data. Disclosures are confined to a vetted list of sub‑processors that perform essential functions such as cloud infrastructure (ISO 27001 certified), fraud analytics, and measurement verification. Each sub‑processor undergoes a rigorous vendor risk assessment, and we mandate adherence to Standard Contractual Clauses (SCCs) for international transfers. In the event a data subject exercises their rights, we contractually obligate all processors to cascade deletion or rectification instructions. A current list of sub‑processors is available upon request to our Data Protection Officer.

5. Global Compliance & GDPR Rights Statement

Perennius Media Limited extends the core rights enshrined in the GDPR to all data subjects globally, regardless of jurisdiction, including those protected by the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and other emerging frameworks. You possess the following enforceable rights with respect to any information that could be considered personal data:

Right of Access — Obtain confirmation and a copy of processed data.
Right to Rectification — Correct inaccurate or incomplete data.
Right to Erasure — Request deletion under specific conditions.
Right to Restriction of Processing — Limit processing in defined circumstances.
Right to Data Portability — Receive data in a structured, machine‑readable format.
Right to Object — Object to processing based on legitimate interests, including profiling for direct marketing.
Rights related to Automated Decision‑Making — We do not engage in solely automated decisions with legal or similarly significant effects.

To exercise any of these rights, please contact privacy@perenniusmedia.com. We will respond within 30 calendar days, verifying your identity through minimal challenge‑response mechanisms. You also have the right to lodge a complaint with your local supervisory authority.

6. Granular Opt‑Out Mechanism: Reclaiming Your Telemetry Footprint

We provide a multi‑layered opt‑out framework that respects Cookies Granularity and device‑level preferences. Because our identifiers are ephemeral by design, opting out ensures that all future data collection ceases and existing heuristics are irreversibly expired.

Browser‑Based Opt‑Out (Cookie Scope): Activate the Global Privacy Control (GPC) signal in your browser, which our systems interpret as a universal objection. Additionally, you may set the perennius_optout first‑party cookie by visiting our dedicated preference center. This cookie persists for 24 months and instructs our edge nodes to drop all subsequent telemetry collection.
Mobile Advertising Identifier Reset: On iOS, navigate to Settings > Privacy & Security > Tracking and disable “Allow Apps to Request to Track.” Then reset your IDFA via Settings > Privacy & Security > Apple Advertising. On Android, open Settings > Privacy > Ads and select “Delete advertising ID.” Our device heuristic token will automatically regenerate, severing any link to previous cohorts.
Industry‑Wide Opt‑Out Platforms: We honor the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) opt‑out tools. Use their web‑based interfaces to broadcast your preferences across multiple AdTech participants, including Perennius Media.
Direct Data Subject Request: Send an email to optout@perenniusmedia.com with the subject line “TELEMETRY ERASURE REQUEST.” Include only the hashed device token (if available) or the approximate timestamp of your last interaction. Our privacy engineering team will manually purge all associated logs and confirm completion within 72 hours.

Upon successful opt‑out, all data collection ceases immediately. Any previously aggregated, anonymized reports remain intact, as they cannot be disaggregated to identify a natural person. The opt‑out is resilient to cookie resets thanks to our server‑side Token Revocation List (TRL), which blocks re‑identification even if a new heuristic token is generated from the same device fingerprint.

7. Data Retention & Lifecycle Governance

Raw telemetry logs are retained for a maximum of 30 days, after which they are converted into aggregated, differentially private statistical models. Pseudonymized device tokens are rotated every 24 hours, and the mapping between old and new tokens is destroyed within 7 days. Attribution windows are capped at 28 days post‑click and 24 hours post‑view. This aggressive lifecycle ensures that no persistent profile can be constructed over time.

8. Data Protection Officer & Contact

Perennius Media Limited
30 N Gould St Ste R, Sheridan, WY 82801, USA
DPO Email: dpo@perenniusmedia.com
General Privacy Inquiries: privacy@perenniusmedia.com

For EU/UK representative inquiries, please contact our designated representative at eu-representative@perenniusmedia.com.

This Privacy Policy is effective as of April 2026 and supersedes all prior versions.