Skip to content
HighAdsROI
ข้อกฎหมาย

Privacy Policy

How HighAdsROI collects, uses, and protects information across the eleven Asia-Pacific markets we serve.

Last updated: · Version 1.0

This policy is provided in good faith and reflects our practices as of the last-updated date. Where local law in your market grants you stronger rights, those rights apply.

1. Who we are

HighAdsROI ("we", "us", "our") provides server-side ad-measurement infrastructure (server-side Google Tag Manager, Meta Conversions API, TikTok Events API, LINE Conversion API) deployed inside our customers' own Google Cloud Platform tenancies. For the purposes of this policy:

  • Visitors of this website: we are the data controller for the limited information described below.
  • Our customers' end-users: their ad measurement data is processed inside the customer's GCP. We are the processor; the customer is the controller. See the Data Processing Addendum for that relationship.

2. What we collect (this website)

  • Form submissions: name, work email, company, role, primary market, monthly event volume, and free-text message you provide on the demo request form.
  • Technical data: IP address (truncated before storage), user agent, referrer, request timing, and Cloudflare-derived country code.
  • Cookies and similar technologies: see Cookie Policy. Strictly-necessary cookies only by default; analytics and marketing cookies require explicit consent.

3. Why we collect it (lawful basis)

  • Performance of a contract / pre-contract (GDPR Art. 6(1)(b), AU APP 6, NZ IPP 10): responding to your demo request and onboarding you as a customer.
  • Legitimate interests (GDPR Art. 6(1)(f)): site security, fraud prevention, abuse mitigation. We balance this against your privacy and never use the data for profiling without consent.
  • Consent (GDPR Art. 6(1)(a), TH PDPA, JP APPI): analytics and marketing cookies, newsletter subscription.
  • Legal obligation: tax records, regulator requests, accounting requirements.

4. Who we share with

We share only the minimum data necessary, with vetted sub-processors. The current list is on our Sub-processors page. As of last update, it includes:

  • Cloudflare (CDN, DDoS protection, Pages hosting)
  • Google Cloud Platform (Firestore, BigQuery — for our customers' tenancies; we do not store your website-visitor data here)
  • HubSpot (CRM, demo request handling)
  • Slack (internal team notifications, no PII forwarded)
  • Sentry (error monitoring, scrubbed of PII)

We do not sell personal information. We do not share it with ad platforms from this website (we are the producer of an ad-measurement product, not an advertiser).

5. Storage and retention

  • Demo requests: 24 months from last interaction, then deleted unless required by law (e.g. accounting).
  • Server logs: 90 days, then aggregated and deleted.
  • Cookies: see Cookie Policy for per-cookie retention.
  • Backups: rolling 35 days, encrypted at rest.

You may request earlier deletion at any time (see Section 6).

6. Your rights

Subject to your local law, you can:

  • Access the personal information we hold about you.
  • Correct it if inaccurate.
  • Delete it ("right to be forgotten" / erasure).
  • Restrict our processing, or object to it.
  • Receive a portable copy.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the regulator in your market (see Section 13).

Email privacy@highadsroi.com. We will verify your identity and respond within 30 days (or the period required by your local law, whichever is shorter).

7. Cross-border transfers

Where data needs to leave its country of origin (for example, demo requests from EU residents being processed in our HubSpot account), we rely on:

  • Standard Contractual Clauses (EU SCCs, UK IDTA, AU equivalent).
  • Adequacy decisions where available.
  • Your explicit consent where strictly necessary.

Your customers' end-user data does not cross borders — it stays in your GCP region (Sydney, Tokyo, or Singapore). That's the entire premise of this product.

8. Cookies

See the dedicated Cookie Policy.

9. Security

See the dedicated Security page. Highlights:

  • TLS 1.3 in transit, AES-256 at rest.
  • SHA-256 hashing of PII before any analytics storage.
  • OIDC + audience verification on all internal automation routes.
  • SOC 2 Type II in progress; ISO 27001 on roadmap for 2026.

10. Children

This website is for B2B audiences. We do not knowingly collect data from anyone under 16 (or the equivalent age in your jurisdiction). If you believe we have, contact us and we will delete it.

11. Changes to this policy

Material changes will be announced 30 days in advance via email to customers and via a banner on this site. Non-material changes (clarifications, typo fixes) are versioned and dated below.

12. Contact

Data Protection Officer: dpo@highadsroi.com
General privacy: privacy@highadsroi.com

13. Jurisdiction-specific notices

Australia

Under the Australian Privacy Act 1988 (as amended in 2024), our Australian Privacy Principles (APP) Compliance contact is the DPO above. The Office of the Australian Information Commissioner (OAIC) handles complaints we cannot resolve.

New Zealand

The Office of the Privacy Commissioner (privacy.org.nz) is the relevant supervisory authority. We comply with the Privacy Act 2020 and the 2023 amendments.

European Union / United Kingdom

Where GDPR or UK GDPR apply, the DPO is the controller's representative. EU data subjects can lodge complaints with their local supervisory authority.

Japan

We comply with the APPI as amended in 2022, including external transmission rules and third-party-disclosure consent requirements.

Thailand

Under the PDPA 2019, this policy is provided in Thai on the corresponding language page. Cross-border transfer disclosures are above.

Singapore

Compliant with PDPA 2012 and the Do-Not-Call register. Our Singapore DPO contact is the same as above.

Other markets (HK, TW, MY, VN, ID, PH)

We comply with PDPO (Cap. 486), the Personal Information Protection Act, PDPA 2010 (as amended in 2024), PDPL Decree 13/2023, UU PDP 2022, and DPA 2012 respectively. Per-market DPO contact details are available on request.

This document is the master English version. Translations are provided for convenience; in case of conflict, the English version controls except where local law requires otherwise.