Privacy Policy (Core) v3.2

1. Hub-and-Spoke Structure

This Core Privacy Policy ("Core Policy") explains how AdBlock Limited ("AdBlock360," "we," "us") processes Personal Data across AdBlock360 services.

1.1 Platform-Specific Addenda

• adblock360.com/privacy-policy/website
• adblock360.com/privacy-policy/desktop

1.2 Cookie Policy

See: adblock360.com/cookies-policy

1.3 Single Source of Truth

General disclosures (rights, retention, international transfers, vendor list) are provided ONLY in this Core Policy. Addenda contain ONLY platform-specific processing details and user controls.

2. Controller (Who We Are)

AdBlock Limited

Company Registration: C 104782 (Malta)
Address: International House, Mdina Road, Mriehel, BKR 3000, Malta
Privacy Contact: privacy@adblock360.com
Support: support.adblock360.com

Data Protection Officer (DPO): We have not appointed a DPO. We periodically assess our obligations under GDPR Article 37 / UK GDPR. For privacy questions, contact privacy@adblock360.com.

3. Definitions

• "Personal Data" means information relating to an identified or identifiable individual.
• "Device Identifier" includes IP address, cookie identifiers, advertising identifiers (e.g., click IDs), and (for Premium licensing) a pseudonymized Hardware ID (HWID).
• "Advertising / Attribution Data" includes campaign parameters, conversion events, and identifiers used to measure and optimize advertising performance.
• "Server-Side Conversion Event" means a conversion/measurement event transmitted from our servers to analytics/advertising platforms, depending on your region and choices.
• "Pseudonymized" means identifiers are transformed (e.g., hashed) but may still relate to an identifiable individual/device.

4. Categories of Personal Data We Process

4.1 Data You Provide

• Account data (email; password hash; optional name; preferences)
• Support communications (ticket content; emails)
• Subscription/licensing status (Free/Premium; license state)

4.2 Data Collected Automatically

• Identifiers and technical data: IP address; timestamps; device/OS/app version; language
• Website identifiers: cookie IDs; advertising IDs/click IDs (where enabled)
• App licensing identifiers (Premium): pseudonymized HWID; device association metadata
• Diagnostics/telemetry identifiers: pseudonymous event IDs and device/app signals (depending on settings)

4.3 Data from Third Parties

• Payment processors: transaction/subscription status; limited payment metadata (no full card numbers)
• Social sign-on (if you choose SSO): email; name; provider user ID
• Advertising/analytics partners: may receive identifiers and conversion events where enabled

5. Purposes of Processing

• Provide services (account, login, subscriptions, Premium licensing and device management)
• Process payments, manage subscriptions, handle refunds/chargebacks; send purchase reminders if checkout is not completed
• Provide customer support and service communications
• Security, abuse prevention, incident handling
• Website analytics, A/B testing, advertising/remarketing and conversion measurement (only where enabled/allowed)
• Legal compliance and enforcement of our terms

6. Legal Bases (EEA/UK)

6.1 Contract (Art. 6(1)(b))

Account services; Premium licensing/activation; subscription management; support.

6.2 Legal Obligation (Art. 6(1)(c))

Tax/accounting; lawful requests.

6.3 Legitimate Interests (Art. 6(1)(f))

Security and fraud/abuse prevention; application diagnostics, crash reporting and limited product telemetry (with user controls; see Desktop Addendum).

6.4 Consent (Art. 6(1)(a))

Non-essential cookies/trackers; advertising/remarketing; certain website analytics where required.

7. Disclosures / Recipients (Vendors)

We share Personal Data with vendors as necessary, under appropriate contractual protections.

7.1 Core Vendor List

• Infrastructure/hosting/CDN: AWS; Google Cloud Platform (GCP)
• Payments: Stripe, PayPal, and other payment methods as available at checkout
• Email delivery: Brevo
• Customer support: Zendesk
• Consent management & cookie scanning (website): Termly
• Website analytics/UX/experimentation (where enabled): Google Analytics; Microsoft Clarity; Convert.com
• Advertising/attribution (where enabled): Google Ads (incl. remarketing, conversion measurement, conversion linker); Voluum
• Error tracking/diagnostics (app, depending on settings): Sentry

7.2 US/California Note

We do not sell Personal Data for money. However, if you enable advertising/remarketing, certain disclosures may be considered "sharing" or "targeted advertising" under US state laws (see Section 11).

8. International Data Transfers

Some vendors may process data outside the EEA/UK (including the United States). Where GDPR/UK GDPR applies, we implement safeguards such as:

• EU SCCs and UK transfer mechanisms (Addendum/IDTA as applicable)
• Adequacy decisions where available
• Supplementary measures where required

Country-specific overseas transfer information for South Korea and Japan is provided in Appendices A and B.

9. Retention

Typical retention periods (unless longer is required by law or for legal claims):

• Account data: active + up to 30 days after deletion request
• Payment/tax records: up to 7 years
• Support tickets: up to 3 years
• Security logs: typically up to 90 days (longer if incident investigation requires)
• Error/crash reports (if enabled): typically up to 90 days (then deleted or aggregated)
• Website analytics (Google Analytics): up to 26 months
• Website analytics (Microsoft Clarity): up to 30 days

9.1 Account Deletion and Payment Data

When you delete your Account, we process your deletion request as follows:

Data we delete from our systems: Your account profile, subscription records, and payment history in our database are deleted after a 30-day soft-delete window (during which you may restore your account).

Data retained on third-party payment platforms: Your customer record on our payment processor (Stripe) is retained after account deletion. This record contains your email address and transaction history. We retain this record for legitimate purposes including tax and accounting compliance (up to 7 years), fraud prevention and chargeback handling, and to ensure you can become a paying customer again if you return. Stripe may also independently retain transaction data under its own legal obligations and privacy policy.

What this means for you: If you return after deleting your account, our payment system will recognize your email and allow you to purchase a subscription without issues. Your previous payment methods are not retained (Stripe removes stored card details when a subscription ends).

• A/B testing (Convert.com): up to 180 days
• Attribution (Voluum): up to 12 months
• Advertising/conversion measurement data: retained per our configuration and partner rules
• Consent records (CMP): typically up to 3 years (auditability and compliance)

10. Security

We use appropriate technical and organizational security measures (access controls, encryption in transit, least privilege, monitoring). No system is 100% secure.

11. Your Privacy Rights and Choices

11.1 EEA/UK (GDPR/UK GDPR)

You may have rights to access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interests. Where we rely on consent, you can withdraw consent at any time.

Complaints (Malta): Office of the Information and Data Protection Commissioner (IDPC), Malta.

11.2 United States (State Privacy Laws incl. CA/CPRA)

Depending on your state, you may have rights to access, delete, correct, portability, and to opt out of:

• Targeted advertising
• Certain profiling (where applicable)
• "Sale" and/or "sharing" (California)

California (CPRA): We provide a "Do Not Sell or Share / Targeted Advertising Opt-Out" mechanism on our website. Where legally required/recognized, we aim to honor opt-out preference signals such as Global Privacy Control (GPC).

11.3 Canada / Australia / Japan / South Korea

We handle access/correction and other requests as required by applicable law. Additional consent/notice requirements may apply to overseas transfers and cookies/trackers (see Appendices).

12. How to Exercise Rights / Contact

Email: privacy@adblock360.com
Subject: "Privacy Rights Request — [Country/State]"

We may verify your identity before processing your request.

13. Children

Our services are not directed to children. We do not knowingly collect Personal Data from children under 13.

If you are in the EEA and under the age at which you can provide consent under applicable law (which may vary between 13 and 16 depending on your country), or if you are in the UK and under 13, please do not use our services or provide Personal Data without parental involvement.

If you believe we have collected Personal Data from a child, contact privacy@adblock360.com and we will delete it.

14. Automated Decision-Making

We do not use automated decision-making producing legal or similarly significant effects on you. We may use automated rules for security/abuse prevention (typically with safeguards and, where appropriate, human review).

15. Changes

We may update this Policy and revise the "Last updated" date. For material changes, we will notify you by email and/or in-app notice at least 30 days in advance.

Appendix A — South Korea (PIPA) Overseas Transfers

If you are in South Korea, overseas transfers may require specific disclosures and/or consent depending on the transfer basis and applicable law. Where required, we provide: items transferred; destination country; date/time/method; recipient name/contact; purpose; retention; and how to refuse and consequences.

Example: AWS

• Recipient: Amazon Web Services, Inc. (AWS)
• Country: United States
• Items: account identifiers, subscription/licensing metadata, pseudonymized device identifiers, security logs, service delivery data
• Purpose: hosting/infrastructure and service operation
• Method: encrypted transmission (TLS/HTTPS) as needed during service use
• Retention: per Section 9

Example: Google (if enabled)

• Recipient: Google (Analytics/Ads)
• Country: United States and/or other locations
• Items: cookie/advertising identifiers, device/browser data, IP-derived signals, conversion events
• Purpose: analytics, advertising/remarketing, conversion measurement
• Method: cookies/trackers and/or server-side conversion events (encrypted)
• Retention: per Section 9 / tool configuration

Appendix B — Japan (APPI) Overseas Transfers

If you are in Japan, transfers of personal information to foreign third parties may require consent specifying the receiving country unless an exception applies (e.g., adequacy/whitelist or equivalent measures implemented by the recipient).

We implement contractual and organizational safeguards with vendors and can provide further information upon request.

Typical recipients may include: AWS (US), Google (US or other locations), and other vendors listed in Section 7, depending on your use and choices.