Last updated: August, 2025
This Data Processing Addendum ("Addendum") forms an integral part of the Advertiser Terms and Conditions ("Principal Agreement") available at https://www.lospollos.com/advertisers-terms/, entered into by and between the Company or any of its related entities ("Vendor"), acting on its own behalf and as agent for each Vendor Affiliate (as defined below) and you ("the Advertiser") acting on its own behalf and as agent for each Advertiser Affiliate (as defined below). This Addendum sets forth the parties' mutual agreement concerning the processing of the Advertiser Data (as defined below) in connection with the Services.
By continuing to access or use the Services, the Advertiser expressly acknowledges that it has read, understood, and agreed to be bound by the terms of this Addendum. If the Advertiser does not agree with the terms set forth herein, it must immediately cease all use of the Services.
Unless otherwise defined in this Addendum, all capitalized terms shall have the meanings ascribed to them in the Principal Agreement. In all other respects, the terms and conditions of the Principal Agreement shall remain unchanged and in full force and effect, except as expressly amended by this Addendum.
In consideration of the mutual obligations set forth herein, the parties agree that the following terms and conditions shall be incorporated as an Addendum to the Principal Agreement.
1. Definitions and Interpretation
1.1 In this Addendum, the following terms shall have the meanings set out below, and cognate terms shall be construed accordingly:
1.1.1 "Applicable Data Protection Laws" means all applicable laws, regulations, and regulatory requirements relating to the protection, privacy, and security of Personal Data, including but not limited to: the General Data Protection Regulation (EU) 2016/679 (GDPR); the national data protection laws of the European Union Member States implementing or supplementing the GDPR; the UK Data Protection Act 2018 and UK GDPR; the Swiss Federal Act on Data Protection (FADP); the California Consumer Privacy Act (CCPA), as amended; any other applicable data protection or privacy laws, rules, or regulations governing the Processing of Personal Data under this Addendum;
1.1.2 "Advertiser Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the Advertiser, where "control" means: (i) the ownership of more than 50% of voting securities; (ii) the power to direct or cause the direction of management or policies, whether by contract, ownership, or otherwise;
1.1.3 "Advertiser Group Member" means the Advertiser or any Advertiser Affiliate;
1.1.4 "Advertiser Data" means any Personal Data processed by Vendor on behalf of an Advertiser Group Member pursuant to or in connection with the Principal Agreement;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "Instructions" means the documented, lawful, and binding written or electronic instructions issued by the Advertiser (or an Advertiser Affiliate) to Vendor regarding the specific manner in which Vendor shall process Advertiser Data, in accordance with the scope of the Services and this Addendum.
1.1.7 "Vendor Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with Vendor, where "control" means: (i) the ownership of more than 50% of voting securities; (ii) the power to direct or cause the direction of management or policies, whether by contract, ownership, or otherwise;
1.2 The following terms shall have the meaning ascribed to them under Applicable Data Protection Laws, and cognate terms shall be construed accordingly: "Business", "Commission", "Controller", " Data Subject ", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor", "Sub-processor" and " Supervisory Authority ", "Service Provider".
1.3 The term "include" (and derivatives such as "including") shall mean "include without limitation". References to legislation include amendments, replacements, and successor laws. "Writing" includes electronic communications where legally permissible.
2. Roles and Responsibilities in Data Processing
2.1 For the purposes of this Addendum and under Applicable Data Protection Laws, when the Advertiser uses the Services and instructs the Vendor to process Advertiser Data on behalf of an Advertiser Group Member, the Advertiser acts as a Controller (or a Business, as defined under the CCPA), and the Vendor acts as Processor (or a Service Provider, as defined under the CCPA). The Vendor shall process such Advertiser Data solely on the basis of the Advertiser's documented Instructions and exclusively for the purposes outlined in this Addendum and the Principal Agreement.
The Vendor shall process Advertiser Data strictly for the purpose of providing and facilitating access to the Services in accordance with the Principal Agreement, including activities necessary to maintain, develop, enhance, and improve the features and functionality of the Services. All such Processing shall be conducted in accordance with Applicable Data Protection Laws, this Addendum, and the Principal Agreement.
As the Controller, the Advertiser determines the purposes and means of Processing Advertiser Data. The Advertiser is solely responsible for ensuring that its use of the Services and the associated Processing of Advertiser Data comply with all applicable legal requirements. This includes securing an appropriate lawful basis for processing, providing all required notices to Data Subjects, and obtaining all necessary consents under Applicable Data Protection Laws. The Advertiser shall provide or make available to the Vendor all information reasonably necessary to enable the Vendor to process Advertiser Data in compliance with Applicable Data Protection Laws.
The Vendor's Processing activities may include, without limitation, the collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, alignment or combination, restriction, erasure, or destruction of Advertiser Data, whether such Processing is carried out by automated or manual means.
The Advertiser retains sole responsibility and control over Advertiser Data at all times, including the responsibility for ensuring the legality of the Advertiser Data and the manner in which it was collected.
Each party agrees to fulfill its respective obligations under all Applicable Data Protection Laws. In particular, the Vendor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing activities, as further detailed in this Addendum.
3. Processing of Advertiser Data
3.1 Vendor and each Vendor Affiliate shall:
3.1.1 comply with all Applicable Data Protection Laws in the course of Processing Advertiser Data; and
3.1.2 refrain from Processing Advertiser Data other than in accordance with the documented Instructions of the relevant Advertiser Group Member, unless such Processing is required under Applicable Data Protection Laws to which the Vendor is subject. In such cases, and to the extent permitted by those laws, the Vendor or the relevant Vendor Affiliate shall inform the relevant Advertiser Group Member of the legal requirement prior to carrying out such Processing.
3.2 Each Advertiser Group Member:
3.2.1 instructs Vendor and each Vendor Affiliate to process Advertiser Data; and
3.2.2 warrants and represents that it is, and will continue to be for the duration of the Addendum, duly and lawfully authorized to issue the Instructions on behalf of each relevant Advertiser Affiliate.
3.3 Annex 1 to this Addendum contains specific information regarding the Vendor's Processing of Advertiser Data, as required under Article 28(3) of the GDPR (and, where applicable, similar provisions under other Applicable Data Protection Laws).
3.4 The Advertiser may propose reasonable amendments to Annex 1 from time to time by providing written notice to the Vendor, where such amendments are reasonably necessary to ensure compliance with such legal requirements.
4. Security Measures
4.1 In accordance with Article 32 (1) of the GDPR, the Vendor has implemented and will continue to maintain technical and organizational measures that are reasonably necessary to ensure a level of security appropriate to the risk, and to safeguard the confidentiality, integrity, and availability of Advertiser Data. These measures include, but are not limited to:
(i) information security measures;
(ii) physical security measures;
(iii) access controls to manage and limit data access by personnel and contractors based on role-specific requirements;
(iv) processes for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational security measures in place;
(v) use of advanced password protection techniques, including AES-512 encryption; and
(vi) implementation of multi-factor authentication (MFA) to ensure secure access to systems that process Advertiser Data.
4.2 The Vendor may update its security measures from time to time to adapt to evolving security risks and technological advancements. Upon reasonable request, the Vendor shall provide the Advertiser with a description of the specific security measures applicable to the processing of Advertiser Data.
4.3 The Vendor takes appropriate steps to ensure the reliability, integrity, and trustworthiness of all personnel involved in the Processing of Advertiser Data. Where applicable and legally permissible, this includes conducting background checks proportionate to each individual's role and responsibilities. The Vendor also ensures that its personnel:
(i) are informed of the confidential nature of Advertiser Data and are contractually bound by confidentiality and data use obligations;
(ii) have received training on Applicable Data Protection Laws, specifically in relation to the handling of Advertiser Data and how such laws apply to their duties; and
(iii) understand both the Vendor's obligations and their own individual responsibilities under Applicable Data Protection Laws and this Addendum.
5. Sub-processing
5.1 As of the effective date of this Addendum, the Vendor does not engage any Sub-processors for the Processing of Advertiser Data. Notwithstanding this, each Advertiser Group Member hereby authorizes the Vendor and each Vendor Affiliate to engage Sub-processors (and to permit each Sub-processor appointed pursuant to this Section 5 to further engage additional Sub-processors), subject to compliance with the terms of this Addendum.
5.2 In the event the Vendor appoints Sub-processors, a list of all authorized Sub-processors, including their names, business addresses, and a description of the nature of the Processing they perform, shall be provided as an annex to this Addendum and shall be updated from time to time as necessary.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, the Vendor and each Vendor Affiliate shall assist each Advertiser Group Member by implementing appropriate technical and organizational measures, to the extent reasonably possible, to enable the Advertiser Group Members to fulfill their obligations, understood as reasonably interpreted by the Advertiser, to respond to Data Subjects' requests to exercise their rights under Applicable Data Protection Laws.
6.2 The Vendor shall:
6.2.1 promptly notify the Advertiser in the event it receives a request from a Data Subject exercising their rights under any Applicable Data Protection Laws in relation to Advertiser Data; and
6.2.2 refrain from responding to any such request except in accordance with the documented Instructions of the Advertiser or the relevant Advertiser Affiliate, unless the Vendor is legally required to do so under Applicable Data Protection Laws. In such a case, and to the extent permitted by law, the Vendor shall inform the Advertiser of the legal requirement before responding to the request;
6.2.3 to the extent legally permissible, promptly notify the Advertiser if the Vendor receives a governmental or national security request for access to data relating to the Advertiser or Advertiser Data provided by the Advertiser.
7. Personal Data Breach
7.1 The Vendor shall notify the Advertiser in writing without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Advertiser Data. The notification shall include sufficient information to enable the Advertiser Group Member(s) to fulfill any legal obligations to notify supervisory authorities or affected Data Subjects in accordance with Applicable Data Protection Laws. At a minimum, such notification shall:
7.1.1 describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected, as well as the categories and approximate number of Personal Data records involved;
7.1.2 provide the name and contact details of the Vendor's designated contact person from whom additional information regarding the breach may be obtained.
7.2 The Vendor shall cooperate fully with the Advertiser and any affected Advertiser Group Member and shall take such reasonable commercial steps as may be directed by the Advertiser to assist with the investigation, containment, mitigation, and remediation of the Personal Data Breach.
7.3 The Advertiser shall bear sole responsibility for determining whether to notify any supervisory authority, affected Data Subjects, regulators, law enforcement bodies, or other third parties of the Personal Data Breach, as required under Applicable Data Protection Laws. The Advertiser shall also retain full discretion regarding the content of such notifications and any mitigation measures offered, including remedies or compensation to affected individuals, unless such obligations arise due to a breach of this Addendum or Applicable Data Protection Laws by the Vendor.
7.4 Any notification made by the Vendor under this Section shall not be construed as an admission of fault, liability, or wrongdoing by the Vendor in connection with the Personal Data Breach.
7.5 Notifications regarding a Personal Data Breach shall be delivered to the contact email address designated by the Advertiser for such purposes, or by any other method previously agreed upon by the parties. It is the responsibility of the Advertiser to ensure that the designated contact details remain current, accurate, and secure.
7.6 For the purposes of this Addendum, an "unsuccessful" Personal Data Breach refers to an event that does not result in unauthorized access to, or acquisition of, Advertiser Data stored or processed by the Vendor. Examples of such events may include, without limitation, pings, port scans, denial-of-service attacks, failed log-in attempts, or other similar incidents that do not compromise the confidentiality, integrity, or availability of Advertiser Data. Notification under this Section is not required for unsuccessful Personal Data Breaches.
7.7 Unless the Personal Data Breach is attributable to the Vendor's own acts or omissions in breach of this Addendum or Applicable Data Protection Laws, the Vendor reserves the right to require the Advertiser to reimburse the Vendor for any reasonable expenses incurred in performing its obligations under this Section.
8. Data Protection Impact Assessment and Prior Consultation
8.1 To the extent required under Applicable Data Protection Laws, the Vendor and each Vendor Affiliate shall provide reasonable assistance to each Advertiser Group Member in connection with any data protection impact assessments and prior consultations with supervisory authorities or other competent data protection authorities, where such assessments or consultations are reasonably deemed necessary by the Advertiser under Articles 35 or 36 of the GDPR, or under equivalent provisions of any other Applicable Data Protection Laws.
8.2 Such assistance shall be provided solely in relation to the Vendor's Processing of Advertiser Data, and shall take into account the nature of the Processing and the information reasonably available to the Vendor at the time.
9. Deletion or Return of Advertiser Data
9.1 Upon termination or expiration of the Services, and unless otherwise required under Applicable Data Protection Laws, the Vendor shall, at the Advertiser's written request and choice, either delete (meaning to irreversibly destroy or render Personal Data unrecoverable) or return all Advertiser Data. This obligation is subject to any legal requirements mandating the retention of such data.
9.2 The Vendor may retain Advertiser Data only to the extent required under Applicable Data Protection Laws, and only for the duration and purposes specified by such laws. During any such retention period, the Vendor and each Vendor Affiliate shall ensure the continued confidentiality of all retained Advertiser Data and shall restrict its Processing solely to the purpose(s) mandated by the applicable law requiring its retention.
9.3 Unless otherwise instructed in writing by the Advertiser or required by applicable law, the Vendor will retain Advertiser Data only for as long as necessary to fulfill the purposes of the Agreement. Any additional costs incurred by the Vendor in complying with a request to return Advertiser Data after termination or expiration of the Services shall be borne by the Advertiser.
10. Audit rights
10.1 Upon the Advertiser's written request, and subject to the execution of a mutually agreed non-disclosure agreement that protects the confidentiality of proprietary information, the Vendor and each Vendor Affiliate shall cooperate with audits conducted by any Advertiser Group Member or by an auditor appointed by any Advertiser Group Member in relation to the Processing of Advertiser Data by the Vendor.
10.2 Any Advertiser Group Member intending to conduct an audit shall provide the Vendor or the relevant Vendor Affiliate with reasonable prior written notice of no less than thirty (30) days. The Advertiser shall make, and shall ensure that its appointed auditors make, all reasonable efforts to avoid (or, if avoidance is not possible, to minimize) any damage, injury, or disruption to the Vendor's premises, personnel, equipment, or business operations during the course of such audit.
10.3 The Advertiser may exercise its right to conduct one (1) data protection audit per twelve (12)-month period. Audits shall be conducted during regular business hours, subject to reasonable scheduling arrangements, and shall be limited in scope and duration to what is reasonably necessary to assess the Vendor's compliance with this Addendum and Applicable Data Protection Laws. Audits shall not include access to data, systems, or facilities that are unrelated to the Advertiser or that pertain to other clients of the Vendor.
10.4 The Advertiser shall bear all reasonable costs and expenses associated with the audit, including, without limitation, any fees for time spent by Vendor personnel in connection with the audit, which shall be charged at the Vendor's then-applicable hourly rates. Such rates will be made available to the Advertiser upon request prior to the commencement of the audit.
11. Confidentiality
11.1 The Vendor is committed to maintaining the confidentiality of all Advertiser Data and shall not use or disclose such data to any third party, except in the following limited circumstances:
(i) in accordance with the Advertiser's explicit written instructions;
(ii) as expressly permitted under this Addendum;
(iii) as reasonably necessary to provide, maintain, or improve the Services; or
(iv) as required to comply with applicable laws, regulations, or a valid and binding order issued by a competent governmental or judicial authority (including subpoenas or court orders).
11.2 If the Vendor receives a lawful request for access to Advertiser Data from a governmental or regulatory authority, the Vendor shall make reasonable efforts to direct such authority to request the data directly from the Advertiser. In doing so, the Vendor may disclose the Advertiser's basic contact information to facilitate direct communication.
11.3 If the Vendor is legally compelled to disclose Advertiser Data despite such efforts, the Vendor shall, unless prohibited by law or a binding legal order, provide the Advertiser with prior notice of the request in order to allow the Advertiser to seek a protective order or other appropriate legal remedy.
11.4 The Vendor shall restrict access to Advertiser Data to authorized personnel only and shall impose appropriate contractual obligations on such personnel, including obligations relating to confidentiality, data protection, and data security.
12. Transfers
12.1 Taking into account the nature of the Processing and the information reasonably available to the Vendor, the Vendor shall assist the Advertiser in meeting its obligations related to transfer impact assessments by providing all necessary and relevant information upon request.
12.2 Advertiser Data shall be stored, processed, or transferred only within Switzerland, the European Union (EU), and/or to countries that are the subject of an adequacy decision pursuant to Article 45 of the GDPR and Article 16 of the Swiss Federal Act on Data Protection (FADP). In cases where Advertiser Data is to be transferred to a country that does not ensure an adequate level of data protection, such transfer shall take place only following the conclusion of particular agreements between the Vendor and the said subjects, which will include safeguard clauses and/or appropriate safeguards for the protection of Advertiser Data.
13. Instructions
13.1 In accordance with Applicable Data Protection Laws, the Vendor shall process Advertiser Data strictly in accordance with the Advertiser's documented Instructions. Such Instructions constitute the legal basis for the Vendor's processing activities and ensure compliance with the Advertiser's obligations as the Controller. The Instructions governing the processing of Advertiser Data are set forth in this Addendum and may be further clarified or supplemented through functionalities available within the Services. Any Instructions that fall outside the scope of this Addendum or that require additional operational efforts shall be mutually agreed upon in writing prior to their execution.
13.2 If, at any time, the Vendor reasonably believes that any Instructions from the Advertiser may violate or conflict with Applicable Data Protection Laws, the Vendor shall promptly notify the Advertiser in writing. Upon receipt of such notification, the Advertiser shall have the right to amend or withdraw the non-compliant Instructions. Until such corrective actions are taken, the Vendor may suspend any processing activities related to the disputed Instructions.
13.3 The Advertiser acknowledges and agrees that it retains full responsibility and liability for the legality and content of all Instructions provided to the Vendor. The Vendor shall have no obligation to verify the legality of the Advertiser's Instructions beyond the duty to notify the Advertiser of any apparent non-compliance with Applicable Data Protection Laws.
14. Governing Law
14.1 This Addendum shall be governed by and construed in accordance with the laws of Switzerland, excluding its conflict of laws principles. The parties agree to endeavor in good faith to resolve amicably any dispute, controversy, or claim arising out of or relating to this Addendum.
14.2 Should such efforts fail, any unresolved dispute shall be finally settled by arbitration under the Swiss Rules of International Arbitration administered by the Swiss Arbitration Centre, as in effect at the time the Notice of Arbitration is submitted. The arbitration proceedings shall be conducted in English, and a sole arbitrator shall be appointed.
15. General Terms
15.1 All notices under this Addendum shall be provided in writing and sent to the following contact email address: [email protected].
15.2 This Addendum, together with all applicable policies made available on the Vendor's Website or otherwise provided to the Advertiser by the Vendor, constitutes the entire agreement between the parties concerning the Processing of Advertiser Data. It supersedes all prior negotiations, understandings, and communications, whether written or oral, relating to the subject matter herein.
15.3 In the event of any inconsistency between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement or any subsequent agreements (except where explicitly agreed otherwise in writing and signed by both parties), the provisions of this Addendum shall prevail.
15.4 Should any provision of this Addendum be found to be invalid or unenforceable, such invalidity or unenforceability shall not affect the remaining provisions, which shall continue in full force and effect. The invalid or unenforceable provision shall either (i) be amended as necessary to render it valid and enforceable while preserving the parties' original intent as closely as possible or, if amendment is not feasible, (ii) be interpreted as if such provision had never been included.
15.5 This Addendum shall automatically terminate simultaneously with the termination of the Principal Agreement between the parties.
15.6 Section titles, headings, and the division of this Addendum into sections and other subdivisions are for convenience only and shall not affect the interpretation or construction of this Addendum.
15.7 If either party determines that this Addendum no longer complies with Applicable Data Protection Laws or regulatory requirements, the parties agree to negotiate in good faith to promptly amend this Addendum to ensure continued compliance.
15.8 Neither party may assign or transfer any of its rights or obligations under this Addendum without the prior written consent of the other party.
16. Contact Details
For any questions, comments, or requests relating to this Addendum, please contact: [email protected].
Annex 1
Details of Processing of Advertiser Data
This Annex 1 sets forth certain details regarding the Processing of Advertiser Data.
The subject matter of the Processing under this Addendum is the Advertiser Data. The primary purpose of such Processing is to enable the provision of the Services in accordance with the Principal Agreement. The Vendor shall process Advertiser Data only for as long as necessary to deliver the Services.
1. Categories of Advertiser Data to be processed
The categories of Advertiser Data that may be collected, accessed, or otherwise processed by the Vendor under this Addendum shall be determined solely by the Advertiser acting in its capacity as Controller. Subject to the Advertiser's Instructions, the types of data that may be processed include, but are not limited to, the following:
- IP address
- User Agent
- Country, region, city
- Language
- Email address
- Login nickname
- Password (encrypted using AES-512)
- Device type
- ZIP/postal code
- Age
- Gender
- Date of birth
- Sexual preferences
- Operating system version
- Browser version
The Vendor may also process special categories of Personal Data (as defined under the GDPR) or sensitive Personal Data (as defined under the CCPA), if and only if such Processing is authorized by the Advertiser. Such special or sensitive Personal Data shall only be processed where the explicit consent of the Data Subject (as defined under the GDPR) or a valid opt-in consent (as required under the CCPA, where applicable) has been lawfully obtained and properly documented. All special or sensitive data processed by the Vendor shall have been collected in full compliance with Applicable Data Protection Laws, and the relevant individuals shall have provided freely given, specific, informed, and unambiguous consent for one or more specified purposes.
2. Categories of Data Subject
The Advertiser Data relates to the end-users who access or use the Advertiser's or Advertiser Affiliate's websites or applications, or recipients of the Advertiser's advertisements.
3. Obligations of the Advertiser and Advertiser Affiliates
As the Controller of Advertiser Data, the Advertiser bears primary responsibility for compliance with Applicable Data Protection Laws in respect of the Processing of Advertiser Data and for safeguarding the rights of Data Subjects. In particular, the Advertiser acknowledges, represents, and warrants the following:
(i) the Advertiser has obtained and shall maintain all necessary rights, authorizations, and legal bases required under Applicable Data Protection Laws to enable the Vendor to process Advertiser Data in accordance with this Addendum;
(ii) the Advertiser shall ensure that all Instructions provided to the Vendor relating to the Processing of Advertiser Data comply with Applicable Data Protection Laws and acknowledges sole responsibility for the lawfulness of such Instructions;
(iii) upon redirection by the Vendor of requests received from Data Subjects or competent authorities under Applicable Data Protection Laws, the Advertiser shall respond promptly to such requests or provide the Vendor with appropriate Instructions on how to respond;
(v) the Advertiser shall promptly notify the Vendor of any formal inquiries, investigations, or proceedings initiated by any governmental, regulatory, supervisory, or law enforcement authority relating to the Vendor's Processing of Advertiser Data under this Addendum.
4. Obligations of the Vendor and Vendor Affiliates
In accordance with its role as Processor under Applicable Data Protection Laws, and in addition to specific obligations set out in this Addendum, the Vendor represents and warrants as follows:
(i) the Vendor shall process Advertiser Data solely to the extent and in the manner necessary to provide the Services, in compliance with Advertiser Instructions and Applicable Data Protection Laws and this Addendum;
(ii) the Vendor shall not retain, use, or disclose Advertiser Data for any purpose other than the provision of the Services, outside the direct business relationship between the Advertiser and Vendor, or in any manner prohibited by Applicable Data Protection Laws;
(iii) the Vendor shall not sell, as defined under the CCPA, any Personal Data provided by the Advertiser for Processing under this Addendum;
(iv) the Vendor shall notify the Advertiser promptly if it determines that it can no longer comply with its obligations under Applicable Data Protection Laws, and shall cooperate with the Advertiser to take reasonable and appropriate remedial measures to address any unauthorized Processing of Advertiser Data.