01 — Introduction
Overview & Scope
At Topsort, we take the protection of personal information seriously. Personal information means information that identifies you as an individual or from which you can be reasonably identified. This Privacy Policy applies to Topsort Inc. (doing business as Topsort) and provides information about the personal information we collect and handle about our customers, platform users, website visitors, employees, and business partners.
This policy covers all personal information processed by Topsort in connection with our advertising technology platform for marketplaces, websites, applications, and business operations. Topsort uses pseudonymised information to serve interest-based advertisements while protecting individual privacy and complying with applicable privacy laws, including GDPR, the Australian Privacy Act, Brazilian LGPD, and CCPA.
As our services are provided to marketplaces who act as data controllers for their end users, marketplace customers are responsible for obtaining appropriate consents and providing privacy notices to their users. This Privacy Policy primarily covers our direct relationships and does not replace the privacy obligations of our marketplace customers toward their end users.
Where you provide us with personal information about someone else, you must have their consent to share that information with us and must advise them of this Privacy Policy. Topsort may update this policy from time to time; the most up-to-date version is always available on our website.
02 — Purpose
Why We Collect Your Information
We collect, hold, use and disclose your personal information so that we can provide our advertising technology services, improve and personalize our platform, and operate our business effectively. This includes, but is not limited to:
Service Provision
- Managing your account and providing access to our SaaS platform
- Processing transactions and managing billing in accordance with our SaaS Master Service Agreement
- Delivering advertising campaigns using pseudonymised information
- Providing platform analytics and performance reporting
- Offering customer support and technical assistance
Business Operations
- Conducting risk assessments and security monitoring in accordance with our Information Security Management System
- Preventing fraud and ensuring platform security
- Complying with legal obligations under GDPR, ePrivacy Directive, Australian Privacy Act, Brazilian LGPD, and other applicable regulations
- Managing relationships with vendors and business partners per our Third-Party Management Policy
- Conducting internal audits and quality assurance
Communications & Marketing
- Communicating about our services and platform updates
- Providing marketing materials and promotional information (with appropriate consent)
- Conducting surveys and research to improve our services
- Managing event participation and business development
Legal & Compliance
- Meeting regulatory requirements and responding to legal process
- Protecting our rights and interests
- Supporting business continuity and disaster recovery
03 — Data Types
Types of Information We Collect
Personal information is classified according to our Data Management Policy into three categories based on sensitivity level.
Confidential Data (Highest Sensitivity)
- Customer data and personally identifiable information (PII)
- Company financial and banking data; salary, compensation, and payroll information
- Authentication credentials and access keys
- Technical vulnerability reports, incident data, and source code
- Strategic plans and business information
Customer & Platform Data
- Identity & contact: name, business name, email address, phone number, business address
- Account information: login credentials, user preferences, platform settings
- Financial information: billing details, payment processing data, transaction history
- Platform usage data: interactions, feature usage, campaign performance metrics (using pseudonymised identifiers where possible)
Technical & Analytics Data
- Technical information: IP addresses, browser information, device identifiers (using opaque identifiers where possible)
- Log data: access logs, error logs, security event logs
- Location information: general geographic location for service delivery
- Aggregated and anonymized data for service improvement and statistical analysis
04 — Collection
How We Collect Information
We collect your personal information when you interact or transact with us, including when you:
- Register for and use our advertising technology platform
- Create an account or subscribe to our SaaS services
- Contact us for customer support or sales inquiries
- Participate in surveys, research, or marketing activities
- Visit our websites or use our applications
- Attend events or engage with us on social media
- Enter into contracts or business relationships with us
- Apply for employment with Topsort
We may also collect information from third-party sources, including public directories and business sources, professional networking platforms, referral partners, cloud infrastructure providers, payment processors, and regulatory or legal sources as required by law.
05 — Security
How We Protect Your Information
We hold personal information electronically, at our facilities, and with trusted service providers. We implement comprehensive administrative, technical, and organizational security measures in accordance with our Information Security Management System (ISO 27001).
Technical Safeguards
- Encryption of data in transit and at rest for all Confidential data
- Multi-factor authentication and role-based access controls
- Network firewalls and intrusion detection systems
- Regular security assessments and vulnerability testing
- Secure development practices and code review
- Pseudonymization and anonymization techniques for advertising services
Administrative Safeguards
- Information security policies and procedures
- Employee security training and background checks
- Incident response and breach notification procedures
- Data classification and handling requirements per our Data Management Policy
- Need-to-know access principles and documented approval processes
Device & Data Security
- Mobile devices with Confidential data must be encrypted and password-protected with automatic screen lock after 15 minutes
- Confidential data may not be stored on personal devices or removable media
- Backups are encrypted for all Confidential information
- Secure disposal procedures including data wiping or physical destruction, with certificate retention for professional destruction services
Our security controls are continually reviewed and updated to protect your personal information appropriately. Vendor security assessments are conducted per our Third-Party Management Policy.
06 — Sharing
Sharing Your Information
We may share personal information within the Topsort organization and with trusted third parties to provide our services and conduct business operations, subject to our data classification requirements.
Technology & Infrastructure
- Cloud hosting and data processing providers (AWS and other platforms)
- Application development and technical support services
- Security monitoring and threat detection services
- Backup and disaster recovery service providers
Business Operations
- Customer support and communication platforms
- Payment processing and financial services
- Marketing and business development platforms
- Professional services (legal, accounting, consulting)
Regulatory & Legal
- With your representatives and authorized parties
- With regulatory authorities and law enforcement as required by law
- In connection with business transfers or corporate transactions
- To protect our rights, property, or safety, or that of others
Transfer of Confidential data requires explicit written permission from management or a data owner. All sharing must comply with legal contracts or arrangements. Third-party vendors must meet our security requirements for data disposal and processing. Restricted data sharing requires management approval on a need-to-know basis.
07 — International
International Data Transfers
We use systems and service providers located in various countries, and we may transfer personal information internationally for processing by our service providers, cloud infrastructure, and business partners. We ensure appropriate safeguards are in place for all international data transfers.
Transfer Safeguards
- For transfers subject to GDPR and Australian Privacy Act requirements, we use Standard Contractual Clauses (SCCs) and adequacy decisions where applicable
- We ensure overseas recipients provide substantially similar data protections
- We implement additional safeguards including encryption, access controls, and contractual protections
- Cross-border data transfer protections comply with applicable international requirements
For transfers involving Brazilian personal data, we ensure compliance with LGPD international transfer provisions through contractual clauses or adequacy decisions recognized by ANPD (Brazilian Data Protection Authority). Cross-border processing of Brazilian data is limited to countries or organizations providing adequate protection levels.
08 — Retention
Data Retention
We retain personal information only as long as necessary for the purposes for which it was collected, to meet legal and regulatory requirements, and for legitimate business needs.
Specific Retention Periods
- Customer platform data: Deleted within 30 business days of contract termination
- Support communications: Retained for service improvement purposes
- Employee records: As required by employment law and business needs
- Security & audit logs: Varying periods based on type and regulatory requirements
- Financial records: As required by applicable accounting standards and tax laws
When retention periods expire, we securely delete or anonymize personal information. Data classified as Restricted or Confidential is securely deleted, and hard drives and devices are securely wiped or physically destroyed before disposal.
Data subject to legal proceedings is retained as required by legal counsel and reviewed annually for continuing requirements and scope.
09 — Your Rights
Your Privacy Rights
Your rights depend on the jurisdiction in which you reside. To exercise any of these rights, contact us at dpo@topsort.com. We will respond within applicable timeframes (typically 30 days). We may be unable to fulfill certain requests where they conflict with legal retention requirements or legitimate business interests.
10 — Cookies & Marketing
Cookies & Marketing Communications
Our websites and platform use cookies and similar tracking technologies. When you visit our website, a consent banner will appear before any non-essential cookies are set. You may accept all, decline all non-essential, or customize your preferences by category. You may update your consent at any time via "Cookie Settings" in the footer. Disabling certain categories may limit some platform functionality.
Marketing Communications
We may contact you about our products and services based on legitimate interest, or with your explicit consent for additional content like company news and product updates. Where we seek explicit consent, we present a clear opt-in checkbox and will only send such communications if you have affirmatively agreed.
You may unsubscribe from marketing communications at any time via the unsubscribe link in any email, through your account preferences in our platform, or by contacting dpo@topsort.com.
11 — Automation
Automated Decision-Making & Pseudonymisation
We may use automated systems for fraud detection and security monitoring, advertising optimization using pseudonymised information, platform performance improvement, customer support routing, and business analytics on anonymized datasets.
Our advertising services use pseudonymised information and data aggregation methods that protect individual privacy. Statistical analysis is performed on anonymized datasets, and data is not retained beyond what is required for legitimate business purposes.
When automated decision-making significantly affects you, we provide: information about the logic involved; the right to request human review; the ability to challenge decisions and request explanations; and appropriate safeguards and oversight measures.
12 — Children
Children's Privacy
Our advertising technology services are not directed to children under 16 years of age (or under 13 in Brazil). We do not knowingly collect personal information from children without appropriate parental consent.
For Brazilian children's data, our marketplace customers must obtain "specific and highlighted consent" from parents or legal guardians before processing personal information of individuals under 18 years of age.
Marketplace customers are responsible for ensuring they have appropriate consents and age verification measures for their end users, including compliance with children's privacy requirements in their respective jurisdictions. If you believe we have collected information about a child, please contact us immediately at dpo@topsort.com.
13 — Roles
Data Controller vs. Processor
When We Act as Data Controller
- Our own customer and business data
- Employee information and HR data
- Marketing and business development activities
- Website visitor information
- Internal business operations and analytics
When We Act as Data Processor
- Customer advertising campaign data processed according to customer instructions
- Platform user behavior data processed on behalf of customers using pseudonymised information
- Analytics and reporting data generated for customers
- Technical support data processed under customer direction
When we act as a processor, marketplace customers are responsible for: providing lawful processing instructions; ensuring a legal basis for processing exists; obtaining appropriate consents from end users; handling individual rights requests (access, deletion, correction); maintaining appropriate data processing agreements with us; providing adequate privacy notices to end users; and ensuring compliance with children's privacy requirements and cross-border transfer rules.
14 — Incidents
Breach Notification
In the event of a personal data breach that poses a risk to individuals, we will:
- Assess the risk and take immediate containment measures
- Notify supervisory authorities within 72 hours where required by law
- Inform affected individuals without undue delay if high risk exists
- For customer data processed as a processor, notify customers promptly to assist with their breach response obligations
For breaches affecting Brazilian personal data, we will notify ANPD within 3 working days of becoming aware of any qualifying breach, inform affected individuals in accordance with ANPD guidelines when the breach poses significant risks, and document all breach details and response measures taken.
15 — Contact
Contact Us & Complaints
For questions about this Privacy Policy, to exercise your privacy rights, or to submit a complaint about our handling of your personal information, please contact us. We will acknowledge your complaint, investigate promptly, and respond within 30 days with our findings and any corrective actions. If you are not satisfied, you may escalate to the relevant supervisory authority below.
16 — Version History
Version History
Topsort may update this Privacy Policy to reflect changes in our practices, legal requirements, or business operations. Material changes will be communicated through email notification to registered users, prominent notice on our website, and direct communication to affected customers.
| Version | Date | Description | Author |
|---|---|---|---|
| 1.0 | Nov 1, 2021 | First version | Ember Thomas |
| 2.0 | Sep 30, 2025 | First version integrating web policies and compliance requirements | Francisco Cabezas |
| 2.1 | May 18, 2026 | Applied PDF authoritative version: contact details, dates, exceptions, glossary | Felipe Fuller |
Continued use of our services after policy changes constitutes acceptance of the updated terms, unless stronger consent requirements apply under applicable law. Policy compliance is verified through business tool reports, internal and external audits, and regular policy reviews in accordance with our Information Security Management System.
Violations of this policy should be reported to legal@topsort.com or to the Chief Executive Officer. Exception requests must be submitted to the Chief Technology Officer or Chief Executive Officer for approval.
17 — Glossary
Glossary of Terms
Key definitions to help you understand your rights and our data processing practices. For legal advice or specific data protection questions, please consult qualified legal counsel or contact our DPO.
A formal determination by a regulatory authority (e.g., the European Commission or ANPD) that a third country provides an adequate level of data protection, allowing personal data to be transferred without additional safeguards.
The process of removing or altering personal information so that individuals cannot be identified, either directly or indirectly.
Autoridade Nacional de Proteção de Dados — Brazil's National Data Protection Authority responsible for enforcing the LGPD and handling privacy complaints from Brazilian residents.
Processing of personal data using automated means, without meaningful human intervention, that produces legal effects or similarly significant effects for individuals.
California Consumer Privacy Act / California Privacy Rights Act — state laws providing privacy rights and consumer protection for California residents.
A freely given, specific, informed, and unambiguous agreement by an individual to the processing of their personal data.
The entity that determines the purposes and means of processing personal data. Marketplace customers typically act as controllers for their end users.
The principle that personal data collection should be adequate, relevant, and limited to what is necessary for the specified purposes.
An entity that processes personal data on behalf of a data controller. Topsort typically acts as a processor for marketplace customers.
A designated person responsible for monitoring compliance with data protection laws and serving as a point of contact for privacy matters. Contact: dpo@topsort.com.
General Data Protection Regulation — European Union regulation that governs data protection and privacy for individuals within the EU and European Economic Area.
The preservation of data beyond normal retention periods due to litigation, regulatory investigations, or other legal requirements.
A legal basis for processing personal data where the processing is necessary for legitimate business purposes that don't override individual privacy rights.
Lei Geral de Proteção de Dados — Brazil's General Data Protection Law governing the processing of personal data of individuals in Brazil, providing comprehensive privacy rights and obligations.
Information that identifies or can reasonably be used to identify an individual person, including names, contact details, and online identifiers.
The processing of personal data so that it can no longer be attributed to a specific person without additional information that is kept separately and securely.
Legal mechanisms approved by regulatory authorities (such as the European Commission) to provide appropriate safeguards for international data transfers.
Government bodies responsible for monitoring and enforcing compliance with data protection laws (e.g., OAIC in Australia, ANPD in Brazil, data protection authorities in the EU).