Privacy Policy - Into The Bid

Last updated: January 30, 2026

This Privacy Policy explains how Into The Bid LLC (“we,” “us,” or “our”) collects, uses, and protects information in connection with its services, including the website ivtguard.io and certain B2B consulting and header bidding monetization services.

1. Data Controller and Target Audience

Data Controller: Into The Bid LLC
30 N Gould St Ste N, Sheridan, WY 82801
Contact Email: [email protected]

Intended Audience and Scope: Into The Bid LLC is a United States-based entity. Our services are offered on a business-to-business (B2B) basis to organizations acting in a professional/commercial capacity. We do not market or intentionally direct our services to consumers.

International Reach / Restricted Regions: Because the internet is global, our Services may be deployed on properties that receive traffic from many jurisdictions, including the EEA, the UK, or Switzerland (“Restricted Regions”). Where such traffic occurs, we process technical identifiers only for fraud prevention and security purposes as described in this Policy. Customers remain responsible for determining and meeting any local notice, transparency, and consent requirements applicable to their deployments.

Article 27 (GDPR/UK GDPR) Statement: We do not intentionally target individuals in Restricted Regions. We periodically assess whether our processing requires appointing an EU/UK representative under Article 27 GDPR / UK GDPR. If we determine that appointment is required based on the nature and scale of our processing, we will take appropriate steps to comply.

2. Information We Collect and Purposes

2.a. Anti-Fraud Security Services (ivtguard.io / IVTGuard.io)

When a user visits a website or app that uses our ivtguard.io service, we process certain technical information transmitted by the browser/device and the network, such as IP address (processed transiently and not stored by us in raw, hashed, or masked form), HTTP headers, user agent string, browser type and version, operating system, device characteristics, device/browser fingerprint signals (e.g., timezone, CPU/RAM class, WebGL vendor/renderer), timestamps, referrer URL, and internal identifiers.

We may also use “similar technologies” (such as browser local storage / session storage) to store and read a short-lived security flag or token and/or a pseudonymous identifier to help identify suspicious sessions, prevent repeated abuse, and apply security protections consistently. These flags/tokens are time-limited and used solely for fraud prevention and security.

Purpose: This information is processed solely to detect, score, and mitigate malicious automated activity (bots), invalid traffic (IVT), ad fraud, abuse, and security threats, including maintaining and applying a short-lived fraud/security reputation for high-confidence malicious devices and actors (“Threat Intelligence Network”).

Important: IVTGuard enforcement decisions are limited to ad request routing (e.g., suppressing or withholding an ad request from being sent to one or more advertising or measurement partners, including SSPs). The Service does not block, deny, or restrict end-user access to content on the integrated site/app.

Legal Basis (where applicable): Our legitimate interests (and those of our customers) in protecting services, preventing fraud, and maintaining the security and integrity of the digital advertising ecosystem.

Similar Technologies / ePrivacy (where applicable): Some jurisdictions regulate the use of device storage/access technologies (including local storage and fingerprinting techniques). Customers are responsible for implementing the Services in compliance with such rules, including providing required notices and obtaining consent where required. We provide the Services in a security/fraud prevention context and minimize data used and retained.

Retention:

IP address: We do not store IP addresses (not raw, not hashed, not masked) in application databases, caches, persistent logs, datasets, or dashboards controlled by Into The Bid. IP may be processed transiently for request handling, fraud prevention, and security, and is not retained by Into The Bid in Processor-controlled storage.
Transient IVT/security diagnostic storage (in-memory): Certain technical identifiers and diagnostic context (excluding IP address) are retained in transient in-memory storage for short periods. Default retention is approximately 6 hours, and may be configured for operational needs with safeguards (minimum 5 minutes; maximum 24 hours), after which the data expires automatically. Our systems are designed to avoid persisting IP address values in this transient storage.
Browser storage (localStorage/sessionStorage): Short-lived security tokens/flags and/or pseudonymous identifiers may persist on the device for up to approximately 32 hours to reduce repeated abuse, then expire.
Security/fraud enforcement windows: Certain security outcomes may persist for up to approximately 32 hours to prevent repeated abuse and maintain integrity.
Persistent non-sensitive logs: Operational logs designed to exclude sensitive fields may be retained for up to 30 days, subject to rotation and operational constraints (and may be shorter).

We may retain information longer if required for a specific security investigation, legal obligation, or valid legal process.

Prohibited Uses: We do not use this information for marketing, cross-context behavioral advertising, or consumer profiling for advertising purposes. We do not use Threat Intelligence Network data to deliver personalized ads. We use cross-property correlation solely for fraud prevention and security.

2.b. Header Bidding Monetization Services (Consulting / Wrapper)

Into The Bid LLC may provide consulting and/or a header bidding wrapper (e.g., PrebidJS-based) that facilitates communication between the publisher’s website and advertising partners.

Into The Bid LLC does not store personal data for cross-context behavioral advertising or consumer profiling through this wrapper. The wrapper may transmit technical information as part of ad request operations to advertising partners selected by the publisher. Publishers are responsible for obtaining any required consents and providing appropriate transparency regarding their chosen advertising and measurement partners.

2.c. Personally Identifiable Information (PII) Provided Directly (B2B)

If you contact us or register for an account (B2B), we may process business contact information such as name, email, company, and phone number.

Purpose: Service delivery, customer support, account administration, and business operations.
Retention: As long as necessary for the business relationship or legal compliance.

2.d. Website Logs and Security (intothebid.com / ivtguard.io)

We may use strictly necessary cookies or similar technologies for security and performance. We do not use marketing cookies on our websites.

Into The Bid does not store visitor IP addresses (not raw, not hashed, not masked) in application databases or logs controlled by Into The Bid. However, our infrastructure providers (e.g., hosting, CDN/WAF) may process standard logs (including IP address and timestamps) to ensure the availability, performance, and security of our websites and services.

Cloudflare and Hostinger: We use providers such as Cloudflare (CDN/WAF/security) and Hostinger (hosting/infrastructure). These providers may collect and process IP addresses and related network metadata in connection with providing and securing their services (e.g., DDoS mitigation, traffic filtering, delivery, and infrastructure security) under their own documentation, retention practices, and privacy policies. To the extent these providers process such data as independent controllers for their own infrastructure/security purposes, that processing is governed by the provider’s own notices and policies.

Cookies / Similar Technologies: We do not use marketing cookies on our websites. We may use strictly technical cookies or similar technologies for security and performance. As described above, our anti-fraud service may also use local storage/session storage for limited security flags/tokens to help prevent abuse.

3. Data Minimization and Logging Design

We design IVTGuard to minimize sensitive data stored at rest. Sensitive diagnostic context is stored only in transient in-memory storage with short TTL periods and restricted access, and is designed to exclude IP addresses. Persistent logs are designed to exclude sensitive fields and are retained only for a limited period as described above.

4. Information Sharing

We do not sell or rent PII. Information is shared only with:

Service Providers / Subprocessors: Third-party providers used to deliver the Services (e.g., Cloudflare, Hostinger, Grafana Labs) under appropriate confidentiality and data processing terms. Certain providers may also process limited technical data as independent controllers for their own infrastructure security purposes, subject to their own notices.
Legal Requirements: When necessary to comply with law, enforce our terms, or protect rights, safety, and security.

4.1 Threat Intelligence Network Sharing

To prevent fraud and security threats at scale, we may maintain a Threat Intelligence Network that applies high-confidence fraud/security indicators across integrated properties. We do not sell this data or share it for advertising targeting. We may share fraud/security signals with customers and service providers strictly for fraud prevention, security, and integrity purposes.

5. International Transfers

We are headquartered in the United States and may process data in the United States and other locations where we or our service providers operate. Where Applicable Data Protection Laws require safeguards for cross-border transfers (including for transfers of personal data from the EEA/UK/Switzerland), we use recognized transfer mechanisms such as Standard Contractual Clauses (SCCs) and implement reasonable supplementary measures where appropriate.

6. User Rights

Regardless of your location, you may request to access, correct, or delete your personal data by contacting us at [email protected]. We will respond to requests in accordance with applicable laws.

Because IVTGuard generally operates without end-user accounts, we may require reasonable information to locate relevant records (e.g., request IDs or other technical evidence) and may be unable to link data to a specific individual without such information.

7. Security

We implement technical and organizational measures (e.g., access controls, encryption in transit, credential management) to protect data, prioritizing minimization of data at rest and the transient nature of security diagnostics where feasible.

8. Children

Our services are not intended for or directed at children under 16 (or 13 in certain jurisdictions). We do not knowingly collect PII from children.

9. Changes to this Policy

We may update this policy. The “Last updated” date will reflect the most recent changes.