Skip to content

Record of Processing Activities (RoPA)

Last updated: August 1, 2025

This Record of Processing Activities (RoPA) documents how Ponta Oy processes personal data in accordance with Article 30 of the General Data Protection Regulation (GDPR).

1. Data Controller

Company Name: Ponta Oy
Business ID (Y-tunnus): 3342566-2 Registered Address: [Insert full address]
Email: privacy@ponta.co

2. Purpose of Processing

Purpose Description
User Account Management Creating and maintaining user accounts for advertisers and publishers
Advertising Campaign Delivery Displaying and tracking advertisements across publisher properties
Analytics and Optimization Measuring ad performance, click-through rates, and platform usage
Customer Support Responding to user inquiries and resolving issues
Billing and Invoicing Managing subscriptions, invoices, and tax compliance
Legal Compliance Storing logs and user actions to meet legal or regulatory obligations

3. Categories of Data Subjects

  • Website visitors (ads.ponta.co)
  • Registered advertisers and publishers
  • End users who view or interact with served ads
  • Business contacts of client companies

4. Categories of Personal Data

Category Examples
Identification Name, email address, company name, login credentials
Technical IP address, device info, user agent string, session cookies
Behavioral Page visits, clicks, ad views, engagement timestamps
Financial Payment method, billing address, VAT number
Communication Support tickets, emails, live chat logs

5. Recipients of the Data

Data may be shared with:

  • Cloud infrastructure providers (e.g., AWS, DigitalOcean)
  • Analytics tools (e.g., Google Analytics, internal tools)
  • Ad tech partners (e.g., Google Ads, Meta Pixel)
  • Payment processors (e.g., Stripe, Paytrail)
  • Legal/regulatory authorities when required

All recipients are under data processing agreements.

6. Data Transfers Outside the EU/EEA

Yes. When data is transferred outside the EU, we ensure one of the following is in place:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Binding corporate rules or certifications (e.g., DPF)

7. Retention Periods

Data Type Retention Period
Visitor logs 12 months
User account data Duration of business relationship + 6 years
Ad performance data Anonymized after 90 days
Financial records 7 years (per Finnish accounting law)

8. Security Measures (TOMs)

  • HTTPS and encryption of data in transit and at rest
  • Role-based access control and 2FA for admin access
  • Secure backup and disaster recovery
  • Regular vulnerability assessments
  • Breach detection and reporting protocol
Processing Activity Legal Basis
Account registration Contractual necessity
Ad delivery Legitimate interest / Consent
Analytics and optimization Consent
Billing and invoicing Legal obligation
Support and communication Legitimate interest

10. Data Protection Contact

Privacy Lead
Ponta Oy
privacy@ponta.co