Privacy Policy

Metys — CTV Advertising Measurement

Effective: April 2026 · Last updated: April 12, 2026

1. Introduction

Metys (“we”, “us”, “our”) operates metys.co and provides CTV (Connected TV) advertising measurement solutions. Our technology helps advertisers and media agencies understand whether CTV ad campaigns drive real engagement on their websites.

This Privacy Policy describes what personal data we collect, how we use it, how long we retain it, who we share it with, and what rights you have. It applies to:

End Users — individuals whose devices are exposed to advertisements measured by Metys, or who visit websites where our measurement pixel is deployed.
Website Visitors — individuals who visit metys.co directly.
Customers — advertisers, agencies, and media partners who use the Metys platform.

2. Our Role and the IAB Transparency & Consent Framework

Metys participates in the IAB Europe Transparency & Consent Framework (TCF) and complies with its Specifications and Policies.

In the context of our measurement solutions, Metys acts as a data controller for the processing of hashed identifiers and measurement metadata. When processing data on behalf of an advertiser under a data processing agreement, we may also act as a data processor.

Under the California Consumer Privacy Act (CCPA/CPRA), Metys functions as a service provider processing data on behalf of our business customers.

3. Data We Collect Through Our Measurement Solutions

Our measurement technology operates through two lightweight tracking pixels — an impression pixel embedded in CTV ad creatives (via VAST tags) and a site pixel deployed on advertiser websites (via tag managers).

3.1 Impression pixel (CTV ads)

Data element	Description
Hashed IP address	The viewer’s IP address is received at the Cloudflare network edge and immediately hashed using SHA-256. The raw IP address is discarded at the edge and is never stored in, or transmitted to, our backend systems.
User agent string	Used to classify device types (CTV, mobile, desktop) and filter invalid traffic.
Timestamp	Date and time of the impression event (UTC).
Campaign identifiers	Campaign ID, publisher ID, creative ID.
Context label	Content genre (e.g. Drama, Sports, News), based on IAB Content Taxonomy 3.1.

3.2 Site pixel (advertiser websites)

Data element	Description
Hashed IP address	Identical hashing process — raw IP never leaves the network edge.
User agent string	Device classification and invalid traffic filtering.
Timestamp	Date and time of the page visit (UTC).
Page URL and domain	The specific page visited on the advertiser’s website.
Session ID	Randomly generated, non-persistent. Not linked to any user account or device.

3.3 What we do NOT collect

Metys does not collect, store, or process any of the following: raw (unhashed) IP addresses beyond the network edge · cookies or device-stored identifiers · device fingerprints · advertising IDs (IDFA, GAID) · names, email addresses, or user-provided information · login credentials · browsing history beyond the advertiser’s own website · purchase, financial, or payment data · precise geolocation coordinates · special categories of personal data.

We never combine, enrich, or cross-reference the personal data we process with additional data sources with the goal of identifying individual end users. All outputs are aggregated, campaign-level statistics.

4. How We Use the Data

Advertising measurement — matching hashed identifiers from impression events to visit events to determine whether CTV ad exposure correlates with subsequent website engagement.
Content performance measurement — analysing which pages exposed households visit and whether they reach key interest pages.
Statistical audience analysis — aggregated insights by ad network, publisher, content genre, frequency, and reach overlap.
Contextual optimization — aggregated context-level data to help ad networks understand which environments drive engagement.
Invalid traffic detection — user agent analysis to identify and exclude bots and crawlers.
Service improvement — aggregated, de-identified data to refine our methodology.

We do not use this data to serve, select, or personalise advertisements. We do not build individual user profiles.

5. Legal Basis for Processing (GDPR)

Legal basis	Applies to
Consent (Art. 6(1)(a))	Where a CMP operating under the IAB TCF transmits a valid consent signal.
Legitimate interest (Art. 6(1)(f))	Where consent is unavailable (e.g. CTV environments without a CMP). See our Legitimate Interest Claim.
Contract performance (Art. 6(1)(b))	Customer account data necessary to deliver contracted services.

6. Data Retention

Data category	Maximum retention
Hashed IPs, impression/visit records, user agents	365 days
Aggregated campaign reports (no personal data)	Duration of customer relationship
Customer account information	Duration of contract + legal requirements
Invalid traffic patterns	Indefinitely (aggregated, non-personal)

7. Data Sharing and Sub-processors

We do not sell, rent, or trade personal data.

Recipient	Purpose
Customers	Aggregated campaign reports only. Never personal data or hashed identifiers.
Cloudflare, Inc.	Infrastructure. IP hashing at the edge. DPA with EU Standard Contractual Clauses.
Law enforcement	Only where legally compelled.
Corporate transactions	In event of merger/acquisition, subject to same privacy commitments.

8. International Data Transfers

IP hashing completes at the Cloudflare edge before data is transmitted. For transfers outside the EEA/UK, we rely on Cloudflare’s DPA and EU Standard Contractual Clauses, plus supplementary technical measures (TLS 1.3, pseudonymisation, access controls).

9. Cookies and Device Storage

Metys does not use cookies, localStorage, IndexedDB, advertising IDs, or any device storage. Our disclosure: metys.co/.well-known/deviceStorage.json.

10. Your Rights

EEA / UK / Switzerland (GDPR)

Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), complaint to supervisory authority.

Note: Because we only process hashed IPs, we may need additional information to locate your records.

United States (CCPA/CPRA, VCDPA, CPA)

Know/access, delete, correct, opt out of sale/sharing. Metys does not sell or share personal information. We do not engage in cross-context behavioural advertising.

Contact: privacy@metys.co. Response within 30 days.

11. Opt-Out

CMP: Decline consent for advertising measurement via the publisher’s consent interface.
Global Privacy Control: We honour GPC signals.
Direct: privacy@metys.co

12. Security

Edge-level IP hashing, TLS 1.3, encryption at rest, access controls. No method is 100% secure.

13. Children’s Privacy

Not directed at children under 16. We do not knowingly collect data from children.

14. Changes

Material changes will update the date at the top of this page.

15. Contact

privacy@metys.co · metys.co