Privacy Policy
CyberAdX Network is built on a privacy-by-design architecture. This policy explains exactly what our ad pixel collects, what it deliberately does not collect, and your rights as a user.
The short version
When you visit a website that uses CyberAdX ads, our pixel records a pseudonymous impression event — it does not store your IP address, set any cookies, or build a profile linked to your identity. Your raw IP is hashed immediately on receipt and discarded. If your browser has Do Not Track or Global Privacy Control enabled, we skip individual event logging entirely.
Read on for the full technical and legal detail, or email us with any question.
Who We Are
CyberAdX Network is a cybersecurity-focused advertising network operated by Quantum Security AI. We serve display ads on a network of cybersecurity publisher sites — including breached.company, compliancehub.wiki, threatwatch.news, cisomarketplace.com, and others — reaching security professionals, CISOs, and enterprise IT decision-makers.
Our ad pixel runs at px.cyberadx.network. All ad impressions, clicks, and page events are processed through this endpoint.
What Our Pixel Collects
Each time an ad impression is served, the pixel records the following data points and stores them in our Cloudflare D1 database for up to 90 days:
| Data | What it is | Purpose |
|---|---|---|
| Visitor ID (hashed) | SHA-256 of your IP + a rotating daily salt → a 16-character code that cannot be reversed | Frequency capping, fraud detection |
| Campaign shown | Which advertiser's ad was displayed (e.g. "Bitdefender") | Impression counting, billing |
| Ad unit / zone | Which ad slot on the page (e.g. "top leaderboard") | Placement analytics |
| Page URL | The URL of the article page where the ad appeared | Publisher analytics |
| Country | Country code derived from your IP by Cloudflare (e.g. "US") | Geographic reporting |
| Device family | Browser family only — Chrome, Firefox, Safari, Mobile Safari | Device-type reporting |
| Timestamp | When the impression occurred (UTC) | Time-series analytics |
Daily salt rotation: The daily salt used to hash visitor IDs is replaced every 48 hours and permanently discarded. After rotation, there is no way to link old and new visitor IDs — even internally. This bounds any pseudonymous tracking to a 48-hour window.
What We Do Not Collect
These data points are deliberately excluded from our pixel. This is enforced in code — not just policy.
- ✕Raw IP address — Your IP is hashed immediately on ingress. The raw address is never written to any database or log.
- ✕Cookies — The pixel sets no cookies — first-party or third-party. No localStorage or sessionStorage writes for tracking purposes.
- ✕Name, email, or account information — We have no mechanism to link ad impressions to any identified user account.
- ✕Full User-Agent string — Only the browser family (e.g. "Chrome") and major version are stored. The full UA string is discarded.
- ✕Cross-site browsing history — Impressions from different publisher sites are not joined into a cross-site profile.
- ✕Behavioral interests or inferred segments — We do not build interest profiles. Ads are targeted by publisher content category, not by individual user behavior.
- ✕Children's data — All CyberAdX publisher sites are professional B2B cybersecurity content not directed at children under 13. We do not knowingly collect data from minors.
Do Not Track & Global Privacy Control
CyberAdX respects both the Do Not Track (DNT) header and the Global Privacy Control (GPC) signal. If your browser or privacy extension sends either signal:
- ✓Individual impression and click events are not written to our database
- ✓Your visit is counted only in aggregate, anonymized analytics (no visitor ID, no page URL, no campaign detail)
- ✓No data is shared with advertisers for that session
- ✓Ad display is not affected — you still see ads, but they are not logged individually
To enable GPC in your browser: Firefox (built-in in privacy settings), Brave (built-in), Chrome (via the Privacy Badger extension or browser setting). Safari enables DNT in Advanced preferences.
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area or United Kingdom, our legal basis for processing pseudonymous impression data is Legitimate Interest under Article 6(1)(f) of the GDPR.
Our legitimate interest
Delivering ads on publisher sites, measuring that delivery, and detecting fraudulent impressions are necessary for the operation of a publisher-supported ad network. Publishers rely on this revenue to produce free cybersecurity content.
Why we do not rely on consent
Because we set no cookies and do not process data that qualifies as "personal data" under GDPR (hashed, non-reversible, 48h-bounded pseudonyms), we do not need to display a cookie consent banner for the pixel's core function. If our data handling practices change in a way that requires consent, we will update this policy and implement appropriate consent mechanisms.
No automated decision-making
We do not use your data for automated decisions that produce legal or similarly significant effects (Article 22 GDPR). Ad serving decisions are based on advertiser targeting criteria (publisher site content category, ad format), not on individual user profiling.
Data Retention
| Store | What | Retention |
|---|---|---|
| Cloudflare D1 (database) | Impression events, click events | 90 days — auto-deleted on a rolling basis |
| Cloudflare KV (cache) | Daily hashing salt | 48 hours — auto-expires, then discarded |
| Cloudflare KV (cache) | Turnstile verification tokens | 5 minutes — performance cache, no PII |
| Cloudflare Analytics Engine | Aggregate pageview counts (no visitor ID) | 90 days (Cloudflare default) |
Your Rights
GDPR rights (EEA/UK residents)
You have the right to:
- ›Access — request a copy of data we hold about you. Because visitor IDs are hashed pseudonyms, we cannot identify which records (if any) relate to you without additional information.
- ›Erasure — request deletion of your data. Because visitor IDs are derived from a hashed, non-reversible function, we cannot isolate specific rows belonging to you. All records are automatically deleted within 90 days. The daily salt rotation (every 48h) means all existing hashed IDs are effectively unlinked from you after two days.
- ›Object — object to processing under legitimate interest. Enable DNT or GPC in your browser — our pixel honours this signal immediately and stops logging individual events for your session.
- ›Complain — lodge a complaint with your national data protection authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany).
CCPA rights (California residents)
- ›Right to know — this policy describes all categories of data collected and their purposes.
- ›Right to opt-out of sale — CyberAdX does not sell personal information. Advertiser click tracking (Impact, affiliate networks) is campaign attribution only — no user identity data is transferred.
- ›Right to non-discrimination — opting out of tracking (via DNT/GPC) does not affect the ads you see or any service you receive.
To exercise any of these rights, email [email protected] with the subject line "Privacy Request". We will respond within 30 days.
Infrastructure & Third Parties
Cloudflare
All CyberAdX pixel traffic passes through Cloudflare, our infrastructure and security provider. Cloudflare processes traffic at its global edge network and is certified under the EU-U.S. Data Privacy Framework. Cloudflare's privacy policy applies to edge-level processing: cloudflare.com/privacypolicy.
Cloudflare Turnstile
We use Cloudflare Turnstile (an invisible CAPTCHA alternative) to verify that ad impressions come from real browsers rather than automated bots. Turnstile runs a browser challenge without displaying any visual puzzle or requiring any user interaction. It does not use cookies and does not track users across sites.
Advertiser click destinations
When you click an ad, you are redirected to the advertiser's website. From that point, the advertiser's own privacy policy applies. Affiliate links may include tracking parameters (SubID) that identify the publisher site source — this is standard affiliate attribution and does not include your personal identity.
No other third-party data sharing
CyberAdX does not share impression or visitor data with data brokers, audience segment platforms, demand-side platforms (DSPs), or any third party other than the infrastructure providers listed above.
Bot & Fraud Protection
To protect advertisers from paying for fraudulent impressions, we operate several bot-filtering layers:
- ›Cloudflare edge-level bot detection (known crawlers, data center IPs)
- ›Turnstile invisible browser challenge — verifies human browser context before logging an impression
- ›Domain allowlist — only approved publisher sites can trigger impression events
- ›HMAC-signed click tokens — each impression generates a one-time cryptographic token; click fraud without a valid token is impossible
- ›Rate limiting — 60 events per minute per pseudonymous visitor ID per publisher site
These measures process network-level signals (IP reputation, ASN, request patterns) transiently at the Cloudflare edge. No bot-detection data is stored beyond the per-request decision.
Policy Updates
We may update this policy when our data handling practices change. Material changes — such as new categories of data collected or new third-party processors — will be announced at least 14 days before taking effect, posted on this page, and linked from the CyberAdX network notice.
This policy was last updated: May 24, 2026. Effective date: January 1, 2026.
Questions About Your Privacy?
Our stack is built for a privacy-conscious cybersecurity audience. If you have a question about how your data is handled, or want to exercise a data right, reach out directly.
Contact: [email protected]Also see: Advertising Policy · Terms & Conditions