Privacypolicy.
How SearchTurbo collects, uses, and protects personal data under UK GDPR, EU GDPR, and the Data Protection Act 2018.
This Privacy Policy explains how SearchTurbo Ltd. ("SearchTurbo", "we", "us") collects, uses, and protects personal data when you interact with our website, surfaces, browsers, and SDK products. It applies to all visitors and end-users of integrations that route through our Decision Engine.
1. Controller
SearchTurbo Ltd.
124 City Road, London, EC1V 2NX, United Kingdom
Email: privacy@searchturbo.com
For matters of EU GDPR, our EU-based engineering office in Berlin (Strassburger Str. 55, 10405 Berlin) acts as the operational data-processing location. SearchTurbo has not appointed a Data Protection Officer under Art. 37 GDPR because our core activities do not require it, but the controller contact above handles all data-subject requests.
2. Data we process, by purpose
Depending on the surface and your consent, we process the following categories:
| Purpose | Categories processed | Legal basis |
|---|---|---|
| Operate the start page and route search queries | Search query text, typing-cadence signals, surface ID, approximate GEO (country/region) | Art. 6(1)(b), (f) |
| Run the demand-partner auction | Query intent classification, pseudonymized session token, surface ID, language | Art. 6(1)(b) |
| Fraud prevention and click-validation | Truncated user-agent, click timing, surface integrity signals (e.g. retry rate) | Art. 6(1)(f) |
| Marketing attribution & conversion measurement | Hashed click identifier, demand-partner click ID, conversion postback if delivered | Art. 6(1)(a) |
| Platform analytics | Aggregated query volumes, surface RPM, latency percentiles | Art. 6(1)(f) |
| Contact requests | Name, company, email, message body | Art. 6(1)(b), (f) |
| Consent management | Consent state per category, timestamp, schema version | Art. 6(1)(c) |
We do not collect names, email addresses, full IP addresses, or any direct identifiers unless you submit them via the contact form or a partner provides them through a contracted integration.
3. Demand partners and what we share
To operate the auction, we share necessary signals on a per-query basis. The data we share is intentionally minimized:
- Search foundations (Google, Bing, Yahoo): query text, surface ID, language, approximate region. Forwarded via OAuth-based search APIs under their respective DPA.
- Retail and ecommerce demand (eBay, Saturn, MediaMarkt, Amazon, Otto): intent classification, surface ID, pseudonymized session token. No raw query unless explicitly negotiated in the Insertion Order.
- Ad-tech intermediaries (Magnite, OpenX, Smaato, Solute, Taboola, AdMarketplace): intent classification, surface ID, GEO at country level, demand-partner click ID at click time.
Each partner is engaged under a Data Processing Agreement (Art. 28 GDPR) or, where the partner is an independent controller, under a joint-controller arrangement (Art. 26 GDPR). A current vendor list with purpose IDs is available in our Cookie Policy.
4. Logging
Our infrastructure produces several technical logs separate from the platform data above:
| Log type | Contents | Retention |
|---|---|---|
| Server access logs | Truncated IP (last octet zeroed), timestamp, request path, response code | 30 days |
| Application error logs | Stack trace, request ID, no personal payload | 14 days |
| Security logs | Failed auth attempts, rate-limit events, anomaly detection signals | 180 days |
Logs are stored in EU-located infrastructure and are accessed only on need-to-know basis by engineering and security personnel.
5. Retention
| Data category | Retention |
|---|---|
| Raw query logs | 90 days, then aggregated |
| Aggregated auction metrics | 24 months |
| Consent records | 12 months from last consent action |
| Contact-form submissions | 3 years from last contact |
| Server access logs | 30 days |
| Invoices and partner contracts | 10 years (UK / DE tax obligation) |
6. International transfers
Some demand partners operate on infrastructure in the United States. Transfers outside the UK / EEA rely on:
- Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914 and the UK addendum,
- EU-US Data Privacy Framework certification where the recipient is enrolled,
- UK Data Bridge for transfers from the UK, where applicable.
We assess each transfer mechanism in light of Schrems II jurisprudence and apply supplementary technical measures (pseudonymization, query-level aggregation) where the destination jurisdiction does not provide essentially equivalent protection.
7. Cookies and consent
For details on the cookies and similar storage we use, including how to withdraw consent, see our Cookie Policy. Categories there map one-to-one to the consent banner you see on this site.
8. Your rights
Under UK and EU GDPR you have the right to:
- Request access to the personal data we hold about you (Art. 15)
- Request rectification of inaccurate data (Art. 16)
- Request erasure (Art. 17), subject to retention obligations above
- Restrict or object to processing (Art. 18, 21)
- Receive your data in a portable format (Art. 20)
- Withdraw consent at any time, via the , without affecting the lawfulness of prior processing
Reach us at privacy@searchturbo.com. We respond within 30 days as required by law.
9. Complaint authorities
If you believe our processing infringes data-protection law, you may lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement:
- United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF — ico.org.uk
- Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin — datenschutz-berlin.de
- European Union: European Data Protection Board (EDPB) maintains the list of national authorities at edpb.europa.eu
10. Children
SearchTurbo's surfaces and integrations are not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact privacy@searchturbo.com and we will delete the data promptly.
11. Security
We maintain appropriate technical and organisational measures (Art. 32 GDPR) including transport encryption (TLS 1.2+), at-rest encryption for sensitive logs, role-based access control, regular vulnerability scanning, and an incident-response process aligned with Art. 33 / 34 GDPR breach-notification timelines.
12. Changes to this Policy
We revise this Policy when our processing changes or when legislation requires it. Material updates are flagged on the page with a new "Last updated" date. Older versions are archived internally and available on request to privacy@searchturbo.com.
| Version | Date | Change |
|---|---|---|
| 1.0 | May 2026 | Initial version, accompanies launch of TCF-2.3-compatible consent framework. |