Data Processing Agreement (DPA)

Last Updated: 1st January 2026

1. Introduction and Parties

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Terms of Service and/or any other agreement (“Agreement”) between:

• Vola.ad (“Processor”, “Service Provider”, “we”, “us”, or “our”), an AI-powered advertising platform and a subsidiary of Collectcent Digital Private Limited
• The customer, advertiser, agency, publisher, or partner using the Services (“Controller”, “Business”, or “you”)

This DPA governs the processing of Personal Data by Vola.ad on behalf of the Controller in connection with the Services.

2. Definitions

For the purposes of this DPA:

• Personal Data: Any information relating to an identified or identifiable individual.
• Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
• Controller: The entity that determines the purposes and means of processing Personal Data.
• Processor: The entity that processes Personal Data on behalf of the Controller.
• Sub-processor: Any third party engaged by the Processor to process Personal Data.
• Data Subject: The individual to whom the Personal Data relates.

Under applicable laws:

• Controller = “Data Fiduciary” (DPDP Act)
• Processor = “Data Processor”

3. Scope and Applicability

This DPA applies where Vola.ad processes Personal Data on behalf of the Controller in connection with:

• Campaign execution and optimization
• Programmatic advertising and bidding
• Audience targeting and segmentation
• Attribution and analytics
• Platform usage and account management

In certain scenarios, Vola.ad may act as an independent Controller (e.g., platform analytics, fraud detection). In such cases, this DPA does not apply, and processing is governed by our Privacy Policy.

4. Nature and Purpose of Processing

Vola.ad processes Personal Data strictly for the purpose of providing the Services under the Agreement.

Processing activities may include:

• Collection, storage, and organization of data
• Retrieval, analysis, and optimization
• Transmission to advertising partners (e.g., SSPs, DSPs, exchanges)
• Measurement, attribution, and reporting
• Fraud detection and prevention

Processing is carried out using automated systems, including AI and machine learning models, to improve campaign performance and platform efficiency.

5. Categories of Data and Data Subjects

5.1 Categories of Personal Data

May include:

• Online identifiers (IP address, device ID, advertising ID)
• Cookie identifiers and tracking data
• Approximate location data
• Campaign interaction data (impressions, clicks, conversions)
• Account and contact information (for platform users)

5.2 Categories of Data Subjects

May include:

• End users interacting with ads
• Customers or users of the Controller’s services
• Platform users (advertisers, agencies, publishers)

Vola.ad does not intentionally process sensitive personal data unless explicitly required and permitted by law.

6. Obligations of the Controller

The Controller represents and warrants that:

• It has a valid legal basis for processing Personal Data
• It has obtained all necessary consents from Data Subjects
• It complies with all applicable data protection laws
• It provides appropriate notices to Data Subjects

The Controller is solely responsible for:

• The accuracy and legality of the data provided
• Compliance with applicable privacy regulations
• Responding to Data Subject requests

7. Obligations of the Processor (Vola.ad)

Vola.ad shall:

• Process Personal Data only on documented instructions from the Controller
• Not use Personal Data for purposes other than those specified
• Ensure confidentiality of all Personal Data
• Implement appropriate technical and organizational measures
• Assist the Controller in fulfilling its legal obligations
• Notify the Controller of any data breaches as required by law

We ensure that personnel authorized to process data are bound by confidentiality obligations.

8. Sub-processors

Vola.ad may engage Sub-processors to support the delivery of Services, including:

• Cloud hosting providers
• Analytics providers
• Advertising exchanges and partners
• Infrastructure and support vendors

We ensure that all Sub-processors:

• Are bound by written agreements
• Provide equivalent data protection safeguards
• Process data only as instructed

We remain fully liable for the actions of our Sub-processors.

9. Cross-Border Data Transfers

Personal Data may be transferred and processed in jurisdictions outside the Controller’s location, including India and the United States.

We ensure that such transfers are protected through:

• Contractual safeguards
• Industry-standard security measures
• Compliance with applicable laws

10. Data Security

Vola.ad implements appropriate technical and organizational measures, including:

• Encryption (data in transit and at rest)
• Access controls and authentication mechanisms
• Network security and monitoring
• Regular audits and risk assessments

These measures are designed to protect Personal Data against unauthorized access, loss, misuse, or alteration.

11. Data Subject Rights Assistance

To the extent required by law, Vola.ad shall assist the Controller in responding to requests from Data Subjects, including:

• Access requests
• Correction or deletion requests
• Objections or opt-outs
• Data portability requests

Such assistance will be provided taking into account the nature of processing and available information.

12. Data Breach Notification

In the event of a Personal Data breach, Vola.ad shall:

• Notify the Controller without undue delay
• Provide relevant details about the breach
• Take reasonable steps to mitigate its impact
• Cooperate in fulfilling legal notification obligations

13. Data Retention and Deletion

Vola.ad shall retain Personal Data only for as long as necessary to provide the Services or comply with legal obligations.

Upon termination of the Agreement or upon request:

• Data will be deleted or anonymized
• Copies will be removed from active systems (subject to backups and legal retention)

14. Audits and Compliance

Upon reasonable request, Vola.ad may provide information necessary to demonstrate compliance with this DPA.

Audits:

• Must be reasonable and not disruptive
• May be subject to confidentiality obligations
• May require prior notice

We may also provide third-party audit reports or certifications where available.

15. CCPA/CPRA Specific Terms

For purposes of U.S. privacy laws:

• Vola.ad acts as a Service Provider / Processor
• We do not sell Personal Data in the traditional sense
• We process data only for business purposes as defined by law

We agree:

• Not to retain, use, or disclose Personal Data beyond permitted purposes
• Not to combine Personal Data with other data except as allowed

16. DPDP Act Compliance

In alignment with the Digital Personal Data Protection Act, 2023:

• The Controller acts as the Data Fiduciary
• Vola.ad acts as the Data Processor
• Processing is carried out under lawful instructions
• Appropriate safeguards are implemented

We assist in grievance redressal and compliance obligations where applicable.

17. Liability

Each party shall be liable for its own violations of applicable data protection laws.

Vola.ad’s liability is subject to limitations outlined in the main Agreement.

18. Term and Termination

This DPA remains in effect as long as Vola.ad processes Personal Data on behalf of the Controller.

Termination of the Agreement will result in termination of this DPA, subject to data retention obligations.

19. Governing Law

This DPA shall be governed by the laws specified in the main Agreement.

20. Contact Information

For data protection inquiries, connect with our team at support@vola.ad