How we comply with the EU/UK GDPR, including SCCs, sub-processors and your data-subject rights.
Last updated: January 2026
This page describes how Thriving Wolves Ltd. complies with the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR and the UK Data Protection Act 2018. It complements our Privacy Policy and explains the roles, rights and contractual safeguards that apply to data subjects, Advertisers and Publishers in the European Economic Area, United Kingdom and Switzerland.
In most cases Thriving Wolves acts as an independent data controller for the personal data it collects from Publishers and end-users that pass through tracking links, because we determine the purposes and means of that processing for fraud prevention, network integrity and our own legitimate interests.
Where Thriving Wolves processes personal data on behalf of an Advertiser (for example, lead-generation Offers where personal data is collected and passed to the Advertiser), the Advertiser is the controller and Thriving Wolves acts as a processor. In that case a Data Processing Agreement (DPA) applies — see Section 6.
We process personal data under one or more of the following GDPR Article 6 bases: contract, legitimate interests, consent (where required for marketing cookies and direct marketing), and legal obligation. We do not process special-category data unless an explicit Article 9 basis applies.
Data subjects in the EU/UK have the rights to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and to withdraw consent. They also have the right not to be subject to solely automated decision-making that produces legal effects — we do not make solely automated decisions of that nature.
Requests should be submitted to [email protected]. We will respond within 30 days (extendable by two months for complex requests, with notification).
Personal data is transferred from the EEA/UK to processors and to our own offices in India, the UAE and the United States. We rely on the following safeguards:
We engage the following categories of sub-processors: cloud hosting, content delivery, email delivery, payment processing, fraud-detection tooling, customer-support tooling and analytics. A current list of named sub-processors is available from [email protected]. We provide at least 30 days' notice of new sub-processors via email to Advertiser DPA signatories; you may object on reasonable grounds.
Advertisers acting as controllers can sign our standard DPA, which incorporates the EU SCCs (Module 2) and the UK IDTA. To request a copy or to negotiate amendments, email [email protected].
If a personal data breach occurs that is likely to result in risk to data subjects' rights and freedoms, we will notify the relevant supervisory authority without undue delay and within 72 hours where feasible (Article 33). We will notify affected Advertisers (as controllers) without undue delay so they can fulfil their own obligations.
EU representative under Article 27 GDPR and UK representative under UK GDPR can be designated upon written request to [email protected]. Until a representative is named, our DPO accepts data-subject requests directly.
Data Protection Officer: [email protected]
Legal: [email protected]