Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Cluep is a Canadian mobile advertising platform that uses natural language processing and computer vision to target audiences in social and content apps based on the meaning of the content they consume. The platform integrates with mobile ad exchanges, fires tracking pixels, may set cookies on mobile web inventory and reads device advertising identifiers (IDFA, AAID), which qualifies it as a tracking technology under the ePrivacy Directive and as a personal data processor under the GDPR.
Cluep is a Canadian mobile advertising platform headquartered in Toronto and now part of Cineverse. It uses natural language processing and computer vision to target audiences in social and content apps based on what they read, watch and post, rather than relying solely on persistent identifiers. The platform operates as a Demand Side Platform connected to mobile ad exchanges and supply side platforms.
On in app inventory, Cluep reads the IDFA on iOS and the AAID on Android, plus the IP address, the user agent, the bundle ID, contextual data about the page or post being viewed, click coordinates and engagement signals. On mobile web inventory, Cluep may set a third party cookie holding a pseudonymous identifier and perform cookie syncing with partner SSPs. These data points feed the contextual targeting model and the audience segments.
Cluep writes and reads identifiers on the user device, which falls within Article 5(3) of the ePrivacy Directive. Prior, free, specific, informed and unambiguous consent is required before any pixel or SDK call. The IAB TCF v2.2 signal must be passed in OpenRTB requests. On iOS, the App Tracking Transparency prompt is also required before reading the IDFA. While the contextual targeting reduces the need for cross site identifiers, processing the content of public posts can still qualify as personal data processing.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Cluep processes data primarily on Canadian and US infrastructure. Canada benefits from a partial adequacy decision under PIPEDA for the commercial sector, but transfers to the US part of the operation rely on the EU US Data Privacy Framework when applicable, otherwise on Standard Contractual Clauses combined with a Transfer Impact Assessment. Operators must inform users in the privacy notice and document the safeguards.
Block all Cluep tags and SDK calls until consent is granted, integrate a CMP certified for IAB TCF v2.2, route the TC string in every OpenRTB request, request App Tracking Transparency on iOS, sign a DPA and SCCs with Cluep or its parent Cineverse, register Cluep in your record of processing activities and your privacy notice, and define a retention period and a process for forwarding data subject requests.
EU based contextual mobile DSPs that keep bid stream data inside the EEA, SKAdNetwork on iOS and aggregated reports from the Google Privacy Sandbox on Android are alternatives that reduce the reliance on persistent identifiers and on third country transfers.
Websites using Cluep must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Cluep processes mobile advertising identifiers and IP addresses at scale, profiles users based on the content they consume, integrates with the open RTB ecosystem and transfers data to Canada and the United States. The DPIA must cover the legal basis, the bid stream flows, the role of Cluep as processor or joint controller, the SCC and DPF mechanisms and the safeguards against US government access requests.
Sample consent text
We use Cluep to deliver and measure mobile advertising campaigns. Cluep stores cookies and reads device advertising identifiers, shares pseudonymous identifiers with advertising partners and transfers personal data to Canada and the United States. You can accept, refuse or withdraw your consent at any time in our privacy preferences.
Third-party domains contacted
cluep.comtag.cluep.comsdk.cluep.comads.acuityplatform.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| IDFA | mobile_identifier | persistent | iOS Identifier for Advertisers used to build mobile audiences and measure ad delivery |
| GAID | mobile_identifier | persistent | Google Advertising ID on Android, read for cross app targeting and frequency capping |
| cluep_uid | http_cookie | 1 year | Cluep proprietary user identifier used in web placements for cross session profiling |
| cluep_session | http_cookie | session | Session level identifier used to deduplicate impressions and reconstruct user journeys |
Cluep places tracking cookies for advertising — comply with GDPR using FlowConsent.
Cluep does not place classic browser cookies but reads the mobile advertising identifier (IDFA on iOS, Google Advertising ID on Android), the IP address, approximate or precise location and device level metadata such as model, OS version and language. These identifiers are persistent across sessions and are considered personal data under the GDPR.
Yes. Reading the mobile advertising identifier and any other terminal stored value falls under Article 5(3) of the ePrivacy Directive, so prior, freely given, specific and informed consent is required. The consent must be collected before the Cluep SDK or pixel makes any network call.
Article 6(1)(a) GDPR, consent, is the only realistic legal basis given the profiling and cross context targeting nature of the service. Legitimate interest is not appropriate because of the impact on data subjects and the EDPB guidance on tracking for advertising.
Cluep is owned by AcuityAds (Illumin), headquartered in Canada with infrastructure in both Canada and the United States. Canada benefits from a partial GDPR adequacy decision, but US transfers require a valid mechanism such as the EU US Data Privacy Framework, standard contractual clauses and a transfer impact assessment.
Yes. The systematic evaluation of personal aspects through profiling, the use of mobile identifiers and the scale of mobile RTB processing trigger Article 35 GDPR. A DPIA documenting purposes, retention, transfer mechanisms and risks is mandatory.
Block the Cluep SDK or tag until the user consents to advertising and personalisation. Pass a valid IAB TCF v2.2 TC string. Honour the user choice immediately if they later withdraw consent. Document partners and purposes in your privacy policy and your record of processing activities.
Contextual advertising platforms that do not rely on device identifiers, such as Seedtag, GumGum contextual or first party CRM driven targeting, lower the risk because they do not require consent based identifier processing. They typically have lower scale but reduce DPIA and transfer concerns.
List Cluep and its parent company AcuityAds in your vendor table, mention the categories of data processed (mobile identifiers, IP, location, behavioural events), the purposes (audience targeting, profiling, measurement), the retention period and the third country transfer mechanism. Provide a direct opt out link.