Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Lunio (formerly PPC Protect) is a UK based click fraud prevention SaaS that fingerprints visitors and analyses click patterns to block invalid traffic on paid campaigns.
Lunio, formerly known as PPC Protect, is a UK based click fraud prevention SaaS. It is deployed as a JavaScript snippet on the advertiser website to detect and block fraudulent, automated or low value clicks across Google Ads, Microsoft Ads, Meta and other paid channels.
The snippet collects IP address, user agent, device and browser fingerprint, screen resolution, time zone, click coordinates and navigation patterns. It sets first party cookies on the publisher domain to remember scoring decisions. The data is sent to Lunio servers in the UK and the US to compute a fraud score.
Lunio reads and writes information on the user terminal and processes personal data including IP addresses and fingerprints. Because the fingerprinting goes beyond what is strictly necessary to deliver the website requested by the user, prior consent is required under Article 5(3) of the ePrivacy Directive and the EDPB guidelines on device fingerprinting.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Lunio operates primarily from the United Kingdom, which benefits from an EU adequacy decision, but parts of the infrastructure run on AWS in the United States. Transfers to the US must be covered by Standard Contractual Clauses, the UK International Data Transfer Addendum or the EU US Data Privacy Framework.
Although Lunio is sometimes presented as a security tool, supervisory authorities in the EU treat fingerprinting based fraud detection as requiring consent. Load the script only after opt in, list Lunio in your privacy notice and DPA, and consider a privacy by design configuration that minimises the data sent.
Websites using Lunio must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended due to systematic device fingerprinting, processing of IP and behavioural data for scoring, and transfers to the United States.
Sample consent text
We use Lunio to detect and block fraudulent clicks on our advertising campaigns. Lunio analyses your device and browser and sets cookies. Do you accept?
Third-party domains contacted
lunio.aicdn.lunio.aiapi.lunio.aippcprotect.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| lunio_uid | marketing | 12 months | Persistent first party identifier used to score visitors for click fraud detection. |
| lunio_session | analytics | 30 minutes | Identifies the current browsing session for fraud scoring. |
| lunio_bot | marketing | 90 days | Stores the latest bot or human classification result for the visitor. |
| lunio_fp | marketing | 6 months | Stores a hashed device and browser fingerprint used to recognise returning fraudulent visitors. |
Lunio places tracking cookies for advertising — comply with GDPR using FlowConsent.
Lunio sets first party cookies on the publisher domain to remember scoring decisions and bot or human classifications. Typical names include lunio_uid and lunio_session. Lifetimes range from session only to several months depending on the configuration.
Yes. Lunio uses device fingerprinting and sets cookies that are not strictly necessary for the service requested by the user. Prior, informed and granular consent is therefore required before the script is loaded, in line with Article 5(3) of the ePrivacy Directive and the EDPB guidelines.
The legal basis is the explicit consent of the data subject under Article 6(1)(a) of the GDPR. Operators sometimes invoke legitimate interest for fraud prevention, but the fingerprinting techniques used by Lunio are typically considered to require consent.
Lunio is a UK based vendor and the United Kingdom benefits from an adequacy decision. However, some processing occurs on AWS in the United States. UK to US transfers must be covered by Standard Contractual Clauses, the UK IDTA or the EU US Data Privacy Framework.
A DPIA is recommended because Lunio performs systematic device fingerprinting, scores users based on behavioural data and transfers data to a third country. These three elements taken together usually trigger the DPIA obligation under Article 35 of the GDPR.
Block the script until consent is collected via a CMP, document the legal basis in your record of processing activities, sign a Data Processing Agreement with Lunio, list the relevant cookies in your cookie policy and retain data only for the period strictly necessary to fight fraud.
Native click fraud filters from Google Ads and Microsoft Ads, server side IP and behaviour rules, or open source bot detection libraries can reduce reliance on fingerprinting. Some EU based competitors also offer click fraud protection with stricter data minimisation defaults.
List Lunio (PPC Protect Limited) as a processor for click fraud prevention, describe the data collected including IP and device fingerprint, specify cookie names and durations, mention the UK and US storage locations and the safeguards in place and provide an opt out path via your CMP.