Tapsell is the largest mobile advertising platform in Iran, offering an SDK and web tags for in-app banners, interstitials, native and rewarded ads, plus targeting and conversion tracking. It collects mobile advertising IDs, device data and behavioural signals, and processes them on servers located in Iran.
Tapsell is the leading mobile advertising network in Iran, headquartered in Tehran. It offers publishers and advertisers an SDK for Android and iOS, plus web placements, that serve banner, interstitial, native, video and rewarded formats. Tapsell handles auctioning, targeting and conversion tracking through its own platform, and is widely used inside Iran where Google AdMob and Meta Audience Network have limited availability. For European publishers, the relevance is mainly when their app or site reaches Iranian users or when they integrate Tapsell to monetise that audience.
The Tapsell SDK reads the Google Advertising ID on Android, the Apple Identifier for Advertisers on iOS where allowed by App Tracking Transparency, and a Tapsell internal device identifier. It also collects model, operating system, locale, carrier, screen size, language, IP address, coarse geolocation, app package name and a stream of impression and click events. On the web, Tapsell sets first- and third-party cookies for attribution and retargeting and may receive a hashed user identifier from the publisher.
Advertising identifiers and IP addresses are personal data, so Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive apply. The processing aims at personalised advertising, which the EDPB and most regulators treat as requiring opt-in consent that is informed, specific and freely given. Profiling and the absence of a legitimate interest balance for targeted ads make consent the only realistic legal basis, alongside compliance with the Apple ATT and Google Privacy Sandbox rules.
Iran is not covered by an adequacy decision and is not part of the EU-US Data Privacy Framework. Standard Contractual Clauses are difficult to enforce and Iranian law allows broad governmental access. The most defensible transfer ground for EU data is Article 49(1)(a) GDPR explicit consent, used only for occasional and clearly explained transfers, combined with strong supplementary measures such as data minimisation, pseudonymisation and contractual restrictions. For most EU publishers, the safer option is to disable Tapsell for European traffic.
If Tapsell is loaded for any EU or UK user, block the SDK and any web tag until consent is given through your CMP under the advertising and personalisation purposes. The notice must clearly mention Iran as the destination country, the absence of adequacy and the use of explicit consent under Article 49. Provide an easy refusal and withdrawal path that immediately stops all SDK calls and clears related cookies. Keep auditable logs of the consent string and the country of the user.
Document Tapsell as a separate processor in your records, including transfer to Iran, the categories of data, the retention applied by Tapsell, and the legal basis. List Tapsell cookies and identifiers in your cookie policy, expose Tapsell as a recipient in the privacy notice and add a country-specific warning. Implement geofencing so the SDK only initialises for non-EU traffic where possible, and re-prompt users when the data flow or sub-processors change.
Websites using Tapsell must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required before deploying Tapsell on any audience that includes EU or UK residents, because the service combines personalised advertising, device identifiers and a transfer to Iran without an adequacy decision. Document the categories of data, retention, the explicit consent flow, the Article 49 transfer assessment and the supplementary measures considered. EDPB Recommendations 01/2020 on supplementary measures and CNIL or BfDI guidance on advertising should be cited.
Sample consent text
We use the Tapsell mobile advertising platform to deliver and measure ads. With your consent, your advertising ID, device data and IP address are sent to Tapsell servers in Iran, a country without an EU adequacy decision. You can refuse or withdraw your consent at any time in the cookie preferences.
Third-party domains contacted
api.tapsell.ir, plus.tapsell.ir, sdk.tapsell.ir, ads.tapsell.ir, static.tapsell.ir

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| tapsell_uid | third_party | 1 year | Tapsell device or user identifier used for ad delivery, frequency capping and conversion attribution across publisher properties. |
| tapsell_session | third_party | Session | Short-lived session identifier used by the Tapsell web tag to group ad events within a single browsing session. |
| _tap_targeting | third_party | 6 months | Stores targeting and retargeting segments inferred from previous interactions with Tapsell ads. |
| GAID | first_party | Until reset | Google Advertising ID read by the Tapsell mobile SDK on Android, used for personalised advertising and attribution. |
| IDFA | first_party | Until reset | Apple Identifier for Advertisers read by the Tapsell SDK on iOS only when App Tracking Transparency consent is given. |
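
The consent gate, geofence, audit log and withdrawal steps described above can be sketched as follows. This is an added example, not Tapsell or FlowConsent code: the hosts and cookie names are the ones listed on this page, while the function names, consent flags and the (partial) region list are assumptions.

```javascript
// Added example. Hosts and cookie names come from this page; function names,
// consent flags and the region list are hypothetical.
const TAPSELL_HOSTS = ["api.tapsell.ir", "plus.tapsell.ir", "sdk.tapsell.ir",
                       "ads.tapsell.ir", "static.tapsell.ir"];
const TAPSELL_COOKIES = ["tapsell_uid", "tapsell_session", "_tap_targeting"];
// Constructed, partial list for the demo; a real deployment needs every EEA state plus the UK.
const CONSENT_REGION = new Set(["DE", "FR", "NL", "IE", "ES", "IT", "GB"]);

// Exact hostname match, so "ads.tapsell.ir.example.com" is not mistaken for a Tapsell host.
function isTapsellUrl(url) {
  try { return TAPSELL_HOSTS.includes(new URL(url).hostname.toLowerCase()); }
  catch (e) { return false; } // unparsable URL: not a Tapsell request
}

// Fail closed: an unknown country is treated as inside the consent region.
function decideTapsell(visitor) {
  const country = (visitor.country || "").toUpperCase();
  if (country && !CONSENT_REGION.has(country)) return { load: true, reason: "outside-region" };
  const c = visitor.consent || {};
  const ok = c.advertising === true && c.personalisation === true && c.iranTransfer === true;
  return { load: ok, reason: ok ? "explicit-consent" : "no-consent" };
}

// Split the page's pending tag URLs into allowed and blocked, and build the audit entry
// holding the consent string and the visitor's country.
function gateTags(urls, visitor, now = new Date()) {
  const decision = decideTapsell(visitor);
  const blocked = decision.load ? [] : urls.filter(isTapsellUrl);
  const allowed = urls.filter((u) => !blocked.includes(u));
  const log = { at: now.toISOString(), country: visitor.country || "unknown",
                consentString: visitor.consentString || null, ...decision };
  return { allowed, blocked, log };
}

// On withdrawal: expire first-party copies of the listed cookies. Cookies scoped to
// tapsell.ir itself cannot be deleted from the publisher's page; blocking the requests
// is what stops them being sent.
function withdrawalCookieStrings(siteDomain) {
  return TAPSELL_COOKIES.map((n) => `${n}=; Max-Age=0; Path=/; Domain=${siteDomain}`);
}
```

In a browser, each string from `withdrawalCookieStrings` would be assigned to `document.cookie`, and `gateTags` would run before any script element for the listed hosts is created.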
Yes. The mobile SDK reads the Google Advertising ID, the Apple IDFA where ATT consent is given, and a Tapsell device identifier, while web placements set cookies for attribution and retargeting. All of these are personal data under GDPR.
Yes. Article 5(3) of the ePrivacy Directive requires consent before identifiers are read or stored, and Article 6(1)(a) GDPR is the legal basis for personalised advertising. Legitimate interest is not acceptable for targeted ads.
Iran has no EU adequacy decision and Standard Contractual Clauses are not effective there because of state access powers. The most realistic ground is Article 49(1)(a) GDPR explicit consent, used as a transparent and exceptional measure, combined with supplementary controls.
Iranian law allows broad governmental access to telecommunications and data, which fails the European Essential Guarantees test for surveillance. Without strong supplementary measures and explicit consent, the transfer is likely unlawful for EU residents.
Yes for most deployments. The combination of profiling, advertising identifiers, large-scale processing and transfer to a non-adequate country triggers Article 35 GDPR. Document the necessity, the proportionality, the transfer impact assessment and the residual risks.
If you must use Tapsell for European users, gate the SDK behind explicit consent, geofence to specific markets, minimise the data sent, hash any user identifier on your side, and run regular audits of the SDK behaviour on real devices.
For European audiences, use ad networks based in or with adequacy coverage from the EEA, the UK, the US (under the DPF) or other adequate countries. Examples include Google AdMob, Equativ, Adform, Smart and contextual networks that avoid identifier sharing.
List Tapsell in the advertising category, identify the company as based in Iran, mention the international transfer and the Article 49 consent ground, describe the cookies and identifiers used, and link to the Tapsell privacy policy.