Legitimate Interest Statement (IAB TCF)
This page explains how Leanr Ads Ltd (“Leanr”, “we”, “us”, “our”) relies on Legitimate Interests as a legal basis under the IAB Europe Transparency & Consent Framework (“TCF”), for limited processing necessary to deliver advertising creatives, measure technical delivery, and protect our systems. This statement is aligned to Leanr’s current TCF vendor registration selections for Purposes 2, 7, 9, 10 and Special Purposes 1, 2 and 3.
Scope note: This page covers processing for which Leanr relies on Legitimate Interest. Where consent is required or selected instead (for example, storing/reading information on a device or personalised advertising), Leanr relies on consent signals provided by the relevant Consent Management Platform (CMP).
1. Who we are
Leanr Ads Ltd
United Kingdom
Email: tom@leanrads.com
Website: https://www.leanrads.com
Leanr is typically a Data Processor when providing creative delivery and measurement services for clients. The client (publisher/advertiser/platform) is typically the Data Controller and determines which purposes and legal bases apply.
2. TCF vendor form alignment (line-by-line)
The table below shows exactly what Leanr claims under Legitimate Interest, and what Leanr does not claim. This is designed to match Leanr’s TCF vendor registration selections.
| TCF item | Leanr selection | What Leanr does (plain English) | Maximum retention |
|---|---|---|---|
| Purpose 1: Store and/or access information on a device | Consent only (Leanr does not use LI for Purpose 1) | Any cookies or web storage used for frequency capping and/or de-duplication is used only when allowed by applicable consent signals. | Cookie max age (if used): 604800 seconds (7 days). Web storage: best-effort / browser-dependent. |
| Purpose 2: Use limited data to select advertising | Consent or Legitimate Interest; default legal basis: Legitimate Interest | Select an eligible creative or campaign using limited, non-profiled ad request data such as page/app context, approximate location, device type, browser, language, time, and basic delivery constraints. | 30 days (max), or shorter where feasible. |
| Purpose 3: Create profiles for personalised advertising | Not used | Leanr does not create behavioural profiles for personalised advertising. | N/A |
| Purpose 4: Use profiles to select personalised advertising | Consent only (Leanr does not use LI for Purpose 4) | Where personalised advertising is configured by the controller, Leanr relies on applicable consent signals. Leanr does not claim Legitimate Interest for this purpose. | 30 days (max), or shorter where feasible. |
| Purpose 5: Create profiles to personalise content | Not used | Leanr does not create profiles to personalise content. | N/A |
| Purpose 6: Use profiles to select personalised content | Not used | Leanr does not use profiles to select personalised content. | N/A |
| Purpose 7: Measure advertising performance | Legitimate Interest as sole legal basis | Count impressions, clicks and interactions; produce technical performance metrics; de-duplicate events; support billing and reporting integrity. | 60 days (max), or shorter where feasible. |
| Purpose 8: Measure content performance | Not used | Leanr does not measure content performance under its TCF vendor registration. | N/A |
| Purpose 9: Understand audiences through statistics | Legitimate Interest as sole legal basis | Produce aggregate audience and delivery statistics, such as counts by campaign, placement, geography at a coarse level, browser/device class and time period. | 60 days (max), or shorter where feasible. |
| Purpose 10: Develop and improve services | Legitimate Interest as sole legal basis | Analyse delivery quality, troubleshoot service behaviour, improve creative rendering, reporting accuracy, reliability, fraud controls and operational performance. | 60 days (max), or shorter where feasible. |
| Purpose 11: Use limited data to select content | Not used | Leanr does not select content under its TCF vendor registration. | N/A |
| Special Purpose 1: Ensure security, prevent and detect fraud, and fix errors | Legitimate Interest | Detect abuse/bot activity, prevent replay or duplicate firing, troubleshoot errors, protect infrastructure and service integrity. | 30 days (max), or shorter where feasible. |
| Special Purpose 2: Deliver and present advertising and content | Legitimate Interest | Serve creative assets and ensure they render correctly and reliably in the user’s browser. | 30 days (max), or shorter where feasible. |
| Special Purpose 3: Save and communicate privacy choices | Legitimate Interest | Receive, respect and communicate privacy choices such as TCF strings, consent status and related privacy signals needed to apply user choices. | 30 days (max), or shorter where feasible. |
| Features (match/combine data; link devices; identify devices) | Not used | Leanr does not perform cross-device linking, combine external datasets for identity, or fingerprint users. | N/A |
| Special Features (precise geolocation; active scanning for identification) | Not used | Leanr does not use precise location data or actively scan device characteristics for identification. | N/A |
3. Legitimate Interest Assessment summary (LIA)
3.1 Purpose test (why we rely on LI)
Leanr’s legitimate interests are to (a) select and deliver eligible advertising creatives using limited data, (b) measure advertising delivery and interactions for reporting integrity, (c) understand delivery audiences through aggregate statistics, (d) develop and improve Leanr’s ad-serving services, (e) save and communicate privacy choices, and (f) protect Leanr’s systems and clients from fraud, abuse, and errors. Without this limited processing, Leanr cannot ensure accurate counting, prevent duplicate event inflation, apply privacy signals, or maintain secure and stable operations.
3.2 Necessity test (why this processing is necessary)
Leanr processes only the minimum data needed to achieve the purposes above, including:
- limited ad request context (for example page/app context, approximate location, device type, browser, language and time) to select eligible advertising;
- event-level identifiers (for example, an impression ID or event ID) to prevent double-counting;
- basic technical data (IP address, user agent, timestamps) for security, fraud prevention, service improvement and coarse diagnostics;
- privacy signals (for example TCF strings and consent status) to apply and communicate user choices;
- non-personal campaign, placement and creative identifiers necessary for delivery, reporting and service improvement.
Where feasible, Leanr reduces identifiability (for example, truncating IP addresses for analytics) and uses purpose-specific short retention periods.
3.3 Balancing test (why users’ rights are not overridden)
Leanr’s processing under LI is limited, expected in the context of ad delivery, and subject to safeguards:
- No profile creation under LI: Leanr does not build behavioural profiles. Purpose 4 is consent-only where configured by the controller.
- No special features: no precise geolocation and no device fingerprinting/active scanning.
- Data minimisation: limited request context, event-level logging, technical signals and privacy signals only.
- Short retention: maximum retention is purpose-specific: 30 days for Purpose 2 and Special Purposes 1-3, and 60 days for Purposes 7, 9 and 10.
- Transparency: this statement, plus Leanr’s Privacy Policy and device storage disclosures.
- Security controls: access controls, monitoring, and least-privilege practices.
4. Data categories used under LI
Under LI (Purposes 2, 7, 9, 10 and Special Purposes 1-3), Leanr may process:
- IP address (for security/fraud, approximate location and coarse diagnostics only; truncated/anonymised where feasible)
- User agent (browser/device/OS)
- Limited ad request context, such as page/app context, approximate location, language, time and basic delivery constraints
- Event data (impression/click/interaction signals and timestamps)
- TCF strings, consent status and related privacy signals needed to respect user choices
- Non-personal campaign, placement and creative identifiers
Leanr does not intentionally process:
- names, personal emails, phone numbers from ad impressions
- precise location data
- special category data
- cross-device identifiers or fingerprint hashes
5. Device storage and cookies (where consent applies)
Where device storage is used (Purpose 1), Leanr relies on the relevant consent signals and configuration. Leanr may use:
- Web storage (e.g. localStorage/indexedDB) for short-lived frequency capping or de-duplication, where available; and/or
- Optional cookies (best-effort), with a maximum age of
604800seconds (7 days), without refresh.
Device storage disclosures (JSON) are published at Leanr’s device storage disclosure URL (as provided in Leanr’s vendor registration).
6. User choices and controls
- Consent controls: Where a CMP is present, users can manage consent via the CMP interface.
- Browser controls: Users can block or delete cookies and local storage using browser settings.
- Rights requests: Where Leanr is a controller (e.g. website enquiries), users can contact Leanr directly. In ad-serving contexts, requests should typically be directed to the controller (publisher/advertiser/platform).
7. Sanity-check against common publisher privacy questionnaires
Quick answers (Leanr’s intended posture):
- Do you create profiles? No. Purpose 3 is not used.
- Do you use profiles to select personalised advertising? Consent-only for Purpose 4 where configured by the controller; Leanr does not claim LI for this.
- Do you select ads using limited data? Yes, for Purpose 2, using limited non-profiled request data.
- Do you use fingerprinting / active scanning? No.
- Do you use precise geolocation? No.
- Do you link devices or combine external datasets for identity? No.
- What do you store on device? Best-effort short-lived frequency capping/de-dupe keys; optional cookie max age 7 days; no refresh.
- What is your retention? Purpose 2 and Special Purposes 1-3: max 30 days; Purposes 7, 9 and 10: max 60 days. Aggregated reporting may be retained longer in non-identifying form.
- Are you controller or processor? Typically processor for ad-serving; controller for website enquiries.
- Do you sell data or share it for third-party marketing? No.
- Do you honour TCF signals? Yes—Leanr applies TCF signals as provided by the controller/CMP.
8. Contact
For questions about this Legitimate Interest Statement or Leanr’s TCF registration:
Email: tom@leanrads.com