Legitimate Interest Statement (IAB TCF)
This page explains how Leanr Ads Ltd (“Leanr”, “we”, “us”, “our”) relies on Legitimate Interests as a legal basis under the IAB Europe Transparency & Consent Framework (“TCF”), for limited processing necessary to deliver advertising creatives, measure technical delivery, and protect our systems.
Scope note: This page covers only the processing for which Leanr relies on Legitimate Interest. Where consent is required (for example, for storing/reading information on a device), Leanr relies on consent signals provided by the relevant Consent Management Platform (CMP).
1. Who we are
Leanr Ads Ltd
United Kingdom
Email: tom@leanrads.com
Website: https://www.leanrads.com
Leanr is typically a Data Processor when providing creative delivery and measurement services for clients. The client (publisher/advertiser/platform) is typically the Data Controller and determines which purposes and legal bases apply.
2. TCF vendor form alignment (line-by-line)
The table below shows exactly what Leanr claims under Legitimate Interest, and what Leanr does not claim. This is designed to match Leanr’s TCF vendor registration selections.
| TCF item | Leanr selection | What Leanr does (plain English) | Maximum retention |
|---|---|---|---|
| Purpose 1: Store and/or access information on a device | Consent only (Leanr does not use LI for Purpose 1) | Any cookies or web storage used for frequency capping and/or de-duplication is used only when allowed by applicable consent signals. | Cookie max age (if used): 604800 seconds (7 days). Web storage: best-effort / browser-dependent. |
| Purpose 7: Measure advertising performance | Legitimate Interest | Count impressions/clicks/interactions and produce technical performance metrics; de-duplicate events; ensure reporting integrity. | 30 days (max for personal data in raw logs), or shorter where feasible. |
| Special Purpose 1: Ensure security, prevent and detect fraud, and fix errors | Legitimate Interest | Detect abuse/bot activity, prevent replay/duplicate firing, troubleshoot errors, protect infrastructure and service integrity. | 30 days (max), or shorter where feasible. |
| Special Purpose 2: Deliver and present advertising and content | Legitimate Interest | Serve creative assets and ensure they render correctly and reliably in the user’s browser. | 30 days (max), or shorter where feasible. |
| Purposes 2–6 (ad selection & profiling/personalisation) | Not used | Leanr does not select ads, create user profiles, or use profiles to select personalised advertising or content. | N/A |
| Purposes 8–11 (content measurement/audience insights/service development/content selection) | Not used | Leanr does not run audience insight modelling or content personalisation on end users via the creative server. | N/A |
| Features (match/combine data; link devices; identify devices) | Not used | Leanr does not perform cross-device linking, combine external datasets for identity, or fingerprint users. | N/A |
| Special Features (precise geolocation; active scanning for identification) | Not used | Leanr does not use precise location data or actively scan device characteristics for identification. | N/A |
3. Legitimate Interest Assessment summary (LIA)
3.1 Purpose test (why we rely on LI)
Leanr’s legitimate interests are to (a) deliver advertising creatives reliably, (b) measure technical delivery and interactions for reporting integrity, and (c) protect Leanr’s systems and clients from fraud, abuse, and errors. Without this limited processing, Leanr cannot ensure accurate counting, prevent duplicate event inflation, or maintain secure and stable operations.
3.2 Necessity test (why this processing is necessary)
Leanr processes only the minimum data needed to achieve the purposes above, including:
- event-level identifiers (for example, an impression ID or event ID) to prevent double-counting;
- basic technical data (IP address, user agent, timestamps) for security, fraud prevention, and coarse diagnostics;
- non-personal campaign/creative identifiers necessary for reporting.
Where feasible, Leanr reduces identifiability (for example, truncating IP addresses for analytics) and uses short retention periods.
3.3 Balancing test (why users’ rights are not overridden)
Leanr’s processing under LI is limited, expected in the context of ad delivery, and subject to safeguards:
- No profiling: Leanr does not build behavioural profiles or perform cross-site tracking for advertising selection.
- No special features: no precise geolocation and no device fingerprinting/active scanning.
- Data minimisation: event-level logging and technical signals only.
- Short retention: maximum 30 days for raw logs containing personal data (often shorter where feasible).
- Transparency: this statement, plus Leanr’s Privacy Policy and device storage disclosures.
- Security controls: access controls, monitoring, and least-privilege practices.
4. Data categories used under LI
Under LI (Purpose 7 and Special Purposes 1–2), Leanr may process:
- IP address (for security/fraud and coarse location only; truncated/anonymised where feasible)
- User agent (browser/device/OS)
- Event data (impression/click/interaction signals and timestamps)
- Non-personal campaign/creative identifiers
Leanr does not intentionally process:
- names, personal emails, phone numbers from ad impressions
- precise location data
- special category data
- cross-device identifiers or fingerprint hashes
5. Device storage and cookies (where consent applies)
Where device storage is used (Purpose 1), Leanr relies on the relevant consent signals and configuration. Leanr may use:
- Web storage (e.g. localStorage/indexedDB) for short-lived frequency capping or de-duplication, where available; and/or
- Optional cookies (best-effort), with a maximum age of 604800 seconds (7 days), without refresh.
Device storage disclosures (JSON) are published at Leanr’s device storage disclosure URL (as provided in Leanr’s vendor registration).
6. User choices and controls
- Consent controls: Where a CMP is present, users can manage consent via the CMP interface.
- Browser controls: Users can block or delete cookies and local storage using browser settings.
- Rights requests: Where Leanr is a controller (e.g. website enquiries), users can contact Leanr directly. In ad-serving contexts, requests should typically be directed to the controller (publisher/advertiser/platform).
7. Sanity-check against common publisher privacy questionnaires
Quick answers (Leanr’s intended posture):
- Do you profile users or do behavioural targeting? No.
- Do you use fingerprinting / active scanning? No.
- Do you use precise geolocation? No.
- Do you link devices or combine external datasets for identity? No.
- What do you store on device? Best-effort short-lived frequency capping/de-dupe keys; optional cookie max age 7 days; no refresh.
- What is your retention? Raw logs with personal data: max 30 days (often shorter); aggregated reporting may be retained longer in non-identifying form.
- Are you controller or processor? Typically processor for ad-serving; controller for website enquiries.
- Do you sell data or share it for third-party marketing? No.
- Do you honour TCF signals? Yes—Leanr applies TCF signals as provided by the controller/CMP.
8. Contact
For questions about this Legitimate Interest Statement or Leanr’s TCF registration:
Email: tom@leanrads.com