Legal & Compliance

Privacy Policy

How Gunava collects, processes, and protects data — with special protections for children under 13.

Effective Date: March 25, 2026
Last Updated: April 30, 2026
Jurisdiction: Mexico · Colombia · United States
Kids Safe Certified · COPPA Safe Harbor · Zero Personal Data

Gunava ("we", "us", "our") is a gaming and kids advertising infrastructure platform operating under two legal entities:

  • Gunava México, S.A. de C.V. — registered in Mexico City, Mexico
  • Gunava Colombia S.A.S. — registered in Colombia

Gunava operates as an advertising infrastructure layer — not a media vendor. We provide publishers, agencies, and advertisers with a structured, compliant, and contextualized platform to deliver advertising within gaming environments, including applications and websites targeting children and general audiences.

Our platform incorporates a proprietary Classification Engine, an AI-powered Activation Intelligence layer, and a multi-SSP supply infrastructure purpose-built to meet the highest standards of child-safe and privacy-first advertising.

This Privacy Policy explains:

  • What data Gunava collects from users of apps and websites where our advertising is served ("End Users")
  • What data Gunava collects from advertisers, agencies, and publishers who use our platform ("Platform Users")
  • How we handle children's data in compliance with COPPA, LGPD, and applicable regional frameworks
  • Your rights regarding your personal data and how to exercise them

Special Notice for Parents and Guardians

If your child uses applications or websites served by Gunava's advertising infrastructure, please read Section 05 (Children's Data) and Section 14 (Parental Rights) carefully.

This policy applies to all Gunava products and services including the advertising delivery infrastructure, the Gunava AI Agent (available at agent.gunava.ai), and the Gunava Publisher and Advertiser Dashboard.

Privacy by Design

Gunava's Kids Safe layer is built into the core architecture of the platform. Compliance with COPPA and children's privacy regulations is not a checkbox — it is a structural constraint that governs every layer of our technology stack.

  • No behavioral targeting of children under any circumstance
  • No collection or storage of personally identifiable information from End Users
  • Contextual ad delivery only — based on game content, not user profiles
  • Every ad creative manually reviewed for age-appropriateness before delivery
  • PRIVO-certified compliance infrastructure

How Kids-Safe Inventory Is Identified

Gunava identifies Kids Safe inventory through a multi-layer verification process:

  • App Store & Google Play scraping: Automated extraction of age ratings, content descriptors, and developer-declared audience classifications directly from official store metadata
  • Classification Engine review: Our proprietary engine applies additional contextual signals to flag apps and games with child audiences for human editorial review

Publishers using Gunava's infrastructure are contractually required to accurately declare their audience classification and to maintain up-to-date age-rating information across all stores where their apps are distributed.

End Users (people who see ads in apps and games)

Gunava collects the minimum data necessary to deliver a single, relevant advertisement. This data is referred to as Device Signal Data and consists of:

Data Element | Purpose | Personal Data?
IP Address (truncated) | Broad geo-targeting (country/state level) | Treated as PII
User Agent String | Device type and OS detection for creative rendering | Technical
App Bundle ID | Contextual classification of the app environment | Non-PII
Web Domain (browser) | Contextual classification of the site environment | Non-PII
Timestamp | Frequency capping and campaign delivery management | Non-PII
Language / Country | Language-appropriate creative delivery | Non-PII

Child-Directed Inventory

IP addresses are immediately truncated to country-level precision and are never stored in full. No device identifiers (IDFA, GAID, or any persistent identifier) are collected or processed for child-directed supply.

Platform Users (advertisers, agencies, publishers)

Individuals who access the Gunava platform or Dashboard provide:

  • Full name and corporate email address
  • Company name and role
  • Login credentials (stored in hashed form)
  • Usage and activity data within the Dashboard (pages visited, campaigns created, reports accessed)
  • Communication records (email and in-platform messages)

Our Approach to Children's Privacy

Gunava's architecture is specifically designed to ensure that no personally identifiable information is collected from, stored about, or associated with children in child-directed environments. Our technical approach:

  • Device Signal Data is observed momentarily — data is processed only in memory to generate a de-identified contextual signal and is never written to persistent storage in identifiable form
  • No persistent identifiers — Gunava does not assign, collect, or use persistent device identifiers (IDFA, GAID, IDFV, fingerprints, or cookies) when serving ads in Kids-verified or COPPA-required contexts
  • No behavioral profiles — Gunava does not build, maintain, or sell behavioral profiles of any End User, and expressly prohibits its supply and demand partners from doing so within the Gunava infrastructure
  • No retargeting — Children are never retargeted based on prior ad exposures, app usage, or any other behavioral signal
  • Contextual-only targeting — Ads are matched to app environments based on the content of the app and broad geographic signals, never based on the individual user

Ad Creative Review

All advertising creatives scheduled for delivery in Kids-verified or COPPA-required inventory are reviewed by Gunava's editorial team before activation. Review criteria include:

  • Age-appropriateness of visual and textual content
  • Absence of misleading, violent, sexual, or harmful content
  • Compliance with applicable advertising standards (e.g., CARU Guidelines)
  • No collection of personal information via interactive elements
  • Clear distinction between advertising content and game/app content

GUNAVA SAFE AD Label

All ads delivered by Gunava in Kids Safe inventory carry a visible "GUNAVA SAFE AD" watermark, indicating that no cookie-based or behavioral targeting was used, no personal data was collected from the child user, and the creative has been reviewed for COPPA and age-appropriateness compliance.

Individuals who access the Gunava Platform (including the AI Agent at agent.gunava.ai, the campaign dashboard, and the API) are referred to as Platform Users.

What We Collect from Platform Users

  • Registration and identity data (name, email, company, role)
  • Authentication data (hashed passwords, session tokens)
  • Campaign briefs and configuration data submitted through the AI Agent or dashboard
  • Technical usage data (login timestamps, features accessed, IP addresses, browser data)

Legal Basis for Processing

Processing Activity | Legal Basis
Account creation and authentication | Performance of contract
Campaign delivery and reporting | Performance of contract
Platform analytics and improvement | Legitimate interests
Legal and compliance obligations | Legal obligation
Marketing communications (with opt-in) | Consent

Gunava uses data exclusively for the following purposes:

  • Delivering contextually relevant, compliant advertising in partner apps and websites
  • Frequency capping to limit ad repetition for individual device sessions
  • Fraud detection and invalid traffic (IVT) filtering
  • Aggregate, non-identifiable campaign performance measurement and reporting
  • Operating and improving the Gunava Platform and AI Agent
  • Providing campaign briefs, whitelists, and Private Marketplace deals to advertisers
  • Billing and account management for Platform Users
  • Complying with legal obligations

Gunava's platform is designed with explicit prohibitions on certain data practices. The following are never collected, processed, stored, or shared by Gunava:

  • Names, email addresses, phone numbers of any End User
  • Date of birth or age of any End User
  • Precise GPS location or granular geographic data
  • Persistent device identifiers (IDFA, GAID, IDFV) from child-directed supply
  • Behavioral profiles or interest graphs
  • Health, financial, or sensitive personal information
  • Social media identifiers or cross-app tracking data
  • Biometric data of any kind
  • Any data capable of re-identifying an individual after de-identification

No Data Sales — Ever

Gunava does not sell, rent, license, or otherwise transfer personal data of End Users to third parties for commercial purposes. This prohibition applies equally to children's data and adult data processed within our infrastructure. We do not collect information to contact a specific individual, amass a profile of a child, or to serve targeted advertising.

With Supply and Demand Partners

Gunava shares Device Signal Data with SSP and DSP partners solely for the purpose of executing contextual ad delivery. All partners are contractually bound to:

  • Use data only for the purpose of serving the specific ad impression
  • Not retain, aggregate, or profile data from child-directed supply
  • Maintain equivalent or higher standards of data protection for child audiences
  • Comply with COPPA, applicable GDPR-K provisions, and local children's privacy laws

With Measurement and Verification Providers

Gunava may engage third-party measurement providers (for viewability, brand lift, attention metrics, or others) who may access limited, aggregated, and de-identified campaign data. These providers:

  • Do not receive individually identifiable End User data
  • Are prohibited from using measurement data for their own commercial purposes
  • Operate under data processing agreements consistent with this policy

With Advertisers and Agencies

Advertisers and agencies receive aggregated, anonymized campaign performance reports. No individual-level End User data is included in any advertiser-facing reporting.

For Legal Reasons

We may disclose data when required by law, court order, or government authority, or when necessary to protect the rights and safety of Gunava, its users, or the public.

Gunava operates across Mexico, Colombia, and with partners in the United States, Europe and Latin America. Data transfers outside the country of origin are governed by:

  • Standard contractual clauses approved by the relevant data protection authority
  • Adequacy decisions where applicable
  • Binding contractual obligations on recipients to maintain equivalent protection

For transfers involving data from US End Users in child-directed contexts, all processing complies with COPPA requirements regardless of where processing occurs.

Data Type | Retention Period | Basis
End User Device Signal Data (children) | Session only — not persisted | COPPA / Privacy by design
End User Device Signal Data (general) | Up to 60 days for fraud detection; aggregated thereafter | Legitimate interests
Aggregated campaign performance data | Up to 36 months | Contract / Reporting obligations
Platform User account data | Duration of account + 12 months | Contract
Campaign briefs and configuration | Duration of contract + 24 months | Legal obligation / Contract
Billing and financial records | 7 years | Legal obligation (Mexico SAT / Colombia DIAN)

Gunava implements technical and organizational security measures appropriate to the nature of the data processed, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions for all platform systems
  • Regular security audits and vulnerability assessments
  • Incident response procedures with mandatory notification timelines
  • Data minimization architecture — data is not collected if it is not strictly necessary
  • Separation of child-directed supply data from general audience data at the infrastructure level

In the event of a data breach affecting personal data, Gunava will notify affected parties and relevant regulatory authorities within the timeframes required by applicable law.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data in certain circumstances
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Where processing is consent-based, withdraw at any time

To exercise any of these rights, contact us at privacy@gunava.digital. We will respond within 30 days.

Under the Children's Online Privacy Protection Act (COPPA), parents and legal guardians of children under 13 have specific rights regarding their child's data. Because Gunava's infrastructure is designed to collect no personal information from children, these rights are satisfied structurally. However, if you believe your child's personal information has been collected by Gunava, you have the right to:

  • Review any personal information collected from your child
  • Request deletion of any such information
  • Refuse further collection of information from your child

To exercise parental rights under COPPA

Email: privacy@gunava.digital
Subject line: "COPPA Parental Request"
Include: your child's first name, the app or game where the ad was seen, and a description of your concern. We will respond within 10 business days.

For operations involving data from Brazilian residents, Gunava complies with the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018). Brazilian residents have rights equivalent to those described in Section 13. Data processing for Brazilian users is based on one or more of the legal bases enumerated in Art. 7 of the LGPD, including consent, legitimate interest, and contract performance.

Brazil-specific inquiries can be directed to privacy@gunava.digital with the subject line "LGPD Request".

Data Protection Contact — Gunava

privacy@gunava.digital

Gunava México, S.A. de C.V. · Mexico City, Mexico

Gunava Colombia S.A.S. · Colombia

Changes to This Policy

Gunava may update this Privacy Policy at any time. Continued use of the Gunava platform after any update constitutes acceptance of the revised policy.