Privacy Policy
This Privacy Policy explains how rtbcrid.com ("we", "us", "our") collects, uses, stores, transfers, and protects information about you. It is drafted to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the ePrivacy Directive (2002/58/EC, as amended), and the equivalent post-Brexit UK GDPR & Data Protection Act 2018. If you are visiting from outside the EU/EEA/UK, the protections in this policy are extended to you as a matter of practice.
Reading time: 8 minutes. If you only have 30 seconds, jump to "At a glance".
1. Who is the data controller
The data controller for personal data processed via rtbcrid.com is:
- Name: Anatolii Halytskyi (sole operator)
- Website: rtbcrid.com
- Email for all privacy matters: ipaladin1993@gmail.com
- EU / EEA representative: not appointed (Art 27 GDPR exemption — processing is occasional, does not include sensitive data on a large scale, and is unlikely to result in a risk to the rights and freedoms of natural persons)
- Data Protection Officer: not appointed (Art 37 GDPR — none of the mandatory criteria apply: rtbcrid.com is not a public authority, does not carry out large-scale systematic monitoring, and does not process special category data)
For all data-protection requests, write to the email above. We respond within 30 calendar days as required by Art 12(3) GDPR.
2. At a glance
- All tools (Beautifier, Diff, JSON→CSV, URL Decoder, Escape/Unescape, Prefix/Suffix, ORTB Renderer) process input entirely in your browser. Nothing you paste leaves your computer unless you explicitly click 🔗 Share.
- One localStorage entry (rtbcrid.activeTab) remembers which tool you last used. Strictly necessary — no consent required.
- The bottom of every page has one banner ad slot. Ads appear regardless of your cookie banner choice; what changes is whether they can be personalised.
- Accept all → personalised ads. The SSP and bidding DSPs may use cookies/identifiers to target your interests.
- Reject → non-personalised contextual ads only. Each bid request carries device.dnt=1 + device.lmt=1 (Do Not Track + Limit Ad Tracking) so DSPs are instructed to show only ads matched against the page content, never against any user profile.
- We do not run analytics, do not sell data, and do not track you across other sites.
- You can withdraw consent any time via Google Funding Choices — the same banner reopens via your browser's site settings, or you can clear the cookie store and reload.
3. What personal data we collect
3.1 Data you provide directly
None, as a matter of normal operation. We do not have a sign-up form, do not ask for your name or email, and do not require an account. If you choose to email us at ipaladin1993@gmail.com, we will keep your message and email address for the purpose of replying to you and resolving any matter you raise.
3.2 Data your browser sends automatically
Every HTTP request made to rtbcrid.com — like any website — necessarily transmits the following to our hosting provider for the duration of the request:
- Your IP address
- Your User-Agent string (browser and OS name/version)
- The requested URL path (e.g. /, /#diff, /privacy)
- The Referer header (the previous page you were on, if your browser sent one)
- Standard HTTP headers (Accept-Language, etc.)
These are processed by our hosting provider for traffic delivery and abuse prevention. We do not store these logs ourselves — they are retained by the hosting provider per their own retention schedule (see Section 5).
3.3 Data stored on your device
We use the browser's localStorage API (not HTTP cookies) for the following:
| Key | Value | Purpose | Lifetime | Consent? |
|---|---|---|---|---|
| rtbcrid.activeTab | One of: json, diff, renderer, url, escape, affix, json2csv, about | Returns you to the same tool when you reload the page | Persistent (until you clear browser storage) | No — strictly necessary |
| Google Funding Choices cookies (e.g. __gpi, __gpi_optout, IAB TCF v2 euconsent-v2) | IAB TCF v2.2 Consent String + Google Additional Consent (AC) String. See Google's cookie reference. | Records your choice from the Google CMP banner (Consent / Do not consent / Manage options) | Set by Google — typically 13 months per IAB TCF guidance, then user is re-prompted | No — required to remember your consent choice (Recital 32) |
The rtbcrid.activeTab value stays on your device only and is never read or transmitted by any server-side code we operate. The Funding Choices cookies are managed by Google and may be read by Google ad serving and by IAB TCF-compliant DSPs to honour your consent choice.
3.4 Data sent in advertising bid requests
Once you make any choice on the cookie banner (Accept or Reject), the bottom ad slot constructs an OpenRTB 2.6 bid request and sends it through our serverless proxy to multiple advertising supply-side platforms (SSPs) in parallel — this is industry-standard header bidding. Each SSP runs its own auction among bidding demand-side platforms (DSPs); we pick the highest CPM bid across all SSPs (first-price auction, OpenRTB at:1) and that creative is rendered in the slot. Loss notices are sent to non-winning SSPs so they can update their auction analytics. That bid request contains:
- Your IP address — added server-side from the connection metadata
- User-Agent string (browser/OS)
- Page URL, the referrer URL, and our publisher ID (77263)
- Screen size, viewport size, language, time zone offset
- A randomly-generated, ephemeral transaction ID — new for every auction, not linked to you across sessions
- Banner sizes our ad slot accepts
- A binary GDPR signal (regs.ext.gdpr=1 if your timezone is in the EEA/UK, otherwise 0)
- If you clicked Reject: device.dnt=1 + device.lmt=1 — Do Not Track and Limit Ad Tracking flags. DSPs that honour these signals (industry-standard practice) will not match the request against any user profile or cookie database; they bid based on the page content only (contextual advertising).
It does not contain your name, email, account information, the contents of any tool input you ever pasted, or any persistent cross-session identifier we maintain. When you accept ads, the SSP and bidding DSPs may set their own cookies / device identifiers under their own privacy notices; when you click Reject, the dnt + lmt signals instruct them to refrain.
4. Where your data is stored and who has access
This section answers the most frequently asked question: where physically does my data live, and which people can see it?
4.1 In your browser
The two localStorage entries described in Section 3.3 live only in your browser's local storage area, on your own device (laptop, desktop, phone). They are isolated by browser profile and not synchronised to any of our servers. We have no way to read them remotely.
4.2 On our hosting infrastructure (Netlify)
rtbcrid.com is hosted by Netlify, Inc. (44 Montgomery Street, Suite 300, San Francisco, CA 94104, USA). Netlify is the only company that physically stores any data on our behalf. Specifically:
- Static page content (the HTML, CSS, JS, ads.txt, robots.txt etc.) is delivered from Netlify's global edge network. For EU/UK visitors, content is served from European edge nodes (typically Frankfurt, Amsterdam, London). No personal data is stored at the edge layer — only the public files that make up the site.
- HTTP request logs (timestamp, IP, UA, URL) are collected by Netlify for traffic delivery, DDoS protection and abuse prevention. Netlify retains them for up to 30 days for the Free plan; we have no access to raw logs and cannot retrieve them for individuals. Netlify Privacy Policy · Netlify GDPR & SCCs.
- Netlify Functions (our /api/share, /api/bid, /cors, /sitemap endpoints) run on AWS Lambda via Netlify's serverless platform. Function execution is ephemeral — input is processed in memory and discarded when the function returns. No persistent function logs contain personal data we control.
- Netlify Blobs (used only for the optional Share-link feature) is built on AWS S3. The Blobs you create live in S3 buckets allocated by Netlify, typically in the us-east-1 (Virginia, USA) AWS region. Each blob is identified by a 7-character random ID that we never associate with you.
People who can access this infrastructure:
- Anatolii Halytskyi (the operator) — Netlify dashboard access for site administration. Cannot retrieve raw user IPs or request logs; sees only aggregate analytics (visit counts, top pages).
- Netlify staff — under their Data Processing Addendum (DPA), restricted to legitimate operational purposes (security incident response, customer support if we open a ticket, abuse investigation).
- AWS staff — as Netlify's sub-processor, under contractual confidentiality, only for infrastructure operation.
4.3 With advertising partners
We use two ad demand sources for the bottom ad slot, run as a sequential auction:
- Primary: our supply-side platform (SSP). Bid requests are sent through our serverless proxy to the SSP and from there to bidding DSPs. They process the request as independent controllers under their own privacy notices. We do not control which specific DSPs participate in any given auction — this is determined by the SSP's demand mix. Typical DSPs in the bidding pool include large global ad-tech companies (e.g. The Trade Desk, DV360, Amazon, MediaMath); each has its own privacy notice and consent management.
- Fallback: Google AdSense (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — the data controller for EU/EEA traffic). If our SSP does not respond within 500 ms or returns a bid below the price floor, AdSense renders a contextually-matched ad in the slot instead. When you have rejected personalized advertising, we set Google's requestNonPersonalizedAds=1 flag so AdSense serves non-personalized contextual creatives only. Google's privacy policy: policies.google.com/privacy.
5. Why we process your data (purposes and legal bases)
| What | Purpose | Legal basis (GDPR Art 6) | Retention |
|---|---|---|---|
| HTTP request to load a page | Deliver the page you requested | Art 6(1)(b) — performance of a service you requested | Netlify logs ≤30 days, then deleted |
| rtbcrid.activeTab localStorage | Return you to the same tool on reload | Art 6(1)(f) — legitimate interest (usable application) | Until you clear your browser storage |
| Google Funding Choices cookies (IAB TCF v2 + Google AC string) | Remember your CMP choice (Consent / Do not consent / Manage options) | Required to comply with Art 7(1) — proof of consent | ~13 months per IAB TCF guidance, then re-prompt |
| VAST wrapper proxy (/cors) | Fetch a VAST tag URL you pasted into the ORTB Renderer | Art 6(1)(b) — performance of a service you requested | Not stored (proxied through, not logged with personal data) |
| Share-link storage (/api/share) | Store the creative/diff you chose to share | Art 6(1)(b) — performance of a service you explicitly requested by clicking Share | Indefinite (delete on request) |
| Bid request (/api/bid) — after Accept | Show you a personalised advertisement | Art 6(1)(a) — your explicit consent, via the cookie banner | Not stored by us; SSP and DSPs per their own policies |
| Bid request (/api/bid) — after Reject | Show you a contextual (non-personalised) advertisement; dnt=1 + lmt=1 instruct DSPs not to profile or track you | Art 6(1)(f) — legitimate interest in monetising the site through advertising, balanced against the user's interests by passing tracking-opt-out signals | Not stored by us; SSP and DSPs per their own policies |
6. International data transfers
Netlify (US-based) and several downstream DSPs may transfer personal data outside the European Economic Area. Where this occurs:
- Transfers to Netlify and AWS are covered by the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) per GDPR Art 46(2)(c). Netlify offers a Data Processing Addendum incorporating these clauses; we have accepted it.
- Transfers to DSPs occur only if you consent to advertising. Our SSP is contractually required to flow GDPR consent signals to all DSPs in the auction. DSPs that participate in IAB Europe's TCF v2 are bound by the framework's vendor list and consent strings; DSPs that do not participate may be excluded from auctions where consent is missing.
- For US-based recipients, transfers also rely on the EU-US Data Privacy Framework (adopted 10 July 2023) where the recipient is self-certified.
We do not transfer data to countries lacking an adequacy decision or appropriate safeguards.
7. Automated decision-making and profiling
The advertising auction process inherently involves automated processing: DSPs receive the bid request and decide in milliseconds whether and how much to bid, based on attributes of the request (URL, device, geographic region from IP, time of day). This is not "solely automated decision-making producing legal or similarly significant effects" within the meaning of Art 22(1) GDPR — it merely results in an ad being shown, which has no legal effect on you and does not significantly affect your rights.
We do not profile you. We do not maintain a user database. Every bid request we send carries a fresh random transaction ID with no linkage to prior visits.
8. Your rights under GDPR
Under Chapter III of the GDPR (Articles 12–22), you have the following rights with respect to any personal data we control:
- Right of access (Art 15) — request a copy of any data we hold about you
- Right to rectification (Art 16) — correct inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art 17) — delete your data (subject to the limited exceptions in Art 17(3))
- Right to restriction (Art 18) — limit processing while a dispute is resolved
- Right to data portability (Art 20) — receive a machine-readable export
- Right to object (Art 21) — object to processing based on legitimate interests; we will stop unless we demonstrate compelling overriding grounds
- Right to withdraw consent (Art 7(3)) — at any time, for any consent-based processing (i.e. advertising). Open Google Funding Choices via the browser's site settings, or clear your cookies for rtbcrid.com and reload the page — the consent banner will re-appear and you can change your choice. The effect is immediate.
- Right to lodge a complaint with a supervisory authority (Art 77) — see edpb.europa.eu for a list of national authorities
How to exercise your rights
Email ipaladin1993@gmail.com and describe your request. To help us identify the data we hold (we have no account system), please include:
- The IP address(es) from which you visited (you can check this at iplocation.net)
- Approximate date(s) of your visit(s)
- For Share-link deletion: the short link URL you want removed
We do not charge any fee for handling requests. We respond within 30 days; complex cases may be extended by up to 60 additional days with notice (Art 12(3)).
9. Security
We protect data in transit and at rest with the following measures:
- TLS 1.2+ everywhere — all rtbcrid.com traffic is HTTPS-only; HTTP requests are 301-redirected to HTTPS by Netlify
- HSTS with preload — eligible browsers refuse to connect via HTTP at all
- Iframe sandboxing — all advertising creatives are rendered inside a sandboxed iframe (sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox allow-same-origin") so creatives cannot read other pages, access cookies, or escape into the parent document
- Same-origin restriction on Share-link storage — the /api/share endpoint accepts requests only from rtbcrid.com
- No persistent server-side database for user data — minimises the attack surface (no SQL injection, no credential leak vector, no user table to exfiltrate)
If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art 33) and, where the risk is high, notify you directly without undue delay (Art 34).
10. Cookies and similar technologies
rtbcrid.com does not set any HTTP cookies on first-party domains. The only persistent data we store on your device is the two localStorage entries listed in Section 3.3.
If you accept advertising, third-party domains contacted by the bid auction (the SSP and its DSPs) may set their own cookies in their domain contexts. We have no control over the names, expiry, or purposes of those cookies; refer to the privacy notices of each provider. The Reject advertising button on our banner prevents any such third-party calls from happening at all.
11. IAB TCF v2.2 status
rtbcrid.com integrates the IAB Europe Transparency & Consent Framework (TCF) v2.2 through Google Funding Choices, which is a Google-certified Consent Management Platform (CMP, registered as CMP ID 300 in the IAB TCF Vendor List).
When the CMP banner is shown to you, the choices you make are encoded as an IAB TCF v2.2 Consent String (the tcString value exposed through window.__tcfapi). Our ad slot reads this string and:
- Forwards it to bidding DSPs in the OpenRTB user.ext.consent field
- Sets regs.ext.gdpr=1 when Google's geolocation determines GDPR applies (EEA / UK / Switzerland), 0 otherwise
- Treats your choices for IAB Purposes 1 (storage), 3 (personalised profile) and 4 (personalised ad selection) as gates for personalised vs contextual advertising — if you have NOT consented to all three, we additionally pass device.dnt=1 + device.lmt=1 to DSPs
DSPs that participate in IAB TCF v2.2 are contractually bound to honour your consent choices. The Google CMP also produces a Google Additional Consent (AC) String for Google ad partners that are not registered in the IAB Global Vendor List.
12. Children
rtbcrid.com is not directed at children under 16. Under GDPR Art 8, the consent of the holder of parental responsibility is required for information-society services offered directly to a child under 16 (the default age, which Member States may lower to 13). We do not knowingly collect data from children of any age. Bid requests we send carry regs.coppa=0 — this complies with the US Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506) signal in OpenRTB by indicating the user is not known to be a child. If you become aware that a child has provided personal data to us, please contact us at ipaladin1993@gmail.com and we will delete it.
13. Changes to this policy
We will update this Privacy Policy when our processing changes, when laws change, or when we add new services. Material changes will be:
- Announced by updating the Last updated and Version at the top of this page
- For changes that affect the basis or scope of consent: a fresh cookie banner shown to all existing visitors, prompting a new consent decision
Minor wording or contact-info changes do not require fresh consent.
14. Contact
For any privacy-related question or request:
- Email: ipaladin1993@gmail.com
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority (see Section 8).