Data Protection & DPO
Last Updated: April 14, 2026
1. Data Controller Identity
Panxo Stacks, Inc.
447 Broadway, 2nd Floor
New York, NY 10013, United States
General: support@panxo.ai
Data Protection Officer: dpo@panxo.ai
Panxo is registered with the IAB Europe Transparency & Consent Framework (TCF 2.2) as Global Vendor List ID 1527.
Panxo acts as an independent data controller for all personal data it receives through its JavaScript SDK, APIs, dashboards, and related services. Publishers deploying the SDK are separate, independent controllers for data collected on their own properties.
2. Data Protection Officer
Panxo has voluntarily designated a Data Protection contact to oversee data-protection compliance and to act as the single point of contact for data subjects and supervisory authorities. While formal appointment of a DPO under Article 37 GDPR is not mandatory for Panxo at its current scale, the designation reflects our commitment to best practice given the nature of our processing.
Data Protection Officer
Panxo Stacks, Inc.
447 Broadway, 2nd Floor, New York, NY 10013, United States
Email: dpo@panxo.ai
3. EU / UK Representative (Article 27 GDPR) and Turkey Data Controller Representative
Because Panxo is established outside the EU, UK, and Turkey and carries out the regular and systematic monitoring of data subjects in those jurisdictions, Panxo has appointed Prighter Group as its representative pursuant to Article 27 GDPR, Article 27 UK GDPR, and KVKK.
Use the Prighter portal to exercise your data subject rights (access, erasure, objection, etc.): https://app.prighter.com/portal/panxo
EU GDPR Article 27 Representative
Provider: iuro Rechtsanwälte GmbH t/a Prighter
Address: Schellinggasse 3, 1010 Vienna, Austria
Prighter acts as representative pursuant to Article 27 GDPR and is the addressee for requests from data protection authorities and data subjects. For data subject requests (DSR), Prighter provides a solution to channel, filter, and structure DSRs. The data provided by the data subject via the DSR tool is processed by Prighter using Hetzner Online GmbH as a data centre solution. According to the data subject's request, Prighter transfers the related personal data to the controller.
UK GDPR Article 27 Representative
Provider: Prighter Ltd
Address: United Kingdom
Prighter acts as representative pursuant to Article 27 UK GDPR and is the addressee for requests from the Information Commissioner's Office (ICO) and data subjects.
Turkey Data Controller Representative (KVKK)
Provider: IPTECH Legal Danışmanlık Limited Şirketi
Address: Turkey
Prighter acts as representative pursuant to KVKK and is the addressee for requests from the Turkish data protection authority and data subjects.
Central Legal Management
Legal and compliance relationships for all Prighter Group entities are managed centrally by iuro Rechtsanwälte GmbH (Schellinggasse 3, 1010 Vienna, Austria). Company Representative: Andreas Maetzler, CEO — support@prighter.com.
EU, UK, and Turkish data subjects may contact the appropriate representative directly on any matter relating to the processing of their personal data. Panxo remains the data controller; Prighter operates as processor for the technical DSR infrastructure and as controller when providing advisory and support services.
4. Your Rights
Subject to applicable law, you have the rights of access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent under the GDPR/UK GDPR, and the rights to know, delete, correct, opt out of sale/sharing, and non-discrimination under the CCPA/CPRA. A full description is set out in the Privacy Policy.
5. How to Exercise Your Rights
1. Submit your request by email to dpo@panxo.ai with the subject line "Data Subject Request".
2. Identify yourself. Because Panxo processes pseudonymous identifiers, include your panxo_uid (from browser localStorage) or the _psid cookie value from .panxo-sys.com. If you cannot provide these, describe the publisher website(s) you visited and an approximate date range so that we can attempt to locate your record. Under Article 11 GDPR, we are not obliged to acquire additional information solely to identify you.
3. Specify the right you wish to exercise (access, deletion, objection, etc.).
4. Authorised agents (CCPA/CPRA) must provide signed written authorisation.
6. Response Time Commitments
• Acknowledgement: within 3 business days of receipt.
• GDPR / UK GDPR: substantive response within one (1) month, extensible by a further two (2) months for complex or numerous requests (Art. 12(3)).
• CCPA / CPRA: confirmation within ten (10) business days, substantive response within forty-five (45) days, extensible by a further forty-five (45) days.
• LGPD (Brazil): response within fifteen (15) days.
There is no fee for these requests, except where requests are manifestly unfounded or excessive (e.g., repetitive), in which case we may charge a reasonable fee or decline, and will explain why.
7. Opt-Out Mechanisms
Universal opt-out: visit panxo.ai/ad-choices to set the panxo_optout cookie (5-year retention for durability).
Global Privacy Control (GPC): Panxo automatically honours the GPC browser signal as a valid CCPA/CPRA opt-out of "sharing".
TCF 2.2: consent preferences set through your publisher's consent management platform will be respected.
8. Complaints and Supervisory Authorities
If you believe our processing of your personal data infringes applicable law, we encourage you to contact us first at dpo@panxo.ai so that we can attempt to resolve the matter. You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement. Key authorities include:
Ireland — Data Protection Commission (DPC) — dataprotection.ie
France — Commission nationale de l'informatique et des libertés (CNIL) — cnil.fr
Germany — Bundesbeauftragte für den Datenschutz (BfDI) — bfdi.bund.de
Spain — Agencia Española de Protección de Datos (AEPD) — aepd.es
Italy — Garante per la protezione dei dati personali — garanteprivacy.it
Netherlands — Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
Belgium — Autorité de protection des données — autoriteprotectiondonnees.be
United Kingdom — Information Commissioner's Office (ICO) — ico.org.uk
Switzerland — FDPIC — edoeb.admin.ch
California, USA — California Privacy Protection Agency (CPPA) — cppa.ca.gov
Turkey — KVKK (Kişisel Verileri Koruma Kurumu) — kvkk.gov.tr
9. Records of Processing and DPIAs
Panxo maintains a Record of Processing Activities (Art. 30 GDPR) and has conducted a Data Protection Impact Assessment (Art. 35 GDPR) for the SDK-based detection pipeline, updated at least annually or upon material change. These records are internal but are made available to supervisory authorities on lawful request.
10. Security Incidents
In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, Panxo will notify the competent supervisory authority within 72 hours of becoming aware, and will notify affected data subjects without undue delay where the breach is likely to result in a high risk (Articles 33 and 34 GDPR). Publishers will be notified in parallel given their independent-controller obligations.
11. Updates
This page is reviewed at least annually. The "Last Updated" date at the top reflects the most recent revision.
