IAB Addendum

Blueprint Demand LLC — IAB Addendum

Last updated: September 2, 2025

1) Purpose & Relationship to Other Terms

This IAB Addendum (the “Addendum”) supplements and is incorporated into any master service agreement, insertion order, SOW, or other commercial agreement between Blueprint Demand LLC (“Blueprint Demand,” “we,” “us”) and the relevant counterparty (each, a “Partner”) when the parties engage in digital advertising activities that involve the Processing of Personal Information (as defined by applicable law) (“Digital Advertising Activities”).

If both parties are signatories to the IAB Multi‑State Privacy Agreement (MSPA) (currently, the Fourth Amended and Restated version) and/or the IAB Limited Service Provider Agreement (LSPA) for California, this Addendum is intended to complement—not replace—those frameworks. Where there is a conflict, the MSPA/LSPA will govern for Covered Transactions under those frameworks. Where a party is not a signatory, these terms operate as direct contract terms.

Contact: [email protected] • Blueprint Demand LLC, Raleigh, NC, USA

2) Roles & Applicability

Depending on the campaign and data flow, each party may act as a Business/Controller, Service Provider/Processor, or Third Party under applicable state privacy laws and the IAB frameworks. The parties will document the applicable role(s) in the order form/SOW or campaign spec.

  • MSPA Signatory Mode (if applicable): Where both parties are MSPA signatories, the transaction constitutes a Covered Transaction and the MSPA terms “spring” into place between the parties for the limited purposes permitted (e.g., Deliver/Serve Ads; Measure Ad Performance; Frequency Capping; Debugging; Security; Reporting).

  • LSPA (California) Mode (if applicable): For California resident data where the parties elect the Service Provider pathway, each party will comply with the LSPA and treat signals accordingly.

3) Consumer Signals & Choice Transmission

Blueprint Demand supports and will honor privacy/choice signals relevant to Digital Advertising Activities, including:

  • IAB Tech Lab Global Privacy Platform (GPP)US National section and relevant US State sections used with the MSPA; and any successor specifications we adopt.

  • Opt‑out preference signals / UOOMs (e.g., Global Privacy Control (GPC)) as required by state law when received in a valid, verifiable form.

  • App/web consent or opt‑out UI choices collected by First Parties, when provided to us via tags, SDKs, server‑to‑server, or bidstream signals.

We will propagate received choice signals downstream to our subprocessors/partners to the extent technically feasible and contractually required. Partners agree to do the same.

4) Permitted Purposes & Restrictions

Unless otherwise agreed in writing, and only to the extent allowed by law and applicable IAB frameworks, Personal Information shared under this Addendum may be Processed solely for these Permitted Purposes:

  1. Deliver/Serve Ads (including selection and delivery);

  2. Measure Ad Performance (reporting, attribution, reach, frequency);

  3. Frequency Capping;

  4. Debugging & Security (fraud detection, incident response);

  5. Short‑term, transient use consistent with user expectations and legal requirements.

Not permitted without express, documented authorization:

  • Profiling for unrelated/incompatible purposes;

  • Selling/Sharing in a manner inconsistent with received opt‑outs;

  • Creating or appending sensitive attributes or processing Sensitive Personal Information within a Covered Transaction;

  • Combining Personal Information across sites/apps for Targeted Advertising where signals indicate Opt‑Out.

5) California (CPRA) Specifics

For California resident data, the parties will choose one of the following for each campaign or data flow:

  • Service Provider Path (LSPA): Each party acts as a Service Provider to the other for the limited Permitted Purposes. We will not retain, use, or disclose Personal Information for any purpose other than the Permitted Purposes or as otherwise permitted by law and the LSPA.

  • Business/Third‑Party Path: If the parties transact as independent Businesses/Third Parties, we will honor Do Not Sell or Share opt‑outs (including via GPP/GPC) and will include required disclosures in our public privacy notices.

6) Signals, Logging & Auditable Records

We will maintain commercially reasonable logs of received privacy signals (e.g., GPP strings, GPC headers) and how they were honored in our systems for a reasonable period. Upon reasonable request, and subject to confidentiality, we will provide high‑level attestations describing our compliance posture for a given campaign.

7) Data Minimization, Retention & Security

Each party will:

  • Limit Personal Information to what is necessary for the Permitted Purposes;

  • Retain it only as long as needed for those purposes (or as required by law/contract), then delete or de‑identify;

  • Implement reasonable and appropriate administrative, technical, and physical security measures;

  • Bind subprocessors to materially similar obligations and remain responsible for them.

8) State‑Specific Requirements

Where state privacy laws (e.g., CA, CO, CT, UT, VA, and newer laws such as MD, MN, MT, NE, NH, NJ, OR, TX and others as they become effective) impose additional requirements, the parties will comply, including honoring universal opt‑out signals where required and applying heightened standards for certain data categories.

9) Sensitive Personal Information

We do not knowingly Process Sensitive Personal Information in Covered Transactions. If a campaign requires such Processing, the parties will execute additional terms or an applicable IAB optional addendum (if and when available) and obtain any legally required consents.

10) Consumer Requests

We will reasonably assist each other with responding to valid consumer/privacy requests that relate to data we Process for the other party, including opt‑outs of Targeted Advertising, “sale/share,” access, deletion, or correction, consistent with role and law. Requests should be directed to [email protected] (or to your account team), with sufficient information to identify the person and the campaign.

11) Compliance Cooperation

Each party will promptly notify the other of a Security Incident or material compliance inquiry that is reasonably likely to impact the other party and will cooperate in good faith to address it. Each party represents it maintains a privacy program proportionate to its role in the ecosystem.

12) Precedence; Survivability

If this Addendum conflicts with a governing MSPA/LSPA term for a Covered Transaction, the MSPA/LSPA controls for that Transaction. Otherwise, this Addendum controls over conflicting commercial terms regarding privacy signal handling. Sections that by their nature should survive (e.g., security, retention, cooperation) will survive termination.

13) Contact

Questions about this IAB Addendum? Email [email protected] or write to Blueprint Demand LLC, Raleigh, NC, USA.

IAB / Tech Lab Resources (Links)

  • IAB Privacy (MSPA overview & materials): https://www.iabprivacy.com/

  • IAB Multi‑State Privacy Agreement (MSPA) — PDF: https://www.iabprivacy.com/IAB%20Multi-State%20Privacy%20Agreement%20%28MSPA%29%5B1%5D.pdf

  • IAB Limited Service Provider Agreement (LSPA) — PDF: https://www.iabprivacy.com/lspa-2019-12.pdf

  • IAB Tech Lab — Global Privacy Platform (GPP): https://iabtechlab.com/gpp/