Advertiser data processing agreement

Version 1.0 — effective 30 April 2026

1. Scope

This Data Processing Agreement (the “DPA”) sets out the standard terms under which Indexeli Intelligence Limited, trading as TreatCompare, shares outbound click and (where applicable) conversion data with healthcare advertisers (“Advertisers”) in connection with the TreatCompare comparison service. It supplements, and is incorporated by reference into, any commercial agreement between TreatCompare and the Advertiser. In the event of conflict between this DPA and the commercial agreement, this DPA prevails on data protection matters.

2. Roles

Each party is an independent Controller of the personal data it processes under this arrangement; the parties are not joint controllers and are not in a controller-processor relationship. TreatCompare is the Controller of click data we capture on our domain. The Advertiser is the Controller of any data subject information collected on the Advertiser's own website after a click is delivered.

3. Data shared by TreatCompare

TreatCompare shares the following per outbound click via the redirect URL and, on request, in CSV / API exports:

  • A randomly generated click identifier (UUID v4)
  • The provider slug (the Advertiser's identifier in our database)
  • Source page on TreatCompare and treatment category
  • UTM parameters (utm_source=treatcompare, utm_medium=referral, utm_campaign={category})
  • Aggregated metadata: device type, country code, click timestamp

TreatCompare does not share the data subject's name, email address, IP address, exact location, browsing history, or any data the data subject did not voluntarily disclose to TreatCompare. We do not share special category data (including health data).

4. Data shared by the Advertiser (conversions)

Where the commercial agreement is on a cost-per-acquisition or revenue-share basis, the Advertiser may post conversion events back to TreatCompare via the /api/conversions endpoint. Permitted fields:

  • click_id — the TreatCompare click identifier (UUID)
  • status — commercial status token (e.g. booked, purchased, refunded)
  • value_gbp — net sale value in pounds, optional
  • treatment_ref — advertiser's own SKU / treatment reference, optional
  • external_order_id — advertiser's own order reference for reconciliation, optional

The Advertiser must not include in any postback: the data subject's name, email, telephone number, address, IP address, free-text health information, or any special category data. TreatCompare will reject any postback that contains such data and may suspend the Advertiser's webhook secret.

5. Lawful basis

Both parties rely on legitimate interests (UK GDPR Article 6(1)(f)) for the processing described in this DPA — specifically the parties' legitimate interest in operating, measuring, billing, and improving the referral relationship. TreatCompare has carried out a Legitimate Interests Assessment available on request. Data subjects are informed of this processing in TreatCompare's privacy policy.

6. Security

  • All click and conversion data is transmitted over HTTPS (TLS 1.2+)
  • The conversions postback API requires a per-Advertiser secret rotated on demand
  • TreatCompare logs are restricted to authorised TreatCompare personnel
  • Bot traffic is filtered at the redirect handler before logging or billing

7. Retention

Click and conversion records are retained for 24 months from the click date for billing reconciliation, dispute resolution, and statutory tax record keeping. Records are then irreversibly deleted. The Advertiser is responsible for retention of data on their own systems in accordance with their own retention policy.

8. Audit and dispute

On reasonable notice and no more than once per calendar year, the Advertiser may request an export of click and conversion records attributed to them. Disputes about click counts must be raised within 30 days of the relevant invoice date. TreatCompare's records are deemed authoritative absent evidence of system fault.

9. International transfers

TreatCompare processes click and conversion data on infrastructure hosted within the UK / EEA (Vercel, Neon). No data subject personal data is transferred outside the UK / EEA in the course of normal operation. Any future transfer will be governed by the UK International Data Transfer Addendum or equivalent safeguard.

10. Termination

On termination of the commercial agreement, TreatCompare will: (a) cease delivering new clicks to the Advertiser within 7 days; (b) revoke the Advertiser's webhook secret; (c) provide a final reconciliation export on request; and (d) retain historical records for the period set out in clause 7. The Advertiser must, on termination, cease using any TreatCompare-supplied click identifiers for any purpose other than reconciliation of pre-termination clicks.

11. Contact

Data protection contact: data@treatcompare.com. For commercial enquiries (CPC / CPA / revenue share): hello@treatcompare.com.

12. Governing law

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.