> For the complete documentation index, see [llms.txt](https://docs.onlymonster.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.onlymonster.ai/privacy-and-compliance/bot-detection-policy.md). # Bot Detection Policy ## OMLAB DIGITAL LTD · HE 478780 · Limassol, Cyprus **Effective Date:** April 7th 2026 {% hint style="info" %} This Bot Detection Policy is provided for transparency and compliance purposes. Descriptive sections are informational only and do not create binding obligations beyond those expressly stated. {% endhint %} ### Preamble This Bot Detection Policy ("Policy") forms part of the OnlyMonster Agreement and is incorporated by reference into the **Terms and Conditions** between you ("User", "Organisation") and **OMLAB DIGITAL LTD** ("OnlyMonster", "we", "us", "our"). It governs OnlyMonster's Bot Detection feature within the Traffic Metrics module of the Service, including the automated processing of account data, the classification of potentially automated ("bot") accounts, and the rights and obligations of Organisations in connection with such processing. Capitalised terms used but not defined herein have the meanings given in the Terms and Conditions and the Data Processing Agreement ("DPA"). In case of conflict, the following order of precedence applies: (1) the DPA, (2) the Terms and Conditions, (3) this Policy. ### 1. Definitions **1.1. "Bot" or "Bot Account"** means an account identified by the Service's automated analysis as exhibiting behavioural characteristics associated with automated, non-human, or fraudulent activity. **1.2. "Bot Detection"** means the automated feature of the Service that analyses Fan accounts acquired through Traffic Links and classifies them as potential bots or genuine users. **1.3. "Bot Rate"** means the percentage of potential bot accounts among all Fan accounts acquired through a given Traffic Link, as displayed in the Service. **1.4. "Detection Result"** means the outcome of a Bot Detection scan for an individual account, expressed as either a bot classification flag or the absence thereof. **1.5. "Scan"** means a single automated analysis cycle initiated by the Organisation for a specific Traffic Link. **1.6. "Traffic Link"** means a Tracking Link or Trial Link created within the Traffic Metrics module of the Service. Bot Detection is not available for Direct Traffic. **1.7. "Traffic Metrics"** means the module of the Service providing analytics on fan acquisition through Traffic Links. **1.8. "False Positive"** means a genuine human user incorrectly classified as a bot by the automated analysis. **1.9. "False Negative"** means an automated or fraudulent account that is not identified as a bot by the automated analysis. **1.10. "Transparency Notice"** means any privacy notice, terms of service, or equivalent disclosure document through which the Organisation informs Data Subjects about the processing of their personal data, including automated profiling. ### 2. Overview and Scope #### 2.1. Purpose Bot Detection is a feature within the Traffic Metrics module that assists Organisations in identifying potentially automated or fraudulent Fan accounts acquired through Traffic Links. Its purpose is to provide informational intelligence to support the Organisation's internal traffic quality assessments and to prevent metric inflation caused by non-human activity. #### 2.2. Scope of Application Bot Detection operates at the level of individual Traffic Links and is available exclusively for: * Tracking Links; and * Trial Links. **Bot Detection is not available for Direct Traffic. The Bot Detection field for Direct Traffic will always display as N/A.** #### 2.3. Nature of Processing Bot Detection constitutes automated processing of Fan account data, including behavioural profiling of Data Subjects. OnlyMonster acts as Data Processor in connection with this feature, processing Fan data solely in accordance with the Organisation's Instructions and the DPA. The Organisation acts as Data Controller and bears sole responsibility for the lawfulness of such processing. ### 3. Transparency and Fan Notification Obligations #### 3.1. Organisation as Data Controller The Organisation is the Data Controller in respect of all Fan personal data processed through Bot Detection. As Data Controller, the Organisation bears **sole and exclusive responsibility** for ensuring that Fans are informed of the automated processing of their data in accordance with all applicable laws. OnlyMonster, acting solely as Data Processor, has no direct relationship with Fans and does not assume any notification or transparency obligation towards them. #### 3.2. Mandatory Transparency Notice Prior to activating Bot Detection, the Organisation must ensure that its Transparency Notice — whether a privacy policy, platform terms, or equivalent disclosure — contains, at minimum, the following information in a clear and accessible form: * **(a) the fact** that automated profiling of Fan account activity is carried out in connection with the Organisation's use of the platform; * **(b) the purpose** of such profiling (detection of automated or fraudulent accounts to ensure traffic quality and metric integrity); * **(c) the legal basis** for the processing under Article 6 GDPR, as determined by the Organisation (e.g. legitimate interest pursuant to Article 6(1)(f), in which case the Organisation must have conducted and documented a Legitimate Interests Assessment); * **(d) the existence of automated decision-making** and, where decisions with significant effects are made on that basis, meaningful information about the logic involved, as required by Article 22(3) GDPR; * **(e) the data retention period** applicable to Detection Results, or the criteria used to determine such period; * **(f) the Fan's rights** under applicable data protection law, including the right to object, the right to access, the right to rectification, and the right to request human review of any automated classification that affects them; * **(g) the identity and contact details of the Data Controller** (the Organisation) and, where applicable, of the Organisation's data protection officer. #### 3.3. Jurisdictional Compliance The Organisation is **solely responsible** for ensuring that its Transparency Notice and notification practices comply with all data protection and privacy laws applicable in the jurisdictions in which its Fans are located, including but not limited to: * Regulation (EU) 2016/679 (GDPR) and the UK GDPR, for Fans located in the European Economic Area or the United Kingdom; * the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), for Fans located in California, United States; * any other federal, state, provincial, or national privacy law applicable to the Fan's jurisdiction. **OnlyMonster makes no representation** that use of Bot Detection is compliant with the laws of any specific jurisdiction. The Organisation must obtain independent legal advice regarding its obligations in each relevant jurisdiction before activating Bot Detection. #### 3.4. No Delegation to OnlyMonster The Organisation may not delegate, transfer, or purport to assign its transparency and notification obligations towards Fans to OnlyMonster. Any representation made by the Organisation to Fans stating or implying that OnlyMonster is responsible for data protection notices relating to Bot Detection will constitute a material breach of this Policy and the DPA. #### 3.5. Ongoing Compliance The Organisation's transparency obligations are continuous. If the Organisation materially changes the manner in which it uses Bot Detection results — including by applying them to new decision-making processes, sharing them with third parties, or using them in new jurisdictions — the Organisation must update its Transparency Notice prior to such change and, where required by applicable law, re-obtain consent from the relevant Data Subjects. ### 4. Enabling and Managing Bot Detection #### 4.1. Activation Bot Detection may be activated by an authorised user of the Organisation from the Link Overview view within Traffic Metrics by selecting the Bot Detection button located in the upper-right area of the page. Activation constitutes a documented Instruction to OnlyMonster to commence automated analysis of Fan accounts acquired through the selected Traffic Link, in accordance with the DPA. #### 4.2. Automatic Scanning Once Bot Detection is enabled for a Traffic Link: * all new Fan accounts subsequently acquired through that link are scanned automatically; * the Organisation will receive an in-platform notification upon completion of each Scan. #### 4.3. Automatic Deactivation If Detection Results for a completed Scan are not reviewed by the Organisation within ten (10) calendar days of the Scan completing, Bot Detection will be automatically disabled for that Traffic Link. The Organisation may re-enable Bot Detection at any time from the Link Overview. #### 4.4. Organisation's Pre-Activation Obligations **Prior to activating Bot Detection, the Organisation must:** * ensure that a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) exists for the automated processing and profiling of Fan account data; * have conducted, or confirmed that an existing DPIA covers, the processing activities performed by Bot Detection, in accordance with Article 35 GDPR; * have published or made available a Transparency Notice meeting the requirements of Section 3.2 of this Policy; * have entered into the DPA with OnlyMonster. ### 5. Detection Results and Interface #### 5.1. Link Overview — Bots Block Adjacent to the Fan Purchase Frequency block within the Link Overview, the Bots section displays aggregated Detection Results for the selected Traffic Link: * **Detected** — the total number of Fan accounts classified as potential bots. * **Bot Rate** — the percentage of potential bot accounts among all Fan accounts acquired through the Traffic Link. #### 5.2. Link Overview — Fan Table A red bot icon is displayed adjacent to the username of any Fan account flagged by the automated analysis: * **Icon displayed** — the account has been classified as a potential bot by the automated analysis. * **No icon displayed** — the account was not classified as a potential bot at the time of the Scan. #### 5.3. Traffic Metrics Dashboard — Bots Column A dedicated Bots column within the Traffic Metrics table shows the Detection Result for each Traffic Link: * **A number (e.g. 14)** — count of Fan accounts classified as potential bots. * **OFF** — Bot Detection is currently disabled for that Traffic Link. * **N/A** — Bot Detection is not available for this entry (Direct Traffic). ### 6. Detection Methodology #### 6.1. Automated Analysis Bot Detection applies automated behavioural analysis to Fan accounts acquired through Traffic Links. The analysis evaluates account-level signals to determine the likelihood that an account is operated by an automated system rather than a genuine human user. The system is designed for continuous improvement and detection criteria may be updated periodically to enhance accuracy and address emerging circumvention methods. #### 6.2. Non-Disclosure of Signals In order to preserve the effectiveness of Bot Detection and prevent circumvention, the specific signals, rules, thresholds, and analytical logic applied by the system are not publicly disclosed. This does not affect the Organisation's obligation to provide meaningful explanations to Data Subjects under Article 22(3) GDPR. Where a Data Subject exercises their right to an explanation, the Organisation shall contact OnlyMonster at , and OnlyMonster shall provide sufficient information to enable the Organisation to discharge its obligation, subject to applicable security and confidentiality constraints. #### 6.3. System Updates Detection criteria and methodology may be adjusted periodically to improve accuracy or respond to new patterns of automated activity. OnlyMonster will provide the Organisation with reasonable prior notice of any changes that materially affect the nature of processing under the DPA. ### 7. Accuracy, Limitations, and Disclaimers #### 7.1. Informational Basis Detection Results are generated by automated analysis and are provided on an informational basis only. OnlyMonster does not represent or warrant that Detection Results are accurate, complete, or free from error. #### 7.2. False Positives and False Negatives The automated analysis may produce False Positives and False Negatives. The Organisation acknowledges these limitations and agrees that Detection Results shall not be treated as definitive determinations. No material decision affecting a Data Subject shall be made solely on the basis of a Detection Result without human review. #### 7.3. No Warranty Detection Results are provided **"as is"** without any express or implied warranty as to fitness for a particular purpose, merchantability, or accuracy. ### 8. Organisation's Responsibilities #### 8.1. Controller Responsibility The Organisation acts as Data Controller in respect of all Fan account data processed through Bot Detection and is solely responsible for: * establishing and maintaining a valid legal basis for automated processing and profiling of Fan account data; * conducting a DPIA where required under Article 35 GDPR prior to activating Bot Detection; * publishing and maintaining a Transparency Notice that meets the requirements of Section 3 of this Policy in all jurisdictions where Fans are located; * implementing and maintaining a mechanism through which Data Subjects may request human review of any automated classification; * establishing a data retention policy for Detection Results consistent with Article 5(1)(e) GDPR — recommended maximum: ninety (90) calendar days from the date of the Detection Result, unless a longer period is specifically justified in the Organisation's DPIA; * ensuring that any decision affecting a Data Subject based on Detection Results incorporates a meaningful element of human review, in compliance with Article 22 GDPR. #### 8.2. Decisions Based on Detection Results Detection Results are **informational tools**. Any decision carrying material consequences for a Data Subject — including account suspension, moderation, payout adjustment, or communication with traffic providers — must not be taken solely on the basis of an automated Detection Result. A qualified individual must review the relevant Detection Results and apply independent judgment before any such decision is implemented. #### 8.3. Interaction with Traffic Providers Where the Organisation uses Detection Results as the basis for disputes, claims, chargebacks, or renegotiations with traffic providers, the Organisation is solely responsible for assessing the legal and contractual implications of such use and complying with applicable law. #### 8.4. Indemnification The Organisation agrees to indemnify, defend, and hold harmless the OnlyMonster Indemnitees (as defined in the Terms and Conditions) from and against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from: * any failure by the Organisation to comply with its obligations under this Policy or applicable data protection law, including its transparency and notification obligations under Section 3; * any decision taken by the Organisation on the basis of Detection Results, including claims by Data Subjects, Fan Platforms, traffic providers, or supervisory authorities arising from such decisions; * any breach of the representations and warranties in Sections 3 and 8.1 of this Policy. ### 9. Access Control #### 9.1. Permission Requirements Access to Bot Detection functionality is governed by the same permission structure applicable to Traffic Metrics: * **View Traffic Metrics permission** — required to view Detection Results, Bot Rate, and bot flags in the Fan table and Traffic Metrics Dashboard. * **Edit Traffic Metrics permission** — required to activate, deactivate, or otherwise manage Scans. #### 9.2. Internal Access Controls The Organisation is responsible for ensuring that access to Detection Results is limited to personnel with a legitimate operational need, consistent with the principle of data minimisation under Article 5(1)(c) GDPR. ### 10. Data Subject Rights and Complaint Mechanism #### 10.1. Applicable Rights Data Subjects whose accounts are processed through Bot Detection may exercise the following rights against the Organisation as Data Controller: * **Right to information (Articles 13–14 GDPR)** — to be informed of automated profiling through the Organisation's Transparency Notice. * **Right of access (Article 15 GDPR)** — to obtain confirmation of whether their account has been profiled and the Detection Result. * **Right to explanation (Article 22(3) GDPR)** — where profiling produces a decision with significant effects, to receive a meaningful explanation of the logic applied. * **Right to object (Article 21 GDPR)** — to object to profiling based on legitimate interest. * **Right to rectification (Article 16 GDPR)** — to request review or correction of an inaccurate Detection Result. #### 10.2. Human Review Mechanism The Organisation must maintain an accessible mechanism through which Data Subjects may request human review of any bot classification that has resulted in a decision affecting them. OnlyMonster shall provide reasonable assistance in accordance with the DPA. #### 10.3. Contact for Data Protection Requests Data protection enquiries relating to Bot Detection may be directed to: | | | | -------------------------- | -------------------- | | **Data protection / DPO:** | | ### 11. Amendments OnlyMonster may amend this Policy upon reasonable prior notice. Amendments that materially affect the nature of processing under the DPA will be communicated in accordance with the DPA notification provisions. Continued use of Bot Detection following the effective date of an amended Policy constitutes acceptance of the changes, except where applicable law requires express consent. ### 12. Contact Information | | | | -------------------------- | -------------------------------------------------------------------------- | | **For legal notices:** | OMLAB DIGITAL LTD, Ifigeneias 14, 3036, Limassol, Cyprus (registered mail) | | **General inquiries:** | | | **Data protection / DPO:** | | | **Government inquiries:** | | --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.onlymonster.ai/privacy-and-compliance/bot-detection-policy.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.