Last updated: March 16, 2026
This Privacy Policy explains how AdPredictor ("we", "us", "our") collects, uses, stores, and protects your personal data when you use adpredictor.ai (the "Service"). We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), the Spanish Organic Law 3/2018 on Data Protection (LOPDGDD), and other applicable privacy legislation.
The data controller responsible for the processing of your personal data is AdPredictor, contactable at privacy@adpredictor.ai.
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at the email address above.
Account Information: When you register, we collect your name, email address, and authentication credentials (managed via Supabase Auth). If you sign in with Google, we receive your Google profile information (name, email, profile picture).
Google Ads Data: If you connect your Google Ads account, we access campaign data, keyword performance, search terms, daily metrics, and account metadata via the Google Ads API. This data is used exclusively to provide you with insights, predictions, and optimization recommendations.
Payment Information: When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status, but never your credit card number or full payment details.
Usage Data: We collect information about how you use the Service, including pages visited, features used, tool inputs/outputs, and interaction patterns. This helps us improve the product.
Contact & Lead Data: If you submit a contact form or use our free tools, we collect the information you provide (name, email, company, message content, tool inputs).
Technical Data: We automatically collect IP addresses, browser type, device information, and access timestamps for security, rate limiting, and analytics purposes.
We process your personal data based on the following legal grounds under GDPR Article 6:
Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you requested, including account management, Google Ads data analysis, and subscription handling.
Legitimate Interest (Art. 6(1)(f)): Processing for security (rate limiting, fraud prevention), product improvement (analytics), and customer support. We have assessed that these interests do not override your fundamental rights.
Consent (Art. 6(1)(a)): Where required, such as for marketing communications and non-essential cookies. You can withdraw consent at any time.
Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with tax, accounting, or other legal requirements.
Service Delivery: To provide AI-powered Google Ads insights, predictions, campaign management features, and optimization recommendations.
Account Management: To create and manage your account, authenticate your identity, and handle billing.
Communication: To send essential service emails (welcome, password reset, account notifications). We use Brevo as our email service provider.
Security: To protect against unauthorized access, detect anomalies, and enforce rate limits.
Product Improvement: To analyze aggregated, anonymized usage patterns and improve the Service.
AI Processing: Tool inputs and campaign data may be processed by third-party AI providers to generate insights. This data is not used to train AI systems.
We share your data with the following third-party processors, each of which maintains its own privacy policies and data processing agreements:
Supabase (EU/US) — Authentication and database hosting. Data stored in AWS eu-west-1 (Ireland).
Stripe (US) — Payment processing. PCI DSS Level 1 certified.
Vercel (US) — Application hosting and serverless functions. SOC 2 Type 2 certified.
Google (US) — Google Ads API access for campaign data synchronization. Subject to Google API Services User Data Policy.
Brevo (EU/US) — Transactional email delivery and CRM.
Upstash (EU) — Rate limiting via Redis. Data processed in EU region.
Cloudflare (US) — Turnstile CAPTCHA for spam protection on forms.
AI processing service (US) — AI-powered insight generation. Anonymized campaign data is processed to generate optimization recommendations. Data is not used for model training.
Google Analytics (US) — Website analytics with Consent Mode v2 for GDPR compliance.
We ensure all processors provide adequate data protection guarantees. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions.
Essential Cookies: Required for authentication and session management. These cannot be disabled.
Analytics Cookies: Google Analytics (GA4) with Consent Mode v2. These are only activated with your consent.
Security Cookies: Cloudflare Turnstile uses cookies for bot detection on forms.
We do not use advertising cookies or sell your data to advertisers. You can manage your cookie preferences through your browser settings.
Account Data: Retained for the duration of your account. Deleted within 30 days of account deletion.
Google Ads Data: Campaign metrics and insights are retained while your account is active. Historical data retention depends on your plan (Starter: 30 days, Professional: 90 days, Enterprise: 365 days).
Contact Form Submissions: Retained for up to 24 months for follow-up purposes.
Server Logs & Security Data: Retained for up to 90 days for security and debugging purposes.
Payment Records: Retained as required by tax and accounting legislation (typically 5-7 years).
You have the following rights regarding your personal data:
Right of Access (Art. 15): Request a copy of all personal data we hold about you. You can do this instantly via Settings > Export Data, which downloads a JSON file with all your data.
Right to Rectification (Art. 16): Request correction of inaccurate personal data.
Right to Erasure (Art. 17): Request deletion of your personal data. You can do this via Settings > Delete Account, which triggers deletion (or anonymisation) of your data and your authentication account, subject to any retention required by law, security, or billing.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON). Available via the export feature.
Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
Right to Object (Art. 21): Object to processing based on legitimate interest.
Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
CCPA Rights: If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, visit our GDPR Self-Service Portal at /gdpr-portal or contact us at privacy@adpredictor.ai. You may also use the self-service options in your account settings. We will respond within 30 days as required by GDPR. You also have the right to lodge a complaint with your local supervisory authority (in Spain: Agencia Española de Protección de Datos, www.aepd.es).
We implement appropriate technical and organizational measures to protect your personal data, including: encryption in transit (TLS 1.3) and at rest, secure authentication via Supabase Auth with OAuth 2.0, rate limiting to prevent abuse, regular security reviews, and access controls limiting data access to authorized personnel only.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.
The Service is not intended for individuals under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. Users between 13 and 16 require parental or guardian consent.
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the EU-US Data Privacy Framework where applicable.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.
For any privacy-related inquiries, data subject requests, or complaints: Email: privacy@adpredictor.ai
Supervisory Authority: If you are in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es.