PRIVACY POLICY
THE ADS ENGINE ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, disclose, and protect your information when you use our platform as a subscriber (Client) or as a visitor to a Client's website hosted on the Ads Engine platform.
This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU GDPR (2016/679), and other applicable data protection legislation.
Data Controller: PAJ Strategies ("The Ads Engine").
All data protection enquiries: privacy@theadsengine.com
1. Data We Collect
1.1 Client (Subscriber) Data
- Account information: Business name, owner name, email address, password (stored as bcrypt hash), city, country, industry, and subdomain preference.
- Business profile data: Services, keywords, content preferences, branding assets, and scheduling settings.
- Billing information: Subscription plan and payment status. Full card details are handled exclusively by Stripe and never stored by us.
- Usage data: Log files, IP addresses, browser type, pages visited, and feature usage metrics.
- Communications: Emails and support messages you send to us.
1.2 Lead / Visitor Data (Collected on Your Behalf)
When visitors submit lead capture forms on your Client-hosted blog, we collect this data as a Data Processor on your behalf:
- Contact information: name, email address, phone number (where provided).
- Message content submitted via the lead form.
- Technical data: IP address and User-Agent string (for spam filtering only).
- Attribution data: source URL, referrer, and UTM parameters.
All lead PII is encrypted at rest using AES-256 (Fernet encryption).
1.3 Analytics Data
We use Umami Analytics — a privacy-preserving, open-source tool that does not use cookies, does not track users across sites, and does not collect personally identifiable information.
2. Data Storage and Security
All personal data is stored exclusively on servers located in Germany (EU), operated by Hetzner Online GmbH (ISO 27001 and ISO 9001 certified).
- Encryption at rest: Lead PII encrypted with AES-256 (Fernet). Passwords hashed with bcrypt (cost factor 12+).
- Encryption in transit: TLS 1.2+ enforced on all connections.
- Access controls: Principle of least privilege applied to all systems.
- Automated backups: Encrypted backups retained for 7 days.
3. Sub-processors
We share limited data with these third-party sub-processors, each bound by appropriate DPAs or SCCs:
Resend (resend.com)
Purpose: Transactional email delivery.
Data shared: Lead name, email address, phone number, message content, and source page URL (included in lead notification emails sent to the business owner).
Location: United States (SCCs apply).
Stripe (stripe.com) — Payment Processor
Purpose: Payment processing and subscription management.
Data shared: Billing contact info and subscription data.
Location: UK and United States.
Hetzner Online GmbH (hetzner.com)
Purpose: Cloud infrastructure and managed databases.
Location: Germany (EU) — no data transfer outside EEA.
Anthropic (anthropic.com)
Purpose: AI content generation via the Claude CLI.
Data shared: Business profile info only. No lead PII or visitor contact data is shared with Anthropic.
Location: United States (Anthropic DPA applies; inputs not used for training).
Sentry (Functional Software Inc. — sentry.io)
Purpose: Error monitoring and performance tracking.
Data shared: May process IP addresses and user agent strings contained in error reports. No lead PII is intentionally included.
Location: United States (SCCs apply).
MaxMind (maxmind.com)
Purpose: Geographic IP lookup for language and region detection.
Data shared: IP addresses are looked up locally against a downloaded database. No PII is transmitted to MaxMind's servers.
Location: United States.
Google LLC (google.com)
Purpose: Search Console integration for SEO performance monitoring.
Data shared: Website performance data (search queries, impressions, click-through rates). No visitor PII is shared.
Location: United States (SCCs apply).
BotHero (bothero.ai) — Live Chat
Purpose: AI-powered live chat widget on marketing pages and client blog pages.
Data shared: Chat messages you send, page URL, browser type, and IP address (for rate limiting). No lead PII is shared unless you voluntarily include it in a chat message.
Location: Germany (EU) — hosted on the same Hetzner infrastructure.
Umami (umami.is) — Privacy-Preserving Analytics
Purpose: Aggregate page view statistics on client blog pages. Does not use cookies, does not track individual users, and does not collect PII.
Data shared: None individually identifiable. Collects only aggregate page views, referrer, and device type.
Location: Germany (EU) — self-hosted on our own Hetzner infrastructure. No data leaves the EU.
4. International Data Transfers
Our primary data storage is in Germany (EU) via Hetzner, so no international transfer occurs for stored data. However, some sub-processors (Stripe, Resend, Anthropic, Sentry, Google) are based in or process data through the United States. We ensure appropriate safeguards are in place for each transfer:
- EU-to-US transfers: Protected by the European Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c).
- UK-to-US transfers: Protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable under UK GDPR. The EU SCCs alone do not constitute a valid transfer mechanism for UK data — we apply the appropriate UK instrument.
A copy of the applicable transfer mechanism is available upon request by emailing privacy@theadsengine.com.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Active subscriber account data | Retained while subscription is active |
| Cancelled account data | 45 days from cancellation, then permanently deleted |
| Lead / visitor PII | 2 years from submission, or until Client deletion request |
| Billing records | 7 years (tax and accounting law) |
| Application logs | 90 days |
| Encrypted backups | Up to 7 days |
6. Your Rights as a Data Subject
Under UK GDPR and EU GDPR, you have the following rights. To exercise them, email privacy@theadsengine.com. We respond within 30 days.
- Right of Access (Art. 15): Request a copy of your personal data.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data.
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Restrict Processing (Art. 18): Restrict how we process your data.
You have the right to lodge a complaint with a supervisory authority. In the UK: Information Commissioner's Office (ICO). If you are located in the European Economic Area, you may also contact your local national data protection supervisory authority.
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the ICO within 72 hours of becoming aware of a qualifying breach, where the breach is likely to result in a risk to individuals' rights and freedoms (UK GDPR Article 33 / EU GDPR Article 33).
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34 / EU GDPR Article 34). Notification will be sent via email to the address held on file.
We maintain an internal breach register and have documented procedures for detecting, reporting, and investigating personal data breaches.
8. Cookie Usage
We use minimal cookies strictly necessary to operate the platform. We do not use third-party advertising cookies or cross-site tracking technologies.
Umami Analytics (used on Client-hosted blog pages) does not use cookies or persistent tracking identifiers. No consent is required for Umami under the ePrivacy Directive.
See our full Cookie Policy for details.
9. Legal Basis for Processing (GDPR Art. 6)
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the Service, manage your subscription, and send transactional emails.
- Legitimate Interests (Art. 6(1)(f)): Usage and log data to improve the platform, detect fraud, and maintain security.
- Legal Obligation (Art. 6(1)(c)): Retaining billing records for tax compliance.
- Consent (Art. 6(1)(a)): Where relied upon (e.g. optional marketing emails), you may withdraw consent at any time.
10. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information:
- Right to Know: You may request disclosure of the categories and specific pieces of personal data we have collected about you, the sources of that data, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal data, subject to certain exceptions.
- Right to Opt Out of Sale: We do not sell personal information, and we have not sold personal information in the preceding 12 months. You do not need to take any action to opt out.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your California privacy rights, email privacy@theadsengine.com with the subject line "California Privacy Request." We will respond within 45 days.
11. Additional Rights for Brazilian Residents (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (Law 13,709/2018 — LGPD) provides you with additional rights regarding your personal data.
We process personal data under the legal bases defined in LGPD Article 7, including contract performance (Art. 7-V), legitimate interest (Art. 7-IX), and consent where applicable (Art. 7-I).
Under LGPD Article 18, Brazilian data subjects have the right to:
- Confirmation of processing: Confirm whether we process your personal data.
- Access: Access the personal data we hold about you.
- Correction: Request correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with LGPD.
- Data portability: Receive your data in a structured format to transfer to another service provider.
- Information about shared data: Obtain information about public and private entities with whom we share your data.
- Review of automated decisions (Art. 20): Request review of decisions made solely by automated means that affect your interests.
Cross-border transfers of personal data from Brazil to Germany (infrastructure) and the United States (sub-processors) are conducted under Standard Contractual Clauses in accordance with ANPD Resolution CD/ANPD 19/2024.
The supervisory authority in Brazil is the Autoridade Nacional de Proteção de Dados (ANPD) — anpd.gov.br.
Our Data Protection Officer (Encarregado) can be contacted at: privacy@theadsengine.com.
12. Additional Rights for South African Residents (POPIA)
If you are located in South Africa, the Protection of Personal Information Act 4 of 2013 (POPIA) provides you with additional rights regarding your personal information.
We process personal information under POPIA's conditions for lawful processing, including consent (Section 11) and legitimate interest (Section 11(1)(f)).
Under POPIA Section 23, South African data subjects have the right to:
- Access: Request access to the personal information we hold about you.
- Correction: Request correction or deletion of inaccurate, irrelevant, or excessive personal information.
- Deletion: Request deletion of personal information we are no longer authorised to retain.
- Right to object: Object to the processing of your personal information on reasonable grounds.
The supervisory authority in South Africa is the Information Regulator of South Africa — inforegulator.org.za.
To exercise your POPIA rights, email privacy@theadsengine.com.
13. Additional Rights for Canadian Residents
If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how we handle your personal information.
We process personal data in accordance with PIPEDA's fair information principles, including accountability, identifying purposes, consent, limiting collection, and safeguards.
Canadian residents have the following rights under PIPEDA:
- Right to access: Request access to the personal information we hold about you.
- Right to challenge accuracy: Request correction of inaccurate or incomplete information.
- Right to withdraw consent: Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
Canada's Anti-Spam Legislation (CASL): We send commercial electronic messages only with express or implied consent as defined under CASL. Every marketing email includes a functional unsubscribe mechanism. Our contact: PAJ Strategies ("The Ads Engine") — support@theadsengine.com.
Quebec residents: Quebec's Law 25 (Act Respecting the Protection of Personal Information in the Private Sector) provides additional privacy rights. Please contact us at privacy@theadsengine.com to exercise these rights.
The supervisory authority in Canada is the Office of the Privacy Commissioner of Canada — priv.gc.ca.
14. Additional Rights for Singapore Residents
If you are located in Singapore, the Personal Data Protection Act 2012 (PDPA, as amended 2020) governs how we handle your personal data.
We comply with the PDPA's obligation to collect, use, and disclose personal data only for purposes a reasonable person would consider appropriate in the circumstances.
Singapore residents have the following rights under the PDPA:
- Right to access: Request access to the personal data we hold about you and information about how it has been used or disclosed in the past year.
- Right to correction: Request correction of inaccurate personal data in our possession or control.
Mandatory breach notification: In the event of a notifiable data breach affecting your personal data, we will notify the Personal Data Protection Commission (PDPC) within 3 business days of becoming aware of the breach, and notify affected individuals within 3 business days after PDPC notification, where required under the PDPA.
The supervisory authority in Singapore is the Personal Data Protection Commission (PDPC) — pdpc.gov.sg.
To exercise your PDPA rights, email privacy@theadsengine.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of material changes by email (to the address associated with your account) or by posting a prominent notice on our website at least 30 days before any material changes take effect. The updated policy will always show a revised "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
16. Contact Our Data Protection Officer
Data Protection Officer
PAJ Strategies ("The Ads Engine")
Email: privacy@theadsengine.com
General support: support@theadsengine.com
Legal matters: legal@theadsengine.com
We aim to respond to all data protection requests within 30 days. Complex requests may require up to 3 months, in which case we will notify you within 30 days of the expected timeline.
Google API Services User Data Policy
The Ads Engine's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What Google Data We Access
When you connect your Google Ads account, we access:
- Campaign data (names, settings, budgets, bidding strategies)
- Ad group and ad content (headlines, descriptions, extensions)
- Performance metrics (impressions, clicks, conversions, cost)
- Keyword data (search terms, quality scores, bids)
How We Use Your Data
Your Google Ads data is used exclusively to:
- Display campaign performance in your dashboard
- Generate AI-powered ad copy suggestions
- Create and manage campaigns on your behalf
- Provide optimization recommendations
Data Storage and Security
Your Google Ads credentials (OAuth refresh tokens) are encrypted at rest using AES-256 encryption. We do not share your Google Ads data with third parties. Campaign data is cached temporarily for dashboard performance and is refreshed on each login.
Revoking Access
You can disconnect your Google Ads account at any time from your dashboard settings. This immediately revokes our access to your Google Ads data. You can also revoke access directly from your Google Account permissions.