Privacy Policy
Last updated: April 13, 2026
1. Introduction
Welcome to Ad Superpowers ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
Data Controller: AdSuperpowers.ai, registered at Noorddijk 21, 1521 PC Wormerveer, Netherlands, Chamber of Commerce (KvK) number 70810419. Contact: contact@adsuperpowers.ai.
We have assessed that appointment of a Data Protection Officer is not mandatory under Article 37 GDPR, as our processing does not involve large-scale systematic monitoring or large-scale processing of special categories of data. Nick Ofman serves as our data protection contact.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (optional)
- Password (encrypted)
- Organization/company name (if applicable)
2.2 Connected Platform Data
When you connect advertising, analytics, and marketing platforms (Meta Ads, Google Ads, Google Analytics, Google Search Console, Google Tag Manager, LinkedIn Ads, TikTok Ads), we access:
- OAuth access tokens (encrypted at rest)
- Account IDs, container IDs, and names you select to connect
- Campaign and ad performance data when you request it
- Analytics and search performance data when you request it
- Tag management configuration data (tags, triggers, variables) when you request it
- Instagram account identifiers linked to your Facebook Pages, used solely to enable ad placements on Instagram on your behalf
- Facebook Page metadata necessary to create and manage ad creatives (e.g., page-backed Instagram accounts for ad delivery)
Important: We do not store your platform data permanently. Data is fetched in real-time when requested by your AI assistant and is not cached beyond temporary API response caching (maximum 30 minutes).
2.3 Usage Information
We collect information about how you use our service:
- API request logs (tool usage, timestamps)
- Feature usage patterns
- Error logs for troubleshooting
2.4 Payment Information
Payment processing is handled by Stripe. We do not store your credit card information. We receive from Stripe:
- Subscription status
- Payment history (amounts and dates)
- Billing email address
3. How We Use Your Information
We use collected information to:
- Provide and maintain the Ad Superpowers service
- Authenticate your identity and manage your account
- Connect to your advertising, analytics, and tag management platforms on your behalf
- Read platform data (campaigns, analytics, tags) when you request it
- Perform write operations on your behalf when you explicitly instruct your AI assistant (e.g., updating campaigns, creating ads with text variants, creating tags, publishing container versions)
- Link your Facebook Pages to Instagram ad placements, including creating page-backed Instagram accounts when no Instagram account is connected to your Page
- Process your subscription payments
- Send important service notifications
- Respond to support requests
- Improve our services and develop new features
- Comply with legal obligations
3a. Legal Basis for Processing (Article 6 GDPR)
Under Article 6(1) GDPR, we process your personal data only where we have a valid legal basis. The table below sets out the legal basis for each processing activity:
| Processing activity | Legal basis | Article |
|---|---|---|
| Account creation, authentication, service delivery | Performance of contract | Art 6(1)(b) |
| OAuth token storage for connected platforms | Performance of contract | Art 6(1)(b) |
| Read/write operations on connected ad platforms | Performance of contract (explicit instruction) | Art 6(1)(b) |
| Processing subscription payments via Stripe | Performance of contract | Art 6(1)(b) |
| Transactional service emails | Performance of contract | Art 6(1)(b) |
| Abuse prevention, security, error logging | Legitimate interest (keeping the service secure) | Art 6(1)(f) |
| Product analytics, feature usage patterns | Legitimate interest (improving the service) | Art 6(1)(f) |
| Retaining payment records (tax/accounting) | Legal obligation (Dutch tax law, 7 years) | Art 6(1)(c) |
| Marketing communications (if any) | Consent (opt-in, revocable) | Art 6(1)(a) |
Where we rely on legitimate interests, you have the right to object under Article 21 GDPR. We will honour your objection unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Providing your account email, password, and payment information is a contractual requirement. We cannot provide the service without these. Connecting advertising platforms is optional and only required to use the specific integrations you choose.
4. Data Security
We implement industry-standard security measures:
- All OAuth tokens are encrypted at rest using AES-256 encryption
- All data transmission uses TLS/SSL encryption
- Database connections are SSL-encrypted
- API keys are hashed and cannot be retrieved
- Regular security audits and updates
5. Data Sharing and Sub-processors
We do not sell your personal information. We engage the following sub-processors to help us deliver the service. Each is bound by a written data processing agreement that imposes GDPR-equivalent obligations. Transfers outside the EEA are covered by the European Commission's Standard Contractual Clauses (SCCs, 2021/914) or an adequacy decision where applicable.
| Subprocessor | Purpose | Data location | Transfer mechanism |
|---|---|---|---|
| Supabase | Primary PostgreSQL database | EU (Frankfurt) | EU-hosted; SCCs for parent entity |
| Upstash | Redis cache, rate limiting | EU | EU-hosted; SCCs |
| Railway | Backend application hosting | EU region | EU-hosted; SCCs |
| Vercel | Frontend/marketing site hosting | EU region | EU-hosted; SCCs |
| Stripe Payments Europe Ltd | Payment processing, subscriptions, tax | EU / US | SCCs + EU-US Data Privacy Framework |
| Resend | Transactional email delivery | US | SCCs + EU-US DPF |
| Sentry | Error monitoring | EU (Frankfurt) | EU-hosted; SCCs |
| PostHog | Product analytics (application only) | EU | EU-hosted |
| Crisp | Customer support chat | EU (France) | EU-hosted (no transfer) |
Connected advertising platforms (Meta, Google, LinkedIn, TikTok) are independent controllers for data you authorize us to read or write on your behalf, not sub-processors. Their handling of your data is governed by their own privacy policies. Write operations (e.g., updating campaigns, creating or publishing GTM tags) are only performed when you instruct your AI assistant to do so.
We will notify active customers by email of any subprocessor change at least 30 days in advance where feasible. The most current list is always available on this page.
Legal requirements: We may also share data when required by law or to protect our rights.
Data Processing Agreement (DPA)
When you use Ad Superpowers in a business capacity and personal data of your end users or team members is processed through our platform, we act as a processor on your behalf under Article 28 GDPR. Our standard Data Processing Agreement, including the EU Standard Contractual Clauses where relevant, is available on request at contact@adsuperpowers.ai. Team and Enterprise customers receive a signed DPA as part of onboarding.
6. Google API Services User Data Policy
Ad Superpowers's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Ad Superpowers integrates with the following Google services:
- Google Ads: Read campaign performance data and manage campaigns, ad groups, ads, and keywords on your behalf.
- Google Analytics 4: Read analytics reports, page views, traffic sources, and user metrics.
- Google Search Console: Read search performance data, keyword rankings, and manage URL indexing.
- Google Tag Manager: Read container configurations (tags, triggers, variables), run automated audits, create and edit tags, triggers, variables, and workspaces, create version snapshots, and publish container versions to production.
All read and write operations are performed only when explicitly requested by you through your AI assistant. Write operations that affect live environments (e.g., publishing GTM versions, modifying Google Ads campaigns) require your explicit instruction.
Specifically, Ad Superpowers commits to the following:
- Limited use: We only use Google user data to provide and improve the features you explicitly request. Data is fetched and actions are performed on-demand when you use our tools.
- No third-party transfers: We do not transfer Google user data to third parties except as necessary to provide our service, with your consent, for security purposes, or to comply with applicable law.
- No advertising use: We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- No human review without consent: Humans do not read your Google user data unless you have given affirmative consent, it is necessary for security purposes (e.g., investigating abuse), or it is required to comply with applicable law.
- No data selling: We do not sell Google user data to third parties, data brokers, or information resellers.
7. Your Rights
You have the right to:
- Right of access (Art 15 GDPR). Obtain a copy of the personal data we hold about you
- Right to rectification (Art 16 GDPR). Correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten", Art 17 GDPR). Delete your account and associated data
- Right to restriction of processing (Art 18 GDPR). Limit how we use your data in specified circumstances
- Right to data portability (Art 20 GDPR). Receive your data in a structured, commonly used, machine-readable format (JSON)
- Right to object (Art 21 GDPR). Object to processing based on legitimate interests, including profiling
- Right to withdraw consent (Art 7(3) GDPR). Where processing is based on consent, withdraw it at any time without affecting prior lawful processing
- Right to disconnect any connected advertising platform at any time via your dashboard
- Right not to be subject to solely automated decisions (Art 22 GDPR). See our AI Processing section below
To exercise these rights, contact us at contact@adsuperpowers.ai
Right to Lodge a Complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).
Our lead supervisory authority is the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag, Netherlands
autoriteitpersoonsgegevens.nl
We would appreciate the opportunity to address your concerns directly before you approach the supervisory authority. Please reach out to contact@adsuperpowers.ai first.
8. Data Retention
We retain your data for as long as your account is active. Upon account deletion:
- Account information is deleted within 30 days
- OAuth tokens are immediately revoked and deleted
- Usage logs are retained for 90 days for abuse prevention
- Payment records are retained as required by law (typically 7 years)
9. Cookies
We use essential cookies for:
- Authentication and session management
- Security (CSRF protection)
We do not use advertising, analytics, or tracking cookies on our marketing or application domains. Because only strictly necessary cookies are used, no cookie consent banner is required under Article 5(3) of the ePrivacy Directive (as implemented in the Dutch Telecommunications Act). If this changes, we will introduce a compliant consent mechanism before any non-essential cookies are set.
10. International Data Transfers
10.1 Data Location
Your data is hosted exclusively within the European Union:
- Database: EU region (Supabase)
- Cache: EU region (Upstash)
- Application servers: EU region (Railway, Vercel)
We do not transfer personal data outside the EU except as required for platform integrations (Meta, Google Ads, Google Analytics, Google Search Console, Google Tag Manager, LinkedIn, TikTok) which you explicitly authorize.
10.2 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify you within 72 hours of becoming aware of the breach
- Report the breach to the relevant supervisory authority (Dutch DPA)
- Provide details of the breach, affected data, and remediation steps
11. Children's Privacy
Our services are not intended for individuals under 16 years of age (the age of digital consent in the Netherlands under Article 8 GDPR and Article 5 UAVG). For users in jurisdictions with a higher age of digital consent, that higher age applies. We do not knowingly collect personal information from children below the applicable age of consent. If you believe we have collected such data, contact us at contact@adsuperpowers.ai and we will delete it promptly.
AI Processing and Automated Decision-Making
Ad Superpowers is designed to be used with AI assistants (e.g., Claude, ChatGPT, Gemini, or other Model Context Protocol clients of your choice). The AI assistant runs in your environment, not ours. When you issue an instruction, the AI assistant calls our MCP server, which in turn calls the advertising platforms you have connected.
We do not send your data to AI providers. The AI provider (Anthropic, OpenAI, Google, or otherwise) is your own chosen processor, not ours. Ad Superpowers returns structured data to the AI assistant you selected; the AI provider's handling of that data is governed by your agreement with them.
We do not train AI models on your data. Your account data, connected platform data, and prompts are never used to train, fine-tune, or otherwise improve any machine learning model. Not ours, not anyone else's.
No solely automated decisions with legal or similarly significant effects (Article 22 GDPR). All write operations against your ad accounts are performed only on your explicit instruction through the AI assistant. We do not autonomously spend budget, change bids, or alter campaigns without a human instruction in the loop. You remain the decision-maker; the AI assistant is a tool that executes your instructions.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through our platform. Your continued use of the service after changes constitutes acceptance of the updated policy.
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your rights
To exercise these rights, contact us at contact@adsuperpowers.ai
14. Data Protection Contact
For any data protection inquiries or to exercise your GDPR rights, contact:
Data Protection Contact: Nick Ofman
Email: contact@adsuperpowers.ai
Response Time: Within 30 days as required by GDPR
15. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: contact@adsuperpowers.ai