Privacy Policy
Last updated: 24 May 2026 · Effective date: 24 May 2026
1. Who we are
UniAds ("we", "our", "us") is an AI media-buyer software-as-a-service operated by an independent founder based in Estonia. We help small and medium businesses launch and manage their own Google Ads and Meta Ads campaigns through a web dashboard and a Telegram bot.
Contact: info@uniads.eu
2. What data we collect
2.1 Account data
- Email address — when you sign up with email, or supplied by Google / Facebook / Telegram on social login.
- Display name — first name and (where available) avatar URL from the identity provider you used.
- Telegram identifiers — telegram_id and @username when you connect your Telegram account.
- Identity provider keys — Google "sub", Facebook user id, Telegram id (one row per provider you link).
2.2 Connected ad accounts
- OAuth refresh tokens from Meta Ads and Google Ads, encrypted with AES-256-GCM before storage. Decrypted only at API call time, never logged.
- Ad account metadata — your Google Ads customer_id, Meta ad account id, account name, currency. This covers only the ad accounts you authorise; we never harvest data from accounts you have not explicitly connected.
2.3 Business profile (filled in onboarding)
- Business name, type, website URL, country/city, target audience.
- Service descriptions and prices for the offerings you ask us to advertise.
- Photos and other creative assets you upload or that we scrape from your website at your request.
2.4 Campaign metrics
- Read-only metrics we pull from your connected ad accounts: spend, impressions, clicks, conversions, CPA, CTR, ROAS. Stored for up to 12 months for charts and anomaly detection.
2.5 Leads
- When a visitor submits a form on a landing page we host for you, or when Meta forwards a lead via webhook, we store: name, phone, email, the form id, the campaign id, and your AI-suggested first reply.
- These leads belong to you (the advertiser). We process them on your behalf as a processor under GDPR.
2.6 Conversations
- Text and voice messages you exchange with our Telegram bot or the web chat. Voice messages are transcribed to text via OpenAI Whisper; the audio is discarded after transcription.
- We retain the last 100 messages per user to give the AI conversational context. Older history is deleted automatically.
2.7 Payment data
- Handled entirely by Stripe. We store only the Stripe customer id and subscription id — never card numbers, CVV, or bank details.
2.8 Technical data
- IP address (kept for rate-limiting), browser user-agent, request timestamps.
- Session JWT stored in your browser's localStorage (replaces cookies for auth).
3. How we use your data
- Provide the service: launch and manage campaigns you ask us to launch, generate creatives, render landing pages, route leads to your inbox.
- AI features: send a working subset of your business profile and campaign context to large-language-model providers (OpenAI, Anthropic, Groq) so they can draft ad copy, suggest budget changes, and summarise performance.
- Anomaly detection & reporting: compute trend lines, surface significant changes in your KPIs.
- Billing: manage your subscription via Stripe.
- Security: detect abuse, prevent unauthorised access.
- Service emails (transactional): receipts, security alerts, expiring-token notifications. We do not send marketing emails without separate opt-in.
4. Third parties we share data with
We only share data with vendors that are necessary to deliver the service. Each is contractually bound to protect your data and process it solely for the stated purpose.
| Provider | What we send | Why |
|---|---|---|
| Stripe (Ireland / US) | Email, subscription id | Billing & PCI-compliant card handling |
| OpenAI (US) | Anonymised business profile + campaign context + voice audio for transcription | Generates ad copy, landing pages, voice transcripts |
| Anthropic (US) | Same context as OpenAI | Heavy analytical tasks, alternative model |
| Groq (US) | Same context (text only) | Fast, inexpensive variant for small tasks |
| Cloudflare (US / global edge) | Landing-page HTML | Hosts your published landing pages at the edge |
| Vercel (US / global edge) | Standard HTTP request data | Hosts our web dashboard |
| Meta Platforms (Ireland) | API calls scoped to your connected ad account | Read/write Meta Ads on your behalf |
| Google LLC (Ireland) | API calls scoped to your connected Google Ads account | Read/write Google Ads on your behalf |
| Telegram FZ-LLC (UAE) | Bot messages | Delivers messages between you and our bot |
| Supabase (EU) | All persistent data described in §2 | Database hosting |
We do not sell personal data. We do not run ad-tech tracking on our own marketing site (no Google Analytics, no Meta Pixel) — page views are server-rendered.
5. Where data is processed
Your data is primarily stored in Supabase (EU region). API calls to AI providers may route through their US infrastructure under the EU-US Data Privacy Framework or Standard Contractual Clauses. By using the service you consent to these international transfers.
6. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Export your data in a portable format (JSON)
- Restrict or object to specific processing
- Withdraw consent for AI processing (this will disable AI-powered features but keep your account active)
- Lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee)
To exercise any of these rights, email info@uniads.eu from the email associated with your account. We respond within 30 days.
7. Data deletion
You can delete your account at any time:
- From inside the app: Settings → Account → Delete account
- By email: send a deletion request to info@uniads.eu
Upon deletion we immediately purge: your user row, business profile, conversations, OAuth tokens, leads, creatives, and connected ad-account metadata. Encrypted backups are retained for up to 30 days for disaster recovery, then permanently deleted. We retain anonymised billing records for 7 years as required by Estonian tax law.
Disconnecting an ad platform from /accounts also revokes the OAuth token and removes the stored tokens immediately.
8. Security
- All traffic served over HTTPS / TLS 1.2+.
- OAuth refresh tokens encrypted with AES-256-GCM at rest, with per-user authenticated additional data so a stolen ciphertext cannot be reused across accounts.
- Production secrets stored as environment variables, never committed to source control.
- Access to production data is limited to the founder and reviewed quarterly.
9. Children
UniAds is intended for business users aged 18 or over. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy as we add features or vendors. When we make material changes we will: (a) notify active users by email at least 14 days before the change takes effect, and (b) bump the "Last updated" date at the top of this page.
11. Contact
Privacy questions, data requests, or complaints: info@uniads.eu