Privacy Policy — Datafirefly Ads

Last updated: 27 April 2026

1. Data Controller

Datafirefly Ads is a SaaS service operated by Datafirefly Limited, a private limited company registered in Ireland under CRO number 810100, registered office at Blackrock, Co. Dublin, Ireland. Contact: contact@datafirefly.com.

2. Data we collect

When you create a Datafirefly Ads account and use the platform, we collect:

• Account data: email address, hashed password (argon2id), company name, country, locale.
• OAuth tokens: refresh tokens granted by Google Ads and Meta Marketing APIs, encrypted at rest with Fernet (AES-128 in CBC + HMAC-SHA256). Access tokens are derived on demand and not persisted.
• Ads platform data: campaign metadata, performance metrics (impressions, clicks, spend, conversions, ROAS), assets, and audit findings — pulled from Google Ads or Meta Ads on your authenticated request.
• E-commerce data (when shop integration enabled): product catalog metadata, order totals, COGS and shipping costs (used to compute net-margin offline conversion uploads to Google/Meta).
• Operational data: API request logs, error stack traces (with PII scrubbed) for monitoring via Sentry.
• Billing data: when applicable, Stripe customer ID and subscription status (no card numbers — Stripe Hosted Checkout).

3. Why we process this data

• To provide the platform: authenticate you, run audits, compile playbooks, push offline conversions on your behalf (legal basis: contractual necessity).
• To prevent fraud and abuse, monitor uptime and security (legal basis: legitimate interest).
• To bill subscriptions when applicable (legal basis: contractual necessity).
• To comply with legal obligations (tax, audit, regulatory).

4. Where the data lives (recipients & sub-processors)

Your data is stored and processed by the following sub-processors:

• Hetzner Online GmbH — application hosting on a dedicated bare-metal server (AX42-U) located in Hetzner’s Falkenstein 1 datacenter (Sachsen, Germany, EU). Registered office: Industriestr. 25, 91710 Gunzenhausen, Germany. ISO 27001 certified. Data Processing Agreement (DPA) signed under Art. 28 GDPR. Encrypted at rest (LUKS) + daily backups. All Datafirefly Ads data (Postgres, Redis) is stored exclusively on this server in Germany.
• Cloudflare Inc. (USA, with EU data routing) — CDN, DNS, tunneling, SSL termination.
• Sentry (Functional Software Inc.) (EU region) — error and performance monitoring.
• Google LLC — Google Ads API (you authorize via OAuth).
• Meta Platforms Ireland Ltd — Meta Marketing API (you authorize via OAuth).
• Stripe Payments Europe Ltd (Ireland) — when subscription billing applies.
• Brevo (Sendinblue SAS) (France) — transactional email (account confirmation, alerts).
• Anthropic PBC — Claude API for AI-assisted strategy generation, only when explicitly invoked.

We do not sell your data and do not share it with advertising networks beyond what you explicitly authorize via OAuth (Google Ads, Meta Ads).

5. International transfers

Some sub-processors are based outside the European Economic Area (USA). We rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) where applicable.

6. Retention

• Account data and OAuth tokens: kept while your account is active, deleted within 30 days of account closure.
• Audit findings, playbook runs, ads metrics: 24 months rolling, then aggregated.
• Operational logs (Sentry): 30 days.
• Billing records: 10 years (legal requirement).

7. Your GDPR rights

You can exercise the following rights at any time by emailing contact@datafirefly.com:

• Right to access your data.
• Right to rectification.
• Right to erasure (« right to be forgotten »).
• Right to data portability.
• Right to object to processing.
• Right to lodge a complaint with the Irish Data Protection Commission (https://www.dataprotection.ie).

8. Disconnecting Google Ads / Meta Ads

You can revoke our access to your Google or Meta Ads accounts at any time:

• Google: visit myaccount.google.com/permissions and remove « Datafirefly Ads ».
• Meta: visit facebook.com/settings → Business Integrations.

Once revoked, we permanently delete the encrypted refresh token from our database within 24 hours.

9. Security

OAuth refresh tokens are encrypted with Fernet (per-tenant key derivation). Postgres Row-Level Security enforces strict tenant isolation at the database layer. Passwords are hashed with argon2id. All traffic is TLS-encrypted (Cloudflare Universal SSL). Database backups are taken daily and encrypted at rest.

10. Cookies

We use only essential first-party cookies and a localStorage entry (ads_token) to maintain your authenticated session. We do not use third-party advertising or tracking cookies.

11. Changes to this policy

We will notify you by email of material changes, and the « last updated » date above will be revised.

12. Contact

Questions about this policy or your data? Email contact@datafirefly.com.