Legal
Privacy policy
How ads4founders handles personal data, in plain language. No third-party ad pixels, no Google Analytics, no behavioral retargeting. PostHog self-hosted, Dodo for billing, Supabase for the database — full sub-processor list below.
Summary
- What we collect: account data, ad metadata, billing metadata via Dodo, session-level analytics via PostHog (self-hosted reverse proxy), Stripe attribution if you connect Stripe.
- What we don't collect: no Facebook Pixel, no LinkedIn Insight Tag, no Google Analytics, no third-party ad-tech pixels, no fingerprinting beyond bot detection.
- Where it's stored: Supabase Postgres + Storage in AWS eu-west; Dodo for billing; PostHog self-hosted at /ingest/*.
- Your rights: access, correction, deletion, portability, objection — message Jorge or email privacy@ads4founders.com.
- Contact: Jorge directly via /contact; data-protection alias privacy@ads4founders.com.
What we collect
- Account data: email, password hash (via Supabase Auth), display name, role.
- Ad metadata: product name, tagline, logo, destination URL, category, status, click and signup counts.
- Payment metadata: billing address, VAT ID, payment method tokens — handled by Dodo Payments as merchant of record. We see invoice records, not raw card data.
- Session-level analytics: via PostHog, self-hosted through a first-party reverse proxy at /ingest/*. IPs are anonymized. See /methodology/traffic for the visit definition.
- Stripe attribution data if you connect Stripe — customer IDs and revenue attributed to clicks from your slot, read-only via Stripe Connect.
- Bot/fraud audit data: user-agent, headers, IP range classification, interaction signals — kept to the minimum necessary and rolled up monthly. See /methodology/click-fraud.
What we don't collect
- No Meta / Facebook Pixel.
- No LinkedIn Insight Tag.
- No Google Analytics.
- No third-party ad-tech, retargeting, or DMP pixels.
- No browser fingerprinting beyond what bot detection requires (UA + IP class + interaction signals — no canvas, audio, or font probes).
- No content of your private support messages used to train AI models.
Legal basis (GDPR)
- Contract performance — for advertiser account and billing data, processing is necessary to deliver the slot you paid for.
- Legitimate interest — for bot/fraud audit and security telemetry. Pricing depends on a clean traffic substrate.
- Consent — for analytics where required by your jurisdiction. Consent banner appears for EU/UK visitors; you can decline non-essential analytics without losing account functionality.
- Legal obligation — for tax record retention (see /legal/vat) and lawful requests.
Sub-processors
- Supabase — Postgres database, auth, object storage (AWS eu-west).
- Dodo Payments — billing, merchant of record, tax collection, invoicing.
- PostHog — product and traffic analytics (self-hosted via /ingest/* reverse proxy).
- Stripe — only if you connect Stripe to attribute revenue to your slot. Read-only Connect scope.
- Vercel — web hosting and edge runtime.
Data retention
- Active advertiser: account data kept while the subscription is active, plus 7 years of invoice records for tax compliance per /legal/vat.
- Cancelled advertiser: 30-day soft delete (account recoverable on request), then anonymized aggregates only.
- Server logs and security telemetry: 90 days, then deleted or aggregated.
- Audit data for the bot rate publication: retained as a monthly aggregate only; raw per-click rows dropped after 90 days.
Your rights
You can request access, correction, deletion, portability, objection, or withdrawal of consent at any time. Email privacy@ads4founders.com from the address on your account, or message Jorge from /contact. Response within 30 days.
California residents have CCPA / CPRA rights to know, delete, correct, opt out of sale or sharing, and non-discrimination for exercising those rights. We do not sell personal information for monetary consideration and we do not share it for cross-context behavioral advertising.
You also have the right to lodge a complaint with your local supervisory authority. The EU lead supervisory authority for the data controller is the AEPD (Spain).
International transfers
Where personal data is transferred outside the EEA / UK, Standard Contractual Clauses are incorporated by reference into the contracts with each sub-processor. Module 2 (Controller → Processor) and Module 3 (Processor → Processor) apply where relevant. Full mechanics in /legal/dpa.
Children
Ads4Founders is a B2B service for founders and operators. It is not directed to anyone under 18 and we do not knowingly collect personal data from minors. If you believe a minor has created an account, message Jorge from /contact and we'll delete the data.
Security
- TLS in transit, AES-256 at rest (Supabase-managed).
- Row-level security at the database layer — every read enforces ownership at the SQL level.
- MFA available on every account; required for admin role.
- Audit logging on every admin mutation. Webhook signatures verified on every Dodo event.
- Security disclosures to security@ads4founders.com — acknowledged within one business day.
Changes
Material changes to this policy get email notice and an in-product banner 30 days before they take effect. The "last updated" date at the bottom is the effective date of the current version. Continuing to use the service after the effective date means you accept the update.
Contact
Privacy and data-protection questions: Jorge directly via /contact, or email privacy@ads4founders.com. Data controller: Jorge Marfil, sole proprietor (Spain).