Privacy Policy
Last updated: June 28, 2026
1. Who we are
Prooflytics ("we", "us", "our") operates this Service and acts as the Data Controller under EU GDPR. We are established in the EU.
We provide an AI-powered advertising analytics platform for in-house marketing teams ("Service"). This Privacy Policy explains how we collect, use, and protect personal data when you use our Service.
2. Data we collect
Account data
When you sign up, we collect your name, email address, and authentication credentials via our third-party authentication provider. If you create a workspace, we store your organization name and billing email.
Advertising data
When you connect a Meta Ads or Google Ads account, we retrieve campaign and ad performance metrics (spend, impressions, CTR, CPA, conversions, frequency) via the respective platform APIs. We store this data in our database to power analytics and AI-generated reports. We do not access or store your ad creative assets, personal data of your ad audiences, or any data beyond the metrics needed to operate the Service.
Billing data
Payment processing is handled by a third-party payment processor. We store your payment-provider customer ID and subscription status, but we never receive or store full card numbers. All payment data is processed and stored by our payment processor under their own privacy policy.
Usage data
We collect anonymized product usage data (page views, feature interactions) via a third-party product-analytics provider to improve the Service. We also collect error logs via a third-party error-monitoring provider. No personal advertising data is included in these logs.
3. How we use your data
- To provide, operate, and improve the Service
- To generate AI-powered reports and recommendations using your advertising metrics
- To send transactional emails (report delivery, sync notifications, billing receipts) via a third-party email-delivery provider
- To process payments and manage subscriptions via our payment processor
- To detect and fix errors and security issues
- To comply with legal obligations
We do not sell your data. We do not use your advertising data to train shared AI models. AI analysis of your data is performed on-demand and the results are stored only in your account.
4. Google API Services User Data
Prooflytics' use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
What Google data we access
- Google Ads — campaign and ad performance metrics (spend, impressions, clicks, conversions, CPA, ROAS) via the https://www.googleapis.com/auth/adwords scope. We do not access creative assets, audience lists, or personal data of your ad audiences.
- Google Analytics 4 — session, conversion, and traffic source metrics via the https://www.googleapis.com/auth/analytics.readonly scope. We access aggregate reporting data only — not raw user-level event logs or personally identifiable visitor data.
How we use Google data
Google user data is used exclusively to provide the Prooflytics analytics and reporting service to you. Specifically: to display your advertising performance metrics, generate AI-powered insights about your campaigns, and produce weekly performance reports. We do not use Google user data for any other purpose.
Who we share Google data with
We do not sell, rent, or share your Google user data with third parties for their own purposes. Google data is shared only with the following categories of sub-processors acting strictly on our behalf, solely to operate the Service:
- Cloud database provider (EU/US regions) — stores your synced metrics.
- Application hosting provider — processes requests to display your data.
- AI processing provider — receives anonymised aggregate metrics (no PII) to generate campaign insights.
- Background worker hosting provider — generates PDF reports from your metrics.
All sub-processors are contractually prohibited from using your Google data for any purpose other than providing services to Prooflytics. We never use Google user data for advertising, re-targeting, or to train shared AI models. The current named sub-processor list is available on request and maintained at /security.
Revoking access
You can disconnect your Google Ads or GA4 account at any time from Settings → Data Sources. Upon disconnection, OAuth tokens are immediately deleted. Synced metrics are deleted within 30 days, or immediately upon written request to privacy@prooflytics.io. You can also revoke access directly from your Google Account permissions.
5. Meta Platform Data
Prooflytics' use and transfer of information received from Meta APIs adheres to the Meta Platform Terms and Developer Policies, including the Limited Use, Data Use Checkup, and Data Security requirements.
What Meta data we access
- Meta Ads — campaign, ad set, and ad performance metrics (spend, impressions, clicks, conversions, CPA, CTR, frequency, reach) via the Marketing API endpoints /me/adaccounts, /{ad-account-id}/insights, /{ad-account-id}/campaigns, /{ad-account-id}/adsets, and /{ad-account-id}/ads.
- Business Portfolios — the list of Business Portfolios the user is a member of, via Business Manager API, solely so the user can choose which one to connect to Prooflytics. We do not access any other Business asset metadata.
What we do NOT access
Ad creative assets, audience lists or Custom Audiences, personal data of your ad audiences, Pages content, Messenger conversations, Instagram personal posts, or any data outside the Marketing API endpoints listed above.
How we use Meta data
Meta data is used exclusively to provide the Prooflytics analytics and reporting service to you. Specifically: to display your advertising performance metrics, classify ad creative lifecycle (Scaling / Mature / Fatiguing / Dead), generate AI-powered insights about your campaigns, and produce daily and weekly performance reports. We do not use Meta data to train shared AI models. We do not sell, license, or otherwise share Meta data with third parties for marketing or advertising purposes.
Sub-processors with access to Meta data
- Cloud database provider — stores encrypted Meta access tokens and the metrics retrieved with them.
- Application hosting provider — processes the API calls that retrieve and display Meta metrics.
- AI processing provider — receives anonymised aggregate Meta metrics (no PII) to generate campaign insights.
- Background worker hosting provider — generates PDF reports from Meta metrics.
All sub-processors are contractually bound by our Data Processing Agreement and may not use Meta data for any purpose other than providing the Service to Prooflytics. The current named sub-processor list is available on request and maintained at /security.
Retention and revoking access
You can disconnect Meta Ads at any time from Settings → Data sources. Upon disconnection, the encrypted access token is deleted immediately, and the metrics derived from it are purged within 30 days, or immediately upon written request to privacy@prooflytics.io. You can also revoke Prooflytics' access directly from your Meta Accounts Center.
6. AI processing
The Service uses a third-party AI provider to analyse your advertising metrics and generate insights and recommendations. Aggregate metric data (spend, impressions, CTR, CPA, conversion counts, lifecycle stage counts, etc.) is sent to our AI provider's API for this purpose. We do not include personal identifiers of your customers (names, email addresses, phone numbers) in those prompts, and we continuously audit the agent and reporting code paths to keep that boundary in place. Our AI provider's data usage is governed by their own privacy policy and API terms; per our commercial agreement, your data is not used to train their models.
7. Data storage and transfers
Your data is stored in a PostgreSQL database hosted by our cloud database provider (US region by default; EU data residency available on Growth and higher plans). The application runs on our hosting provider's global edge network and the PDF-generation worker on a separate hosting provider. For EU↔US transfers we rely on Standard Contractual Clauses (SCCs) signed with each sub-processor. By using the Service, you consent to your data being processed in these jurisdictions.
We are established in the EU and operate in compliance with the EU General Data Protection Regulation (GDPR) and Spanish LOPDGDD. Where data is transferred outside the EEA, we ensure adequate safeguards are in place (Standard Contractual Clauses or equivalent).
8. Data retention
We retain your account data for as long as your account is active. Advertising metrics are retained for up to 2 years to support trend analysis. You may request deletion of your data at any time (see Section 9). After account deletion, we retain anonymized aggregated data for statistical purposes.
Disconnect = delete. When you disconnect a CRM or payment connector, all records sourced from that provider are wiped — contacts, accounts, deals, activities, charges, invoices, identity-bridge entries — and never resurface in the dashboard or in AI prompts. Disconnecting an ad platform wipes the ad-spend history and clears any ad-level first-touch pointers on remaining contacts. Pre-existing analytical artefacts (digests, weekly / monthly reports) are kept as historical audit trail unless you request a full account erasure.
7a. Sub-processors
We use a defined set of sub-processors to operate the Service (cloud hosting, database, email delivery, AI inference, error monitoring, etc.). Each is bound by a written agreement with confidentiality, security and onward-transfer obligations matching this Privacy Policy.
The full, current sub-processor list — with purpose, region and link to that sub-processor's own privacy policy — is available on request and maintained at /security. We update that page when sub-processors change; material additions are announced by email to active customers at least 30 days before they take effect, giving you the right to object before the change is applied to your data.
7b. Data Processing Agreement (DPA)
For customers established in the EU / UK / EEA (or processing personal data of EU / UK / EEA residents), Article 28 GDPR requires a written controller-processor agreement. Prooflytics's Terms of Service incorporate a Data Processing Addendum that takes effect automatically when you start a paid subscription — no separate signing step is required for the standard SMB plans (Starter / Growth / Scale).
If your procurement team needs a separately countersigned DPA (with your legal entity named, Standard Contractual Clauses annexed), email security@prooflytics.io with the entity name and we will return a counter-signed PDF within two business days.
9. Cookies
We use essential cookies for authentication (session tokens) and preferences (theme). We use analytical cookies via our product-analytics provider to understand feature usage. You can opt out of analytical cookies through your browser settings; essential cookies are required for the Service to function.
10. Your rights
If you are in the EU or UK, you have the following rights under GDPR:
- Access — request a copy of data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Restriction — restrict processing in certain circumstances
- Portability — receive your data in a portable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@prooflytics.io. We will respond within 30 days.
11. Security
We implement industry-standard security measures including encryption at rest and in transit, access tokens stored encrypted, and regular security reviews. OAuth tokens for Meta Ads and Google Ads are stored encrypted in our database and are never logged or exposed.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy-related enquiries, contact us at: privacy@prooflytics.io
Prooflytics · European Union