GDPR Privacy Notice

The data controller for all personal data processed in connection with AdGreg is:

• Identity & contact. Email address and optional name.
• Technical. IP address, browser, device, pages viewed — recorded in server logs.
• Usage data. PostHog pseudonymous analytics about dashboard feature interactions.
• Ad-network API credentials. API keys or tokens you provide when connecting an advertising network integration, stored encrypted at rest.

• When you register an account.
• When you connect an ad network integration.
• When you browse the dashboard (PostHog analytics).
• Automatically via server logs.

• Contract Art. 6(1)(b). Authentication, fetching ad data, and billing — all necessary to perform the contract you enter when you sign up.
• Legitimate interests Art. 6(1)(f). Server logs, analytics, and security monitoring — we have assessed that this does not override your rights given the limited nature of the data.
• Legal obligation Art. 6(1)(c). Retention of billing records required by Czech accounting law.
• Consent Art. 6(1)(a). Optional communications — we will ask for explicit consent and provide a clear way to withdraw it.

• Service delivery.
• Billing & subscriptions.
• Transactional communications (password reset, receipts).
• Product improvement.
• Security & fraud prevention.

We engage the following sub-processors, each bound by a data processing agreement:

• Supabase (EU region) — database and authentication infrastructure.
• Stripe — payment processing (SCCs for US transfers).
• PostHog (EU cloud, eu.posthog.com) — product analytics with IP anonymisation.
• Ad network operators — Exoclick, TrafficStars, Kadam, Clickadilla, Onclicka, TwinRed, TrafficShop, and Hilltop. Your API credentials are transmitted to these networks solely on your instruction when you connect an integration.

We do not sell personal data.

• Stripe. A US-based company; transfers are made under Standard Contractual Clauses (SCCs), Module 2 (controller to processor).
• Ad networks. Where an ad network is located outside the EU, transmission of your API credentials occurs solely on your explicit instruction and is governed by the Art. 49(1)(b) derogation.
• All other processing remains within the EU (Supabase and PostHog both operate on EU infrastructure).

• Account data — deleted within 30 days of account deletion.
• Billing records — retained for 3 years to comply with Czech Act No. 563/1991 on Accounting.
• Analytics data — anonymised after 12 months.
• Server logs — deleted after 30 days.

• Right of access (Art. 15). Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16). Ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17). Ask us to delete your personal data, subject to legal retention obligations.
• Right to restriction (Art. 18). Ask us to restrict processing in certain circumstances.
• Right to data portability (Art. 20). Receive a machine-readable export of data you have provided.
• Right to object (Art. 21). Object to processing based on legitimate interests.
• Right to withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
• Right to lodge a complaint. You may lodge a complaint with the Czech supervisory authority, Úřad pro ochranu osobních údajů (UOOU), or the DPA in your country of residence or work.

Email matthew@adgreg.com with the subject line “GDPR Request”. We respond within one calendar month. Identity verification may be required before we action your request.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.

AdGreg is not directed at individuals under 16 years of age. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact matthew@adgreg.com and we will delete it promptly.

• Session cookie. A single, secure, HttpOnly cookie is set when you sign in to maintain your authenticated session. This cookie contains no personal data — only a signed session reference. It expires when you sign out or after a period of inactivity.
• Analytics cookie (PostHog). PostHog sets a first-party cookie (stored under our own domain) to distinguish unique visitors and track feature usage across sessions. The cookie is linked to a pseudonymous identifier, not your name or email. IP addresses are anonymised before storage. You may opt out of analytics tracking by emailing matthew@adgreg.com.

No advertising networks, social media pixels, or retargeting scripts are loaded on any page of AdGreg.

The effective date at the top of this page reflects the latest version. For material changes — such as new data categories, new sub-processors, or changes to the legal basis for processing — we will notify you by email at least 14 days before the changes take effect.