Privacy Policy
1. Who we are
AdsBrain is operated by Prism Hooldus OÜ, a private limited company registered in Estonia (registry code 16894703), with its seat in Tallinn, Estonia. In this policy, "AdsBrain", "we", "us" and "our" all refer to Prism Hooldus OÜ acting as the data controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
If you have any question about this policy or how we handle your personal data, contact us at hello@adsbrain.eu.
2. What data we collect
We collect only what we need to deliver the service you asked for.
Account data
- Your email address and a hashed password (bcrypt)
- Your name, if you provide it
- Your account activity (logins, audits ordered, fix requests)
Audit data
- URLs you submit for analysis
- Publicly accessible content crawled from those URLs (HTML, metadata, images, structured data)
- Third-party SEO metrics about the domain (backlinks, keywords, traffic estimates)
Fix Service data (optional, only if you order this product)
- Website admin credentials (WordPress Application Password, SFTP username and password, or FTP credentials) that you voluntarily provide
- These credentials are encrypted with AES-256-GCM before being written to our database and are only ever decrypted inside a running fix job
Google Ads data (only if you connect your Google Ads account)
When you click "Connect Google Ads" we use Google's OAuth to obtain a refresh token with the https://www.googleapis.com/auth/adwords scope. With that token we read — and only read — the following from your Google Ads account:
- Account metadata (customer ID, name, currency, time zone, manager status)
- Campaigns, ad groups, ads, keywords, and their settings (budget, bidding strategy, status, ad strength)
- Performance metrics (impressions, clicks, cost, conversions, CTR, CPC, CPA, search impression share)
- Search terms (the actual queries that triggered your ads)
- Quality Score history per keyword
- Conversion actions and tracking configuration
- Auction insights (which competitor domains share your auctions)
- Hourly performance segments (for dayparting analysis)
- Change history events (last 14 days)
What we do with it: we feed this data into our analysis engine ("Brain") which detects wasted spend, missed opportunities, competitive pressure, Quality Score drops and produces written recommendations that we deliver to you in a daily email and in your dashboard. We never modify your account. We never call any Google Ads write/mutate endpoint. The product promise is "we advise, you decide".
Limited Use: use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer your Google user data to any third party except as needed to deliver this service (for example, to large language model providers used to generate the recommendation text). We do not use it for serving advertisements. We do not allow humans to read your Google user data except (a) you, (b) with your explicit consent for support, or (c) when required for security investigations or legal compliance.
Storage: the OAuth refresh token is encrypted with AES-256-GCM at rest. Aggregated metrics, observations and recommendations are stored to power your dashboard and historical reports.
How to revoke: at any time you can disconnect by visiting myaccount.google.com/permissions and removing AdsBrain. We will stop generating new reports immediately. To delete your stored historical data contact us at hello@adsbrain.eu.
Payment data
- Payment processing is handled entirely by Stripe Payments Europe, Ltd. We never see or store your full card number
- We store the Stripe customer id, the invoice reference and the amount charged, so that we can reconcile your payments and issue receipts
Technical data
- IP address, browser type, operating system
- Referring pages, clicked links, timestamps
- Cookies strictly necessary for authentication (a JWT access token and a refresh token)
3. Why we process it (legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Delivering the SEO audit, the fix service and the ads automation you paid for | Performance of a contract — Art. 6(1)(b) |
| Keeping accounting records and tax invoices | Legal obligation — Art. 6(1)(c) (Estonian Accounting Act, 7-year retention) |
| Detecting fraud, abuse and protecting the service | Legitimate interest — Art. 6(1)(f) |
| Sending occasional service announcements and product updates | Legitimate interest — you can opt out at any time |
| Sending marketing emails beyond transactional notifications | Consent — Art. 6(1)(a) |
4. How long we keep it
- Account data — for as long as your account is open, and for 30 days after you delete it (to allow undo and chargeback handling)
- Audit reports — 24 months from the day the audit was generated, so you can return to them
- Customer credentials provided for the Fix Service — deleted automatically within 24 hours of the fix job completing, or immediately on your request
- Payment and billing records — 7 years, as required by Estonian accounting law
- Server logs — 90 days
5. Who we share it with
We do not sell personal data. We share it only with the sub-processors that are strictly required to operate the service, under written data-processing agreements.
| Sub-processor | Role | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing | Ireland / United States |
| Anthropic PBC | AI analysis of audit data | United States (SCCs) |
| Ahrefs Pte. Ltd. | SEO metrics and backlink data | Singapore (SCCs) |
| Zone Media OÜ (Zone.ee) | DNS and email relay | Estonia |
| FastVPS Eesti OÜ | Server hosting | Estonia |
Where data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses ("SCCs") as the legal transfer mechanism. Our website crawler runs locally inside our own infrastructure and transmits no data to any third party.
6. How we protect it
- All traffic between your browser and our servers is encrypted with TLS 1.2 or higher
- Customer website credentials are encrypted at rest with AES-256-GCM using keys that never leave the server
- Passwords are hashed with bcrypt and never stored in plaintext
- Access to the production database is restricted to a small number of engineers and is audit-logged
- We apply rate-limiting, security headers and CSP to all routes
Breach notification. If we ever experience a personal data breach that is likely to result in a risk to your rights, we will notify the Estonian Data Protection Inspectorate (AKI) within 72 hours, and we will tell you directly by email as soon as we reasonably can.
7. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time where processing is based on consent (Art. 7)
- Lodge a complaint with the Estonian Data Protection Inspectorate (AKI) or your local supervisory authority
To exercise any of these rights, email hello@adsbrain.eu. We will respond within 30 days.
8. Cookies
AdsBrain uses only strictly-necessary cookies for authentication (JWT access and refresh tokens). We do not use tracking cookies, advertising pixels, or third-party analytics that would require prior consent under the ePrivacy Directive.
9. Children
AdsBrain is a B2B service. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has registered, contact us and we will delete the account.
10. Changes to this policy
We may update this policy when the service changes or when the law changes. When we do, we will update the "last updated" date at the top and, for material changes, we will notify registered users by email at least 14 days in advance.
11. Contact
Prism Hooldus OÜ (registry code 16894703)
Tallinn, Estonia
Email: hello@adsbrain.eu