Privacy Policy

Adsage ("we", "our", "us", or "the application") is a business-intelligence and reporting tool operated by MARKETHICAL SRL (CUI: RO40494906) that helps marketing teams aggregate and analyze advertising metrics from multiple platforms and produce export files (CSV) usable in their own campaign management. This Privacy Policy explains how we collect, use, store, and protect your data when you use our service, and the limits of our responsibility in providing it.

1. Information We Collect

1.1 Authentication Data

When you authorize Adsage to access your advertising accounts, we collect and store:

• Email Address: Used to identify your authorization and manage your OAuth tokens
• OAuth Access Tokens: Temporary tokens that allow us to fetch data from your advertising accounts
• OAuth Refresh Tokens: Used to automatically renew access tokens without requiring re-authorization
• Account Identifiers: Platform-specific user IDs or display names for token management

1.2 Advertising Metrics and Campaign Data

We fetch and store the following types of data from your authorized accounts:

• Google Ads Performance Data: Impressions, clicks, cost, conversions, conversion value, and all conversions
• Google Ads Reporting Dimensions: Customer and campaign identifiers, campaign names, dates, advertising network, product item IDs, product brands, and product type categories
• Google Analytics 4 Data: User behavior metrics, e-commerce transactions, traffic sources, session data (read-only access)
• Google Merchant Center Data: Product catalog information, inventory data (read-only access)
• Product Data Uploads (optional, Enterprise tier): Margin, stock, real conversions and real revenue data you provide per product (keyed by Product ID, EAN, or MPN) either by uploading a .csv / .xlsx file (max 20 MB) or by linking a public https:// URL that we fetch with a 6-hour cache.

1.3 Technical and Usage Data

• System Logs: Application activity logs for debugging and error tracking
• API Response Data: Cached data and last successful data fetch timestamps

2. How We Use Your Information

2.1 Primary Purpose

We use your data exclusively for:

• Data Aggregation: Fetching advertising metrics from multiple platforms and storing normalized reporting data in protected server-side storage
• Analytics and Reporting: Providing unified views of your marketing performance across platforms
• Token Management: Maintaining authentication to automatically fetch updated data

2.2 Read-Only Operations

3. Specific Platform Permissions

3.1 Google Services

We request the following scopes from Google:

What we do with Google data:

• List the Google Ads customer accounts available to the authenticated user
• Fetch Performance Max and Shopping reporting data, including campaign and product dimensions, impressions, clicks, cost, conversions, conversion value, and Search Impression Share metrics
• Retrieve user behavior and e-commerce data from GA4 properties you have access to
• Read product catalog data from Google Merchant Center (product listings, inventory status, pricing)
• Store normalized metrics in protected server-side storage for historical tracking and reporting

What we DON'T do:

• We never create, modify, pause, or delete Google Ads campaigns or ads
• We never change your Google Analytics settings or configurations
• We never modify, add, or delete products in your Merchant Center catalog
• We never upload conversions, create remarketing audiences, or access advertising audience-member data

4. Data Storage and Security

4.1 Storage Location

• All data is stored on secure servers located in Europe
• OAuth tokens are stored encrypted in a dedicated PostgreSQL database
• Campaign metrics are stored with SSL/TLS encryption in transit

4.2 Security Measures

• Access Control: OAuth tokens are protected by database access controls and application-level authorization
• Email Allowlist: Only pre-approved email addresses can log in (prevents unauthorized access)
• HTTPS Only: All OAuth callbacks and web interfaces use HTTPS encryption
• Token Refresh: Access tokens are automatically refreshed and expire after short periods (1 hour for Google)
• CSRF Protection: OAuth flows use state parameters to prevent cross-site request forgery
• Security Headers: All responses include strict transport security, content security policy, and anti-clickjacking headers

4.3 Data Retention

• OAuth Tokens: Stored until you revoke access or tokens expire
• Campaign Metrics: Retained for historical analysis and reporting
• System Logs: Retained for 90 days for debugging and security purposes

5. Analytics and Tracking

5.1 Microsoft Clarity

We partner with Microsoft to use Microsoft Clarity on our website to understand how visitors interact with it. Clarity captures behavioral metrics, heatmaps, and session replays to help us improve our product and user experience. This data collection uses first- and third-party cookies.

By using our site, you agree that we and Microsoft may collect and use this data. For more details, see the Microsoft Privacy Statement.

5.2 Google Tag Manager

We use Google Tag Manager to manage analytics and tracking scripts on our website. GTM itself does not collect personal data but may load tools (such as Microsoft Clarity) that do. See the Google Privacy Policy for more details.

6. Data Sharing and Third Parties

6.1 Platform APIs

We interact with the following third-party APIs to fetch your data:

• Google Ads API — Campaign metrics and performance data
• Google Analytics 4 API — User behavior and e-commerce analytics
• Google Merchant Center API — Product catalog and inventory data

These API requests are made on your behalf using your authorized OAuth tokens. We only request the data necessary for analytics and reporting purposes.

7. Your Rights and Controls

7.1 Revocation of Access

You can revoke Adsage's access to your accounts at any time:

• Via Google: myaccount.google.com/permissions

Upon revocation, we will immediately stop fetching new data from the affected account. Historical data will be retained unless you request deletion.

7.2 Data Deletion

You can request complete deletion of your OAuth tokens, email address, and all associated campaign metrics. Contact us to initiate a request. We will process requests within 30 days.

8. Limited Use Disclosure

Adsage's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

9. Data Processing Roles

For the purposes of the GDPR, the user (and, where applicable, the user's own client whose accounts are connected) acts as the data controller, and Adsage / MARKETHICAL SRL acts as a data processor that processes data solely on the documented instructions of the controller and exclusively for the purpose of aggregating metrics and producing the reporting and export output described in this policy.

• Processing is performed predominantly by automated means on our own servers.
• We do not engage sub-processors for this service. Google (as operator of Google Ads, Merchant Center, and GA4) is the original source of the data — to which the controller independently grants access — and is not our sub-processor. We will notify users in advance if we intend to engage any sub-processor in the future.
• In the event of a personal-data breach affecting processed data, we will notify the relevant controller without undue delay and, where feasible, within 72 hours.

10. Service Provided on a "Best-Effort" Basis

The service, including data processing, the dashboard, and the generation of export files, is provided on a "best-effort" and "as is" basis, without any specific service-level guarantee (such as a numeric uptime commitment or response-time penalty). We strive for continuous availability but do not warrant that the service will be uninterrupted, error-free, or available at any particular time.

The platforms we connect to (Google Ads, Google Merchant Center, Google Analytics 4) are operated by third parties and may change, deprecate, rate-limit, or remove their APIs at any time, outside our control. If such a change causes our data fetching or export generation to be partially or fully suspended, we will make reasonable efforts to adapt to the change or provide a reasonable workaround within a reasonable time, but we are not liable for any resulting interruption beyond the limits set out in Section 13.

11. Accuracy of Data and Third-Party Sources

The data shown in the dashboard and contained in any export file is derived from sources outside our control, namely (a) the third-party platforms listed above and (b) any external data you or your client supply (for example stock, margin, real conversions, or real revenue data).

• We do not warrant the accuracy, completeness, timeliness, or fitness for any purpose of data originating from third-party platforms.
• You are responsible for the content and accuracy of any external data you provide. We process such data as received and do not independently verify it.
• We are not responsible for errors in output that result from misconfiguration of the connected advertising, merchant, or analytics accounts (for example incorrect conversion tracking or feed setup), or from the poor quality of supplied external data.

To support the later identification of the source of any discrepancy, we log the fact of each data intake and each export delivery, recording what type of data was taken in from which source and what output was provided, at what time.

12. User Responsibilities and Authorization

By using the service you acknowledge and agree that:

• You are solely responsible for the professional setup, management, and optimization of your advertising accounts and campaigns. The use, interpretation, and activation of any output we generate is your own professional decision and sole responsibility.
• You warrant that the OAuth access you grant is authorized by the legitimate account holder(s), and that you hold all necessary authority and lawful basis to have the connected data processed by us on your or your client's behalf.
• You are responsible for maintaining the connected accounts (including conversion tracking, feeds, and measurement) and for the accuracy of any external data you upload or link.

13. Limitation of Liability

Nothing in this policy excludes or limits liability that cannot be excluded or limited under applicable mandatory law.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this policy. Continued use of the service after changes constitutes acceptance of the updated policy.

15. Children's Privacy

Adsage is a business tool intended for use by marketing professionals and organizations. We do not knowingly collect data from individuals under the age of 18.

16. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), our legal basis for processing your data is:

• Consent: You provide explicit consent when authorizing our application to access your advertising accounts
• Legitimate Interests: We process data to provide analytics and reporting services you have requested