Privacy Policy

Last updated: May 26, 2026 · Effective date: May 26, 2026

1. Who We Are

AdsUp.Pro ("AdsUp", "we", "our", "us") is operated by Adsup Pro LLC, a Wyoming limited liability company (EIN 61-2350536), United States. We act as a data controller for personal data we collect about you as a user of our Service, and as a data processor for personal data you submit to the Service that relates to your end customers, audiences, or other data subjects (governed by our Data Processing Addendum).

This Privacy Policy applies to the website at https://adsup.pro and to the AdsUp Service. It does not apply to third-party platforms (Meta, Google, TikTok, etc.) you connect to AdsUp; their use of your data is governed by their own privacy policies.

2. Scope & Jurisdictional Coverage

We design our practices to comply with the requirements of the following laws, insofar as each applies to a given user:

  • EU/EEA: General Data Protection Regulation (GDPR), ePrivacy Directive, EU AI Act (transparency obligations);
  • United Kingdom: UK GDPR, Data Protection Act 2018, PECR;
  • Switzerland: Federal Act on Data Protection (revFADP);
  • Norway, Iceland, Liechtenstein: GDPR (EEA);
  • United States: California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and equivalent state laws as enacted; California SB 1001 (AI bot disclosure); California Auto-Renewal Law (ARL);
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec Law 25;
  • Australia: Privacy Act 1988 and Australian Privacy Principles (APP);
  • New Zealand: Privacy Act 2020;
  • Singapore: Personal Data Protection Act (PDPA);
  • Indonesia: Personal Data Protection Law (UU PDP No. 27/2022);
  • Brazil: Lei Geral de Proteção de Dados (LGPD);
  • Israel: Protection of Privacy Law 5741-1981.

For users in jurisdictions not listed, we will, on written request to privacy@adsup.pro, extend equivalent rights where reasonably feasible and not contrary to law.

The Service is not offered in the following Restricted Jurisdictions: Russia, Belarus, Iran, North Korea (DPRK), Cuba, Syria, Crimea, the so-called DNR and LNR, and the People's Republic of China. We block account creation from these jurisdictions and do not knowingly accept their residents.

3. Personal Data We Collect

  • Account data: name, email, password hash (bcrypt), profile image, locale, time zone, account-creation timestamp, IP at signup.
  • Business data: business name, country, industry, products, knowledge base, ad-account identifiers, brand profile (logos, fonts, colors).
  • Authentication tokens: OAuth access tokens, refresh tokens, page tokens, and equivalent credentials for connected platforms (Meta, Google, TikTok, YouTube, Notion, etc.), encrypted at rest with AES-256-GCM.
  • Customer Content: posts, captions, drafts, images, videos, audio, prompts, conversation history with AI, and any other media you create or upload.
  • Messaging: incoming and outgoing messages from connected Messenger, Instagram DM, WhatsApp Business, and similar inboxes you choose to manage through AdsUp.
  • Advertising data: campaign configurations, targeting parameters, creatives, budgets, bids, audiences, and performance metrics (impressions, clicks, CTR, CPC, conversions, ROAS) synced from connected ad platforms.
  • Billing: billing name, address, country (for tax), VAT/GST ID, the last four digits and brand of your card, and Stripe/Xendit customer/subscription IDs. We do not store full card numbers — those are tokenized by Stripe.
  • Sanctions screening data: name, business name, country, IP, and email-domain checks against international sanctions and PEP lists.
  • Usage telemetry: pages visited, features used, errors, request timings, AI prompts (with deidentification where feasible), referer, browser, OS.
  • Device/network: IP address, user agent, approximate geolocation derived from IP (city/country level).
  • Cookies & local storage: as described in Section 9.

Sensitive categories. We do not request or intentionally process special-category data (health, biometrics, sexual orientation, religion, political opinions, genetic data) and ask you not to submit it. If you submit such data despite this, you grant us consent to process it solely as necessary to deliver the Service to you.

Children. The Service is for users 18+. We do not knowingly collect personal data from anyone under 18. If we learn we have, we delete it promptly. We are not subject to COPPA because we do not target children under 13.

4. How We Use Personal Data & Legal Bases

For users subject to GDPR/UK GDPR/LGPD, our legal bases are as follows:

  • Contractual necessity (GDPR Art. 6(1)(b)): to provide the Service you subscribed to — account creation, authentication, publishing content, syncing campaigns, billing.
  • Legitimate interests (GDPR Art. 6(1)(f)): security, fraud and abuse prevention, sanctions screening, product improvement on de-identified data, internal analytics, debugging, and direct marketing of related services to existing customers (with right to object).
  • Legal obligation (GDPR Art. 6(1)(c)): tax, accounting, sanctions, anti-money-laundering, lawful disclosure to authorities, retention of billing records.
  • Consent (GDPR Art. 6(1)(a)): non-essential cookies, optional features (e.g. AI training opt-in if ever offered), marketing emails to non-customers, processing of any sensitive data you choose to submit.
  • Vital interests (GDPR Art. 6(1)(d)): rare scenarios involving urgent safety.

5. Sharing & Recipients

We share personal data only with the categories of recipients listed below. A current list of named sub-processors with their location, function, and data categories is available at /sub-processors and is updated from time to time.

  • Connected ad/social platforms (Meta, Google, TikTok, YouTube, LinkedIn, Microsoft Ads, Apple Ads, Notion, Google Drive): Customer Content, ad configurations, audiences, and tokens, as needed to perform the actions you direct. These platforms act as independent controllers under their own terms.
  • AI model providers (currently OpenAI, Google Gemini, Z.ai GLM): your AI prompts and necessary context, sent under enterprise-tier agreements that contractually prohibit training on your inputs/outputs. We do not send platform tokens, passwords, or full payment data to AI providers.
  • Payment processors (Stripe; Xendit for Indonesia): billing details, transaction metadata. Card data is tokenized and never stored on our servers.
  • Hosting & infrastructure (DigitalOcean, Coolify (self-hosted), Cloudflare): encrypted-at-rest databases, backups, edge security.
  • Compliance & security vendors (Sanctions.io for sanctions/PEP screening, IPQualityScore for VPN/proxy detection — when active): name, business name, IP, country, email-domain checks.
  • Error tracking (self-hosted GlitchTip, errors.adsup.pro): de-identified error reports without tokens, IPs, or emails.
  • Email delivery (transactional provider): your email address and email content for service notifications.
  • Professional advisors: lawyers, auditors, accountants, insurers, under confidentiality, only as needed.
  • In a corporate transaction (merger, acquisition, financing): subject to confidentiality and successor obligations; you will be notified per Section 22 of the Terms.
  • Authorities & lawful process: as required by valid subpoena, court order, or law.

We do not sell personal data in exchange for monetary consideration. Under CCPA/CPRA's broader definition of "sale" or "share" for cross-context behavioral advertising, our transmission of audience data to ad platforms at your direction may constitute a "sale" or "share". California residents may opt out at privacy@adsup.pro with subject "Do Not Sell or Share My Personal Information", or via the global privacy control (GPC) signal.

6. International Data Transfers

Personal data is primarily stored on infrastructure in the European Union (Frankfurt, Germany) and transferred to the United States and other jurisdictions when we operate the Service from the U.S., when you direct us to use third-party platforms with global infrastructure, or when sub-processors are located outside the EEA.

For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, UK ICO, or Swiss FDPIC, we rely on the appropriate transfer mechanisms, which may include:

  • EU Standard Contractual Clauses (Module 1 controller-to-controller and Module 2 controller-to-processor, 2021 version), with supplementary measures from a Transfer Impact Assessment;
  • UK International Data Transfer Addendum / IDTA;
  • Swiss revFADP-compliant SCCs;
  • For the U.S.: where applicable, the EU-U.S. Data Privacy Framework or successor mechanism.

You may request a copy of the SCCs (with commercial terms redacted) by emailing privacy@adsup.pro.

7. Security

We implement administrative, technical, and physical safeguards commensurate with the risk:

  • OAuth tokens encrypted at rest with AES-256-GCM, with a separate dedicated key management process;
  • TLS 1.2+ for all data in transit; HSTS enabled;
  • Bcrypt password hashing;
  • Database access restricted to internal networks; no public ports;
  • Per-business ownership scoping on all data queries;
  • Multi-factor authentication for administrative access;
  • Daily backups; retention reviewed periodically;
  • Access audit logging for production systems;
  • Vulnerability disclosure channel at security@adsup.pro.

See our Security Overview for additional detail. No system is perfectly secure; in the event of a personal data breach we will notify affected customers and supervisory authorities as required by applicable law (including without undue delay and, where feasible, no later than 72 hours after becoming aware, under GDPR Art. 33).

8. Retention

  • Account profile & business data: retained while your account is active. Deleted within 30 days of account termination, except where law requires longer retention.
  • Customer Content (posts, drafts, media): retained while the account is active; deleted within 30 days of termination.
  • Messaging archive: retained while the integration is connected; deleted within 30 days of disconnection or termination.
  • Authentication tokens: retained while the integration is connected; revoked and deleted on disconnection or termination, typically within 24 hours.
  • Billing & tax records: retained for up to 7 years as required by U.S. and applicable foreign tax law.
  • Sanctions-screening logs: retained for 5 years per FinCEN/OFAC recommendations.
  • Error logs & telemetry: retained for up to 90 days, typically de-identified.
  • Backups: rolling backups retained up to 35 days; deletion requests propagate to backups within that window.

9. Cookies & Similar Technologies

We use the following cookies and local storage:

  • Strictly necessary: session cookie (authentication), CSRF token, cookie-consent record, security tokens. The Service cannot function without these.
  • Functional: language preference, theme (light/dark), business selector. Set only after consent or with implied consent permitted by law.
  • Analytics (self-hosted, IP-anonymized): page views and feature usage to improve the product. Only set after explicit consent in EEA/UK/CH.

We do not use third-party advertising cookies, tracking pixels, Google Analytics, or Facebook Pixel on the AdsUp marketing pages or product. Where required, a cookie banner provides granular consent before any non-essential cookie is set.

10. Your Rights

Subject to your jurisdiction and verification of your identity, you may have rights to:

  • Access and obtain a copy of your personal data;
  • Rectify inaccurate or incomplete data;
  • Erase your data ("right to be forgotten"), subject to legal-retention exceptions;
  • Restrict processing in certain circumstances;
  • Object to processing based on legitimate interests, including direct marketing;
  • Data portability — receive your data in a structured, machine-readable format;
  • Withdraw consent at any time, without affecting the lawfulness of prior processing;
  • Not be subject to solely automated decision-making producing legal or similarly significant effects (we do not engage in such automated decision-making);
  • Lodge a complaint with your supervisory authority. EU/EEA: see edpb.europa.eu. UK: ico.org.uk. Brazil: ANPD (gov.br/anpd). Indonesia: Kementerian Komunikasi dan Informatika.

California (CCPA/CPRA) specific rights: right to know, right to delete, right to correct, right to opt out of sale/share, right to limit use of sensitive personal information, right to non-discrimination for exercising rights.

To exercise any right, email privacy@adsup.pro from the address associated with your account, or use the in-product data-deletion flow at /data-deletion. We respond within 30 days (extendable by 60 days for complex requests under GDPR; 45 days under CCPA, extendable). We may decline requests where required or permitted by law (e.g. ongoing legal obligations, freedom of expression, fraud investigations).

11. AI Transparency & Automated Processing

The Service uses AI in three categories:

  • Content generation (text, image, video frames): outputs are produced for human review and approval. Where required by the EU AI Act, AI-generated content may be marked.
  • Recommendations (audience suggestions, budget allocation, creative variants): purely advisory. You decide whether to act.
  • Conversational interface (the in-product AI chat): clearly labeled as AI in compliance with California SB 1001 and equivalent rules.

We do not make solely automated decisions producing legal or similarly significant effects on data subjects (GDPR Art. 22).

AI training data. We use enterprise tiers of AI providers under contracts that prohibit them from using your inputs/outputs to train their models. We do not use Customer Content to train any proprietary model of ours. We may use de-identified, aggregated usage data to improve in-product prompts and heuristics.

12. Sub-Processors & Change Notification

The current list of sub-processors is at /sub-processors. For business customers under our DPA, we will provide at least 30 days' advance notice of new or replacement sub-processors and a right to object on reasonable grounds, in accordance with the DPA.

13. Direct Marketing & Communications

We may send you transactional emails (account, billing, security, service alerts). These are not marketing and you cannot unsubscribe while you have an active account. Marketing emails (product updates, offers) are sent only with consent or under the "soft opt-in" permitted by law for similar products to existing customers, and you can unsubscribe at any time via the link in each message.

You agree not to use the Service to send marketing communications that violate CAN-SPAM, TCPA, GDPR Art. 21, CASL, the Australian Spam Act, the LGPD, or any equivalent law. See our Acceptable Use Policy.

14. Representatives & Contact

Controller of record: Adsup Pro LLC, State of Wyoming, U.S.A.

Privacy contact & Data Protection Officer (DPO): privacy@adsup.pro.

EU Article 27 representative: for EU/EEA data subjects, an independent representative under GDPR Art. 27 will be appointed once we cross the applicable thresholds for active processing of EU residents' personal data; until then, please contact privacy@adsup.pro and we will respond as if the appointment were in place.

UK representative: appointed on the same trigger basis as the EU Article 27 representative.

Indonesia (UU PDP) contact: privacy@adsup.pro.

15. Changes to This Policy

We may update this Privacy Policy. For material changes that expand processing or reduce your rights, we will provide at least 30 days' advance notice by email and/or prominent in-product notice. The "Last updated" date reflects the most recent revision. Continued use after the effective date constitutes acceptance.

16. YouTube API Services & Google APIs Disclosure

When you connect your Google account to AdsUp, our use of YouTube API Services and other Google APIs (collectively, "Google APIs") to upload videos, manage channel data, retrieve analytics, and act on your behalf is subject to:

YouTube data we access. Subject to the OAuth scopes you grant, we may access: your YouTube channel identifier and basic channel information; video upload endpoints (to publish videos you create or schedule in AdsUp); video metadata (titles, descriptions, tags, thumbnails, privacy status, scheduled publish times); playback and engagement analytics for videos published through AdsUp; and your authorization tokens, stored encrypted at rest with AES-256-GCM.

How we use YouTube data. Solely to operate the features you configure in AdsUp — uploading and scheduling videos to your channel, retrieving performance metrics for those videos in your analytics dashboard, and providing recommendations. We do not use YouTube data to train AI models, to advertise to YouTube users, to derive insights about third parties, or for any purpose other than operating the Service for you. We do not transfer YouTube data to any third party except hosting and infrastructure sub-processors bound by DPAs (see /sub-processors), or as required by law. We do not sell YouTube data.

Retention. YouTube authorization tokens are deleted within 24 hours of disconnection or subscription termination. Aggregated, de-identified analytics are subject to Section 8.

Revoking access. You may revoke AdsUp's access to your YouTube and Google account at any time via Google Security Settings → Third-party apps with account access. Revocation takes effect immediately on Google's side; AdsUp deletes cached tokens within 24 hours. You may also disconnect inside AdsUp at Settings → Connections → Disconnect.

17. Contact

Adsup Pro LLC
State of Wyoming, U.S.A. (EIN 61-2350536)
Privacy: privacy@adsup.pro · Security: security@adsup.pro · Legal: legal@adsup.pro