Privacy Policy
Effective date: April 21, 2026
1. Who We Are
RektAds ("we", "us", "our") operates the RektAds platform at rektads.com. We are committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable privacy laws.
Data controller: RektAds, Passeig de Picasso 20, 08003 Barcelona, Spain.
Contact: support@rektads.com
2. Data We Collect
- Account data: name, email address, and password - provided by you at registration.
- Meta Ads data: performance metrics (impressions, clicks, spend, ROAS, CTR), ad creative metadata (title, body copy, thumbnail URLs), and ad account identifiers - fetched via the Meta Marketing API with your explicit authorisation. We store thumbnail URL references for display purposes; we do not download or permanently store the underlying image or video files.
- Usage data: pages visited, features used, analysis credits consumed - collected automatically to operate and improve the Service.
- Billing data: subscription plan, billing status, and payment history - processed by Stripe. We never store card numbers or full payment details.
- AI-generated content: copy briefs, creative scores, and analysis results produced by our platform in response to your requests.
3. How We Use Your Data
- To provide, operate, and improve the Service.
- To analyse your ad creatives and detect fatigue signals using AI.
- To generate AI-powered copy and creative recommendations.
- To process payments and manage your subscription.
- To send you account notifications, verification emails, and product updates (you can opt out of marketing emails at any time).
- To detect and prevent fraud, abuse, and security incidents.
- To comply with our legal obligations.
4. Legal Basis (GDPR)
- Contract performance (Art. 6(1)(b)) - to deliver the Service you subscribed to.
- Legitimate interests (Art. 6(1)(f)) - product improvement, security, fraud prevention.
- Consent (Art. 6(1)(a)) - marketing emails (you can withdraw at any time).
- Legal obligation (Art. 6(1)(c)) - tax records, compliance with applicable law.
5. Data Sharing & Sub-processors
We do not sell your data. We share data only with the following trusted sub-processors, each bound by appropriate data protection agreements:
- Meta Platforms, Inc. - to retrieve your ad account data via the Meta Marketing API (data controller for Meta-side processing).
- Anthropic, PBC - AI analysis: creative thumbnail URLs and performance metrics are transmitted for processing. Anthropic does not retain your data for model training under our API agreement. (US-based - see Section 6 for transfer safeguards.)
- Stripe, Inc. - payment processing and subscription management. (US-based - see Section 6.)
- Supabase, Inc. - database hosting on EU (eu-west) infrastructure.
- Vercel, Inc. - application hosting and edge delivery. (US-based - see Section 6.)
- Resend, Inc. - transactional email delivery (account verification, notifications).
- Legal authorities when required by applicable law or valid legal process.
6. International Data Transfers
Some of our sub-processors (Anthropic, Stripe, Vercel) are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the EU–US Data Privacy Framework where applicable.
7. Data Retention
- Account data is retained while your account is active and for 30 days after deletion, after which it is permanently purged.
- Creative and analysis data is retained for the duration of your subscription and 30 days after cancellation.
- Billing records are retained for 5 years as required by Spanish tax law (Ley General Tributaria).
8. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Access (Art. 15) - request a copy of the personal data we hold about you.
- Rectification (Art. 16) - correct inaccurate or incomplete data.
- Erasure (Art. 17) - request deletion of your account and personal data.
- Portability (Art. 20) - receive your data in a structured, machine-readable format.
- Object (Art. 21) - opt out of processing based on legitimate interests.
- Restriction (Art. 18) - limit how we process your data in certain circumstances.
- Withdraw consent - where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email support@rektads.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
9. Cookies
We use a single httpOnly, secure, SameSite=Strict session cookie (rektads_session) solely for authentication purposes. We do not use tracking cookies, advertising pixels, or third-party analytics scripts.
10. Security
Passwords are hashed with bcrypt (cost factor 12). All data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel only. We implement rate limiting, input validation, and security headers to protect against common web vulnerabilities.
11. Children
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before any material changes take effect. The updated policy will be posted at rektads.com/privacy with a revised effective date.
13. Contact & Complaints
For any privacy-related questions or to exercise your rights, contact us at support@rektads.com.
If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish data protection authority: AEPD (Agencia Española de Protección de Datos) - aepd.es.