Legal

Privacy Policy

Last updated: 2 May 2026

Data controller: Orosz Enterprises FZE LLC, Business Centre, Sharjah Publishing City Free Zone, Sharjah, United Arab Emirates. Formation No.: 4428075. Licence No.: 4428075.01. Represented by Peter Orosz, Managing Director. Contact: help@goeasyads.com

1. Introduction and Scope

EasyAds ("we", "us", "our") operates goeasyads.com and the EasyAds platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.

This policy applies to users in all jurisdictions, including the European Economic Area (EEA), Hungary, the United Kingdom, and the United States (including California). Where applicable law requires additional or different protections, those protections apply in addition to this policy.

We comply with:

General Data Protection Regulation (GDPR) (EU) 2016/679 - applicable to EEA/Hungarian users
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Hungary)
California Consumer Privacy Act (CCPA) as amended by CPRA - applicable to California residents
CAN-SPAM Act - applicable to email communications to US recipients
UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection

2. Information We Collect

Information you provide directly:

Account registration data: name, email address, password (stored as a bcrypt hash - we never store plaintext passwords)
Business profile information: company name, website URL, industry, advertising budgets, goals, brand assets (logos, images)
Payment information: processed and stored securely by Stripe - we receive only subscription status and billing events, never card numbers
Communications: messages you send us via email or support channels

Information collected automatically:

Log data: IP address, browser type, pages visited, timestamps
Device data: device type, operating system
Usage events: features used, buttons clicked, actions taken within the platform - collected via our own internal telemetry system (no third-party analytics scripts)
Session authentication tokens (httpOnly cookies - not readable by JavaScript)

Information received from third parties:

Meta (Facebook / Instagram): ad account data, campaign performance metrics, audience insights, page information, pixel data - received only when you connect your Meta account via OAuth
Google: your name and email address if you sign in using Google OAuth
Stripe: subscription status, billing interval, and payment event notifications via webhook

3. How We Use Your Information

We use the information we collect to:

Create and maintain your account and workspace
Provide, operate, and improve the EasyAds Service
Generate AI-powered advertising strategies, creatives, and campaign recommendations on your behalf
Process payments and manage subscriptions via Stripe
Send transactional emails (account confirmations, password reset, campaign notifications) via Resend
Detect and prevent fraud, abuse, and security incidents
Analyze internal usage patterns to improve our product (no third-party analytics tools are used)
Comply with legal obligations

We do not use your data for behavioural advertising, profiling for third-party commercial purposes, or any purpose beyond operating and improving the Service.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, our legal bases for processing your personal data are:

Contract performance: processing necessary to provide the Service you signed up for (account management, campaign delivery, billing)
Legitimate interests: improving our product, preventing fraud, sending service-related communications
Legal obligation: complying with applicable laws and regulations, including financial record-keeping
Consent: if we introduce optional communications or features based on consent in the future, we will ask for it explicitly

5. Sub-processors and Data Sharing

We do not sell, trade, or rent your personal data to third parties. We share your information only with the following sub-processors, each bound by a data processing agreement:

Sub-processor	Purpose	Data category	Location
Stripe	Payment processing & subscription management	Name, email, billing info	USA (SCCs)
Resend	Transactional email delivery	Name, email address	USA (SCCs)
Anthropic	AI language model (campaign strategy, optimisation, analysis)	Business profile, ad performance data	USA (SCCs)
Google (Gemini)	AI image generation & ad copy generation	Business profile, brand assets, campaign goals	USA (SCCs)
Meta Platforms	Meta Marketing API for campaign delivery + Meta Pixel for marketing-page attribution (loaded only on goeasyads.com / www.goeasyads.com)	Campaign data, ad creatives, spend, marketing-page browser identifiers	USA (SCCs)
Vercel	Application hosting & edge runtime	IP address, request logs, server metrics	USA / EU (SCCs)
Neon	PostgreSQL database hosting (workspace + campaign data)	All persisted account data	USA / EU (SCCs)
Sentry	Error reporting & exception monitoring	IP address, request URL, stack traces, workspace ID (no plaintext PII intentionally captured)	USA (SCCs)

SCCs = EU Standard Contractual Clauses. We will notify you of material changes to our sub-processor list by updating this page and emailing affected users where required.

We may also disclose your data to legal authorities when required by law, court order, or government authority, and to successors in the event of a merger, acquisition, or sale of assets.

6. Meta-Connected Account Data

When you connect your Meta ad account, EasyAds receives and processes your campaign data, performance metrics, audience configuration, ad creatives, and ad spend information via the Meta Marketing API. This data is used exclusively to provide the Service on your behalf.

Your Meta access token is encrypted at rest using AES-256-GCM before storage
We request the minimum OAuth permissions necessary to manage your campaigns (see the permissions list in Settings → Meta Account)
We do not share your Meta data with any third party except the AI sub-processors listed above, which process it to generate recommendations
You may disconnect your Meta account at any time from Settings, which revokes our access to future data. Historical campaign data in EasyAds is deleted per the retention schedule below
If Meta requires a data deletion callback for app compliance, contact us at help@goeasyads.com and we will process your request within 30 days

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Our retention schedule:

Active account data: retained for the duration of your subscription
After account deletion: database records are deleted immediately in a single transaction (workspace → campaigns → ads → creatives → keys → members)
Uploaded files (brand assets, logos): deleted from our servers at account deletion
Financial records (invoices, subscription history): retained for 7 years as required by applicable law - these are minimal records held by Stripe; we store only subscription status
Backup copies: database backups may retain data for up to 30 days after deletion before being overwritten
AI-generated content: deleted as part of workspace deletion
Internal server logs: rotated within 90 days

You can download a self-service export of your account data from Settings → Account → Export my data, which generates a JSON archive of your workspace, campaigns, ads, creatives, and onboarding answers. For broader data-portability requests (e.g. machine-readable formats for migration to another provider), contact us at help@goeasyads.com. We will fulfil requests within 30 days as required by GDPR Article 20.

8. Your Rights

Under GDPR and applicable law, you have the right to:

Access: request a copy of the personal data we hold about you
Rectification: correct inaccurate or incomplete data (most profile data can be updated directly in Settings)
Erasure ("right to be forgotten"): delete your account from Settings → Account → Delete account, or contact us
Restriction: limit how we process your data in certain circumstances
Data portability: receive your data in a machine-readable format - contact us
Objection: object to processing based on legitimate interests
Lodge a complaint: with your local supervisory authority (e.g. your national Data Protection Authority)

To exercise these rights, contact us at help@goeasyads.com. We will respond within 30 days. We may ask you to verify your identity before processing sensitive requests.

9. Security

We implement the following security measures:

Passwords: bcrypt-hashed with cost factor 12 - plaintext passwords are never stored or logged
Data in transit: TLS 1.2+ for all connections
Meta access tokens: encrypted at rest using AES-256-GCM
API keys: stored as SHA-256 hashes - raw keys are shown once at creation and cannot be recovered
Session tokens: httpOnly, Secure, SameSite=Lax cookies
OAuth anti-CSRF: Meta OAuth state is HMAC-SHA256 signed and bound to the authenticated user
Access controls: all API endpoints require authentication; workspace-scoped data is verified per request
Rate limiting: registration, login, and AI endpoints are rate-limited

No method of transmission over the Internet is 100% secure. If you discover a security vulnerability, please report it responsibly to help@goeasyads.com. See our Security page for our responsible disclosure policy.

10. International Data Transfers

Your data may be processed outside your country of residence, including in the United Arab Emirates and the United States. When transferring data from the EEA to countries without an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) as the legal transfer mechanism. Our sub-processors are listed in Section 5 above with their locations.

11. Cookies

We use strictly necessary session cookies to keep you logged in and remember your workspace selection. We do not use third-party analytics cookies, advertising tracking pixels, or behavioural profiling cookies. For the full cookie inventory, see our Cookie Policy.

12. Automated Decision-Making (GDPR Article 22)

EasyAds runs an AI agent that takes automated actions on your Meta ad campaigns: pausing under-performing campaigns, raising or lowering daily budgets within bounded limits, refreshing creatives, refining targeting, and changing optimisation events. Whether these actions execute automatically or as approval requests is controlled by your approval mode in Settings:

AUTOPILOT: low-risk actions execute automatically; high-impact decisions (budget changes, structural rewrites) still surface as approvals.
APPROVE_CREATIVES: every new ad creative requires your approval before being uploaded to Meta.
APPROVE_ALL: every action — including pauses and budget tweaks — requires your approval.

Under GDPR Article 22 you have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you. EasyAds\' automated actions affect your business\' advertising, not you personally; nevertheless we provide:

Human-in-the-loop control: switch to APPROVE_ALL in Settings at any time to require approval for every automated action.
Transparent action logs: every automated decision is written to ActionLog with its reason and inputs; visible from the dashboard.
Rollback: most actions (budget changes, status changes, copy changes) can be undone from the approval row within the undo window.
The right to contest: contact us at help@goeasyads.com to dispute any automated decision; a human will review and respond.

Note that the agent does NOT make decisions about you (the user / human) — its scope is your campaigns. We do not profile users for any purpose other than operating the Service.

13. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately and we will delete it.

14. Your Consent Record

When you register, we record the timestamp at which you accepted these Terms of Service and this Privacy Policy. This record constitutes our legal evidence of your informed consent. You may request a copy of your consent record at any time by contacting us.

15. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

Right to Know: you may request disclosure of the categories and specific pieces of personal information we have collected about you
Right to Delete: you may request deletion of your personal information, subject to certain exceptions
Right to Correct: you may request correction of inaccurate personal information
Right to Opt-Out of Sale or Sharing: we do NOT sell or share your personal information for cross-context behavioural advertising
Right to Limit Use of Sensitive Personal Information: we do not process sensitive personal information beyond what is necessary to provide the Service
Right of Non-Discrimination: we will not discriminate against you for exercising your CCPA rights

To exercise any California rights, contact us at help@goeasyads.com with subject line "California Privacy Request". We will respond within 45 days. We may ask for verification before processing requests.

Shine the Light: California Civil Code § 1798.83 permits California users to request a list of any third parties to whom we have disclosed personal information for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

16. Hungarian / EU Users - Additional Rights

In addition to the general GDPR rights in Section 8, Hungarian users have the right to:

Lodge a complaint with the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) at naih.hu - Hungary's national data protection authority
Seek judicial remedy through Hungarian courts under Act CXII of 2011
Withdraw consent at any time where processing is based on consent (this does not affect the lawfulness of processing before withdrawal)

Our Data Protection contact: help@goeasyads.com. We aim to respond to all data subject requests within 30 days (extendable to 60 days for complex requests with notification).

Note: As we are based in the UAE and primarily serve EU/EEA users, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism for any data transferred outside the EEA. Copies of applicable SCCs are available on request.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (NAIH for Hungarian users; your national DPA for other EU users) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or prominent notice on the platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

19. Contact

For privacy-related inquiries or data subject requests:

Email: help@goeasyads.com
Orosz Enterprises FZE LLC
Business Centre, Sharjah Publishing City Free Zone
Sharjah, United Arab Emirates