1. Introduction
To Better Digital SASU (“ADSAP”, “we”, “us”, “our”), a French Société par Actions Simplifiée Unipersonnelle registered in Paris, France, operates the Meta advertising automation platform available at adsap.ai (the “Platform”). This Privacy Policy explains how we collect, use, share, and protect personal data when you use the Platform. It applies to all users of our services, including our website, web application, and Claude MCP integration.
We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the French Loi Informatique et Libertés, and applicable data protection legislation.
2. Data Controller
The data controller for personal data collected through the Platform for account management purposes is:
48 rue Sauffroy, 75017 Paris, France
Email: jeremy@tobetterdigital.com
When we process advertising campaign data, audience data, or creative assets on your behalf via the Meta Marketing API, we act as a Data Processor under your instructions. This relationship is governed by our Data Processing Agreement (DPA), available upon request.
3. Data We Collect
3.1 Account Data (Controller)
When you create an ADSAP account, we collect your email address, name, and authentication credentials. If you subscribe to a paid plan, our payment processor (Stripe) collects billing information on our behalf. We do not store credit card numbers on our servers.
3.2 Meta Advertising Data (Processor)
When you connect your Meta ad account via OAuth, we access and cache advertising data including campaign structures, ad set configurations, ad creatives, performance metrics, audience definitions, and pixel event data. This data is processed solely to provide you with the Platform’s automation and reporting services. We store encrypted OAuth access tokens and refresh tokens to maintain your Meta connection.
3.3 Google Drive Data (Processor)
If you connect Google Drive, we request read-only access (drive.readonly scope) to browse and transfer creative files (images and videos) to your Meta ad account. We do not modify or delete files in your Drive. Creative files are streamed from Google Drive to Meta and are not permanently stored on our infrastructure. We store your Google OAuth tokens to maintain the connection.
3.4 AI Processing Data
The Platform integrates with Anthropic’s Claude AI via the MCP (Model Context Protocol) framework. When you use the Claude MCP integration, your instructions and the resulting ad parameters (campaign names, targeting criteria, ad copy, budget values) are transmitted to Anthropic’s API for processing. Anthropic operates under commercial API terms with data retention policies described in Section 7. Your advertising data is not used to train AI models.
3.5 Usage and Technical Data
We collect standard usage data such as IP addresses, browser type, pages visited, and feature usage to improve the Platform and ensure security. We use analytics tools to understand how users interact with the Platform.
4. Legal Bases for Processing
We process personal data on the following legal bases under GDPR Article 6:
Contract performance (Art. 6(1)(b)): Processing your account data and Meta advertising data is necessary to provide you with the Platform’s services under our Terms of Service.
Legitimate interest (Art. 6(1)(f)): Usage analytics, security monitoring, and fraud prevention are carried out under our legitimate interest in maintaining and improving the Platform.
Consent (Art. 6(1)(a)): Where required, such as for optional cookies or marketing communications, we obtain your explicit consent.
Legal obligation (Art. 6(1)(c)): We may process data as required by French law, including tax and accounting obligations.
5. How We Use Your Data
We use your data to provide, maintain, and improve the Platform, including: managing your account and subscription; connecting to and syncing with your Meta ad accounts; executing campaign creation, modification, and pausing operations via the Meta Marketing API; caching performance metrics for reporting dashboards; transferring creative files from Google Drive to Meta; processing AI-assisted operations via the Claude MCP integration; communicating service updates and support responses; and ensuring security and preventing abuse.
6. Data Sharing and Subprocessors
We do not sell your personal data. We share data only with the following categories of recipients, each acting under contractual obligations and appropriate safeguards:
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database hosting, authentication, edge functions | EU (Frankfurt) | GDPR DPA, EU hosting |
| Meta Platforms | Advertising API (campaign management, insights) | US / EU | EU-US Data Privacy Framework, Meta Business Tools Terms |
| Anthropic | AI processing via Claude API (MCP integration) | US | Commercial API terms, no model training on user data, SCCs |
| Drive API (creative file access), OAuth | US / EU | EU-US Data Privacy Framework, SCCs | |
| Stripe | Payment processing | US / EU | PCI DSS, GDPR DPA, SCCs |
| Vercel | Website and app hosting | US / EU | GDPR DPA, SCCs |
| Hostinger | VPS hosting | EU | EU hosting, GDPR DPA |
We will notify you of any material changes to our subprocessor list. You may object to a new subprocessor within 30 days of notification. The current subprocessor list is maintained at adsap.ai/subprocessors.
7. AI-Specific Disclosures
ADSAP uses Anthropic’s Claude AI through the MCP framework to enable conversational ad management. The following applies to AI processing:
No model training: Data sent to the Claude API under Anthropic’s commercial terms is not used to train or fine-tune AI models. This is governed by Anthropic’s commercial API agreement.
Transient processing: AI interactions are processed in real-time. Anthropic may retain API traffic for up to 30 days for safety monitoring under their standard commercial terms.
No automated decision-making: The Platform does not make fully automated decisions with legal or similarly significant effects (GDPR Article 22). All ad creation and budget changes require explicit user approval before execution.
Data minimization: We transmit only the data necessary for the requested operation (e.g., campaign parameters, targeting criteria, ad copy). We do not send your full account data or billing information to the AI.
8. International Data Transfers
Your primary data is hosted within the European Union (Supabase EU region, Frankfurt). Some data is transferred to the United States when interacting with Meta’s Marketing API, Anthropic’s Claude API, and Stripe’s payment API. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, and where applicable, the EU-US Data Privacy Framework. We have conducted Transfer Impact Assessments (AITD) as recommended by the CNIL for each US-based subprocessor.
9. Data Retention
Account data: Retained for the duration of your active subscription plus 30 days after account deletion to allow for reactivation.
Meta advertising data cache: Campaign structures and performance metrics are cached and refreshed periodically. Cached data is deleted within 30 days of disconnecting your Meta account or terminating your subscription.
OAuth tokens: Meta and Google OAuth tokens are stored encrypted and deleted immediately upon disconnection or account termination.
Billing records: Retained for 10 years as required by French commercial and tax law (Code de commerce).
Audit logs: Platform activity logs are retained for 12 months for security and debugging purposes.
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Access (Art. 15): Request a copy of the personal data we hold about you.
Rectification (Art. 16): Request correction of inaccurate personal data.
Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
Restriction (Art. 18): Request restriction of processing in certain circumstances.
Portability (Art. 20): Receive your personal data in a structured, machine-readable format.
Objection (Art. 21): Object to processing based on legitimate interest.
Withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at jeremy@tobetterdigital.com. We will respond within 30 days.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including: encryption at rest and in transit (TLS 1.2+); row-level security (RLS) policies on all database tables to enforce tenant isolation; OAuth 2.1 authentication for all API integrations; encrypted storage of all third-party access tokens; rate limiting and abuse prevention on all API endpoints; regular security assessments including third-party penetration testing; and audit logging of all sensitive operations.
12. Cookies
The Platform uses strictly necessary cookies for authentication and session management. We use analytics cookies only with your consent. You can manage cookie preferences through your browser settings or our cookie consent banner when applicable.
13. Children’s Privacy
The Platform is a B2B service not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors.
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), the French supervisory authority: cnil.fr.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address or through a prominent notice on the Platform at least 30 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
16. Contact
For any questions about this Privacy Policy or our data practices, contact us at:
48 rue Sauffroy, 75017 Paris, France
Email: jeremy@tobetterdigital.com
Website: adsap.ai