GDPR compliance

1. Our Commitment to Data Protection

Adfluence is committed to protecting the personal data of all users in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national implementing laws. This page summarizes how we process, store, and protect personal data when you use our services, and how we support your obligations as a controller when you process your own customers' data through the platform.

2. Data Processing

We process personal data in two broad categories: data about you and your team ("account data"), and data that you upload or connect for use in the product ("customer content"), which may include personal data relating to your customers or contacts.

• Account and identity data: name, work email address, company name, role, billing and subscription details, and authentication identifiers when you sign in or integrate directory services.
• Usage and technical data: product interactions, workspace and campaign activity, IP address and approximate location, device and browser metadata, and logs needed to operate and secure the service.
• Content you provide: marketing assets, briefs, audience definitions, brand guidelines, and similar materials you create or upload. Where that content contains personal data, we process it solely to provide the services you configure and as described in our agreements.
• Data on your behalf: when you connect integrations or import lists, we process personal data you instruct us to process as a processor under your instructions and subject to our Data Processing Agreement.

We do not sell personal data. We process personal data only where we have a valid legal basis and only to the extent necessary to deliver, improve, and secure the Adfluence platform and to meet our contractual and legal obligations.

3. Legal Basis for Processing

Depending on the context, we rely on one or more of the following legal bases under Article 6(1) GDPR:

• Contract (Article 6(1)(b)): processing necessary to perform our agreement with you, including account creation, service delivery, billing, support, and security measures tied to providing the platform.
• Legitimate interests (Article 6(1)(f)): where balanced against your rights, for example fraud prevention, network and product security, aggregated analytics to improve features, and internal reporting. You may object to certain processing where applicable; we describe how in our Privacy Policy and in-product settings.
• Consent (Article 6(1)(a)): where required for non-essential cookies, certain marketing communications, or optional analytics. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation (Article 6(1)(c)): for example tax, accounting, or responding to lawful requests from public authorities when compelled by applicable law.

4. Data Subject Rights

If we process your personal data as a controller, you have the following rights under the GDPR, subject to conditions and exceptions in applicable law:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure ("right to be forgotten") (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21), including to processing based on legitimate interests
• Rights related to automated decision-making, including profiling (Article 22), where such processing occurs

To exercise any of these rights, contact us at dpo@adfluence.ai. We will respond within one month as required by the GDPR, or inform you if we need additional time and why. You may also lodge a complaint with your local supervisory authority; see section 9 below.

If you are an end user of one of our customers and wish to exercise rights in relation to data that customer holds in Adfluence, please contact that organization directly; we support our customers in fulfilling their obligations upon verified instruction.

5. Data Processing Agreement (DPA)

We offer a GDPR-compliant Data Processing Agreement (DPA) that incorporates the standard contractual clauses approved by the European Commission for international transfers where applicable, and that sets out our obligations as a processor, your instructions, subprocessors, security measures, and assistance with data subject requests and breach notification.

The DPA is available to all customers on request. To obtain a copy or to execute it for your organization, contact legal@adfluence.ai.

6. Sub-Processors

We engage carefully vetted sub-processors to host infrastructure, deliver AI and machine-learning capabilities, process payments, send transactional email, and provide other functions essential to the service. Categories include cloud hosting (for example AWS), AI model providers (such as OpenAI, Anthropic, and Google where features rely on those services), payment processors, and email delivery providers.

A current list of sub-processors with their roles and locations is available on request. We will notify subscribing customers at least 30 days before authorizing a new sub-processor that processes personal data, in line with our DPA, so you may object where your agreement allows.

7. International Data Transfers

Where personal data is transferred from the European Economic Area, Switzerland, or the United Kingdom to countries that have not received an adequacy decision, we implement appropriate safeguards as required by Chapter V GDPR, including the EU Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum or International Data Transfer Agreement as applicable, supplemented by technical and organizational measures and transfer impact assessments where appropriate.

Enterprise customers may elect EU data residency for certain workloads where offered, reducing transfers outside the region for designated processing. We monitor developments in EU-US and UK-US data transfer frameworks and align our practices with valid mechanisms as they evolve following the invalidation of the EU-US Privacy Shield; successor frameworks and certifications are assessed for compliance with GDPR requirements before we rely on them as a transfer tool.

8. Cookie Consent & ePrivacy

In accordance with the ePrivacy Directive (2002/58/EC) and GDPR, we obtain your affirmative consent before placing any non-essential cookies or similar tracking technologies on your device. When you first visit our website, a cookie consent banner allows you to:

• Accept all — enables essential, analytics, and marketing cookies.
• Reject optional — only essential cookies are used; analytics and marketing cookies are not loaded.
• Customize — toggle individual cookie categories (analytics, marketing) on or off.

Your preferences are stored in a first-party cookie and in your browser's local storage. Non-essential scripts are not loaded until consent is given. You can withdraw or change your consent at any time by clicking "Cookie Settings" in the site footer. Withdrawal of consent does not affect the lawfulness of processing based on consent given before withdrawal (Article 7(3) GDPR).

Essential cookies that are strictly necessary for the functioning of the service (e.g., authentication tokens, session management, CSRF protection) do not require consent under ePrivacy rules and cannot be disabled.

9. Data Breach Notification

We maintain documented incident response procedures aligned with Article 33 and 34 GDPR. If we become aware of a personal data breach that is likely to result in a risk to individuals, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to rights and freedoms. Where the breach is likely to result in a high risk to affected individuals, we will also communicate to data subjects without undue delay, unless an exception applies.

Where we process personal data on your behalf, we will notify you without undue delay after becoming aware of a breach affecting that data, in accordance with our DPA, so you can meet your own notification obligations.

10. Data Protection Officer

You may contact our Data Protection Officer for any question relating to this notice or to the processing of your personal data at dpo@adfluence.ai.

Where required by Article 27 GDPR, we have appointed a representative in the European Union. Current contact details for the EU representative are available on request from the DPO address above.

You have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is published by the European Data Protection Board.