ad2app

Privacy Policy

Last updated: 10 June 2026

1. Data Controller

The data controller of your personal data is Ad2app sp. z o.o., with its registered office at ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland, NIP: 5253042936, KRS: 0001168159 ("ad2app", "we", "us", "our").

You can contact us regarding any privacy matter at kontakt@ad2.app.

Data Protection Officer: We have assessed our processing activities against the criteria of Article 37 GDPR. Our current processing volume does not meet the mandatory threshold for DPO designation under Art. 37 GDPR. All privacy queries are handled by our designated privacy contact at kontakt@ad2.app. We will appoint a DPO if our processing activities reach the applicable threshold and will update this policy accordingly.

2. Scope of This Policy

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you access or use the ad2app platform — including our website, web application, and any related services (collectively, the "Service"). It applies to all users: brands, agencies, and influencers who register accounts, as well as individuals who submit their email via our waitlist form.

We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data.

In fulfilling our accountability obligations under Art. 5(2) GDPR, ad2app maintains a Record of Processing Activities (ROPA) as required by Art. 30 GDPR, available to supervisory authorities on request.

3. Personal Data We Collect

We collect the following categories of personal data:

  • Identity & contact data: first name, last name, email address, business name, phone number (if provided).
  • Account credentials: hashed password; OAuth access and refresh tokens when you connect social media accounts — we store tokens, not your passwords.
  • Social platform data via OAuth: when you authorise a connection to one of the social media platforms you choose to connect (currently Instagram, TikTok, X (Twitter), YouTube, LinkedIn, Facebook, Threads, Pinterest, Reddit, and Bluesky), we receive data from that platform's API as permitted by your OAuth consent. Across all connected platforms this generally includes your account/profile data (such as user ID, username or handle, display name, avatar, and account statistics where the platform exposes them), the content and media of posts you compose, schedule, or publish through the Service, and performance/analytics data for your published posts. The specific data received depends on the platform and the permissions you grant. For some platforms we describe the data in more detail below; the absence of a platform from the detailed list does not mean less data protection — the same general categories and safeguards apply:
    • TikTok: basic profile (user ID, display name, avatar, biography, profile URL), account statistics (follower count, following count, like count, video count), video list and metadata (titles, view counts, engagement metrics), and — where enabled for scheduling features — video upload and publish permissions. We request only the permissions required for the features you actively use.
    • Instagram: Instagram Business account data including username, biography, profile picture, account type, and associated business metrics.
    • Facebook: public profile information and, where you grant permission, your Facebook email address. Facebook is an independent OAuth provider separate from Instagram.
    • YouTube: YouTube channel data (read-only: videos, statistics, channel metadata) and your Google Account profile (name, profile picture URL, Google Account ID) via the Google identity scope used for authentication.
    • Other connected platforms (X (Twitter), LinkedIn, Threads, Pinterest, Reddit, Bluesky): account/profile data, the post content and media you publish through the Service, and published-post analytics, in each case as permitted by the OAuth permissions you grant on that platform.
  • Audience data (aggregate only): demographic and engagement statistics about your social media audience, as provided by the connected platform's API. This data is processed exclusively in aggregate statistical form and is not linked to any identified individual within your audience. We have assessed whether this data could constitute special category data under Art. 9 GDPR and confirm that we do not process such special category data — audience data is processed solely as aggregate numeric metrics.
  • Inbox data: when you use the platform's inbox features, direct message conversations and post comments from your connected social media accounts are fetched and displayed. This includes content sent to you by your followers or other third parties on those platforms. See Section 11 for further detail.
  • Professional data: influencer category, social media handles, media kit content.
  • Campaign & collaboration data: campaign briefs, offer terms, messages exchanged within the platform between brands and influencers.
  • Post content & scheduled posts: the content you compose, schedule, and publish through the Service — including post text, captions, hashtags, links, scheduling times, and the images, videos, and other media you upload for those posts — together with the publishing status and metadata of each post.
  • Published-post analytics: performance and engagement metrics for posts you have published through the Service to your connected accounts (e.g. views, impressions, likes, comments, shares, reach, and other statistics), as provided by the connected platform's API.
  • Media & content: files you upload (images, videos, documents) for posts, campaigns, or your profile.
  • Technical & usage data: anonymised IP address, browser type and version, operating system, pages visited, referral URLs, timestamps, error and crash reports, and usage events (e.g. feature interactions such as button clicks and page views, tracked via PostHog — see Sections 6 and 9). Usage tracking starts only after you give consent via the cookie banner.
  • Session replay data: with your consent (see Section 9), we record replays of your interactions with the Service (mouse movement, scrolling, clicks, page navigation) to diagnose usability problems and errors. All text you type into input fields is masked before recording and never leaves your browser in readable form. Recordings are retained for 30 days.
  • Billing data: billing address and payment reference. Payment card details are handled exclusively by Stripe and are never stored by ad2app.
  • Waitlist data: if you submit your email address via our waitlist form before registering, we store that email address to notify you when access is available.
  • Feedback data: free-text feedback submitted via the in-app feedback form. This may incidentally contain personal data you choose to include.

We do not knowingly collect personal data from individuals under 18 years of age.

For information on which data fields are mandatory versus optional, see Section 8.

4. Legal Bases and Purposes of Processing

Purpose | Legal basis (GDPR Art. 6)
Creating and managing your account | Art. 6(1)(b) — performance of contract
Providing platform features (scheduling and publishing posts to your connected accounts, post analytics, campaigns, collaborations, messaging, inbox) | Art. 6(1)(b) — performance of contract
Processing social media data received via OAuth connections (profile/account data, post content and media you publish, published-post analytics, audience metrics, engagement data, video metadata, inbox messages) | Art. 6(1)(b) — performance of contract: necessary to deliver post scheduling and publishing, post analytics, influencer-brand matching, campaign analytics, and inbox features as contracted. Audience data is processed in aggregate and anonymised form only. No Art. 9 special category data is processed.
Automated influencer–campaign matching and recommendations (profiling within the meaning of Art. 4(4) GDPR) | Art. 6(1)(b) — performance of contract. No binding automated decision with legal or similarly significant effect is made solely by automated means — all matches require affirmative acceptance by both parties. Human review is available on request.
Temporary retention of account data for 30 days following account deletion (account recovery window) | Art. 6(1)(f) — legitimate interests: ad2app's and the user's shared interest in preventing irreversible accidental data loss, balanced against the minimal additional retention period.
Processing payments and issuing invoices (via Stripe) | Art. 6(1)(b) & Art. 6(1)(c) — contract & legal obligation
Complying with legal obligations (tax, accounting, record-keeping) | Art. 6(1)(c) — legal obligation: Polish Accounting Act (Ustawa o rachunkowości), Tax Ordinance (Ordynacja podatkowa), VAT Act (Ustawa o VAT).
Waitlist email: notifying you when platform access is available | Art. 6(1)(a) — consent (given at the point of waitlist submission; withdrawable at any time).
Processing in-app feedback | Art. 6(1)(f) — legitimate interests: ad2app's interest in improving the Service through user feedback.
Improving and developing the Service (usage analytics, session replay, and error tracking via PostHog) | Art. 6(1)(a) — consent, given via the cookie consent banner and withdrawable at any time. No analytics events are captured and no analytics cookies are set before you make a choice. Supplemented by Art. 6(1)(f) — legitimate interests — for aggregate, pseudonymised product statistics.
Security, fraud prevention, and abuse detection | Art. 6(1)(f) — legitimate interests: ad2app's interest in maintaining platform integrity and protecting users from harm, which overrides the minimal intrusiveness of security logging.
Transfer of personal data in a merger, acquisition, or business asset sale | Art. 6(1)(f) — legitimate interests: ad2app's legitimate interest in completing lawful business restructuring, balanced against data subjects' interests. Data subjects will be notified before their data is subject to a materially different privacy policy.
Sending marketing communications | Art. 6(1)(a) — consent (withdrawable at any time without affecting prior processing).

Data Protection Impact Assessment (Art. 35 GDPR): ad2app has conducted a pre-screening assessment of its processing activities against the criteria of Art. 35(1) GDPR. The automated influencer–campaign matching function involves profiling of natural persons based on professional and behavioural data. We have assessed whether this constitutes "systematic and extensive evaluation… on which decisions are taken that produce legal or similarly significant effects" within the meaning of Art. 35(3)(b). Our assessment concluded that because no decision with legal or similarly significant effect is produced solely by automated means — all campaign offers require affirmative acceptance by both parties — a full DPIA is not mandated at this stage. This assessment is documented in accordance with our accountability obligations under Art. 5(2) GDPR and is reviewed annually. We will conduct a full DPIA if the nature or scope of our profiling activities changes materially.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law. Retention periods correspond to the processing purposes identified in Section 4:

  • Account data: for the duration of your account plus 30 days after deletion (account recovery window), then permanently deleted. You may request immediate permanent deletion — waiving the recovery window — by explicitly stating this in your request to kontakt@ad2.app.
  • Campaign & collaboration data: for the duration of your account plus 12 months after account deletion to allow dispute resolution, after which it is permanently deleted. Anonymised aggregated analytics may be retained indefinitely.
  • Post content, scheduled posts, and published-post analytics: retained for the duration of your account and deleted with your account data (subject to the 30-day account recovery window). Anonymised aggregated analytics may be retained indefinitely.
  • OAuth access and refresh tokens: revoked and deleted immediately upon disconnection or account deletion, with a maximum retention of 24 hours for revocation processing logs.
  • Inbox data (DMs and comments): retained for the duration of your account; deleted with your account data.
  • Invoices and billing records: 5 years from the end of the fiscal year (Polish Accounting Act).
  • Technical logs: up to 90 days.
  • Product analytics events (PostHog): retained in pseudonymised form for the operation of our analytics; deleted within 30 days of an erasure request or consent withdrawal.
  • Session replay recordings (PostHog): 30 days, then automatically deleted.
  • Marketing consent records: until consent is withdrawn plus 3 years for compliance evidence.
  • Waitlist emails: until you register for an account or request deletion, or 24 months from submission if you do not register — whichever comes first.
  • In-app feedback: up to 24 months from submission.

Data processed solely on the basis of consent (marketing, analytics cookies, waitlist) is deleted within 30 days of consent withdrawal. Data processed for contractual performance is retained for the duration of the contract plus the applicable limitation period under Polish law (generally 3 years for commercial claims under Art. 118 of the Civil Code, or 6 years for documented claims). Data retained for legal obligation compliance follows the statutory schedule above.

6. Sharing of Personal Data

We do not sell your personal data. We may share it with:

  • Other platform users: when you actively participate in a collaboration, your professional profile (name, social handles, media kit) is visible to the brands/agencies you are matched with, and vice versa.
  • Service providers (data processors) — engaged under contractual terms that include data protection obligations; we are in the process of formalising written Data Processing Agreements under Art. 28 GDPR with all sub-processors where not yet in place:
    • Zernio (ARBICHAT, S.L.) — social media API aggregation: we pass OAuth tokens, post content, media files, and inbox data to Zernio solely to execute publishing and inbox operations on your behalf. Zernio is incorporated in Spain (EEA); however, data is processed on infrastructure with residency in North America (United States). This constitutes an international data transfer covered by Standard Contractual Clauses (Commission Decision 2021/914).
    • Stripe — payment processing: billing address, email, and payment reference are shared with Stripe to process subscription payments. Stripe is located in the United States and operates under the EU–US Data Privacy Framework.
    • PostHog (PostHog, Inc.) — product analytics, session replay, and error tracking: pseudonymised usage event data (feature interactions, page views, device/browser info), masked session recordings, and error reports are processed only after you have given explicit analytics consent via the cookie banner. Our PostHog instance is PostHog Cloud EU, hosted in Frankfurt, Germany — analytics data is stored and processed within the EEA. PostHog, Inc. is incorporated in the United States; any residual access from outside the EEA is governed by a Data Processing Agreement incorporating Standard Contractual Clauses (Commission Decision 2021/914).
    • Vercel Inc. — backend API hosting and compute: server-side application code, API requests, and associated request logs are processed on Vercel's infrastructure. Vercel is located in the United States and transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914).
    • Neon Inc. — PostgreSQL database hosting: all structured platform data (accounts, campaigns, collaborations, social account metadata) is stored in a Neon-hosted PostgreSQL database. Neon is located in the United States and transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914).
    • Google Firebase (Firebase Authentication) — authentication token verification: authentication tokens issued to users may be verified against Firebase Authentication to validate active sessions. Firebase is a Google service located in the United States and operates under the EU–US Data Privacy Framework.
    • A current list of sub-processors (including names, countries of processing, and applicable transfer safeguards) is available on request at kontakt@ad2.app.
  • Legal authorities: where required by law, court order, or to protect the rights and safety of ad2app or third parties.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred under Art. 6(1)(f) — you will be notified before it becomes subject to a different privacy policy.

7. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). Product analytics data (PostHog) is stored and processed on EU servers in Frankfurt, Germany. We use certain processors located outside the EEA, including processors based in the United States (currently: Vercel, Neon, Google Firebase, Stripe, and Zernio; plus residual support access by PostHog, Inc.). For all such transfers we ensure adequate safeguards through one or more of the following mechanisms:

  • the EU–US Data Privacy Framework (Commission Implementing Decision 2023/1795) where the recipient is certified;
  • EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914) supplemented by Transfer Impact Assessments confirming equivalent protection in the destination country; or
  • an adequacy decision by the European Commission covering the recipient country.

You may request copies of applicable SCCs or a summary of our Transfer Impact Assessment findings at kontakt@ad2.app.

8. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR (Articles 15–22 and Art. 77). To exercise any of these rights, contact us at kontakt@ad2.app. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). Where we decline to act on a request, we will inform you of the reasons within the same period, along with your right to lodge a complaint with UODO (see Section 12) and your right to seek a judicial remedy.

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data where there is no overriding legal basis for continued processing. Following account deletion, your data is retained in a deactivated state for 30 days to allow account recovery. You may request immediate permanent deletion (waiving the recovery window) by explicitly stating this in your request.
  • Right to restriction (Art. 18): request that we limit the processing of your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible.
  • Right to object (Art. 21): object to processing based on legitimate interests or to profiling. We will cease unless we demonstrate compelling legitimate grounds. You may object to direct marketing at any time.
  • Right to withdraw consent (Art. 7(3)): where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Rights related to automated decision-making and profiling (Art. 22): our platform uses automated algorithms to match Influencers with relevant campaigns — this constitutes profiling within the meaning of Art. 4(4) GDPR. No final decision that produces legal or similarly significant effects is made solely by automated means; all campaign offers require affirmative acceptance by both parties. You may request human review of any automated match by contacting us. You may object to profiling under Art. 21(2).
  • Right to lodge a complaint (Art. 77): you have the right to lodge a complaint with the Polish supervisory authority — Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl — if you believe we are processing your personal data in violation of the GDPR.

Mandatory vs. optional data: Providing certain personal data (email address, name, account credentials) is a contractual requirement for accessing the Service — without it, we cannot create or maintain your account. Other fields (phone number, media kit files, audience metrics) are voluntary; their absence affects only platform functionality, not account access. Connecting social media accounts via OAuth is optional but required to access campaign matching, publishing, and inbox features.

9. Cookies, Local Storage, and Tracking Technologies

We use cookies, browser local storage, and similar technologies to operate the Service and improve your experience.

  • Strictly necessary cookies: required for authentication sessions and core platform functionality. Cannot be disabled without breaking the Service. Legal basis: Art. 6(1)(b) — contract performance; no consent required. Duration: session cookies expire when you close your browser; authentication cookies expire after 30 days of inactivity.
  • Functional cookies: set only in direct response to an action you take (e.g. selecting a language or theme preference), and strictly necessary to deliver that specific function you have requested. They do not track you across sessions beyond preserving your chosen setting. Legal basis: strictly necessary to fulfil your explicit request under Art. 173 of the Polish Telecommunications Act (ePrivacy); no separate consent required. Duration: up to 12 months, or cleared when you clear your browser data.
  • Analytics cookies (PostHog): collect pseudonymised usage event data, enable session replay (with all typed input masked), and capture error reports to help us understand and improve how the Service is used. Legal basis: Art. 6(1)(a) — consent. No analytics cookies are set and no analytics events are captured before you make a choice in the cookie consent banner shown on first visit. If you accept, PostHog sets a first-party cookie (name beginning ph_) on the ad2.app domain, valid for up to 1 year, shared between our website and the app so you are not asked twice. If you decline, no analytics cookie is set and no events are collected. Analytics data is processed on PostHog Cloud EU servers in Frankfurt, Germany (see Section 6).

You may withdraw or update your cookie consent at any time via the "Cookie settings" link in the footer of our website, or on this Privacy Policy page in the app. Withdrawing analytics consent does not affect platform functionality.

Browser local storage

In addition to cookies, we use browser local storage to preserve application state between sessions. This includes: your language and theme preferences; a cached copy of your subscription tier and status (retained for up to 30 days then invalidated); and draft campaign deadline data. Local storage data is stored on your device only and is not transmitted to our servers independently of your normal usage. It is cleared when you clear your browser data or log out.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR:

  • Encryption in transit (TLS 1.2+) and at rest for stored personal data.
  • Hashed storage of passwords using bcrypt with appropriate cost factors; OAuth tokens encrypted at rest.
  • Role-based access controls with least-privilege principles; access logs retained for audit purposes.
  • Pseudonymisation of analytics and usage data where technically feasible.
  • Regular vulnerability assessments and periodic penetration testing.
  • Incident detection, response, and escalation procedures — including UODO notification within 72 hours of a qualifying breach under Art. 33 GDPR, and notification to affected data subjects where required under Art. 34 GDPR.
  • Business continuity and data recovery procedures tested at least annually.

11. Third-Party Links, Social Platforms, and Inbox Data

The Service allows you to connect the social media accounts you choose to enable platform features. Supported platforms currently include Instagram, TikTok, X (Twitter), YouTube, LinkedIn, Facebook, Threads, Pinterest, Reddit, and Bluesky. When you authorise an OAuth connection, ad2app receives data from that platform's API as permitted by your OAuth consent screen. The source of all such data is the respective social media platform's API.

Inbox data and third-party communications: when you use the inbox features, direct message conversations and post comments from your connected social media accounts are fetched and stored. This includes messages and comments sent by your followers and other third parties on those platforms. Those individuals have not directly provided their data to ad2app. We process this data under Art. 6(1)(b) (to provide the inbox feature you have contracted for) and rely on the exemption in Art. 14(5)(b) GDPR — providing individual notice to each such person would require disproportionate effort given the volume and platform-derived nature of the data. Inbox data is not used for profiling, advertising, or any purpose beyond displaying your social media communications within the platform.

Audience data (Art. 14 GDPR): when you connect a social media account, the connected platform may provide aggregate audience data (e.g. demographic statistics about your followers). This data originates from the social platform and relates to individuals who are not in a direct relationship with ad2app. We rely on Art. 14(5)(b) GDPR — individual notification is impossible given the aggregate and platform-derived nature of this data. It is processed solely in aggregated form for influencer–brand matching and campaign analytics, and is not used for any other purpose.

We are not responsible for the privacy practices of third-party social platforms. Please review their privacy policies before connecting your accounts.

12. Supervisory Authority

You have the right to lodge a complaint with the Polish data protection supervisory authority (Art. 77 GDPR) if you believe we have violated your rights:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.

Previous versions of this Privacy Policy are available on request at kontakt@ad2.app. A changelog summarising material amendments is maintained internally and available to supervisory authorities on request.

14. Contact

For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us at:

Ad2app sp. z o.o.
ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland
NIP: 5253042936
KRS: 0001168159
Email: kontakt@ad2.app