Privacy Policy

Version 2026-05-05 · effective from 2026-05-05

Your privacy is the foundation of trust. Here you will find the full picture of what data we process, why, for how long, and with whom we share it. Controller: Space Ads Sp. z o.o. Some sub-processors operate from the United States — transfers rely on EU-US Data Privacy Framework or Standard Contractual Clauses. You have all GDPR rights, including the right to lodge a complaint with the Polish supervisory authority (PUODO).

Comprehensive draft pending final lawyer / DPO review before launch.

§1

Data controller

The controller of your personal data is Space Ads Sp. z o.o., a limited liability company (spółka z ograniczoną odpowiedzialnością) with its registered office in Warsaw (Plac Bankowy 2, 00-095 Warszawa, Polska), Polish VAT ID PL0000000000, REGON 000000000, KRS 0000000000 (the "Controller" or "we").

Contact for data-protection matters: support@spaceads.agency or by post to the registered office.

§2

Data Protection Officer

We have not appointed a Data Protection Officer (DPO) — we do not meet the criteria of GDPR art. 37(1). Please direct all data-protection enquiries to the address in §1.

§3

Categories of data we process

  • Contact data: e-mail address;
  • Invoice data: full name (B2C) or company name (B2B), VAT-ID, REGON, address (street, postcode, city, country);
  • Transaction data: order history, amounts, currency, payment status, invoice data, payment-operator identifiers;
  • Technical data: IP, User-Agent, session id, short UA fingerprint hash, consent timestamps;
  • IP-derived country (country-level geolocation performed at the hosting provider's edge) — used to (a) prefill the "country" field at checkout and (b) serve as the second non-contradictory location-evidence piece required by Council Implementing Regulation (EU) 282/2011 art. 24f for VAT-OSS B2C TBE supplies. We retain both your self-declared country (which drives the invoice) and the detected one (audit only);
  • Product and access data: purchased products, download timestamps, course progress;
  • Cookie data — see the Cookie Policy.

§4

Purposes and legal bases

Performance of the Sales Contract and Account

Basis: GDPR art. 6(1)(b) (contract)

Retention: contract term + limitation period

Invoicing and tax obligations

Basis: GDPR art. 6(1)(c) (Polish VAT Act, Tax Ordinance)

Retention: 5 years from end of the tax year

Complaint handling

Basis: GDPR art. 6(1)(b) and (c)

Retention: until case closure + 1 year

Defence against / pursuit of claims

Basis: GDPR art. 6(1)(f) (legitimate interest)

Retention: until limitation period expires

Transactional e-mails (confirmations, invoices, magic links)

Basis: GDPR art. 6(1)(b)

Retention: contract term

Marketing newsletter (where consented)

Basis: GDPR art. 6(1)(a) + Polish USDE art. 10 + PT art. 172

Retention: until consent withdrawn

Service security (logs, abuse prevention)

Basis: GDPR art. 6(1)(f)

Retention: 12 months

Statistics and analytics (analytical cookies — where consented)

Basis: GDPR art. 6(1)(a)

Retention: until consent withdrawn (max. 26 months)

§5

Legitimate interests

Where processing rests on GDPR art. 6(1)(f), our legitimate interests are:

  • defence against and pursuit of legal claims;
  • Store security and abuse detection (e.g. payment-fraud prevention);
  • internal operational analytics for management.

§6

Recipients (sub-processors)

Your data may be disclosed to the following categories of recipients, acting solely on our instructions and under data-processing agreements:

  • Vercel Inc. (USA) — web application hosting;
  • Neon Inc. (USA, processing region: Frankfurt, EU) — Postgres database;
  • Stripe Payments Europe Ltd. (Ireland, transfers to USA) — international payment processing;
  • PayU S.A. (Poland) — Polish payment processing;
  • InFakt sp. z o.o. (Poland) — invoice issuance (from phase 3);
  • SMTP provider — transactional e-mail delivery;
  • Accounting firm — bookkeeping under DPA;
  • Legal / tax advisors — under professional secrecy.

Data may also be disclosed to public authorities (e.g. tax office, prosecutor) where such disclosure is mandatory.

§7

Transfers outside the EEA (USA)

Some sub-processors (Vercel, Neon, Stripe) are established or process data in the USA. Transfers to the USA take place on the basis of:

  • EU-US Data Privacy Framework (Commission decision of 10 July 2023), where the recipient is enrolled, or
  • Standard Contractual Clauses (Commission Implementing Decision 2021/914), supplemented by a Transfer Impact Assessment per EDPB guidance.

Specific safeguards for individual processors are available on request at support@spaceads.agency.

§8

Your rights

  • access (GDPR art. 15);
  • rectification (art. 16);
  • erasure — "right to be forgotten" (art. 17), subject to retention obligations (e.g. invoices — 5 years);
  • restriction (art. 18);
  • portability (art. 20) — based on consent or contract;
  • objection to processing based on legitimate interests (art. 21);
  • consent withdrawal at any time (art. 7(3));
  • complaint to the Polish PUODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

To exercise these rights please write to support@spaceads.agency. We respond within one month at the latest (GDPR art. 12(3)), extendable by up to two months in complex cases.

§9

Provision of data

Providing the data necessary to conclude and perform the Sales Contract (e-mail, invoice data) is a contractual requirement. Other data (e.g. marketing consent) are voluntary.

§10

Profiling and automated decision-making

We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you (GDPR art. 22). Stripe and PayU may apply automated fraud-detection systems necessary to process payments — see those operators' privacy policies.

§11

Security

We apply technical and organisational measures appropriate to the risk:

  • TLS 1.2+ encryption;
  • encryption at rest at Neon;
  • role-based access control (RBAC);
  • regular log audits;
  • append-only logs for administrative actions.

§12

Cookies and similar technologies

The Store uses cookies described in detail in the Cookie Policy. Cookies necessary for the Store (session, cart, currency preference) do not require consent. Analytical and marketing cookies are used only with your consent through the cookie banner.

§13

Changes to this policy

We may update this policy to reflect legal or operational changes. Material changes are announced 14 days in advance. Archived versions are available on request.

§14

Final provisions

Matters not regulated herein are governed by GDPR, the Polish Personal Data Protection Act of 10 May 2018, USDE and the Polish Telecommunications Act.

§15

Space Ads OS — license, OAuth tokens, telemetry

This section applies only to subscribers of Space Ads OS (the CLI is installed locally on the customer's machine). It describes the data flow between the CLI and the Controller's license system.

15.1 License verification

Every CLI invocation sends three items to academy.spaceads.agency/api/license/verify:

  • License key — the Controller stores only the SHA-256 hash; the cleartext key is never persisted server-side beyond the moment of issuance.
  • Hardware fingerprint — irreversible SHA-256 over OS, architecture and machine ID; used purely as a soft fraud heuristic (count of distinct devices), never blocks execution and cannot identify the hardware.
  • CLI version — text field (e.g. 0.1.0) used to surface update availability.

Purpose: contract performance (Art. 6(1)(b) GDPR). Retention: up to 12 months after subscription expiry for accounting and security reasons.

15.2 OAuth tokens (Meta, TikTok, Google Analytics 4)

The customer authorizes ad-account access through the Controller's OAuth bridge. Access and refresh tokens are encrypted with AES-256-GCM using a key held server-side by the Controller and stored in a database row tied to the license identifier. Plaintext tokens exist only in the server's memory at the moment of the authorization-code exchange and inside the customer's CLI process.

The Controller can technically decrypt tokens (the Controller holds the key) but does not do so outside customer-initiated support. Permissions can be revoked at any time inside Meta Business Manager / TikTok Business Center / Google Permissions — independently of the subscription.

The customer retains full ownership of the underlying ad accounts. The Controller never assumes ad-account access in its own name.

15.3 Brand-extractor (web scraping the customer's website or their clients')

The /spaceads-brand command fetches public assets from the URL the user provides. The CLI:

  • identifies itself with the User-Agent spaceads-os-brand-extractor/<version>;
  • honors the source site's robots.txt and X-Robots-Tag headers;
  • fetches only the URL the user supplied (no domain crawl) and saves the result locally to brief.yaml.brand_system;
  • does not transmit page content to the Controller's servers.

15.4 Telemetry (opt-in)

CLI telemetry is off by default. With explicit customer opt-in (SPACEADS_TELEMETRY=on environment variable) only the following are sent:

  • CLI version,
  • OS family (macOS / Linux / Windows),
  • command name,
  • outcome class (success / error category X).

Telemetry does not contain ad-account identifiers, the customer's end-client data, creative content or report content. It can be turned off at any time by setting SPACEADS_TELEMETRY=off.

15.5 Local customer data

The files clients/<slug>/brief.yaml, voice.md, credentials/, logs/<channel>_changes.jsonl and generated reports stay solely on the customer's disk. Cancellation blocks CLI execution at the next billing cycle but does not delete any local files.

Privacy questions?

If you want to exercise your rights or have a question about how we process data — we reply within one business day.

support@spaceads.agency · Mon–Fri 9:00–17:00 CET