Skip to main content
Legal

Privacy Policy

Last updated: April 16, 2026

1. Introduction and Data Controller

Adverdly (“we,” “our,” or “us”) is operated by HIKARI STUDIO S.R.L., a company registered in Romania (Registration No. CUI 51137445, registered office at Iași, Romania). We are the data controller for the personal data processed through the Adverdly web application at adverdly.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service — an AI-assisted ad creative analysis tool for performance marketers.

By using Adverdly, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.

2. Information We Collect

Account Information

When you sign in with Google, we receive your basic profile information (name, email address, and profile picture) via Google OAuth through Supabase authentication. We do not request access to your Google contacts, calendar, Drive, or any other Google services, and we do not store your Google password. We also store account metadata required to operate your subscription: your current plan, credit balance, billing cycle dates, and the timestamp of account creation. Our use of information received from Google APIs adheres to Google's API Services User Data Policy, including the Limited Use requirements.

Ad Creative Images and Videos

When you upload ad creatives (JPEG, PNG, GIF, WebP, MP4, WebM, or MOV) for analysis, files are stored in our object storage (Supabase) so they can be processed by our AI providers and (where your plan permits) rendered as thumbnails in saved reports. Uploaded files are saved under a per-user path with a randomly generated UUID filename and are automatically removed from storage within seven (7) days of upload. The URLs we generate use the random UUID path, which is not listed publicly and is not guessable in practice. Small images submitted by unauthenticated users on the free tier may be processed directly in memory without being persisted.

Performance Metrics

You may optionally provide ad performance data (CTR, ROAS, CPP, CPC, spend, conversions, revenue, first-time buyers, etc.) by typing it in or by importing a spreadsheet. This data is sent to our AI providers as part of the analysis prompt so that recommendations are informed by actual performance. Aggregated and per-creative metrics are stored with the analysis record on plans that include history. Metrics are never sold and are not shared with third parties beyond the AI providers described in Section 5.

Analysis Results

The output of each analysis (overall verdict, 8-dimension scores, strengths, weaknesses, recommendations, metric snapshots, and any creative thumbnails we generated) is stored in our database on plans that include history. Retention periods are described in Section 7.

Client Profiles and Business Data

You may optionally create and maintain client profiles within Adverdly, including client name, business platforms, industry classification, campaign type, ranking preferences, and benchmark values (CPP, ROAS, revenue). This data is stored under your user ID, is protected by row-level security, is not shared with third parties, and is removed when you delete your account.

Shared Report Links

You can mark any analysis in your history as “shared,” which exposes a public report URL (/report/[id]) that anyone holding the link can open without signing in. Shared reports do not currently expire; you must toggle sharing off or delete the history record to make the link inaccessible. Treat a shared link as voluntarily public information: do not mark reports as shared if they contain data you do not want third parties to see.

Usage Data

We automatically collect information about how you interact with the service, including:

  • Pages and features accessed
  • Analysis requests submitted and their metadata (tier, file counts, timestamps)
  • Plan tier and account status
  • IP address (used for rate limiting and abuse prevention)
  • Browser/device type and operating system (via Vercel Analytics, only with consent)
  • Errors and performance metrics (via Sentry)

We do not capture individual click patterns, keystroke-level activity, or session recordings. Error context may be recorded when a critical failure occurs and is retained for up to 30 days by Sentry.

Payment Information

Payments are processed by Lemon Squeezy, which acts as Merchant of Record. We do not store credit card numbers, CVV codes, or any full payment details on our servers. Lemon Squeezy shares with us only the information needed to operate your subscription: order ID, subscription ID, plan/variant, billing cycle, renewal date, current status, and the email address you used at checkout.

3. How We Use Your Information

  • To provide and maintain the Adverdly service
  • To process your ad creative analyses using AI models
  • To generate set analyses, monthly reports, and ranked performance data
  • To manage your account, credits, client profiles, and subscription
  • To generate client-ready PDF reports
  • To enforce rate limits and prevent abuse
  • To communicate essential service updates (e.g. security, billing, terms changes)
  • To improve the service based on aggregate, de-identified usage patterns

Marketing Communications

Adverdly does not currently send marketing emails from within the application. Account confirmation emails are sent by Supabase and payment/renewal receipts are sent by Lemon Squeezy. These are transactional and required to operate your account. If we ever add a marketing list in future, you will be asked to opt in explicitly and will always be able to unsubscribe.

Sensitive Data

You agree not to upload personal data in special categories as defined by GDPR Article 9, including data revealing race, ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, or data concerning sexual orientation. If you accidentally upload such data, contact hello@adverdly.com and mark the subject line “URGENT: GDPR Article 9 Data Deletion”. We will remove the data as soon as reasonably practicable, typically within two business days of receiving the request.

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Contract performance (Article 6(1)(b)): Processing your account data, subscription information, uploaded creatives, and performance metrics is necessary to provide the analysis service you have requested.
  • Legitimate interest (Article 6(1)(f)): Collecting usage data, IP addresses for rate limiting, and aggregate analytics to improve and secure the service, and retaining minimal logs for fraud and abuse prevention.
  • Consent (Article 6(1)(a)): Loading optional analytics (Vercel Analytics and Speed Insights) and, if you voluntarily toggle sharing on, publishing a shared report URL. Consent can be withdrawn at any time.
  • Legal obligation (Article 6(1)(c)): Retaining invoicing records to comply with Romanian and EU accounting regulations.

AI Analysis Processing

Processing your ad creatives with Google Generative AI (Gemini) and Anthropic Claude is necessary to provide the core analysis service (contract performance). The content of your uploads and any performance metrics you supply are transmitted to these providers as part of each request. We process usage patterns and analysis metadata under legitimate interest to improve the service and detect abuse.

Automated Decision-Making Transparency

Adverdly's analysis and scoring systems are informational and educational. They provide guidance and recommendations only, not automated decisions in the sense of GDPR Article 22 (which restricts decisions that produce legal or similarly significant effects). All scoring, ratings, and recommendations are generated by AI models but are presented to you for your review. You retain full control over whether to act on any recommendation.

5. Third-Party Services (Sub-Processors)

We rely on the following third-party services to deliver Adverdly. Where these providers process personal data on our behalf, they act as sub-processors under an appropriate Data Processing Agreement (DPA).

  • Google (Generative AI — Gemini, and Google OAuth): Your ad creative images and videos, the accompanying prompt text, and any performance metrics you supply are processed by Google's Generative AI API for real-time analysis. Google OAuth also provides the identity layer when you sign in. Per Google's published terms for the paid Gemini API, your inputs and outputs are not used to train Google's models. Data is processed in the United States. See Google's Privacy Policy.
  • Anthropic (Claude): After Gemini produces the raw analysis, we use Anthropic Claude to rewrite the analysis text for readability. The full analysis text, including any performance metrics you provided, is sent to Anthropic. Per Anthropic's commercial terms, your inputs and outputs are not used to train Anthropic's models and are retained only as needed to deliver the service. Data is processed in the United States. See Anthropic's Privacy Policy.
  • Supabase: Provides authentication, the Postgres database (users, analysis history, client profiles), and object storage for uploaded creatives. All your persistent account and analysis data is stored on Supabase infrastructure. See Supabase's Privacy Policy.
  • Vercel: Hosts the web application, serves static assets, and runs scheduled maintenance jobs. With your consent, Vercel Analytics and Vercel Speed Insights collect anonymised page-view, navigation, and Core Web Vitals data; they are not loaded if you decline the cookie banner. See Vercel's Privacy Policy.
  • Lemon Squeezy: Acts as Merchant of Record and processes all subscription payments, invoicing, and tax handling. Checkout happens on Lemon Squeezy-hosted pages; we never see your card details. Lemon Squeezy sends us webhook notifications with subscription status, plan, renewal date, and billing email. See Lemon Squeezy's Privacy Policy.
  • Sentry: Provides error tracking and performance monitoring. When the application throws an error, Sentry receives the error message, stack trace, browser information, device type, and a minimal amount of contextual data (which may incidentally include a user ID or email from the authenticated session). Session replay is disabled by default. Data is processed in the EU (Germany) and retained for up to 30 days. See Sentry's Privacy Policy.
  • Upstash (Redis): Provides rate limiting. We store a hashed identifier (IP or user ID) and a counter with a short TTL. No creative or analysis content is sent to Upstash. See Upstash's Privacy Policy.

Changes to Sub-Processors

If we replace a sub-processor or add a new one that materially affects how your data is processed, we will update this policy and note the change in the “Last updated” date.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) through our sub-processors. Google (Gemini) and Anthropic (Claude) process data primarily in the United States. Lemon Squeezy operates across the United States and EU. Supabase, Upstash, and Sentry host our production data in the EU (Frankfurt region). Vercel uses a global edge network with EU regions available for server-rendered traffic.

For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/915) and on the processor's certification under the EU-US Data Privacy Framework where available. Where appropriate, we implement supplementary technical and organisational measures, including encryption in transit and at rest and access controls.

You can request a copy of our Transfer Impact Assessment or the SCCs for any processor by contacting hello@adverdly.com. If you are an EU resident, you have the right to challenge transfers of your personal data outside the EEA.

7. Data Retention

  • Uploaded creatives (all signed-in plans): Files in object storage are automatically removed within seven (7) days of upload, regardless of plan tier. If a file is still referenced by a saved history record when cleanup runs, it remains until the reference is gone. When you delete an individual history entry, the analysis record is removed immediately, and the associated creative file is removed on the next scheduled cleanup (within seven days). If you need earlier erasure, email hello@adverdly.com.
  • Free tier (guest, no account): A single image submitted without signing in may be processed directly in memory and is not persisted. Two free analyses are available without an account, rate-limited per IP. No history is stored.
  • Free tier (signed in) and Solo plan: Uploaded creatives follow the 7-day storage rule. Analysis records are written to the database but are not surfaced in a history view on these plans and are removed within 30 days of creation.
  • Starter plan: Uploaded creatives follow the 7-day storage rule. Analysis records (scores, verdicts, recommendations, metric snapshots) are retained and viewable for 30 days, then permanently removed.
  • Pro plan: Uploaded creatives follow the 7-day storage rule. Analysis records are retained and viewable for 60 days, then permanently removed.
  • Shared reports: If you toggle sharing on, the shared URL remains accessible as long as the underlying history record exists (i.e. within the retention period for your plan). Sharing can be turned off at any time from the history view.
  • Client profiles: Retained until you delete them or delete your account.
  • Account data: Retained as long as your account is active. See Section 8 for what happens on account deletion.
  • Payment records (Lemon Squeezy): Invoice and transaction records are retained by Lemon Squeezy and by us for up to 10 years as required by Romanian and EU accounting regulations.
  • Rate limiting data: Hashed identifiers with short TTLs (typically minutes to hours).
  • Error logs (Sentry): Up to 30 days.

8. Your Rights and Account Deletion

Under the GDPR, you have the right to:

  • Access the personal data we hold about you (Article 15)
  • Rectification of inaccurate or incomplete data (Article 16)
  • Erasure (“right to be forgotten”) of your account and associated data (Article 17)
  • Restriction of processing in specific circumstances (Article 18)
  • Data portability: request a copy of your personal data in a structured, commonly used, machine-readable format (Article 20). Adverdly does not currently provide self-service export; email hello@adverdly.com with the subject line “Data Portability Request” and we aim to respond within 30 days (extendable to 60 days for complex requests, in line with GDPR Article 12(3))
  • Object to processing based on legitimate interest (Article 21)
  • Withdraw consent for optional processing (e.g. analytics) at any time, without affecting the lawfulness of prior processing (Article 7)
  • Not be subject to solely automated decisions with legal or similarly significant effects (Article 22)

How to Exercise Your Rights

Submit a written request to hello@adverdly.com with the subject line “Data Subject Request” and sufficient detail to identify your account. We will verify your identity and aim to respond within 30 days (extendable to 60 days for complex requests, in line with GDPR Article 12(3)). Deletions are permanent and cannot be reversed.

What Account Deletion Removes

When you delete your account from the settings page, we immediately remove your analysis history, your client profiles, your uploaded creatives, your account record, and your authentication session (invalidating any active sessions). Payment and invoicing records are retained by Lemon Squeezy and by us as required by accounting law.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) at www.dataprotection.ro, or with the data protection authority of any EU Member State where you reside or work.

9. Data Breach Notification

In the event of a confirmed breach of security affecting personal data, we will:

  • Notify the Romanian Data Protection Authority (ANSPDCP) within 72 hours as required by GDPR
  • Notify all affected users without undue delay where the breach poses a high risk
  • Provide details of the breach and recommended protective measures

Where GDPR Article 34 requires direct notification to affected users, we will contact you at the email address registered to your account.

10. Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, authenticated API access, row-level security on the database, hashed rate-limit identifiers, server-side-only API keys, a strict nonce-based Content Security Policy, and regular dependency audits. However, no method of transmission over the internet is 100% secure.

11. Cookies & Local Storage

Essential cookies: Adverdly uses cookies required for authentication and session management (Supabase session tokens). These are strictly necessary for the service to function and do not require consent.

Analytics (consent-gated): Vercel Analytics is only loaded if you enable the “Analytics” category in the cookie banner. It collects anonymised page views and navigation events.

Performance (consent-gated): Vercel Speed Insights is only loaded if you enable the “Performance” category. It collects Core Web Vitals and browser timing metrics so we can diagnose slow pages.

You can change or withdraw your choice at any time via the “Manage cookies” link in the footer. The banner reopens with your previous selection pre-filled.

Error monitoring (legitimate interest): Sentry loads for all users to capture application errors. It does not set advertising or tracking cookies and does not record session replays. We process this data on the legal basis of legitimate interest (GDPR Article 6(1)(f)), specifically: ensuring the security and reliability of the service. We have conducted a balancing test concluding that this processing is necessary (we cannot diagnose production failures without it), the impact on users is minimal (no advertising use, no profiling, EU-only storage, 30-day retention), and a reasonable user would expect a SaaS product to monitor for errors. Users can object to this processing at any time by emailing hello@adverdly.com; we will document the objection and exclude that user's session from further error capture.

Local storage: We use local storage for your theme preference (light/dark), the cookie-consent flag, and short-lived UI state. These are not cookies and are not shared with any third party.

We do not use advertising, retargeting, or cross-site tracking cookies.

12. EU Artificial Intelligence Act

Adverdly's use of AI for creative analysis is classified as minimal-risk AI under the EU AI Act. Output is informational only and is always presented to a human (you) for review before any decision is taken. We maintain documentation of our AI systems, prompt design, and quality-assurance procedures. Users can request information about our AI governance at hello@adverdly.com.

13. Children's Privacy

In accordance with the GDPR, Adverdly is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we discover that we have collected personal data from a child under 16 without parental consent, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post any changes on this page and update the “Last updated” date above. Continued use of the service after changes constitutes acceptance. We recommend reviewing this page periodically.

14A. Regional Privacy Rights

In addition to the GDPR rights above, residents of the following jurisdictions have additional rights that we honor globally:

  • California (CCPA/CPRA): You have the right to know what personal information we collect, to request deletion, to correct inaccurate data, and to opt out of the sale or sharing of personal information. Adverdly does not sell or share personal information as those terms are defined by the CCPA/CPRA. You may exercise your rights by emailing hello@adverdly.com. We will not discriminate against you for exercising these rights.
  • Brazil (LGPD): You have the rights of access, correction, anonymization/blocking/deletion, data portability, information about sharing, and revocation of consent under Articles 18-22 of the LGPD. Exercise via hello@adverdly.com.
  • United Kingdom (UK GDPR): You have the same rights as under the EU GDPR. The UK supervisory authority is the Information Commissioner's Office (ICO).

14B. Sub-processors

A dated list of sub-processors used by Adverdly is maintained at adverdly.com/subprocessors. That page is the authoritative source; review it periodically for material changes.

15. Contact

If you have questions about this Privacy Policy, contact us at hello@adverdly.com.

Privacy Contact: Silvia Bosoiu
HIKARI STUDIO S.R.L.
CUI 51137445 • ORC J2025002550005
Str. Sânzienelor nr. 7, Sat Popricani, Comuna Popricani, Jud. Iași, Romania
Adverdly has not appointed a formal DPO under GDPR Art. 37, but the Privacy Contact named above is accountable for responding to data subject requests and supervisory-authority correspondence.