Privacy Policy for AIMEY Google Ads Management

1. What Data We Collect

We collect various types of personal data to provide and improve our services:

Personal Information You Provide

• Contact Details: Name, email address, phone number, company name, and postal address when you register, contact us, or request information
• Account Information: Username, password, and account preferences
• Payment Information: Billing address and payment method details (payment processing is handled securely by third-party processors)
• Communication Data: Messages, inquiries, feedback, and other communications you send to us
• Google Ads Data: When you connect your Google Ads account, we access campaign data, performance metrics, keywords, ad copy, and other advertising information necessary to provide our services
• Business Information: Details about your business, website, products or services, target audience, and marketing objectives
• Support Data: Information provided when you contact customer support, including screenshots, logs, and troubleshooting information

Automatically Collected Information

• Technical Data: IP address, browser type and version, device information, operating system, referring website, pages viewed, and timestamps
• Usage Data: How you interact with our platform, features used, time spent, click patterns, and user journey analytics
• Cookie Data: Information collected through cookies and similar tracking technologies (see our Cookie Policy section below)
• Performance Data: System performance metrics, error logs, and diagnostic information to improve our services

Data from Third Parties

• Google Services: Data from Google Ads, Google Analytics, and other Google services when you grant us access
• Integration Partners: Data from other marketing platforms or tools you choose to integrate with our services
• Public Sources: Publicly available business information to enhance our understanding of your industry and competitive landscape

2. How We Use Your Data (Purposes and Legal Bases)

We process your personal data for the following purposes, based on the legal grounds outlined below:

Service Provision (Legal Basis: Contract Performance - Article 6(1)(b) GDPR)

• Creating and managing your account
• Providing AI-powered Google Ads management services
• Processing payments and managing billing
• Providing customer support and technical assistance
• Communicating about your account and services
• Delivering requested reports and analytics
• Managing and optimizing your advertising campaigns
• Implementing bid strategies and budget allocation

Service Improvement (Legal Basis: Legitimate Interests - Article 6(1)(f) GDPR)

• Training and improving our AI algorithms and machine learning models
• Analyzing usage patterns to enhance user experience and platform functionality
• Developing new features, services, and advertising optimization techniques
• Conducting research and analytics to improve campaign performance and ROI
• Monitoring system performance, security, and platform stability
• Preventing fraud, abuse, and ensuring platform security and integrity
• Benchmarking and competitive analysis (using aggregated, anonymized data)
• Quality assurance and testing of new platform features

Legal Compliance (Legal Basis: Legal Obligation - Article 6(1)(c) GDPR)

• Complying with applicable laws, regulations, and industry standards
• Responding to legal requests, court orders, and regulatory inquiries
• Meeting tax, accounting, and financial reporting requirements
• Fulfilling regulatory reporting obligations and compliance audits
• Maintaining records as required by law or regulation
• Cooperating with law enforcement and regulatory authorities when legally required

Marketing and Communications (Legal Basis: Consent - Article 6(1)(a) GDPR)

• Sending marketing communications, newsletters, and promotional materials (with your explicit consent)
• Providing information about new features, services, and platform updates
• Conducting customer satisfaction surveys and feedback collection
• Personalizing your experience on our platform and tailoring content to your interests
• Inviting you to webinars, events, and educational content related to digital advertising

Note: You can withdraw your consent for marketing communications at any time by clicking the unsubscribe link in our emails, updating your account preferences, or contacting us directly. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

3. Sharing of Data and Third-Party Recipients

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We only share your information in the following limited circumstances and with appropriate safeguards:

Service Providers and Business Partners

We share personal data with trusted third-party service providers who assist us in delivering our services:

• Cloud Infrastructure Providers: Google Cloud Platform, Amazon Web Services, and other cloud service providers for hosting, data processing, and platform infrastructure
• Payment Processors: Stripe, PayPal, and other secure payment service providers for processing transactions and managing billing
• Analytics and Performance Monitoring: Google Analytics, Mixpanel, and similar services for website analytics and platform performance monitoring (with your consent)
• Customer Support Platforms: Zendesk, Intercom, and other customer support tools for providing technical assistance
• Email and Communication Services: Mailchimp, SendGrid, and similar services for transactional and marketing communications
• Security and Fraud Prevention: Cloudflare, security monitoring services, and fraud prevention providers
• Authentication Services: Single sign-on providers and identity verification services

Google and Advertising Platforms

• We share necessary data with Google Ads and other advertising platforms to manage and optimize your campaigns on your behalf
• This includes campaign settings, bid adjustments, keyword data, ad copy, budget allocations, and performance metrics
• All data sharing with advertising platforms is essential for providing our core AI-powered campaign management services
• We act as a processor of your Google Ads data and only access what is necessary to deliver our services

Legal and Regulatory Requirements

• When required by law, regulation, court order, or other legal process
• To respond to lawful requests from public authorities, law enforcement, or regulatory bodies
• To protect our rights, property, safety, or that of our users, employees, or others
• In connection with fraud prevention, investigation, and protection of intellectual property
• To enforce our terms of service and investigate potential violations

Business Transfers and Corporate Transactions

In the event of a merger, acquisition, corporate divestiture, sale of assets, bankruptcy, or similar business transaction, your personal data may be transferred to the acquiring entity or successor organization, subject to equivalent privacy protections and your rights under applicable data protection laws.

Data Processing Agreements and Safeguards

We maintain comprehensive data processing agreements with all third-party service providers to ensure your data is handled securely and in accordance with applicable data protection laws. These agreements include:

• Strict confidentiality and security requirements
• Limitations on data use to only what is necessary for the specified services
• Requirements for appropriate technical and organizational security measures
• Provisions for data breach notification and incident response
• Rights to audit and monitor compliance with privacy requirements

4. International Data Transfers

AIMEY is based in Germany (European Union), and we primarily process data within the European Economic Area (EEA). However, some of our service providers and business partners may be located outside the EEA, which may involve transferring your personal data to countries with different data protection standards.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place to protect your information:

• Adequacy Decisions: Transfers to countries that have received an adequacy decision from the European Commission, confirming they provide an adequate level of data protection
• Standard Contractual Clauses (SCCs): EU Standard Contractual Clauses for transfers to countries without adequacy decisions, ensuring equivalent protection
• Binding Corporate Rules: For transfers within multinational organizations that have approved binding corporate rules
• Certification Schemes: Appropriate certification schemes, codes of conduct, and industry standards where applicable
• Specific Derogations: In limited cases, transfers based on specific derogations under Article 49 GDPR (e.g., with your explicit consent)

Google Services: When using Google Ads and related services, data may be processed in Google's global infrastructure. Google maintains comprehensive international data transfer mechanisms and has received adequacy decisions for some regions.

You may request detailed information about the specific safeguards in place for international transfers by contacting us using the information provided in the "Contact Us" section below.

5. Data Security Measures

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Technical Safeguards

• Encryption: Data encryption in transit using TLS 1.3+ and at rest using AES-256 or equivalent encryption standards
• Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege access
• Network Security: Firewalls, intrusion detection and prevention systems, and regular security monitoring
• Secure Development: Secure coding practices, regular security testing, and vulnerability assessments
• Data Backup and Recovery: Encrypted backups and tested disaster recovery procedures

Organizational Safeguards

• Privacy by Design: Privacy considerations integrated into system design and business processes
• Employee Training: Regular privacy and security training for all employees with access to personal data
• Incident Response: Established procedures for detecting, investigating, and responding to security incidents
• Regular Audits: Periodic security audits, penetration testing, and compliance assessments
• Vendor Management: Due diligence and ongoing monitoring of third-party service providers

Important Note: While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security practices and respond promptly to any identified vulnerabilities.

6. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this Privacy Policy, to comply with legal obligations, or to establish, exercise, or defend legal claims:

• Account Data: Retained while your account is active and for up to 3 years after account closure for legal, tax, and business continuity purposes
• Campaign and Performance Data: Historical campaign data retained for up to 7 years to maintain service continuity, provide analytics, and meet potential audit requirements
• Communication Records: Customer correspondence and support communications retained for up to 3 years for quality assurance and legal compliance
• Financial and Billing Records: Billing, payment, and transaction information retained for up to 10 years to comply with tax, accounting, and financial regulations
• Marketing Consent Records: Records of marketing consent retained until consent is withdrawn, plus an additional 3 years for regulatory compliance and audit purposes
• Technical Logs and Analytics: Server logs, system analytics, and technical data typically retained for up to 12 months for security monitoring and system optimization
• Legal Hold Data: Data may be retained longer if required for ongoing legal proceedings, investigations, or regulatory inquiries

When personal data is no longer needed for the specified purposes, we securely delete or anonymize it using industry-standard data destruction methods. You can request deletion of your data at any time, subject to our legal obligations and legitimate business interests.

Automated Deletion: We have implemented automated systems to regularly review and delete data that has exceeded its retention period, ensuring compliance with our data minimization principles.

7. Your Rights as a Data Subject

Under the GDPR and other applicable data protection laws, you have comprehensive rights regarding your personal data:

Your Individual Rights

• Right of Access (Article 15 GDPR): Request confirmation of whether we process your personal data and obtain a copy of your data, along with information about processing purposes, categories of data, recipients, retention periods, and your other rights
• Right to Rectification (Article 16 GDPR): Request correction of inaccurate or incomplete personal data without undue delay
• Right to Erasure/Right to be Forgotten (Article 17 GDPR): Request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the original purpose, when you withdraw consent, or when the data has been unlawfully processed
• Right to Restrict Processing (Article 18 GDPR): Request limitation of processing in specific situations, such as when you contest the accuracy of the data or when processing is unlawful but you prefer restriction over deletion
• Right to Data Portability (Article 20 GDPR): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance
• Right to Object (Article 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes. You have an absolute right to object to direct marketing at any time
• Right to Withdraw Consent (Article 7(3) GDPR): Withdraw your consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal
• Rights Related to Automated Decision-Making (Article 22 GDPR): Right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you

How to Exercise Your Rights

To exercise any of these rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within one month of receipt, and we may extend this period by an additional two months if the request is complex or we receive numerous requests. We will inform you of any such extension and the reasons for it.

Identity Verification: To protect your privacy and security, we may need to verify your identity before processing your request. We may ask for additional information to confirm your identity and ensure we are responding to the correct individual.

Fees and Limitations

We do not charge fees for most requests to exercise your data subject rights. However, we may charge a reasonable fee for obviously unfounded, repetitive, or excessive requests. In such cases, we will inform you of the fee before processing your request.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws. The competent supervisory authority for AIMEY is:

Other EU Residents: If you are a resident of another EU member state, you may also lodge a complaint with the supervisory authority in your country of residence.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform, provide personalized content, and analyze usage patterns. Cookies are small text files stored on your device that help us provide and improve our services.

Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the platform to function properly, including authentication, security features, and basic functionality. These cookies cannot be disabled without affecting core platform operations
• Performance and Analytics Cookies: Help us understand how visitors interact with our platform by collecting anonymous analytics data about page views, user flows, and feature usage
• Functionality Cookies: Enable enhanced features and personalization based on your preferences, such as language settings, dashboard customizations, and saved preferences
• Marketing and Advertising Cookies: Used to deliver relevant advertisements, track the effectiveness of marketing campaigns, and provide personalized marketing content (with your consent)

Third-Party Cookies and Services

We also use third-party cookies from trusted partners and service providers:

• Google Analytics: For website and platform analytics, user behavior analysis, and performance optimization
• Google Ads and Conversion Tracking: For measuring the effectiveness of our advertising campaigns and optimizing ad performance
• Social Media Platforms: Integration with LinkedIn, Twitter, and other platforms for social sharing and marketing
• Customer Support Tools: Chat widgets and support platforms that may use cookies to enhance user experience

Managing Cookie Preferences

You have full control over your cookie preferences and can manage them through multiple methods:

• Cookie Banner: When you first visit our website, you can accept all cookies, reject non-essential cookies, or customize your preferences through our cookie settings banner
• Account Settings: Update your cookie preferences at any time through your account dashboard
• Browser Settings: Configure your browser to block, delete, or notify you about cookies. Note that disabling certain cookies may affect platform functionality
• Third-Party Opt-Out Tools: Use industry opt-out mechanisms like the Digital Advertising Alliance's opt-out tools or Google's Ad Settings

Cookie Duration: Session cookies are deleted when you close your browser, while persistent cookies remain on your device for a specified period or until manually deleted. We regularly review and minimize cookie duration based on necessity.

9. Children's Privacy

Our services are designed for businesses and are not intended for individuals under the age of 16 (or the minimum age for digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children without appropriate parental or guardian consent.

Age Verification: We may implement age verification mechanisms to ensure users meet the minimum age requirements for our services.

Parental Rights: If you are a parent or guardian and believe your child has provided us with personal data without appropriate consent, please contact us immediately using the information provided below. We will investigate and take appropriate action, including deleting the child's information if necessary.

Special Protections: In the rare cases where we may process data of individuals under 18 in a business context (e.g., employees of client companies), we implement additional safeguards and protections appropriate for younger individuals.

10. Additional Notices for Certain Regions

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request detailed information about the personal information we collect, use, disclose, and sell about you
• Right to Delete: Request deletion of personal information we have collected about you (subject to certain exceptions)
• Right to Opt-Out of Sale/Sharing: We do not sell personal information in the traditional sense, but you can opt out of certain data sharing practices
• Right to Correct: Request correction of inaccurate personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Limit Use of Sensitive Personal Information: Request limits on our use of sensitive personal information

United Kingdom Residents (UK GDPR)

If you are a UK resident, you have rights under the UK GDPR and Data Protection Act 2018, which are substantially similar to those outlined in the EU GDPR section above. The UK's supervisory authority is the Information Commissioner's Office (ICO).

Canada (PIPEDA)

For Canadian residents, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

Australia (Privacy Act)

For Australian residents, we comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs).

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes that affect your rights or our data processing practices, we will:

• Email Notification: Notify you via email if you have an account with us, at least 30 days before the changes take effect
• Website Notice: Post a prominent notice on our website and platform
• In-Platform Notifications: Display notifications within our platform to inform active users
• Version Control: Update the "Last Updated" date at the top of this policy and maintain version history
• Consent Re-confirmation: For significant changes affecting consent-based processing, we may seek renewed consent where required by law

Continued Use: Your continued use of our services after the updated Privacy Policy becomes effective constitutes acceptance of the changes. If you do not agree with the updated policy, you may discontinue use of our services and request deletion of your data.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information and any changes to our practices.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your privacy rights, please contact us using the information below:

Data Protection Officer

While we are not legally required to appoint a Data Protection Officer under current GDPR requirements based on our business model and data processing activities, you can direct any data protection inquiries to our privacy team at privacy@echomotion.de. We have designated internal privacy specialists who are responsible for data protection compliance and can assist with your inquiries.

Response Times and Communication

Standard Response Time: We aim to respond to all privacy-related inquiries within 30 days of receipt. For complex requests requiring extensive investigation or involving multiple systems, we may extend this period and will inform you of any delays and the reasons for them.

Urgent Privacy Matters: For urgent privacy concerns, such as suspected data breaches or unauthorized access to your account, please contact us immediately at privacy@echomotion.de with "URGENT PRIVACY MATTER" in the subject line.

Language and Accessibility: We can communicate with you in English or German. If you need assistance in another language or have accessibility requirements, please let us know and we will make reasonable efforts to accommodate your needs.