Privacy Policy

The controller of your personal data is Space Ads Sp. z o.o., spółka z ograniczoną odpowiedzialnością, registered office in Warszawa (Plac Bankowy 2, 00-095 Warszawa, Polska), Polish VAT ID PL5252938464, REGON 524125730, KRS 0001011955 (the "Controller" or "we").

Contact for data-protection matters: support@spaceads.agency or by post to the registered office.

We have not appointed a Data Protection Officer (DPO) — we do not meet the criteria of GDPR art. 37(1). Please direct all data-protection enquiries to the address in §1.

• Contact data: e-mail address;
• Invoice data: full name (B2C) or company name (B2B), VAT-ID, REGON, address (street, postcode, city, country);
• Transaction data: order history, amounts, currency, payment status, invoice data, payment-operator identifiers;
• Technical data: IP, User-Agent, session id, short UA fingerprint hash, consent timestamps;
• IP-derived country (country-level geolocation performed at the hosting provider's edge) — used to (a) prefill the "country" field at checkout, (b) serve as a non-contradictory location-evidence piece under Council Implementing Regulation (EU) 282/2011 art. 24f, and (c) determine the correct VAT rate / place of supply — in particular, where a declared non-EU country contradicts an IP country pointing to the EU, we apply the VAT rate of the country indicated by the location evidence (your gross price is unchanged). We retain both your self-declared country (shown as the buyer address on the invoice) and the detected one, for tax, accounting and audit purposes;
• Product and access data: purchased products, download timestamps, course progress;
• Cookie data — see the Cookie Policy.

Where processing rests on GDPR art. 6(1)(f), our legitimate interests are:

• defence against and pursuit of legal claims;
• Store security and abuse detection (e.g. payment-fraud prevention);
• internal operational analytics for management.

Your data may be disclosed to the following categories of recipients, acting solely on our instructions and under data-processing agreements:

• Vercel Inc. (USA) — web application hosting;
• Neon Inc. (USA, processing region: Frankfurt, EU) — Postgres database;
• Stripe Payments Europe Ltd. (Ireland, transfers to USA) — the sole payment operator on both markets (PL: card, BLIK, Przelewy24 via Stripe);
• InFakt sp. z o.o. (Poland) — invoice issuance;
• SMTP provider — transactional e-mail delivery;
• Accounting firm — bookkeeping under DPA;
• Legal / tax advisors — under professional secrecy.

Only with your consent (cookie banner), usage data — online identifiers and on-site events — is shared with our analytics and advertising providers (GDPR art. 6(1)(a)). On purchase, to improve conversion matching and only if you have consented to sharing user data for advertising purposes, we additionally share selected contact and billing data in irreversibly hashed (SHA-256) form — the scope depends on the provider:

• Google Ireland Ltd. / Google LLC (Ireland / USA) — Google Analytics 4 (statistics) and Google Ads (conversion measurement, remarketing); on purchase, hashed: e-mail address, phone number, first and last name, and address data (street, city, region, postal code, country);
• Meta Platforms Ireland Ltd. (Ireland, transfers to USA) — Meta Pixel and Conversions API (remarketing, conversion measurement); on purchase, hashed: e-mail address, phone number, first and last name, city, postal code and country;
• TikTok Technology Ltd. (Ireland, possible transfers outside the EEA) — TikTok Pixel and Events API (remarketing, conversion measurement); on purchase, hashed: e-mail address and phone number;
• Microsoft Ireland Operations Ltd. (Ireland, transfers to USA) — Microsoft Clarity (anonymised session recordings, heatmaps).

You can withdraw consent anytime ("Cookie settings" link in the footer) — see the Cookie Policy for details.

Data may also be disclosed to public authorities (e.g. tax office, prosecutor) where such disclosure is mandatory.

OAuth federation partners (independent controllers). When a Space Ads OS subscriber authorizes the CLI to access their advertising accounts, the OAuth dance runs against the following providers in their capacity as independent data controllers (we receive an access token, we do not become a sub-processor of those providers):

• Meta Platforms Ireland Ltd. — Facebook Login for Business → Meta Marketing API. Permissions requested: ads_read, ads_management, business_management. Tokens are issued as non-expiring System User access tokens tied to the subscriber's Business Portfolio.
• TikTok Information Technologies UK Ltd. — TikTok Marketing API authorization. Permissions requested: Ad Account Management, Ads Management, Audience Management, Reporting, Measurement, Creative Management, Pixel Management. Tokens are non-expiring for verified Marketing API apps.
• Google LLC / Google Ireland Ltd. — Google OAuth for Google Analytics Data API and Admin API. Permission requested: a single read-only scope https://www.googleapis.com/auth/analytics.readonly. Access tokens expire after one hour and are refreshed server-side (see §15.2).

Subscribers can revoke any of these authorizations at any time directly with the provider — Meta Business Manager → Business Tools, TikTok Business Center → Members → Apps, or Google Account → Security → Third-party access — independently of their Space Ads OS subscription.

AI processor — operator's own choice, outside the product boundary. Space Ads OS Academy is a standalone Python CLI. It does not bundle, embed, host, or operate any AI model. The Controller is not an AI processor of the operator's data and does not transmit data to any AI provider on the operator's behalf.

The product does ship a set of slash-command definitions and agent prompts in .claude/commands/ and .claude/agents/ that an AI coding assistant — typically Claude Code by Anthropic PBC — can read in order to drive the CLI conversationally. We recommend Claude Code because it is the agent we test against, but it is not bundled. If the operator chooses to install Claude Code (or any equivalent third-party LLM agent) and use it to drive the CLI, the output of CLI commands is sent into that agent's LLM context as a tool result so the model can produce analyses and recommendations for the operator. This transmission is initiated by the operator each time they issue a command in the agent; it does not pass through the Controller's servers, and the Controller is not a party to the agent's data-processing terms.

When the chosen agent is Claude Code, the transmission is governed by Anthropic's Commercial Terms (anthropic.com/legal/commercial-terms). In particular, Anthropic does not use the operator's inputs or outputs to train its models, retains transmitted content for a limited period for trust-and-safety review (30 days by default, configurable to zero for enterprise accounts), and does not share the content with third parties. The operator can equally well drive the CLI through any other compatible agent on their own terms — or run the CLI in bare-shell mode with no AI agent at all, in which case no data leaves the operator's machine beyond the OAuth federations and license verification listed above.

Some sub-processors (Vercel, Neon, Stripe — and, with your consent, Google, Meta, TikTok and Microsoft) are established or process data in the USA or other third countries. Transfers take place on the basis of:

• EU-US Data Privacy Framework (Commission decision of 10 July 2023), where the recipient is enrolled, or
• Standard Contractual Clauses (Commission Implementing Decision 2021/914), supplemented by a Transfer Impact Assessment per EDPB guidance.

Specific safeguards for individual processors are available on request at support@spaceads.agency.

• access (GDPR art. 15);
• rectification (art. 16);
• erasure — "right to be forgotten" (art. 17), subject to retention obligations (e.g. invoices — 5 years);
• restriction (art. 18);
• portability (art. 20) — based on consent or contract;
• objection to processing based on legitimate interests (art. 21);
• consent withdrawal at any time (art. 7(3));
• complaint to the Polish PUODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

To exercise these rights please write to support@spaceads.agency. We respond within one month at the latest (GDPR art. 12(3)), extendable by up to two months in complex cases.

Providing the data necessary to conclude and perform the Sales Contract (e-mail, invoice data) is a contractual requirement. Other data (e.g. marketing consent) are voluntary.

We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you (GDPR art. 22). Stripe may apply automated fraud-detection systems necessary to process payments — see Stripe's privacy policy.

We apply technical and organisational measures appropriate to the risk:

• TLS 1.2+ encryption;
• encryption at rest at Neon;
• role-based access control (RBAC);
• regular log audits;
• append-only logs for administrative actions.

The Store uses cookies described in detail in the Cookie Policy. Cookies necessary for the Store (session, cart, currency preference) do not require consent. Analytical and marketing cookies are used only with your consent through the cookie banner.

We may update this policy to reflect legal or operational changes. Material changes are announced 14 days in advance. Archived versions available on request.

Matters not regulated herein are governed by GDPR, the Polish Personal Data Protection Act of 10 May 2018, USDE and the Polish Telecommunications Act.

This section applies only to subscribers of Space Ads OS (the CLI is installed locally on the customer's machine). It describes the data flow between the CLI and the Controller's license system.

15.1 License verification

Every CLI invocation sends three items to academy.spaceads.agency/api/license/verify:

• License key — the Controller stores only the SHA-256 hash; the cleartext key is never persisted server-side beyond the moment of issuance.
• Hardware fingerprint — irreversible SHA-256 over OS, architecture and machine ID; used purely as a soft fraud heuristic (count of distinct devices), never blocks execution and cannot identify the hardware.
• CLI version — text field (e.g. 0.1.0) used to surface update availability.

Purpose: contract performance (Art. 6(1)(b) GDPR). Retention: up to 12 months after subscription expiry for accounting and security reasons.

15.2 OAuth tokens (Meta, TikTok, Google Analytics 4)

The customer authorizes ad-account / analytics access through the Controller's OAuth bridge at oauth.spaceads.agency. Access tokens (and where issued by the provider, refresh tokens) are encrypted with AES-256-GCM using a server-side key (VAULT_ENCRYPTION_KEY) and stored in the oauth_vault database row tied to the license identifier and the customer's per-client slug. Plaintext tokens exist only:

• in server memory during the authorization-code exchange and during a server-side refresh (see below);
• in the customer's CLI process memory between the moment they are returned by GET /api/account/credentials/<channel> and the moment the ad-platform API call completes (typically seconds; in-process cache 5 minutes).

Plaintext tokens are never written to the customer's disk by the CLI. The encrypted vault row at the academy is the single canonical store. A redundant AES-256-GCM-encrypted mirror at clients/<slug>/credentials/<channel>.json.enc is written by the setup wizard solely to allow license-recovery after a server-side data loss; it is not consulted by the runtime client.

Server-side refresh (GA4). Google Analytics access tokens expire after one hour. The CLI does not hold the GCP client_secret (only the academy does), so refresh runs server-side: the credentials endpoint, before returning tokens to an authenticated CLI request, checks the stored expiry and — if less than five minutes remain — calls oauth2.googleapis.com/token with the stored refresh_token and client_secret, persists the new access_token and expiry, and returns the refreshed credential. Refresh runs lazily, only on credentials fetches when the token is near expiry. Meta and TikTok issue non-expiring tokens and skip refresh entirely.

The Controller can technically decrypt tokens (the Controller holds the key) but does not do so outside (i) the proactive-refresh path described above and (ii) customer-initiated support. Permissions can be revoked at any time inside Meta Business Manager / TikTok Business Center / Google Account → Third-party access — independently of the subscription.

The customer retains full ownership of the underlying ad accounts and analytics properties. The Controller never assumes ad-account access in its own name and never uses the tokens for any purpose other than executing the customer's own instructions through the CLI.

15.3 Brand-extractor (web scraping the customer's website or their clients')

The /spaceads-brand command fetches public assets from the URL the user provides. The CLI:

• identifies itself with the User-Agent spaceads-os-brand-extractor/<version>;
• honors the source site's robots.txt and X-Robots-Tag headers;
• fetches only the URL the user supplied (no domain crawl) and saves the result locally to brief.yaml.brand_system;
• does not transmit page content to the Controller's servers.

15.4 Telemetry (opt-in)

CLI telemetry is off by default. With explicit customer opt-in (SPACEADS_TELEMETRY=on environment variable) only the following are sent:

• CLI version,
• OS family (macOS / Linux / Windows),
• command name,
• outcome class (success / error category X).

Telemetry does not contain ad-account identifiers, the customer's end-client data, creative content or report content. It can be turned off at any time by setting SPACEADS_TELEMETRY=off.

15.5 Local customer data

The files clients/<slug>/brief.yaml, voice.md, credentials/, logs/<channel>_changes.jsonl and generated reports stay solely on the customer's disk. Cancellation blocks CLI execution at the next billing cycle but does not delete any local files.

15.6 Limited Use of OAuth data & retention

The Controller commits to Limited Use of all data obtained through the OAuth federations described in §6 and §15.2. Specifically, OAuth-derived data — including ad-account metadata, campaign / ad-set / ad / creative content, performance metrics, audience definitions, conversion data, and Google Analytics 4 reports — is:

• used solely to perform the Customer's own instructions through the CLI (read diagnostics, propose changes, execute confirmed mutations, generate reports);
• never used for advertising;
• never used by the Controller, and per Anthropic's Commercial Terms not used by Anthropic either, to develop, train, fine-tune or otherwise improve any machine-learning or generative AI model;
• never sold, transferred, or otherwise made available to any data broker, advertising network, or other commercial third party;
• never disclosed to humans by the Controller except (i) as strictly necessary for customer-initiated support with the Customer's consent, (ii) to comply with a legally binding request, or (iii) where required to protect against fraud or material security risks.

Operator-driven inference through a separately installed AI agent. The Controller does not bundle, host, or operate an AI model and does not transmit the operator's data to any AI provider. The CLI is a standalone Python toolkit. The operator may, on their own initiative, install an AI coding agent — typically Claude Code by Anthropic — and use it to drive the CLI conversationally. When they do, the output of each CLI command is sent by the agent into the LLM context so the model can produce an analysis or recommendation for the operator. This is inference (using a pre-trained model to interpret the operator's data on the operator's instruction) — distinct from model training, fine-tuning, or improvement, all of which are excluded above. The transmission happens between the operator's machine and the agent provider; it does not pass through the Controller. Anthropic, the provider of Claude Code, contractually undertakes not to use such content for model training and applies a short retention window for trust-and-safety review only. The operator can run the CLI in bare-shell mode without any AI agent if no third-party AI processing is desired. See §6 for the full disclosure.

This commitment is the Controller's undertaking under the Google API Services User Data Policy (Limited Use clauses), Meta Platform Terms (Section 3) and the TikTok Marketing API Terms.

Token deletion and revocation. Control over the stored OAuth tokens:

• the Customer can disconnect any integration at any time in the account panel (Settings → Integrations) — the encrypted oauth_vault row is deleted immediately, and the CLI can no longer fetch that channel's token;
• the tokens are likewise deleted when the Customer deletes their account (the RODO Art. 17 erase flow);
• the Customer may also request deletion by emailing support@spaceads.agency;
• revocation can additionally be performed directly with the provider (Meta / TikTok / Google), independently of the subscription.