AdAutomatonPrivacy Policy
This Privacy Policy explains how YBC, s.r.o. (“YBC,” “we,” “us”) collects, uses, shares, and protects personal data when you use AdAutomaton (the “Service”). We process personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”) and applicable Czech law.
1.Who we are & scope
YBC is the controller of personal data processed through the Service. This Policy covers our website adautomaton.com and the AdAutomaton application. Where you use the Service to process information about your own customers or audience, you are the controller of that information and we act as your processor; in that case our processing is also governed by our agreement with you (a data-processing agreement is available on request).
2.Data we collect
| Category | Examples |
|---|---|
| Account & identity | Name, work email, hashed password, workspace/organisation name, your role (Admin/Editor/Viewer), invitations. |
| Content you provide | Product information, documents and images you upload, brand and persona details, topics, URLs, prompts, and settings. |
| Generated content | Scripts, videos, voiceovers, captions, and posts the Service creates from your content. |
| Connected accounts | Authorisation (OAuth) tokens and basic profile/channel identifiers for platforms you link (TikTok, Instagram/Meta, YouTube/Google, X), used to publish and read metrics on your behalf. |
| Performance data | Views, likes, and comments retrieved from platforms where you published. |
| Billing | Top-up amounts, usage and cost records, invoices and tax details, and payment metadata (card payments are handled by our payment provider; we do not store full card numbers). |
| Technical & usage | IP address, browser/user-agent, timestamps, audit and security logs, and a session cookie. |
3.How & why we use it (legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide, operate, and support the Service; create accounts; generate, schedule, and publish content you request | Performance of a contract — Art. 6(1)(b) |
| Secure the Service, prevent fraud and abuse, debug, and improve our product | Legitimate interests — Art. 6(1)(f) |
| Service-related communications (e.g. invitations, password resets, important notices, optional digests) | Contract — Art. 6(1)(b); or legitimate interests — Art. 6(1)(f) |
| Issue invoices and keep accounting and tax records | Legal obligation — Art. 6(1)(c) |
| Any optional marketing or non-essential processing | Consent — Art. 6(1)(a), which you may withdraw at any time |
We do not sell your personal data, and we do not use it for advertising or cross-context behavioural tracking.
4.AI processing of your content
To generate content, the Service sends your Input Content (for example product information, prompts, and topics) to third-party AI providers that run the underlying language, image, video, and text-to-speech models. We instruct these providers to process the data only to provide the generation service to us. We do not control, and are not responsible for, any independent processing those providers carry out under their own terms. Please avoid submitting special categories of personal data or other sensitive information you do not want processed by AI providers.
5.Sub-processors & recipients
We share personal data with the following categories of recipients, under appropriate contracts (including data-processing agreements where required):
| Recipient | Purpose | Location |
|---|---|---|
| Anthropic | AI language model — scripts, copy, personas, competitor research | USA |
| Replicate | AI image, video, and voice (text-to-speech) generation | USA |
| GoPay s.r.o. | Payment processing | Czech Republic / EU |
| Email delivery provider | Transactional emails (invitations, resets, notices) | [provider / region] |
| Hosting & infrastructure | Application hosting and storage | [provider / region] |
| Connected platforms (TikTok, Meta, Google/YouTube, X) | Publishing and metrics, when you choose to connect and publish | USA / global |
We may also disclose data to professional advisers, or to authorities and courts where required by law or to protect our rights. If we are involved in a merger or sale, data may transfer to the successor under this Policy.
An up-to-date list of sub-processors is available on request at [email protected].
6.International transfers
Some recipients (such as our AI providers) are located outside the European Economic Area, including in the United States. Where we transfer personal data outside the EEA, we rely on an appropriate safeguard under the GDPR — typically the European Commission’s Standard Contractual Clauses, or an adequacy decision where one applies. You can request a copy of the relevant safeguard at [email protected].
7.Cookies
We use a single essential session cookie to keep you signed in. It is strictly necessary to operate
the Service, is set with HttpOnly and SameSite=Lax attributes (and Secure over
HTTPS), and is not used for analytics, profiling, or advertising. Because we use only strictly necessary cookies, no
consent banner is required. You can clear cookies in your browser, but the Service will not function without the
session cookie.
8.Retention
- Account & content — kept while your account is active, and deleted within [e.g. 30–90 days] after you close it, unless a longer period is required by law.
- Connected-account tokens — kept until you disconnect the platform or close your account.
- Invoices & accounting records — retained for the period required by Czech accounting and tax law (generally up to 10 years).
- Security & audit logs — kept for a limited period ([e.g. up to 12 months]) for security and troubleshooting.
9.Your rights
Subject to the GDPR, you have the right to: access your personal data; have it rectified; have it erased; restrict or object to processing; data portability; and to withdraw consent at any time where processing is based on consent (without affecting prior processing). Where we act as your processor, please direct individuals’ requests to you as controller; we will assist you in responding.
To exercise your rights, email [email protected]. We will respond within the time limits set by the GDPR. You also have the right to lodge a complaint with a supervisory authority (see section 13).
10.Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), storing passwords only in hashed form, access controls and role-based permissions, and protection of secrets and tokens. No system is perfectly secure; we cannot guarantee absolute security, and you are responsible for keeping your credentials safe. We will notify you and the competent authority of a personal-data breach where required by law.
11.Children
The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us data, contact us and we will delete it.
12.Changes to this Policy
We may update this Policy from time to time. If a change is material, we will give reasonable notice (for example by email or in-app) before it takes effect. The “Last updated” date above shows the latest revision.
13.Contact & complaints
For privacy questions or to exercise your rights, contact YBC, s.r.o. at [email protected].
If you are in the EU and believe we have not handled your data lawfully, you may lodge a complaint with your local supervisory authority. In the Czech Republic this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Praha 7, uoou.gov.cz.