Last updated: 27 April 2026 · Version 1.0

Privacy Policy

1. Who we are

EuroAds is a software-as-a-service product operated by:

Filippos Skaronis
trading as EuroAds
Luxembourg, Luxembourg
Email: privacy@euroads.ai

For all questions about this Privacy Policy or how your personal data is handled, contact us at privacy@euroads.ai. We respond to all data protection enquiries within 30 days as required under Article 12(3) of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

In this Privacy Policy, “EuroAds”, “we”, “us”, and “our” refer to the entity above. “You” refers to any individual whose personal data we process. In practice, that means the people who sign up for and use the EuroAds service on behalf of a business.

2. Scope of this policy

EuroAds is a business-to-business service. Our customers are businesses, small and medium-sized businesses and freelance media buyers operating in the European Union, the European Economic Area, the United Kingdom, and Switzerland. The personal data we process is the data of the individuals who register for and use the service on behalf of those businesses, not the data of end consumers who may eventually see the advertisements our customers publish.

This Privacy Policy applies to the EuroAds website at euroads.ai, the EuroAds web application, and any related services we operate. It does not apply to third-party services you connect to EuroAds (such as Google Ads), those services have their own privacy policies, which govern their own processing of your data.

3. What personal data we collect

We collect the following categories of personal data:

Account information. Your email address and authentication credentials, collected when you create an EuroAds account.

Google Ads integration data. When you connect your Google Ads account to EuroAds, we receive OAuth tokens issued by Google, your Google Ads customer ID, and information about the Google Ads accounts you authorise us to access. OAuth tokens are stored encrypted at rest in our database.

Business information you provide. Business name, business website URL, business description, industry, target geographic markets, advertising goals, and any other information you enter into the EuroAds campaign creation flow.

Campaign content we generate. Advertising headlines, descriptions, keywords, budgets, and other campaign elements generated by our AI and reviewed or edited by you. We retain these to let you reference past campaigns and to improve the service.

Campaign performance data. When campaigns you publish through EuroAds run on Google Ads, we fetch performance data (impressions, clicks, spend, conversions) from the Google Ads API to display in your dashboard.

Agent activity logs. When our autonomous agent features take actions in your Google Ads account on your behalf, we log each action, the reasoning behind it, its reversibility status, and its outcome. These logs exist for transparency, debugging, and to allow you to review and reverse actions.

Audit reports. Automated analyses of your Google Ads account that we generate and store to display in your dashboard.

Billing data. Your Stripe customer ID and invoicing information. Your full payment details (card number, bank details) are handled and stored by Stripe; we do not see them or store them.

Preferences. Your language, theme, and display preferences.

Technical data. Standard web server logs including your IP address, browser type and version, operating system, referrer URL, and timestamps of your visits. Authentication session cookies and payment-processing cookies (see Section 10).

We do not collect special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation), and we ask you not to enter such data into any free-text field on EuroAds.

4. Why we collect it and on what legal basis

We process your personal data for the following purposes, each with a defined legal basis under Article 6 GDPR:

To provide the EuroAds service under our contract with you (Art. 6(1)(b) GDPR, performance of a contract). This covers creating and maintaining your account, processing your business information to generate campaigns, publishing campaigns to Google Ads on your instruction, fetching and displaying performance data, running the autonomous agent features you enable, and providing customer support.

To process payments and comply with tax and accounting law (Art. 6(1)(b) and Art. 6(1)(c) GDPR, contract performance and legal obligation). Billing, invoicing, and retention of invoicing records as required by Luxembourg tax law.

To operate, secure, and improve our service (Art. 6(1)(f) GDPR, legitimate interests). Technical logs, error monitoring, abuse prevention, and analysing aggregated usage to improve the product. Our legitimate interest is in running a reliable, secure service, and we have assessed this interest against your rights and freedoms.

To communicate with you about the service (Art. 6(1)(b) and Art. 6(1)(f) GDPR). Service-related emails (sign-up confirmation, billing, security notifications, important product changes) are sent on the basis of our contract with you. Marketing emails, if any, are sent only with your separate consent under Art. 6(1)(a) GDPR, and you can withdraw consent at any time.

To comply with legal obligations (Art. 6(1)(c) GDPR). Responding to lawful requests from regulators, tax authorities, or law enforcement, and retaining records where legally required.

5. Who we share your data with

We share your personal data only with the following categories of recipients, each acting as a data processor under a written data processing agreement with us:

Supabase Inc. Our database and authentication provider. Your account data, campaign data, and agent activity logs are stored in Supabase’s EU-West (Ireland) region. Supabase is based in the United States; EU-region data is stored on infrastructure located in Ireland. We have a Data Processing Agreement in place with Supabase that includes the European Commission’s Standard Contractual Clauses (SCCs) for any onward transfer.

Vercel Inc. Our hosting and deployment provider. Vercel serves the EuroAds application from EU-region edge infrastructure. Vercel is based in the United States; we have a Data Processing Agreement in place with Vercel that includes SCCs.

Stripe Payments Europe, Limited (Ireland). Our payment processor. Stripe processes billing data and payment information. Stripe acts as an independent controller for the payment-processing aspects and as our processor for customer management. Stripe’s own Privacy Policy applies: https://stripe.com/privacy.

Anthropic PBC. Our AI provider. When you create a campaign or request an audit, we send the relevant business information you provided (business name, URL, description, target markets, advertising goals) to the Anthropic Claude API to generate keywords, headlines, descriptions, and audit narratives. Anthropic is based in the United States. We have a Data Processing Agreement in place with Anthropic that includes SCCs. Anthropic retains API prompt and output data for up to 30 days for trust, safety, and abuse-prevention purposes, after which it is deleted. We have opted out of the use of your data for training Anthropic’s models. We do not intentionally send directly-identifying personal data (such as your name or email address) to Anthropic, though business-context information sent to generate campaigns may incidentally contain personal data if you include it.

Google Ireland Limited. For the Google Ads API integration. When you authorise EuroAds to access your Google Ads account, data flows both ways: we send campaign instructions to Google, and we receive performance data and account information from Google. Google acts as an independent controller for your Google Ads account data. Google’s Privacy Policy applies: https://policies.google.com/privacy.

We do not sell your personal data. We do not share your personal data with advertising networks, data brokers, or any third party for their own marketing purposes.

We may disclose your personal data where legally required, for example, in response to a valid order from a court or regulator, or where we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International transfers

Some of our processors (Supabase, Vercel, Anthropic) are based in the United States, even where the data itself is stored on EU-region infrastructure. Each transfer of personal data outside the European Economic Area is covered by the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), along with supplementary measures where appropriate, so that your personal data benefits from an adequate level of protection as required by Chapter V of the GDPR.

You can request a copy of the safeguards in place for any specific transfer by contacting us at privacy@euroads.ai.

7. How long we keep your data

We retain personal data only for as long as necessary for the purposes described above, subject to the following retention periods:

Category of data	Retention period
Account information (email, authentication)	For the life of your account. On account deletion, deleted within 30 days of your request.
Google Ads OAuth tokens	Until you disconnect the integration, delete your account, or revoke authorisation in Google; deleted within 30 days thereafter.
Business information and campaign content	24 months after your last activity, then deleted. Deleted within 30 days of account deletion request.
Campaign performance data	24 months after the campaign ended, then deleted.
Agent activity logs	12 months from the date of the action, then deleted.
Audit reports	24 months from generation, then deleted.
Billing records and invoices	10 years, as required by Luxembourg tax law (Article 17 of the Luxembourg VAT Law and general accounting retention rules).
Technical server logs	12 months, then deleted or anonymised.
Customer support correspondence	3 years from the last contact, then deleted.

Where you exercise your right to erasure (see Section 8), we delete your personal data within 30 days except where retention is legally required (for example, for invoicing records). In such cases we will restrict further processing to what is strictly necessary to comply with the legal obligation.

8. Your rights

Under Chapter III of the GDPR, you have the following rights in respect of your personal data. These rights are free to exercise.

Right of access (Art. 15), to obtain confirmation of whether we process your personal data, a copy of that data, and information about how we process it.
Right to rectification (Art. 16), to have inaccurate or incomplete personal data about you corrected.
Right to erasure (Art. 17), the “right to be forgotten”, to have your personal data deleted, subject to the exceptions set out in that Article.
Right to restriction of processing (Art. 18), to have processing of your personal data limited in specific circumstances.
Right to data portability (Art. 20), to receive your personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
Right to object (Art. 21), to object to processing based on our legitimate interests (Art. 6(1)(f)).
Right to withdraw consent (Art. 7(3)), where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
Right not to be subject to automated individual decision-making (Art. 22). See Section 9.

To exercise any of these rights, contact us at privacy@euroads.ai. We will respond within 30 days. We may need to verify your identity before fulfilling your request, typically by confirming you control the email address on the account.

In addition, EuroAds provides self-service mechanisms within the product:

Data export. You can download a copy of your account data and campaign history from your account settings.
Account deletion. You can delete your account from your account settings; this triggers deletion of your personal data within 30 days, subject to legally-required retention.
Google integration disconnection. You can disconnect your Google Ads account from EuroAds at any time from your integration settings; disconnecting immediately revokes our access tokens.

Your right to lodge a complaint.

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. Because EuroAds is established in Luxembourg, our lead supervisory authority is:

Commission nationale pour la protection des données (CNPD)
15, boulevard du Jazz
L-4370 Belvaux, Luxembourg
Website: https://cnpd.public.lu
Phone: +352 26 10 60 1

You may also lodge a complaint with the supervisory authority of your country of residence or the place of the alleged infringement.

9. Automated decision-making and AI processing

EuroAds uses artificial intelligence, specifically the Anthropic Claude large language model, to generate campaign content (keywords, headlines, descriptions) and to produce automated audit reports of your Google Ads account. You are informed of this processing, you review and approve AI-generated output before it is published, and you retain final authority over whether to publish any campaign.

EuroAds also offers autonomous agent features (“Philip”) that, where you enable them, take actions in your Google Ads account on your behalf, such as adjusting budgets, pausing underperforming ads, or proposing new campaigns. For every such action we log the decision and its reasoning, expose it to you through the agent activity log, and allow you to reverse it where reversible.

These processes do not constitute automated individual decision-making in the sense of Article 22 GDPR, because (a) the service is offered to you in your capacity as a business representative rather than in a purely personal capacity, (b) AI outputs are reviewed and confirmed by you before publication in the campaign-creation flow, and (c) the autonomous agent operates within scopes you explicitly authorise, under your supervision, with full logging and reversibility. Nonetheless, if you wish to object to any specific automated processing, you may do so at any time by contacting us at privacy@euroads.ai.

10. Cookies and similar technologies

EuroAds uses only strictly necessary cookies. We do not use analytics, advertising, or tracking cookies. Specifically:

Authentication cookies set by Supabase Auth, used to keep you logged in. These cookies are essential for the service to function, without them, you cannot maintain a session. Legal basis: Article 5(3) of the ePrivacy Directive (2002/58/EC as amended), which permits cookies strictly necessary for the provision of a service explicitly requested by the user.

Payment cookies set by Stripe during checkout, used for fraud prevention and secure payment processing. These are similarly strictly necessary.

Because we only use strictly necessary cookies, we do not display a cookie consent banner. If we introduce non-essential cookies in the future (for example, analytics), we will update this Privacy Policy and implement appropriate consent mechanisms before doing so.

You can block or delete cookies in your browser settings, but doing so will prevent you from logging in or completing payment.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, as required by Article 32 GDPR. These include encryption in transit (TLS) for all connections to our service, encryption at rest for OAuth tokens and other sensitive fields in our database, access controls limiting employee access to personal data, isolated production infrastructure, and Supabase Row-Level Security to enforce strict data isolation between customer accounts.

No security measure is perfect. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours as required by Article 33 GDPR, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by Article 34 GDPR.

12. Children

EuroAds is not directed at children. The service is offered only to businesses and to individuals aged 18 or over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact privacy@euroads.ai and we will delete it.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates when the policy was last revised. For material changes, for example, introducing a new processor, a new category of data, or a change in legal basis, we will notify you in advance by email, through the service, or both, and give you a reasonable opportunity to review the changes before they take effect.

Prior versions of this Privacy Policy are available on request.

14. Contact

For all questions about this Privacy Policy, to exercise your rights, or to raise any concern about how we process your personal data:

Email: privacy@euroads.ai
Postal: Filippos Skaronis, Luxembourg, Luxembourg

This Privacy Policy is published in English. Translations into German, French, Dutch, and Spanish are provided for convenience. In the event of any conflict between the English version and a translation, the English version prevails.