Privacy policy

Data controller

• Controller: RAFFALLI Laurent Bernard, individual entrepreneur.
• Address: 47 RUE Vivienne, 75002 Paris, France.
• SIREN: 521 250 183.
• Privacy contact: privacy@getadspark.com.

Data we collect

• Account data: name, email, session identifiers, language and professional profile information.
• OAuth connection data: connected social account identifier, public name, authorized scopes, connection and expiry dates, access and refresh tokens where required.
• Content data: drafts, posts, media, calendars, AI-generated variants, links and related statistics.
• Usage data: in-app actions, technical errors, security logs, IP address, browser and timestamps.
• Billing data: plan, subscription status, payment references and invoices when paid plans are enabled.

Purposes and legal bases

• Provide the AdSpark service and perform the contract with the user.
• Connect social accounts through OAuth with the user's explicit consent.
• Publish, schedule and track content approved by the user.
• Measure performance, detect errors and secure the application based on legitimate interest.
• Manage billing and accounting obligations based on legal obligations.
• Send product or marketing communications where the user consented or can opt out.

Social accounts, OAuth and tokens

AdSpark never asks for third-party platform passwords. Connections to Facebook, Instagram, LinkedIn, Google Business Profile or other platforms use OAuth or the official authorization mechanism of the platform. Tokens are used only for actions authorized by the user, such as listing a connected account, publishing approved content, retrieving status or reading authorized analytics. Tokens are stored securely, encrypted at rest where technically applicable, and are never intentionally logged in clear text.

Processors

• Application hosting and backend providers: website hosting, database, server functions and required technical services.
• Social publication infrastructure provider: selected social connections, scheduling and multi-network publication.
• AI generation or orchestration providers: assistance with text or visual content creation.
• Payment provider: payments, subscriptions and invoicing.
• Monitoring provider: error diagnosis and technical supervision.
• Transactional email provider: service, security and support emails.
• Media storage provider: storage for images and files used in posts.

Connected social platforms

When the user connects or uses a social platform, certain data and content is sent to that platform to perform the requested action. Meta Platforms Ireland, LinkedIn Ireland, Google Ireland and other connected platforms act under their own privacy policies and terms.

International transfers

Some processors or platforms may process data outside the European Union. Where this happens, AdSpark relies on available mechanisms such as the Data Privacy Framework, Standard Contractual Clauses, or appropriate contractual and technical safeguards.

Retention periods

• User account: for the duration of service use.
• OAuth tokens: until disconnection, expiry, revocation or account deletion.
• Drafts and posts: for the duration of the account unless deleted by the user.
• Technical and security logs: up to 12 months unless required for security or legal reasons.
• Billing records: 10 years to comply with accounting obligations.
• Prospects and waitlist: up to 3 years after the last active contact.

Your rights

You may request access, rectification, erasure, restriction, portability or objection to the processing of your data. You may also withdraw consent where processing is based on consent. To exercise your rights, contact privacy@getadspark.com from the address linked to your account. We respond within 30 days unless the request is complex.

Security

• HTTPS on public pages and endpoints.
• Encryption of sensitive data where technically applicable.
• Access controls limited to what is strictly necessary.
• Webhook signature verification when platforms provide it.
• Security event logging without intentionally exposing tokens or secrets.
• Backups and incident response process.

Complaints

If you believe your rights are not respected, contact AdSpark at privacy@getadspark.com. You may also contact the French data protection authority, CNIL, at cnil.fr.