Privacy Policy

1. Introduction

Adlio ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Adlio, our SaaS platform for bulk-uploading ads into Meta Ads Manager. We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Information We Collect

We collect information that you provide directly to us, including:

• Account Information: Your email and name when you create an account or sign in with Facebook or Google
• Meta / Facebook Data: The access token, identifiers and selections described in the section below
• Ad Content & Settings: The media you upload (images, videos), together with ad copy, naming, UTM parameters and advertiser identity
• Payment Information: Billing details processed securely through Stripe (we do not store full payment card details)
• Usage Data: Information about how you interact with the Service, including features used and upload history

Automatically Collected Information:

• IP address and approximate location
• Browser type and device information
• Pages visited and time spent on the Service
• Referring website or source

Connecting Your Facebook / Meta Account

Adlio integrates with Meta (Facebook & Instagram) so you can bulk-upload ad creatives into Meta Ads Manager. When you connect your account, we receive and store the following data from Meta:

• An encrypted, long-lived Facebook access token, plus your Facebook user ID, name and the permissions you granted.
• The Facebook Page, Instagram account and Meta Pixel you choose for your ads.
• Your ad-account identifiers and the defaults you configure (ad copy, naming, UTM parameters and EU advertiser identity).
• A history of your uploads, including campaign, ad set, creative and ad IDs and media references.

We use this data solely to create and manage the ads you upload through Adlio; we never sell it. Your Facebook access token is encrypted at rest (AES-256-GCM) and is only used to call Meta’s Marketing API on your behalf.

You can disconnect Meta or delete all of your data at any time — see our Data Deletion page.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain and improve our ad-upload service
• Ad Creation: To build and manage the campaigns, ad sets, creatives and ads you upload, by calling the Meta Marketing API on your behalf
• Account Management: To create and manage your account, process payments, and communicate with you
• Service Improvement: To analyze usage patterns and improve our Service
• Security: To detect and prevent fraud, abuse, and security issues
• Legal Compliance: To comply with legal obligations and enforce our Terms of Service

4. How We Handle Your Media and Ad Data

When you use Adlio, your uploaded media and settings are used to create ads in your Meta ad account. Important information about this processing:

• Media you upload is stored (in Supabase Storage) so it can be transmitted to Meta when building your ads
• We do not use your media or ad content to train any AI models
• Your media and upload history remain in your account until you delete them or close your account
• Ads are always created in a paused state; we never publish or spend on your behalf

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our Service to you
• Legitimate Interests: For security, fraud prevention, and service improvement
• Legal Obligation: To comply with applicable laws and regulations
• Consent: Where you have given consent, for example for non-essential analytics and advertising cookies

6. Information Sharing and Sub-processors

We do not sell, trade or rent your personal information. We share data only with the trusted providers that help us run the Service, and only as needed:

• Infrastructure & Processing: Supabase (database, authentication and media storage), Vercel (hosting), and Stripe (payments)
• Meta Platforms: We send the media and ad data you choose to upload to Meta in order to create your ads
• Analytics: OpenPanel, Microsoft Clarity and the Meta Pixel help us understand product usage and improve our advertising (see Cookies below)
• Legal & Business Transfers: When required by law, court order or government request, or in connection with a merger, acquisition or sale of assets

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Your encrypted Facebook access token is kept until you disconnect Meta or it expires (Facebook user tokens typically expire after around 60 days). Uploaded media and upload history are retained in your account until you delete them. We may retain certain information after account deletion for legal compliance, dispute resolution or legitimate business purposes.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including encryption in transit and at rest, access controls and regular review. Your Facebook access token is encrypted at rest using AES-256-GCM. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

9. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, please contact us at privacy@adlio.ai

10. International Data Transfers

Some of our providers (such as Stripe, Vercel, Microsoft and Meta) may process data in countries outside the EEA, including the United States. Where this happens, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and EU-U.S. Data Privacy Framework certifications where applicable.

11. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

• Essential: session and authentication cookies (via Supabase) that are required for you to sign in and use the Service
• Analytics: OpenPanel, a privacy-friendly analytics tool served from our own domain, to measure product usage
• Product analytics & session replay: Microsoft Clarity, which records aggregated interaction and heatmap data to help us improve the interface
• Advertising: the Meta Pixel, which sets cookies and shares activity with Meta to measure and improve our own advertising

Essential cookies are necessary for the Service to function. Non-essential analytics and advertising technologies (Microsoft Clarity and the Meta Pixel) are used for our own measurement; you can control cookies through your browser settings, and we are rolling out a consent control for visitors in the EU. Disabling certain cookies may affect functionality.

12. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

14. Data Controller

Adlio is operated by:

• Company: Brodaro
• KvK Number: 87989700
• VAT Number: NL004519220B66
• Address: Klaproos 21, 7483AR Haaksbergen, Netherlands