Privacy Policy.

1. Scope

This Privacy Policy applies to personal information we collect when you:

• visit or use adalyst.app;
• create, access, or manage an Adalyst account;
• sign in using Google or Microsoft;
• connect any marketing, analytics, CRM, or data platform to your Adalyst account (including LinkedIn Ads, Google Ads, Google Analytics, HubSpot, Meta, Microsoft Ads, Salesforce, and BigQuery);
• upload spreadsheets, images, or other campaign-related content;
• purchase or manage a paid subscription; or
• contact us for support, security, or privacy matters.

This Privacy Policy does not apply to websites, applications, or services we do not own or control, including LinkedIn, Google, Microsoft, Meta, HubSpot, Salesforce, Stripe, and Resend. Those services are governed by their own privacy policies and terms.

2. Information We Collect

We collect the following categories of information.

a. Account Information

When you create an account, we collect your email address and account-related information needed to create, authenticate, and manage your account.

If you sign in using Google, we receive your Google account identifier and the information needed to support that authentication method, such as your email address. We do not store your Google password.

b. Connected Platform Data

When you connect a third-party platform to your Adalyst account, we store encrypted OAuth access tokens and refresh tokens so we can interact with that platform's API on your behalf. We never store or receive the passwords you use with the underlying platform.

Depending on the permissions you grant and the features you use, we may access and process the following categories of data from each connected platform:

LinkedIn Ads (LinkedIn Marketing API)

• ad accounts, campaigns, campaign groups, and ads;
• lead gen forms and their metadata;
• saved audiences and targeting criteria;
• campaign performance metrics, spend, and engagement data.

Google Ads

• ad accounts, campaigns, ad groups, and ads;
• keywords, search terms, and audience data;
• spend, conversions, and performance metrics.

Google Analytics

• property and stream identifiers;
• traffic, session, and acquisition data;
• conversion events and funnel metrics;
• aggregated audience and landing-page performance data.

HubSpot

• contact, company, and deal records relevant to pipeline analysis;
• lifecycle stages, lead scores, and activity timestamps;
• pipeline, deal-stage, and revenue attribution data;
• list and workflow metadata.

Meta (Facebook, Instagram Ads)

• ad accounts, campaigns, ad sets, and ads;
• audience data, spend, and performance metrics.

Microsoft Ads

• ad accounts, campaigns, ad groups, and ads;
• keywords, spend, conversions, and performance metrics.

Salesforce

• account, contact, lead, and opportunity records relevant to pipeline analysis;
• opportunity stages, revenue, and close-date data;
• campaign attribution and activity history.

BigQuery

• dataset and table metadata you authorise;
• query results from the specific datasets you map to Adalyst for analysis.

We only access data from platforms you explicitly connect, and only the scopes authorised through the provider's OAuth flow. You can review the scopes at the point of connection and revoke access at any time from the Adalyst connections page or from the provider's own account settings.

c. Uploaded Content

We collect and store the content you upload or submit through the Service, including:

• spreadsheets,
• image files,
• campaign configuration data, and
• other materials used for campaign creation, editing, or management.

Uploaded content is stored securely and associated with your account.

d. Payment and Subscription Information

We use Stripe to process payments. We store billing-related identifiers and subscription information needed to manage your account and subscription, such as:

• your Stripe customer ID,
• subscription ID,
• plan information, and
• limited billing or subscription status information.

We do not store your full credit card number, CVV, or full payment credentials. Payment information is processed by Stripe in accordance with Stripe's own privacy and security practices.

e. Usage and Operational Data

We collect limited usage and operational data needed to operate, secure, and administer the Service, including:

• the number of rows processed during a billing period for plan enforcement,
• records of campaign-related operations,
• audit logs, and
• related account activity needed for troubleshooting, security, and recordkeeping.

f. Communications

If you contact us, including by email or in connection with a support or privacy request, we may collect:

• the contents of your message,
• your contact details, and
• any other information you choose to provide.

g. Cookies and Similar Technologies

We use a strictly necessary session cookie to authenticate requests and keep you signed in. We may also use third-party analytics and advertising technologies as described in Section 8 of this Privacy Policy.

3. Information You Provide About Other People

The Service may allow you to upload or process content that includes information about other individuals, such as campaign-related or lead-related data.

You are responsible for ensuring that you have the necessary rights, permissions, notices, and legal basis to provide that information and instruct us to process it. We process that information only as needed to provide the Service, perform your instructions, and comply with our legal obligations.

4. How We Use Your Information

We use personal information for the following purposes:

• to provide, operate, maintain, and improve the Service;
• to create, authenticate, and manage your account;
• to connect to the third-party platforms you authorise (including ad platforms, analytics, CRM, and data warehouses) and perform read and write operations you request through their APIs;
• to read, correlate, and analyse data across your connected platforms to generate findings, actions, and weekly briefings;
• to store and process uploaded spreadsheets, images, and campaign-related files;
• to create, edit, manage, and maintain records of advertising campaigns on your behalf when you request it;
• to process billing, manage subscriptions, and enforce plan limits;
• to send transactional and service-related communications, including password resets, billing notices, security notices, and important service updates;
• to respond to support and privacy inquiries;
• to monitor usage, detect misuse, maintain audit logs, troubleshoot issues, and protect the security and integrity of the Service; and
• to comply with legal obligations and enforce our terms, policies, and agreements.

5. Aggregated and De-identified Data

Operational data, including ad platform data, CRM records, and account-level metadata, is isolated per organisation and is not shared with other customers. For product research, benchmarking, and recommendation quality, Adalyst may derive de-identified aggregate statistics across its customer base. These aggregates contain no company names, no personal data, and are suppressed below a minimum cohort size of five organisations.

Aggregates are used to improve the accuracy of the recommendations Adalyst surfaces to all customers and to support Adalyst’s internal product research.

Your organisation may opt out of benchmark contribution at any time by emailing privacy@adalyst.app. Opting out stops further contribution; it does not affect your access to benchmarks Adalyst has already produced.

6. Legal Bases for Processing

If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing personal information generally include:

• Performance of a contract: where processing is necessary to provide the Service you requested.
• Legitimate interests: such as operating and securing the Service, preventing abuse, enforcing plan limits, maintaining records, troubleshooting issues, and improving the Service.
• Consent: where required by law or where you choose to authorize optional processing or integrations.
• Legal obligation: where we must retain, use, or disclose information to comply with applicable law.

Where we rely on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.

7. How We Share Your Information

We disclose personal information only as reasonably necessary to operate the Service, fulfill your requests, or comply with law.

a. Third-Party Services You Choose to Use

We may share information with third parties you choose to connect through the Service, including:

• Connected ad platforms, to read campaign, audience, and performance data — and, where you request it, to create or edit advertising entities on your behalf;
• Analytics platforms, to read traffic, conversion, and funnel data;
• CRM platforms, to read pipeline, contact, and deal data relevant to revenue attribution;
• Data warehouses, to read datasets you authorise for analysis;
• Single sign-on providers, if you choose Google or Microsoft sign-in for authentication.

b. Service Providers and Sub-Processors

We engage a limited set of sub-processors to help us host, secure, deliver, maintain, and operate the Service — including infrastructure hosting, transactional email, payment processing, and the large language model processing that powers Adalyst's analysis features. These providers process information on our behalf only as necessary to provide services to us or as otherwise required by law. The live, authoritative list of named sub-processors — including purpose, data categories, and processing region — is published at adalyst.app/sub-processors. Workspaces can opt in to be emailed when the list changes.

c. Legal and Compliance Disclosures

We may disclose information if we believe doing so is necessary to:

• comply with applicable law, regulation, legal process, or governmental request;
• enforce our terms or other agreements;
• detect, investigate, or prevent fraud, security issues, or other illegal activity; or
• protect the rights, property, and safety of Adalyst, our users, or others.

d. Business Transactions

We may disclose information in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar business transaction, subject to customary confidentiality and legal safeguards.

e. With Your Direction or Consent

We may share information when you instruct us to do so or otherwise consent to the sharing.

f. Google API Services User Data Policy Compliance

Adalyst's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not sell your personal information.

We do not share personal information for cross-context behavioral advertising.

8. Third-Party Accounts and Platform Integrations

When you sign in with Google or Microsoft, or connect any of the third-party platforms Adalyst supports (including LinkedIn Ads, Google Ads, Google Analytics, HubSpot, Meta, Microsoft Ads, Salesforce, and BigQuery), you authorise us to access and use information from those services consistent with the permissions you grant and the features you choose to use. Scope details for each platform are listed in Section 2(b).

You can revoke access at any time by:

• disconnecting the connected platform from the Adalyst connections page, or
• using the privacy or connected-app settings made available by the relevant third-party provider.

When you disconnect a connected platform, we stop future API access and invalidate the stored OAuth tokens for that platform as part of the disconnection process.

Disconnecting a third-party account does not automatically delete information already created, retrieved, or stored in your Adalyst account unless you also delete that content or request account deletion. See Section 10 (Data Retention) for retention periods by data category.

9. Cookies and Similar Technologies

a. Essential Cookies

Adalyst uses a session cookie called adalyst_session that is strictly necessary for authentication and core Service functionality. Because this cookie is essential to the operation of the Service, disabling it may prevent you from logging in or using the platform properly.

b. Analytics and Performance

We may use third-party analytics services such as Google Analytics, PostHog, or similar tools to understand how our Service is used, measure performance, and improve the user experience. These services may use cookies, device identifiers, and similar technologies to collect information about your interactions with the Service, including pages visited, time spent, and general location data derived from your IP address.

c. Advertising and Retargeting

We may use third-party advertising technologies such as the LinkedIn Insight Tag, Google Ads remarketing, Meta (Facebook) Pixel, or similar tools to measure the effectiveness of our advertising, deliver relevant advertisements to you on other platforms, and build custom audiences for retargeting purposes. These technologies may collect information such as your IP address, browser type, pages visited, and interactions with our Service.

Information collected by these tools is subject to the privacy policies of the respective third-party providers, including:

• Google Privacy Policy
• LinkedIn Privacy Policy
• Meta Privacy Policy

d. Your Choices

You can control or disable non-essential cookies through your browser settings. You may also opt out of interest-based advertising through the following:

• Google Analytics Opt-out
• LinkedIn Ad Preferences
• Your Online Choices (EU/UK)
• DAA Opt-Out (US)

Please note that opting out of non-essential cookies does not affect the essential session cookie required for authentication.

10. Data Retention

We retain personal and operational information only for as long as reasonably necessary to provide the Service, meet our legal and contractual obligations, and fulfil the purposes described in this Privacy Policy. Default retention periods are:

Per-workspace retention may be customised by a workspace administrator in Settings → Data policy; the values shown above are defaults. Workspace administrators can also request a full data export at any time from Settings → Export, and initiate workspace deletion from Settings → Delete.

If you delete your workspace, we remove or anonymise your personal information within the retention windows above, except where we are required or permitted to retain certain information by law, for legitimate security or fraud-prevention purposes, to resolve disputes, to enforce our agreements, or as part of routine backup and disaster-recovery processes for the periods above.

You may request a copy of your personal information or its deletion at any time by emailing privacy@adalyst.app. See Section 13 (Your Rights and Choices) for details.

11. Data Security

We implement reasonable technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure.

These measures include:

• AES-256-GCM encryption at rest for OAuth access and refresh tokens across every connected platform;
• hashing of passwords using industry-standard methods;
• HTTPS / TLS 1.2+ encryption for data in transit; and
• secure, HTTP-only storage of session tokens in cookies.

No method of transmission over the internet or method of electronic storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.

12. International Data Transfers

Adalyst and the third-party providers we use may process personal information in countries other than the country where you live. As a result, your information may be transferred to and processed in jurisdictions that may have data protection laws different from those in your jurisdiction.

Where required by applicable law, we will use appropriate safeguards for international transfers of personal information, which may include contractual protections or other lawful transfer mechanisms.

You may contact us using the details below for more information about applicable transfer safeguards.

13. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

• access the personal information we hold about you;
• request correction of inaccurate or incomplete information;
• request deletion of your personal information;
• object to or request restriction of certain processing;
• request a portable copy of certain personal information;
• withdraw consent where our processing is based on consent; and
• lodge a complaint with the data protection authority or regulator in your jurisdiction.

You may also:

• disconnect any connected platform from the Adalyst connections page,
• manage your account settings, or
• request deletion of your account by contacting us.

To exercise privacy rights, contact us at privacy@adalyst.app.

We may need to verify your identity before fulfilling a request. In some cases, we may deny or limit a request where permitted by law. If applicable law provides a right to appeal our decision on a privacy request, you may do so by replying to our response or contacting us again at the same email address.

If your request relates to data primarily controlled by a third party — such as LinkedIn, Google, Microsoft, Meta, HubSpot, Salesforce, or Stripe — we may direct you to that provider for the portions of data it controls independently.

How to delete your data

You can delete your data from Adalyst in three ways:

1. Self-service workspace deletion. Sign in to Adalyst, go to Settings → Delete workspace, and confirm. This starts a 30-day soft-delete window after which all account, organisation, uploaded content, and platform-integration data is permanently deleted from primary storage and object storage. The workspace's audit encryption key is destroyed, rendering any residual audit ciphertext unreadable.
2. Disconnect a single connected platform. From Settings → Connections, click Disconnect on any provider (Meta, LinkedIn, Google Ads, Google Analytics, HubSpot, Microsoft Ads, Salesforce, BigQuery). Adalyst's stored OAuth tokens for that platform are immediately revoked and future API access ends. Data already imported follows the retention schedule in Section 10 unless you also delete your workspace.
3. Email request. Send a deletion request from the email address on your account to privacy@adalyst.app. We verify your identity and complete deletion within the timelines in Section 10.

You can also revoke Adalyst's access directly from each provider:

• Meta: business.facebook.com → Business Settings → Apps
• LinkedIn: linkedin.com/psettings/permitted-services
• Google: myaccount.google.com/permissions
• Microsoft: account.microsoft.com/privacy/app-access

Limited records may be retained following deletion only where required by law (for example, billing and tax records for seven years; see Section 10).

14. Children's Privacy

The Service is not intended for anyone under the age of 18, and we do not knowingly collect personal information from anyone under 18.

If we learn that we have collected personal information from a child without appropriate authorization, we will take steps to delete that information.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post the revised version on this page and update the "Last updated" date at the top of the Policy.

If we make material changes, we may also provide additional notice, such as by email or through the Service, where required by law.

Your continued use of the Service after the updated Privacy Policy becomes effective means that you acknowledge the revised Policy.