Privacy policy

1. Who we are

Adsor is built and run by Bullmade ApS — a small e-commerce agency from Aarhus, Denmark, that has been doing performance work since 2011. We registered the company under CVR 35840885. When this policy says "we", "us" or "Adsor", it means us.

We are the data controller for everything you do inside Adsor. That is a legal way of saying: if you want something changed, deleted or explained, we are the people to ask.

Reach us any time at privacy@adsor.ai. We try to reply within a working day.

2. What we collect

We try to keep this list short. Everything we hold falls into one of these buckets:

Account information

Your name, email, the workspace you belong to, your role inside that workspace, and either a hashed password or an SSO provider id. That is it for the basic account.

The work you do inside Adsor

Campaigns, ad sets, ads, audiences, drafts, assets, comments, naming templates, settings — everything you create inside the product. This is your data. We just store it for you and show it back when you log in.

Connected platforms

When you connect Meta Ads, Google Ads, GA4, Search Console, PrestaShop, Klaviyo or BullCRM, we hold the OAuth tokens those platforms hand us. We use those tokens to read and write on your behalf — only when you ask us to. Tokens live encrypted at rest. You can revoke them at any time, both inside Adsor and inside the platform itself.

Billing

Company name, billing address, VAT number, and a payment method handled by our payment processor. We never see your full card number — only a token that lets us charge a recurring subscription.

Operational logs

Standard server logs (which paths were called, how long they took, what error code came back). An audit log of who-did-what inside the product, because that is also a feature we sell to you. An error log so we can fix bugs.

What we do not collect

We do not run third-party tracking on the marketing site or inside the app. No Facebook Pixel, no Google Analytics on the dashboard, no behavioural ad-tech. The cleanest way we know to keep your data safe is to not have it in the first place.

3. What we do with it

Five things, in this order:

1. Run the product. Fetch your campaigns, show them, save your edits, push the right thing to Meta or Google when you click publish.
2. Keep things accountable. Every change is attributed to the user who made it. That is what makes the audit trail trustworthy.
3. Bill you. Charge the right amount on the right day. Keep the records the Danish bookkeeping law tells us to keep.
4. Help when you ask. Read your support email, look at the relevant logs, write back with an answer.
5. Improve the product. Look at aggregated, anonymised usage so we know what to work on next. We are not interested in what individual users are doing.

We do not use your data to train any AI model. The AI features in Adsor send your prompts to model providers (Anthropic, Google, Higgsfield, OpenRouter) under their APIs. We choose providers that contractually do not train on customer prompts.

4. Why we are allowed to (legal basis)

Under GDPR we have to point at a legal basis for each thing we do. Here are ours:

• Contract. Most of what we do is to deliver the service you signed up for.
• Legitimate interest. Security, fraud prevention, audit logs, and aggregate product analytics. We have weighed these against your privacy and we think the trade-off is fair — but you can always object.
• Legal obligation. Accounting and tax records.
• Consent. If we ever ask you to opt into something extra (like a beta program or a marketing newsletter), that runs on your consent and you can withdraw it any time.

5. Where the data lives

Production data sits in EU regions. We use Turso (libsql, edge-replicated SQLite) for primary storage and Redis for caching, both with EU-only configuration. Backups are encrypted and stored in the same jurisdiction.

A handful of providers are based outside the EU — most notably the AI model providers. Where we send prompts to them, we rely on Standard Contractual Clauses, encryption in transit, and provider terms that prohibit training on customer data. If that ever stops being true for a specific provider, we drop them.

6. Who else touches your data (sub-processors)

We use a small number of vendors. Each one only sees the slice of data they need to do their job. You can ask for the full current list any time.

• Hosting & DB. Turso (libsql) and Redis Labs — both EU regions.
• Authentication. Stack — for sign-in, SSO and session management.
• Email delivery. Postmark / SMTP provider — for transactional and product emails.
• Payments. Stripe — for subscription billing.
• AI model providers. Anthropic (Claude), Google (Gemini / Nano Banana), Higgsfield (video), and OpenRouter (routing fallback).
• Error monitoring. Internal — we keep this in our own infrastructure.

On Agency and Scale plans we let you know in advance before adding a new sub-processor that touches customer data, so you have time to object.

7. How long we keep things

While your subscription is active, your data stays in the product. If you cancel, we hold it for 30 days as a buffer in case you change your mind, then delete it. Audit logs and billing records have to be kept longer because the Danish bookkeeping law requires it (up to 5 years).

Backups roll on a 30-day cycle — so if you ask us to delete something, it disappears from production immediately and from backups within that month.

8. What you can ask us to do

Under GDPR you have a list of rights. We respect every one of them. In plain words:

• "Show me what you have on me." We will export your personal data in a readable format.
• "Fix this — it is wrong." We will correct any inaccurate or out-of-date data.
• "Delete it." We will erase your personal data, subject to the few records bookkeeping law forces us to keep.
• "Stop using it for that one thing." You can object to specific uses, like product analytics.
• "Pause processing." You can ask us to hold off until something is sorted out.
• "Send my data to another provider." We will export it in a portable format (JSON / CSV).
• "I want to complain." You have the right to complain to the Danish Data Protection Agency (Datatilsynet) or your local equivalent.

Email privacy@adsor.ai and we will sort it within 30 days, usually a lot faster.

9. How we keep things safe

Security is mostly boring, which is the way we like it.

• All traffic to Adsor is TLS 1.2+. The browser has the green padlock; we do not have an unencrypted endpoint.
• Passwords are hashed with bcrypt. We could not see your password even if we wanted to.
• OAuth tokens for Meta, Google and other connected platforms are encrypted at rest.
• Production access is limited to a small number of engineers. Their access is logged and reviewed.
• We run automated dependency scans and static analysis on every deploy.
• We do regular backup-and-restore drills so we know the backups actually work.
• If we ever discover a real security incident, we follow GDPR's 72-hour breach notification rule.

10. Cookies and tracking

We use the smallest possible set of cookies — basically just the one that keeps you logged in. No third-party analytics cookies on this marketing site. No advertising pixels. No "consent banner you have to click before you can read the page" nonsense.

Inside the product itself, the only persistent storage we use is what we need to remember your preferences (date range, column layout, account picker). All first-party.

11. About AI

Adsor has an AI Builder. Here is exactly what happens when you use it:

• Your prompt and any uploaded reference images are sent to a model provider over an encrypted connection.
• We only send what is needed for that specific generation. Brand context, product data and notes are added when relevant — but only inside that one request.
• We log the request metadata (which model, how many tokens, how long it took, what it cost) so you can see usage in settings.
• The generated output lands in your drafts. It is yours.
• We do not save provider responses outside your workspace.
• None of our providers train on customer prompts under our contracts.

If you would rather use your own API keys with a provider you have your own contract with, you can do that on every plan. Drop them in settings and all calls will go that way.

12. Data from connected platforms

When you connect Meta, Google or another ad platform, you authorise Adsor to read and write data inside that platform on your behalf. Two important things:

• We only act inside the scopes you grant during OAuth. If you grant read-only access, we never write.
• We never share data between unrelated workspaces. Your competitor on Adsor cannot see your campaigns. Your account manager at our agency cannot see another agency's clients.

You can disconnect any platform at any time, both inside Adsor and inside the platform's own settings.

13. Children

Adsor is a B2B product for ad professionals. We do not knowingly collect personal data from anyone under 16. If you think a minor has signed up, write to us and we will remove the account.

14. Changes to this policy

If we change anything material, we email every active customer at least 14 days before it takes effect. Tiny edits — fixing typos, adding a new sub-processor that handles the same kind of data — get a "Last updated" bump but do not need a full email. The current version is always at this URL.

15. Talk to us

That is the whole policy. If anything is unclear, or if you want a Data Processing Agreement signed for your enterprise, just write:

• Privacy questions: privacy@adsor.ai
• Security incidents: security@adsor.ai
• Anything else: hello@adsor.ai