Privacy Policy
Last updated: [DATE]
This Privacy Policy explains how Caeros Technologies LLC ("Caeros," "we," "us") collects, uses, and shares personal data in connection with caeros.app and the Caeros service (the "Service").
Two roles. For your own account and our website, Caeros is a controller. For the data you connect or upload into the Service to run your ad-budget operations (including any personal data within it), Caeros acts as a processor on behalf of your organization (the controller); that processing is governed by our Data Processing Agreement.
1. Information we collect (and CCPA categories)
| Data | CCPA category | Examples |
|---|---|---|
| Account data | Identifiers; professional/employment info | name, work email, hashed password, org name, role, 2FA |
| Billing data | Commercial info | plan, subscription status (card data handled by Paddle, our Merchant of Record — we don't store full card numbers) |
| Connected-platform data | Commercial info; your business data | OAuth access/refresh tokens, ad-account IDs, campaign/budget metadata, spend figures |
| Usage data | Internet/network activity; geolocation (coarse, from IP) | logs, device/browser, IP, pages/actions, performance/errors |
| Cookies | Internet activity | see Cookie Policy |
| Support/comms | Identifiers; customer records | messages you send us, email engagement |
We do not intend to collect special-category/sensitive personal data. OAuth tokens are access credentials; we use them only to provide the Service (Section 3) and protect them with secrets management.
2. How we use information & legal bases (GDPR/UK-GDPR)
| Purpose | Legal basis (and specific legitimate interest) |
|---|---|
| Provide, secure, and operate the Service | Performance of a contract |
| Billing and account management | Contract / legal obligation |
| Product analytics and improvement | Legitimate interests — to maintain, secure, and improve the Service (or consent where required) |
| Customer support | Contract / legitimate interests — to respond to your requests |
| Marketing emails | Consent (EU/UK), with opt-out; for existing customers, limited soft opt-in for similar products |
| Non-essential cookies/analytics | Consent |
| Fraud prevention, security, legal compliance | Legitimate interests — to prevent abuse / legal obligation |
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing; the Service's pacing and forecasts are decision-support only.
3. Connected platforms & token use
When you connect Google Ads, Meta, or LinkedIn, we access them on your behalf using your credentials only to provide the Service. We request the minimum scopes needed, do not use the data or tokens for any secondary purpose or to train models, and comply with each platform's limited-use requirements. Disconnecting a platform revokes and deletes the stored token; tokens are also deleted on account closure.
4. How we share information
- Sub-processors / service providers (hosting, database, email, support, analytics). See the current Sub-processor list.
- Paddle, our Merchant of Record, an independent controller for payment data.
- Legal / safety; business transfers (merger/acquisition/asset sale).
- We do not sell personal data for money. Some analytics/advertising cookies may constitute "sharing"/"sale" under US state laws; opt out via the "Do Not Sell or Share My Personal Information" link in our footer, the cookie settings, and Global Privacy Control (GPC), which we honor.
5. International transfers
We are US-based. For EU/UK personal data, we rely on the EU Standard Contractual Clauses and the UK Addendum to those Clauses, and conduct transfer assessments where required (see DPA).
6. Retention
We keep personal data only as long as needed for the purposes above:
- Account data: for the life of the account, deleted within 30 days of closure.
- Connected-platform tokens: until disconnection or closure.
- Billing/tax records: as required by law (typically 7 years).
- Logs/usage: 12 months.
- Support records: 24 months. Longer retention applies only where required for legal, tax, or dispute purposes.
7. Your rights
You may have rights to access, correct, delete, port, restrict, or object to processing, to withdraw consent, and to opt out of targeted advertising, profiling, or the "sale"/"sharing" of personal data. To exercise rights, email privacy@caeros.app or use the in-app Privacy Center. We verify your identity, respond within the time required by law (GDPR ~1 month; US state laws ~45 days), and do not discriminate against you for exercising rights.
- Authorized agents may submit requests on your behalf with proof of authority and your verified identity.
- Appeals: if we deny a request, you may appeal by emailing privacy@caeros.app; we will respond within the period required by your state's law.
- EU/UK: where we are a processor, contact the organization that controls your data; you may also lodge a complaint with your supervisory authority.
8. Security
We use encryption in transit and at rest, access controls, 2FA, and secrets management for connected- platform credentials, plus logging, backups, and incident response. No method is 100% secure; we notify users and authorities of breaches as required by law.
9. Children
The Service is intended for business users 18 and older and is not directed to children. We do not knowingly collect data from children.
10. Changes & contact
We post updates here and provide additional notice of material changes. Caeros Technologies LLC — privacy@caeros.app — [MAILING ADDRESS]
- EU Representative (GDPR Art. 27): [EU REP NAME / ADDRESS] — appoint before EU launch
- UK Representative (UK-GDPR Art. 27): [UK REP NAME / ADDRESS] — appoint before UK launch