Privacy Policy
Last updated: March 16, 2026
This Privacy Policy describes how Maxme Digital Media Limited ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal data when you use the Campaiyn platform at campaiyn.ai and all related services (the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
1. Data Controller
The data controller responsible for your personal data is:
Maxme Digital Media Limited
Email: lewis@maxmegroup.com
Website: campaiyn.ai
For data protection inquiries, contact us at privacy@campaiyn.ai.
2. What Data We Collect
2.1 Account Information
When you register for Campaiyn, we collect:
- Email address - for authentication, communication, and account recovery.
- Name - to personalize your experience.
- Authentication credentials - passwords are hashed and salted; OAuth tokens are encrypted. We never store plaintext passwords.
2.2 Business Profile Data
During onboarding and account setup, you provide:
- Business name and type (e.g., e-commerce, service-based, local business).
- Industry and niche.
- Target audience description (demographics, interests, location).
- Product or service details (offer description, price points, unique value proposition).
- Business location.
2.3 Meta Ad Account Data
When you connect your Meta ad account, we access the following through the Meta Marketing API with your explicit authorization:
- Campaign structure - campaigns, ad sets, and ads (names, statuses, objectives, settings).
- Performance metrics - spend, impressions, reach, clicks, conversions, ROAS, CPA, CTR, CPM, and other standard Meta reporting metrics.
- Ad creatives - ad copy, images, and video thumbnails associated with your ads (for creative analysis and suggestions).
- Audience configurations - targeting parameters, custom audiences (metadata only, not individual user data), and lookalike audience settings.
- Account settings - currency, timezone, billing information status (not actual billing details).
- Conversion tracking setup - pixel configuration and Conversions API (CAPI) integration status.
Important: We do not access the personal data of individuals who see or interact with your ads. We only access aggregated advertising metrics and your ad account configuration.
2.4 Usage Data
We automatically collect:
- Feature interactions - which features you use, scan history, recommendations viewed and acted upon, health score history.
- Autopilot activity - actions executed by the autopilot system, including before/after states.
- Trust score history - how your trust score changes over time.
- Session data - login times, session duration, device type, browser type, and IP address.
- Error and performance logs - to diagnose and fix technical issues.
2.5 Payment Information
When you subscribe to a paid plan:
- Payment method details are collected and processed directly by Paystack. We do not receive or store your full card number, CVV, or other sensitive payment credentials.
- We receive and store: transaction IDs, subscription status, plan type, billing dates, and payment confirmation status from Paystack.
2.6 Communication Data
- Emails you send us (support requests, feedback).
- Email interaction data (open rates and click tracking on transactional and digest emails sent via Resend).
3. How We Use Your Data
We process your data for the following purposes:
3.1 Service Delivery
- Calculate account health scores using the Andromeda scoring engine (analyzing CAPI integration, ad diversity, account structure, creative freshness, and performance).
- Generate AI-powered optimization recommendations for your ad campaigns.
- Power the progressive trust system by tracking recommendation outcomes.
- Execute autopilot actions on your ad account (when enabled by you).
- Generate creative suggestions, ad copy, and visual assets.
- Display dashboards and performance reports.
3.2 AI Processing
- Your ad account data (campaign structure, performance metrics, and account settings) is sent to Anthropic's Claude API for analysis and recommendation generation.
- Data sent to Claude is anonymized where possible. Business names and specific identifiers are included only when necessary for contextual recommendations.
- We do not use your data to train our own or any third-party AI models. Data sent to Anthropic via the API is not used by Anthropic for model training (per Anthropic's API terms).
3.3 Payment Processing
- Process subscription payments and manage billing through Paystack.
- Send payment confirmation and billing notification emails.
3.4 Communication
- Send transactional emails (account verification, password resets, billing confirmations).
- Send product emails (daily AI digest emails for Agency users, weekly health score updates).
- Send important service announcements (Terms changes, security notices, scheduled maintenance).
3.5 Service Improvement
- Analyze aggregated, anonymized usage patterns to improve our scoring algorithms and recommendation quality.
- Identify and fix bugs and performance issues.
- Develop new features based on aggregated usage insights.
3.6 Security and Compliance
- Detect and prevent fraud, abuse, and unauthorized access.
- Comply with legal obligations and respond to lawful requests.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your data under the following legal bases:
| Purpose | Legal Basis |
| --- | --- |
| Service delivery, AI processing, dashboards | Performance of contract (Article 6(1)(b)) |
| Payment processing | Performance of contract (Article 6(1)(b)) |
| Transactional and product emails | Performance of contract / Legitimate interest (Article 6(1)(b)/(f)) |
| Service improvement (aggregated analytics) | Legitimate interest (Article 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
5. Data Sharing and Third-Party Processors
We share your data only with the following third-party service providers, and only to the extent necessary to deliver the Service:
5.1 Data Processors
Convex (Convex, Inc.)
Purpose: Real-time database and backend infrastructure
Data Shared: All account data, business profiles, health scores, recommendations, autopilot logs
Location: United States
Vercel (Vercel, Inc.)
Purpose: Frontend hosting and serverless functions
Data Shared: Session data, API requests
Location: United States
Anthropic (Anthropic, PBC)
Purpose: AI analysis and recommendation generation
Data Shared: Anonymized ad account metrics, campaign structure, performance data
Location: United States
Paystack (Paystack Payments Limited)
Purpose: Payment processing
Data Shared: Email, name, payment method (collected directly by Paystack)
Location: Nigeria / International
Resend (Resend, Inc.)
Purpose: Transactional and product email delivery
Data Shared: Email address, name, email content
Location: United States
Meta (Meta Platforms, Inc.)
Purpose: Ad account data access via Marketing API
Data Shared: OAuth tokens (encrypted), API requests for campaign data
Location: United States
5.2 We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal data or your ad account data to any third party for their own purposes, under any circumstances.
5.3 Legal Disclosures
We may disclose your data if required to do so by law or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation, court order, or governmental request.
- Protect the rights, property, or safety of Maxme Digital Media Limited, our users, or the public.
- Detect, prevent, or address fraud, security issues, or technical problems.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our primary data processors are located.
For transfers from the EEA or UK to countries that have not received an adequacy decision from the European Commission, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with each processor that include appropriate safeguards.
For transfers under the Ghana Data Protection Act, 2012, we ensure that data processors outside Ghana comply with the relevant data protection laws of their respective jurisdictions, as required by the Act.
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
| --- | --- |
| Account information (email, name) | Duration of account + 30 days after deletion |
| Business profile data | Duration of account + 30 days after deletion |
| Meta ad account data (snapshots, metrics) | Up to 12 months of rolling history; deleted within 30 days of account deletion |
| Health score history | Up to 12 months; deleted within 30 days of account deletion |
| Recommendation and autopilot logs | Up to 12 months; deleted within 30 days of account deletion |
| Trust score history | Duration of account + 30 days after deletion |
| Payment records | 7 years after the transaction (for tax and legal compliance) |
| Usage analytics (aggregated) | Retained indefinitely in anonymized, aggregated form |
| Support communications | 2 years after resolution, or duration of account |
When you delete your account, all personally identifiable data is permanently removed within 30 days, except where retention is required by law (e.g., payment records for tax compliance).
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher.
- Encryption at rest: Meta access tokens are encrypted using AES-256-GCM before storage. Database records are encrypted at rest by our infrastructure providers.
- Access control: Internal access to production data is restricted to authorized personnel on a need-to-know basis.
- Authentication: We support secure authentication through email/password and Google OAuth, with passwords hashed using bcrypt.
- Infrastructure security: Our infrastructure providers (Convex, Vercel) maintain SOC 2 compliance and implement their own security measures.
- Monitoring: We monitor for unusual activity and security threats.
While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Your Rights
9.1 Rights Under GDPR (EEA and UK Users)
If you are located in the EEA or UK, you have the following rights:
- Right of Access (Article 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
- Right to Data Portability (Article 20): Request your data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
9.2 Rights Under Ghana Data Protection Act, 2012
If you are located in Ghana, you have similar rights under the Data Protection Act, 2012 (Act 843), including the right to access, correct, and request deletion of your personal data.
9.3 Exercising Your Rights
To exercise any of these rights:
- Self-service: Many rights can be exercised directly through your Campaiyn account settings (data export, account deletion, profile correction).
- Email: Contact us at privacy@campaiyn.ai with your request.
- Response time: We will respond to your request within 30 days (or within the timeframe required by applicable law).
- Verification: We may need to verify your identity before processing your request.
9.4 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
- Ghana: Data Protection Commission (dataprotection.org.gh)
- UK: Information Commissioner's Office (ico.org.uk)
- EU: Your local data protection authority
10. Cookies and Tracking
10.1 Cookies We Use
| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential cookies | Authentication, session management, CSRF protection | Session / 30 days |
| Functional cookies | User preferences, theme settings, dashboard layout | 1 year |
| Analytics cookies | Aggregated usage metrics to improve the Service | 90 days |
10.2 We Do Not Use
- Third-party advertising cookies or trackers.
- Cross-site tracking pixels.
- Social media tracking widgets.
10.3 Cookie Management
Essential cookies are required for the Service to function. You can disable non-essential cookies through your browser settings, though this may affect some features.
11. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Meta Business Suite, Meta Ad Library). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party service you access through our platform.
12. Children's Privacy
Campaiyn is a business-to-business service and is not directed at children under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at privacy@campaiyn.ai.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you by email at least 14 days before the changes take effect.
- Provide a summary of the key changes.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14. Data Processing Addendum
If you require a Data Processing Addendum (DPA) for GDPR compliance purposes, please contact us at lewis@maxmegroup.com, and we will provide one.
15. Contact Information
For any questions or concerns about this Privacy Policy or our data practices:
Maxme Digital Media Limited
Email: privacy@campaiyn.ai
General inquiries: lewis@maxmegroup.com
Website: campaiyn.ai
For urgent data protection matters (e.g., suspected data breach), please email privacy@campaiyn.ai with "URGENT" in the subject line.
By using Campaiyn, you acknowledge that you have read and understood this Privacy Policy.