Privacy Policy
support@adrefresh.io
On this page

Privacy Policy

Last updated: 26 August 2025

This policy explains how AdRefresh (the “Service”) processes personal data, including data contained in user‑uploaded media (images/videos) and related metadata. It covers website visitors, account holders, and team members.

1) Who we are

AdRefresh provides tools to transform advertising creatives.

Legal entity:
TDY Group LLC
Registered address:
30 N Gould St Ste R, Sheridan, WY 82801, USA
Contact:
support@adrefresh.io
EU GDPR representative (Art. 27):
We are in the process of appointing an EU representative. Until then, contact support@adrefresh.io.
UK GDPR representative (Art. 27):
We are in the process of appointing a UK representative. Until then, contact support@adrefresh.io.

For personal data processed in the EEA and the UK, we act as a data controller for data like website analytics and account administration, and as a data processor when we process Customer Content under our customers’ instructions.

2) What we collect

a) Account & Contact Data

  • Email address, name (if provided), password hash, role/team.
  • Authentication logs (login time, IP, user‑agent).

b) Billing & Subscription Data

  • Plan, invoices, tax info (e.g., VAT), payment status.
  • Processed via third‑party payment processors; we do not store full card numbers.

c) Customer Content you upload

  • Images/videos, embedded metadata (e.g., EXIF), output files we generate.
  • Transformation instructions (e.g., install AI mesh, replace music, color correction, trimming, speed, metadata edits).

d) Usage & Device Data

  • IP address, device/browser, language, referral, feature usage, crash logs.
  • Cookies or similar technologies for essential operations; analytics/marketing only with consent where required.

e) Support & Communications

  • Messages you send us (email, in‑app, optional channels), timestamps, and attachments.

f) Third‑Party Sources

  • If you sign in via SSO/social login, we receive basic profile identifiers.
  • Service delivery & account administration (GDPR Art. 6(1)(b) – contract): create/manage your account; process uploads; deliver outputs; provide support.
  • Security & fraud prevention (Art. 6(1)(f) – legitimate interests; and legal obligations): detect abuse, protect accounts, rate‑limit, audit access.
  • Improve and develop the Service (Art. 6(1)(f)): diagnostics, performance metrics, feature usage. Customer Content: we do not use your uploaded media to train models or improve features unless you opt in.
  • Billing & taxation (Art. 6(1)(b)/(c)).
  • Analytics & marketing (Art. 6(1)(a) – consent, where required): email updates and non‑essential cookies only with consent; you may withdraw anytime.

4) Customer Content, AI/ML, and confidentiality

  • We process Customer Content only to provide the transformations you request.
  • No model training by default. We do not use Customer Content, prompts, or outputs to train or fine‑tune models unless you explicitly opt in (via in‑product settings or written agreement).
  • Human access is restricted to authorized personnel for (i) support you request, (ii) security, or (iii) legal obligations.
  • We maintain logical separation between customer workspaces.

5) Data retention

  • Uploads: kept for processing and short‑term reliability; deleted from active storage within 24–72 hours after job completion unless you keep them in a project.
  • Outputs: stored per plan — Basic: 7 days, Team: 14 days. You can delete earlier from the dashboard.
  • Account & billing: retained while your account is active and as required by law (e.g., tax/audit: typically 6–10 years).
  • Logs/telemetry: retained for 30–90 days unless needed for security or dispute resolution.
  • Where immediate deletion is not feasible (e.g., backups), we isolate and securely store until deletion is possible.

6) Sharing and sub‑processors

We do not sell personal data. We share data only with:

  1. Vendors / Sub‑processors under data‑processing agreements (see Annex A).
  2. Affiliates & professional advisors (accounting, legal) under confidentiality.
  3. Law enforcement or regulators when legally required.
  4. Business transfers (e.g., merger/acquisition) with notice where required.

An up‑to‑date Sub‑processor List is maintained here: /subprocessors. We will notify customers of material changes as required.

7) International transfers

If we transfer personal data outside your jurisdiction, we rely on appropriate safeguards, such as EU Standard Contractual Clauses, the UK Addendum, or other lawful mechanisms. Hosting regions: European Union (Germany/Finland).

8) Your rights

Depending on your location, you may have rights to access, correct, delete, or port your data; object to or restrict certain processing; withdraw consent; and lodge a complaint with a data‑protection authority. Requests: contact support@adrefresh.io. We may verify your identity and will respond within the timelines set by law.

California (CPRA): We do not “sell” personal data or share it for cross‑context behavioral advertising without consent. You may exercise rights to know, delete, correct, and limit use of sensitive data where applicable.

9) Cookies and tracking

  • Essential cookies: required for login, sessions, CSRF, and rate‑limiting.
  • Analytics/marketing cookies: used only with consent where required. Manage preferences in our cookie banner or browser settings.

See our Cookie Notice for details.

10) Security

We implement technical and organizational measures, including encryption in transit, access controls, least‑privilege, and regular backups. However, no method of transmission or storage is 100% secure.

11) Children

The Service is not directed to children under 16 (or the age required by your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided data, contact us to delete it.

12) Data Processing Addendum (DPA)

For customers who are controllers, our DPA governs processing of Customer Content and includes the SCCs/UK Addendum where applicable. See: /dpa.

13) Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, where required, provide additional notice.

14) Contact

Questions or requests about privacy? Email support@adrefresh.io.

Annex A — Example Sub‑processor List

  • Hosting/Storage: Hetzner GmbH — EU (data centers in Germany/Finland).
  • Payments: Third‑party payment processor (e.g., Stripe/Paddle). We do not store full card numbers.
  • Email & notifications: Email delivery provider (e.g., Postmark/SendGrid/SES).
  • Analytics (consent‑based): Privacy‑friendly analytics provider (e.g., Plausible) or equivalent.
  • Support channels (optional): Customer support platform or community channel; your use of such platforms is subject to their privacy policies.

Note: We keep an up‑to‑date list at /subprocessors.