This Data Processing Agreement ("DPA") forms part of the Terms of Service between Adtool ApS ("Adtool", "we", "us", "Processor") and the customer ("Customer", "you", "Controller") using Adtool.io services.
By using Adtool.io, you automatically agree to this DPA. You may download or print this document for your records.
"Personal Data" means any information relating to an identified or identifiable natural person as defined in applicable Data Protection Laws.
"Data Protection Laws" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any other applicable data protection legislation.
"Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the Customer).
"Processor" means the entity that Processes Personal Data on behalf of the Controller (Adtool).
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third party engaged by Adtool to Process Personal Data on behalf of the Customer.
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Roles
2.1 Relationship of the Parties
In the context of this DPA:
You (Customer) are the Controller of Personal Data processed through Adtool.io
Adtool is the Processor, processing Personal Data on your behalf to provide the services
If you use Adtool to manage advertising for your own clients (e.g., as an agency or freelancer), you remain the Controller responsible for ensuring compliance with Data Protection Laws in your relationship with your clients.
2.2 Subject Matter and Purpose
Adtool processes Personal Data solely to provide the Facebook advertising management services described in our Terms of Service, including:
Managing Facebook/Meta advertising campaigns on your behalf
Storing and organizing creative assets (images, videos)
Synchronizing data with Facebook/Meta and Google Drive
Providing analytics and reporting on campaign performance
3. Data Processing Details
3.1 Categories of Data Subjects
Your employees and team members who use Adtool
Your clients (if you are an agency managing campaigns on their behalf)
3.2 Types of Personal Data
Account information (name, email address)
Authentication data (Facebook/Google OAuth tokens)
Facebook ad account and business manager data
Campaign and ad set configurations
Creative assets and metadata
Usage data and activity logs
3.3 Duration of Processing
Personal Data will be processed for the duration of your use of Adtool.io services and deleted upon termination of your account, subject to any legal retention requirements.
4. Obligations of Adtool (Processor)
Adtool agrees to:
Process on Instructions: Process Personal Data only on your documented instructions, unless required by law
Confidentiality: Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
Sub-processors: Not engage another processor without your authorization (see Section 6)
Assistance: Assist you in responding to data subject requests and ensuring compliance with your obligations under Data Protection Laws
Deletion: Delete or return all Personal Data upon termination of services, at your choice
Audit: Make available information necessary to demonstrate compliance with this DPA
5. Obligations of Customer (Controller)
You agree to:
Ensure you have a lawful basis for processing Personal Data through Adtool
Provide clear instructions regarding the processing of Personal Data
Comply with all applicable Data Protection Laws in your use of Adtool
Ensure that any data you upload or process through Adtool is collected lawfully
If you are an agency or freelancer, ensure you have appropriate agreements with your own clients
6. Sub-processors
6.1 Authorized Sub-processors
You authorize Adtool to engage the following sub-processors to assist in providing the services:
Sub-processor
Purpose
Location
Supabase Inc.
Database and authentication services
US (with DPF)
Vercel Inc.
Application hosting and delivery
EU/US (with DPF)
Stripe Inc.
Payment processing
EU/US (with DPF)
PostHog Inc.
Product analytics
EU
Upstash Inc.
Caching services
EU
Crisp IM SARL
Customer support chat
France (EU)
ActiveCampaign LLC
Email communications
US (with DPF)
Google LLC
Analytics (Google Analytics)
US (with DPF)
Meta Platforms Inc.
Facebook/Instagram API integration
US (with DPF)
"DPF" refers to the EU-U.S. Data Privacy Framework, which provides a legal mechanism for data transfers to the United States.
6.2 Changes to Sub-processors
We will notify you of any intended changes to sub-processors by updating this DPA. You may object to a new sub-processor by contacting us within 30 days of the update. If we cannot reasonably accommodate your objection, you may terminate your account.
7. Security Measures
Adtool implements appropriate technical and organizational measures to protect Personal Data, including:
Encryption: All data is encrypted in transit (TLS) and at rest
Access Controls: Role-based access controls and authentication requirements
Database Security: Row-level security (RLS) policies ensuring data isolation
Infrastructure: Data stored on Supabase servers (US) with EU-US Data Privacy Framework protections
Token Security: OAuth tokens and sensitive credentials are encrypted
Monitoring: Regular security monitoring and updates
8. Personal Data Breach
8.1 Notification
In the event of a Personal Data Breach affecting your data, Adtool will notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
8.2 Breach Information
The notification will include, to the extent known:
A description of the nature of the breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach
8.3 Cooperation
Adtool will cooperate with you and provide reasonable assistance in investigating the breach and meeting your notification obligations to supervisory authorities and data subjects.
9. Data Subject Rights
Adtool will assist you in responding to requests from data subjects exercising their rights under Data Protection Laws, including:
Right of access
Right to rectification
Right to erasure
Right to restriction of processing
Right to data portability
Right to object
If Adtool receives a request directly from a data subject, we will promptly forward it to you unless legally prohibited from doing so.
10. International Data Transfers
Personal Data is stored in the United States (Supabase) and processed by various sub-processors in the US and EU. All transfers from the EU to the US are protected by:
EU-U.S. Data Privacy Framework certification of the recipient
Standard Contractual Clauses approved by the European Commission
Other appropriate safeguards as required by GDPR
11. Data Retention and Deletion
Upon termination of your Adtool account:
You may request deletion of all your Personal Data
Adtool will delete your data within 30 days of such request
Some data may be retained as required by law or for legitimate business purposes (e.g., billing records)
Data in backups will be deleted according to our standard backup rotation schedule
To request data deletion, contact: hello@adtool.io
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Adtool's total aggregate liability for any claims arising under this DPA shall not exceed the fees paid by you in the 12 months preceding the claim.
13. Term and Termination
This DPA remains in effect for as long as Adtool processes Personal Data on your behalf. Upon termination of your Adtool account, this DPA will automatically terminate, subject to Adtool's obligations regarding data deletion and return.
14. Governing Law
This DPA is governed by Danish law. Any disputes arising from this DPA shall be resolved by the competent courts of Denmark.
15. Contact Information
For questions about this Data Processing Agreement or to exercise your rights: