Privacy Policy

1. Overview

AriaAI Ltd ("AriaAI", "we", "us") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights regarding it.

AriaAI is the data controller for personal data you provide directly. For data processed through your connected advertising accounts, you remain the controller and AriaAI acts as a data processor on your instructions.

2. What We Collect

2.1 Account Information

When you create an account: name, work email address, company name, and billing information (processed by Stripe — we never see full card numbers).

2.2 Google Ads Account Data

When you connect your Google Ads account, we access: campaign performance data, keyword data, auction insights, ad creative, Quality Scores, budget data, and account settings. This access is strictly scoped to what's required to provide the Service.

2.3 Usage Data

We collect information about how you use the platform: pages visited, features used, AI Chat conversations, recommendations accepted or declined, and session data. This is used to improve the Service.

2.4 Technical Data

IP address, browser type, device information, and cookies as described in our Cookie Policy. We do not use cross-site tracking cookies.

2.5 Communications

If you contact support or submit feedback, we retain that correspondence.

3. How We Use Your Data

We use your data to:

• Provide the Service — connect to your ad accounts, run AI optimisations, generate reports, and send alerts
• Improve the Service — analyse aggregated usage patterns to make the platform better
• AI model training — anonymised, aggregated signals from across accounts are used to improve recommendation accuracy. Your specific data (keywords, ad copy, campaign names) is never included in cross-account training data
• Billing and account management — process payments, send invoices, and manage your subscription
• Security — detect and prevent fraud, abuse, and unauthorised access
• Legal compliance — comply with applicable laws and respond to lawful requests

We do not use your data for advertising, sell it to third parties, or share it with partners for their own marketing purposes.

4. Data Sharing

We share data with the following categories of third parties, strictly for service delivery:

• Stripe — payment processing. Subject to Stripe's Privacy Policy.
• Google — API access to your connected Google Ads accounts, as authorised by you.
• Infrastructure providers — cloud hosting (AWS/GCP) under data processing agreements.
• AI providers — prompts sent to OpenAI/Anthropic APIs for copy generation are processed under our data processing agreements with those providers. Campaign-identifying information is not included in these prompts.

We may share data if required by law, court order, or to protect the rights and safety of AriaAI, our users, or the public.

5. Data Retention

We retain your personal data for as long as your account is active and for a period of 36 months thereafter, unless you request earlier deletion or a longer retention period is required by law.

Google Ads performance data is retained for 24 months from collection to support historical analysis features. AI Chat conversations are retained for 12 months.

You may request deletion of your personal data at any time by contacting [email protected]. We will complete deletion within 30 days, except where retention is required by law or our legitimate business interests (e.g. fraud prevention, accounting records).

6. Your Rights

Depending on your jurisdiction, you have rights including:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ('right to be forgotten')
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request we limit processing in certain circumstances
• Withdrawal of consent — where processing is based on consent, withdraw it at any time

EU/EEA users have rights under GDPR. California residents have rights under CCPA/CPRA. To exercise your rights, contact [email protected]. We will respond within 30 days.

You have the right to lodge a complaint with your local supervisory authority (for UK users: the ICO at ico.org.uk).

7. Security

We implement industry-standard security measures including:

• AES-256 encryption of data at rest
• TLS 1.3 encryption in transit
• OAuth 2.0 for third-party integrations (no passwords stored)
• Encrypted storage of API tokens and secrets
• Access controls and audit logging for all internal data access
• Regular penetration testing by third-party security firms

Despite these measures, no internet transmission is 100% secure. Please notify us immediately at [email protected] if you suspect a security breach.

8. Cookies

We use cookies for:

• Strictly necessary — authentication session, CSRF protection. Cannot be disabled.
• Functional — remember your preferences (theme, timezone). Disabled on opt-out.
• Analytics — understand how the platform is used (we use a privacy-first analytics tool; no cross-site tracking). Disabled on opt-out.

We do not use advertising cookies or third-party tracking pixels. You can manage cookie preferences in your account settings.

9. Contact Us

For privacy-related queries, data subject requests, or to exercise your rights:

• Email: [email protected]
• Post: AriaAI Ltd, Data Protection, [Address], London, United Kingdom
• DPO: [email protected]

We aim to respond to all requests within 30 days. If you are not satisfied with our response, you may complain to the Information Commissioner's Office (ICO) in the UK or your local data protection authority.