Privacy Policy
Effective date: 1 May 2026 — Last updated: 1 May 2026
1. Identity of the data controller
Jakala Performance Agent (the "Application") is operated by Jakala S.p.A., Via Carlo Tenca 8, 20124 Milan, Italy (VAT IT08462130968), acting as the data controller for the purposes of Regulation (EU) 2016/679 ("GDPR"). The Application is an internal operational tool used by Jakala employees and explicitly authorised partners to manage Google Ads and Google Analytics 4 performance for accounts that Jakala manages on behalf of its clients.
2. Categories of data processed
The Application processes the following categories of personal and operational data:
- Authenticated user identity: email address, full name, role, organisation. Provided at account creation by a Jakala administrator.
- OAuth tokens: refresh and access tokens issued by Google after the user explicitly authorises access to Google Ads, Google Analytics 4, and Google Drive (file-restricted scope only).
- Advertising performance data: campaign, ad group, keyword, and asset-level metrics retrieved via the Google Ads API for accounts the user is authorised to manage.
- Web analytics data: aggregated GA4 events, sessions, conversions, and user properties for properties the user is authorised to access.
- Generated artefacts: PDF and Slides exports created by the Application at the user's explicit request, stored in the user's Google Drive (only files this Application creates).
- Operational telemetry: action logs, page views, error events, and runtime metrics for the user accessing the Application.
The Application does not intentionally process special categories of personal data (Article 9 GDPR). End consumers of the advertised products are observed only in aggregated form via standard web analytics tooling.
3. Purposes and legal bases of processing
- Performance analysis and reporting — legitimate interest of Jakala and its clients in delivering contracted media management services (Article 6(1)(f) GDPR).
- Account access and authentication — performance of a contract with the user's employer or partner relationship (Article 6(1)(b) GDPR).
- Compliance with legal obligations — record-keeping for tax, audit, and statutory media reporting where applicable (Article 6(1)(c) GDPR).
- Security, fraud prevention, abuse detection — legitimate interest in preserving the integrity of the Application (Article 6(1)(f) GDPR).
4. Google API Services User Data Policy — Limited Use
The Application's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Data obtained from Google APIs is used solely to provide and improve user-facing features that are prominent within the Application.
- Google user data is not transferred to third parties except (i) as necessary to provide the user-facing feature requested by the user, (ii) for security purposes, or (iii) to comply with applicable law.
- Google user data is not used or transferred for serving advertisements, including retargeting or interest-based advertising.
- Google user data is not used to train, develop, or improve generalised AI / ML models. Anthropic Claude is used as the inference engine for analytical narratives on a per-request basis under contractual no-training terms; no Google user data is retained by the model provider for training.
- Humans do not read Google user data unless (i) the user provides explicit consent, (ii) it is necessary for security purposes (such as investigating abuse), (iii) it is required to comply with applicable law, or (iv) the data is aggregated and used for internal operational debugging by an authorised Jakala engineer.
5. Drive (file-restricted) scope
The Application requests the https://www.googleapis.com/auth/drive.file scope. This scope grants access only to Google Drive files that the Application itself creates or that the user explicitly opens with the Application. The Application cannot read, modify, delete, or list any other files in the user's Drive. Files created by the Application (such as exported Slides decks) remain owned by the user and may be deleted by the user at any time from Drive.
6. Recipients and sub-processors
Personal data is processed by Jakala internally and by the following sub-processors, each subject to GDPR-compliant data processing agreements:
- Vercel Inc. — web hosting and edge functions, EU data region.
- Railway Corp. — container runtime for the analytical sidecar.
- Supabase Inc. — managed PostgreSQL database, EU region (eu-central-1).
- Anthropic, PBC — large language model inference for analytical narratives, contractual no-training terms.
- Google LLC — Google Ads API, Google Analytics Data API, Google Slides API, Google Drive API (file-restricted scope only).
- SerpApi LLC — Google Trends data retrieval (does not receive any Google user data).
No personal data is shared with advertising networks, data brokers, or third parties for profiling or marketing purposes.
7. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). OAuth refresh tokens are stored encrypted as managed secrets on the hosting platforms and are accessible only to the runtime components that require them. Access to administrative interfaces is gated by Supabase Auth, role-based access control, and Postgres-level Row Level Security policies. Internal access is logged. Authorised personnel are bound by confidentiality obligations.
8. International transfers
Personal data is primarily processed within the European Economic Area. Where transfers outside the EEA are necessary (Anthropic and Google), they are protected by Standard Contractual Clauses approved by the European Commission and supplementary measures commensurate with the assessed risk.
9. Retention
Aggregated performance data and analytical outputs are retained for the duration of the underlying client engagement plus 90 days, after which they are deleted or anonymised. OAuth refresh tokens are retained until the user revokes the Application's access via https://myaccount.google.com/permissions or until the user's account is deactivated, whichever occurs first. Audit and access logs are retained for 12 months unless a longer period is required by applicable law.
10. Cookies
The Application sets only strictly necessary cookies to maintain the authenticated session (Supabase Auth cookie family) and a single first-party cookie used to deduplicate daily-activity events per user. No advertising, profiling, or third-party tracking cookies are used.
11. Children
The Application is a business tool not directed at minors. Jakala does not knowingly process personal data of children under 16 through the Application.
12. Your rights
Under GDPR you have the right to:
- Access the personal data Jakala holds about you (Article 15).
- Request rectification of inaccurate data (Article 16).
- Request erasure where applicable (Article 17).
- Restrict processing (Article 18).
- Receive your data in a portable format (Article 20).
- Object to processing based on legitimate interest (Article 21).
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or with another supervisory authority in your country of residence.
Requests may be submitted to the contact below and will receive a response within 30 days. Revocation of Google API access can be performed independently at https://myaccount.google.com/permissions; revocation immediately stops the Application from accessing further Google data.
13. Automated decision-making
The Application generates recommendations using AI components. These recommendations are advisory; no decision producing legal or similarly significant effects on a data subject is taken by the Application without human review by a qualified Jakala media analyst.
14. Changes to this policy
Material changes to this Privacy Policy will be communicated to active users at least 14 days before they take effect. The effective date at the top of this page reflects the most recent update. Continued use of the Application after the effective date constitutes acceptance of the updated policy.
15. Contact
Data Controller: Jakala S.p.A., Via Carlo Tenca 8, 20124 Milan, Italy. Email: amedeo.guffanti@jakala.com. Privacy questions may also be addressed to privacy@jakala.com.