Privacy Policy
NextStat, S.L. ("NextStat", "we", "us", or "our") operates the NextStat Ads platform at ads.nextstat.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Display name
- Organization name
- Authentication credentials (hashed, never stored in plaintext)
1.2 Google Ads Data
When you connect your Google Ads account, we access the following data through the Google Ads API:
- Campaign metadata — campaign names, IDs, status, settings
- Ad group metadata — ad group names, IDs, targeting
- Performance metrics — impressions, clicks, cost, conversions, CTR, CPC, ROAS
- Account metadata — customer ID, account name, currency, timezone
1.3 Usage Data
We automatically collect:
- IP address and approximate location
- Browser type, device information
- Pages visited, features used, timestamps
- Compute usage metrics (for billing)
2. How We Use Your Information
We use collected information to:
- Provide the Service — run A/B tests, compute attribution, generate forecasts, detect anomalies on your advertising data
- Authenticate and authorize — verify your identity and manage access
- Bill and meter — track usage for plan limits and invoicing
- Improve the Service — analyze usage patterns, fix bugs, develop features
- Communicate — send experiment alerts, security notices, service updates
3. Google Ads Data: Limited Use Disclosure
We strictly limit our use of Google Ads data:
- Google Ads data is used only to provide and improve the NextStat Ads features you request (A/B testing, attribution, forecasting, anomaly detection)
- We do not sell, rent, or share your Google Ads data with third parties for advertising, data brokerage, or any purpose unrelated to the Service
- We do not use Google Ads data for training machine learning models unrelated to your account
- Google Ads data is stored encrypted at rest and in transit
- You can disconnect your Google Ads account and request deletion of all associated data at any time
4. Data Storage and Security
- Infrastructure — hosted on Hetzner Cloud (EU, Germany)
- Encryption — TLS 1.3 in transit; AES-256 at rest for sensitive data (OAuth tokens, credentials)
- Access control — role-based, tenant-isolated, audit-logged
- Retention — account data retained while account is active; deleted within 30 days of account deletion request
- Google Ads tokens — refresh tokens are encrypted with versioned keys; access tokens are short-lived and never persisted
5. Data Sharing
We do not sell your data. We share data only:
- With your consent — when you explicitly authorize sharing
- Infrastructure providers — Hetzner (hosting), Stripe (billing), Logto (authentication) — only the minimum data required for service operation
- Legal requirements — when required by law, regulation, or legal process
6. Your Rights
Under GDPR and applicable law, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — receive your data in a machine-readable format
- Restriction — limit processing in certain circumstances
- Object — object to processing based on legitimate interest
- Withdraw consent — revoke consent at any time without affecting prior processing
7. Cookies
We use minimal cookies:
- Authentication cookies — session management (essential, no consent required)
- Preference cookies — theme selection (functional)
We do not use advertising or tracking cookies.
8. Children's Privacy
NextStat Ads is not directed at individuals under 16. We do not knowingly collect data from children.
9. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
10. Contact
For privacy inquiries or to exercise your rights:
- Email: privacy@nextstat.io
- Address: NextStat, S.L., Valencia, Spain