Privacy Policy

Last updated: 2026-06-01
Effective date: 2026-06-01


1. Who we are

Consultad ("Consultad", "we", "us") is a SaaS platform for advertising data management, AI-powered analytics, and automated creative generation, operated by Karol Kwiatkowski, a sole trader doing business as Consultad Karol Kwiatkowski, registered in the Polish Central Register and Information on Economic Activity (CEIDG), with a registered business address at ul. Dereniowa 60/104, 02-776 Warszawa, Poland (NIP 9512411426, REGON 364233908).

For privacy questions: karol@consultad.io.

We have not appointed a Data Protection Officer. Based on our current scale and the nature of our processing (no large-scale systematic monitoring of individuals as our core business; no large-scale processing of special-category data), Article 37 GDPR does not require us to. We re-assess this position regularly and will appoint a DPO if and when our processing crosses the GDPR thresholds.


2. Scope

This policy covers personal data we process when you:

  • visit https://consultad.io or any subdomain,
  • create an account or use the Consultad application,
  • connect a third-party advertising platform (Meta Ads, TikTok Ads, Google Ads) to Consultad,
  • contact us by email or through in-app chat.

This policy does not cover the privacy practices of the advertising platforms themselves (Meta, TikTok, Google). Those are governed by their own policies.

Consultad is available both to organizations (agencies, advertisers, in-house teams) and to individual self-serve users; the self-serve signup path does not require company information or a VAT number. Where this policy refers to "you" as a natural person, it applies to individual users; where it refers to "you" as an account-holding entity, it applies to the customer organization.


3. Controller / processor roles

  • Controller for: account data, billing data, support communications, website analytics, login telemetry.
  • Processor (on behalf of you, the customer) for: advertising performance data ingested from your connected ad accounts, creatives you upload, prompts and chat content you submit to the assistant, and any personal data contained in your campaign audiences or conversion events.

A separate Data Processing Agreement (DPA) governs our processor obligations (see https://consultad.io/dpa and the Sub-processor list). The DPA is incorporated into our Terms by reference and takes precedence over this Privacy Policy in respect of personal data processed by Consultad as a processor.


4. Categories of personal data we process

As controller (about you, the user):

Category | Examples | Source
Identity | Name, email, organization name, role | You / Google OAuth
Authentication | Firebase UID, hashed credentials, session tokens, MFA factors | Firebase Authentication
Billing | Billing address, VAT/NIP, payment method last-4, invoice history | You / Stripe
Usage | Pages visited, features used, API calls, AI tokens consumed, error logs | Cloud Logging
Communications | Support emails, in-app messages, demo requests | You
Device/network | IP address, user agent, locale, timezone | HTTP requests
Consent records | Acceptance of Terms / Privacy / DPA at signup (version, timestamp, mechanism) | Signup flow

As processor (on behalf of customer, on customer's connected ad accounts):

Category | Examples | Source
Ad performance data | Impressions, clicks, spend, conversions, audience IDs | Meta / TikTok / Google Ads APIs
Creative content | Images, video, copy uploaded by customer | Customer upload
Chat content | Prompts and responses in the AI assistant | Customer input
Hashed audience identifiers | Where customer uploads custom audiences | Customer input

We do not intentionally process special-category data (Art. 9 GDPR). Do not upload health, biometric, political, religious, or sexual-orientation data.


5. Legal bases (Art. 6 GDPR)

Purpose | Legal basis
Provide the service you signed up for | Contract (Art. 6(1)(b))
Send transactional emails (receipts, security alerts) | Contract
Comply with tax, accounting, KSeF e-invoicing obligations | Legal obligation (Art. 6(1)(c))
Product analytics, fraud prevention, security monitoring | Legitimate interest (Art. 6(1)(f))
Periodic analytics reports (weekly campaign performance digest for users with connected ad accounts) | Contract (Art. 6(1)(b))
Marketing emails to prospects / cookies for marketing | Consent (Art. 6(1)(a))
AI model improvement using your data | We do not train on customer data. See §9

6. Cookies and similar technologies

See our separate Cookie Policy and our consent banner. We use:

  • Strictly necessary cookies: Firebase session, CSRF, load balancing. No consent required.
  • Functional: language and theme preferences. No consent required (implied by use).
  • Analytics: only with consent. Off by default.
  • Marketing / advertising: only with consent. Off by default. No third-party tracking pixels (Google Analytics, Meta Pixel, etc.) are loaded at the time of this policy.

7. Recipients (sub-processors)

A current list of sub-processors is published at https://consultad.io/subprocessors. Customers receive at least 30 days' notice of any new sub-processor and may object in writing; if we cannot reasonably accommodate the objection, you may terminate the affected service per the DPA.

Beyond sub-processors, we may share personal data with:

  • professional advisors (auditors, lawyers, insurers) under confidentiality, when needed to defend our rights or comply with the law;
  • public authorities when legally required (court order, supervisory authority, tax authority, law-enforcement request) and only to the minimum extent required;
  • a successor entity in the event of a sale, merger, or insolvency, with prior notice to you and continuing protection of your data under terms at least as protective as this Policy.

8. International transfers

Some sub-processors (notably Anthropic PBC, Stripe Inc., SendGrid/Twilio Inc., Google LLC) are headquartered in the United States. Data may be transferred outside the EEA on the basis of:

  • the EU-U.S. Data Privacy Framework (where the recipient is certified), and/or
  • Standard Contractual Clauses (2021/914) with supplementary measures (encryption in transit and at rest, access controls, audit logging).

Our transfer impact assessment (TIA) is available to customers on request.

EEA-region storage: BigQuery, Firestore, Cloud Storage, Memorystore, and Cloud Run are deployed in europe-central2 (Warsaw). Inference for Anthropic Claude is routed via Vertex AI in EU regions where available; fallback to Anthropic US is gated on a customer setting.


9. AI processing and training

  • Customer prompts and responses through the AI assistant are processed as a processor under the DPA.
  • We use Anthropic Claude (via AsyncAnthropic or AsyncAnthropicVertex) and Google Vertex AI for inference. Per their enterprise terms, customer prompts are not used to train their foundation models.
  • Consultad does not train any model on identifiable customer content. Aggregate, de-identified usage metrics may be used to improve the product.
  • AI outputs may be inaccurate. Customers are responsible for reviewing outputs before relying on them for ad-spend decisions.
  • The AI assistant does not take actions that legally or significantly affect you on a solely automated basis. Tool calls that write to your Connected Accounts require explicit confirmation in the Platform before they execute.

10. Retention

Data | Retention
Account data | While account is active + 90 days after deletion
Consent records (Terms / Privacy / DPA acceptance) | While account is active + 3 years after deletion. Kept as proof of consent (Art. 7(1) GDPR)
Billing / invoices | 5 years (Polish tax law, Ordynacja podatkowa Art. 86 §1). This statutory retention overrides deletion requests for these records
Chat history | While account is active. User-deletable in-app
Ad performance data (processor) | While account is active + 30 days. Per customer DPA
Backups | Per Google Cloud Platform standard procedures; used solely for disaster recovery, not exposed to customers as a restore mechanism
Security / audit logs | 12 months
Support tickets | 24 months after closure

11. Your rights (Arts. 15-22 GDPR)

You may at any time:

  • access, rectify, erase, restrict, port, or object to processing of your data,
  • withdraw consent (without affecting prior lawful processing),
  • lodge a complaint with the Polish DPA (UODO, ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl) or your local EEA DPA.

To exercise rights: karol@consultad.io. We respond within the statutory one-month deadline (extendable by two months for complex requests under Art. 12(3) GDPR, with notice to you).

You can self-serve several of these rights directly in the Platform:

  • Access / portability: Settings → Account → Export my data
  • Rectification: Settings → Profile
  • Erasure: Settings → Account → Delete account (subject to statutory retention for billing / invoices and consent records, see §10)
  • Withdraw consent for cookies: Cookie banner / footer "Cookie preferences"
  • Weekly analytics reports opt-out: Settings → Notifications → Weekly reports

12. California residents (CCPA/CPRA)

If you are a California resident, this section supplements the rest of this Policy and applies to you.

Categories of personal information we collect (in the 12 months preceding the date of this Policy), per Cal. Civ. Code §1798.140:

CCPA category | Examples in our context
(A) Identifiers | Name, email, account identifier, IP address
(B) Customer records (Civ. Code §1798.80(e)) | Billing address, billing email, tax ID
(C) Characteristics protected by California or federal law | None
(D) Commercial information | Plan, subscription history, invoices
(E) Biometric information | None
(F) Internet or network activity | Session metadata, technical logs, in-product telemetry
(G) Geolocation | Coarse, IP-derived only. No precise location
(H) Sensory data (audio, video, etc.) | None, except creatives you upload
(I) Professional / employment information | Organization name, role within the organization
(J) Education information | None
(K) Inferences drawn | None. We do not build behavioral profiles
Sensitive personal information | None knowingly collected

We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months. We do not knowingly collect or sell personal information of consumers under 16 years of age.

Your rights as a California resident:

  • right to know what personal information we have collected, the sources, the purposes, and the categories of recipients,
  • right to delete personal information we have collected, subject to statutory exceptions,
  • right to correct inaccurate personal information,
  • right to limit the use of sensitive personal information (effectively unused because we do not collect sensitive PI for purposes that would trigger this right),
  • right to opt out of sale or sharing (effectively unused because we do not sell or share),
  • right to non-discrimination for exercising any of these rights.

To exercise California rights: write to karol@consultad.io with "California privacy request" in the subject line. We verify requests against the email registered on the account. An authorized agent may submit on your behalf with documented authority. We respond within 45 days (extendable by 45 days with notice).


13. Minimum age

Consultad is available to individuals aged sixteen (16) or older. Article 8 GDPR sets the minimum age for consent at 16 by default, with Member State discretion to lower it; Poland's Personal Data Protection Act of 10 May 2018 sets the floor at 13, but we have chosen the higher 16 threshold as a service rule. We do not knowingly collect personal data from anyone under 16.

If you are a parent or guardian and believe your child has provided us with personal data, write to karol@consultad.io and we will delete it without undue delay.

The Consultad service itself is not directed at children: it is primarily used by professionals and organizations operating advertising campaigns, though individual self-serve users (freelancers, sole traders, contractors) are also welcome.


14. Security

  • TLS 1.2+ in transit, AES-256 at rest (Google-managed keys).
  • Firebase Authentication with MFA support.
  • Secrets in Google Secret Manager. Never in source code.
  • Multi-tenant isolation via per-tenant BigQuery datasets and Firestore namespaces.
  • Least-privilege IAM, audit logging, vulnerability scanning in CI.
  • Operational backups of the hosting infrastructure are performed by Google Cloud Platform in accordance with its standard procedures. These backups are used solely for disaster recovery and are not exposed to customers as a data-recovery mechanism. Customers requiring point-in-time recovery should use the in-app Export feature (Settings → Account → Export my data).

No system is perfectly secure. We will notify affected customers without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting their data (Art. 33 GDPR).


15. Marketing communications

We send three classes of email:

  1. Transactional and account email (receipts, security alerts, password resets, material policy changes). Required for service operation. You cannot opt out of these as long as you have an active account.
  2. Periodic analytics reports (weekly campaign performance digest). Sent as part of the service to users who have connected at least one ad account. Basis: performance of the contract (Art. 6(1)(b)). Toggle off in Settings → Notifications → Weekly reports.
  3. Prospect / newsletter (sent only if you actively subscribe). Sent on a consent basis. Withdraw at any time.

We do not buy contact lists. We do not enrich your profile from data brokers.


16. Changes to this Policy

We will publish any material change at https://consultad.io/privacy and notify account owners by email at least 30 days before it takes effect. Non-material changes (clarifications, typographical fixes, formatting) take effect when published.

A change log of material updates is maintained at the bottom of this page when changes occur.


17. Contact

For privacy or data-protection questions:

Karol Kwiatkowski (sole trader)
ul. Dereniowa 60/104, 02-776 Warszawa, Poland
karol@consultad.io

For other matters: see Terms of Service, DPA, Cookie Policy, Sub-processor list.