Demandary - Autonomous Marketing Operations

Data Controller

HoltenSys is the data controller responsible for your personal data collected through Demandary.

Location: Norway

1. Introduction

Demandary, a product of HoltenSys ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our autonomous marketing operations platform.

By using Demandary, you agree to the collection and use of information in accordance with this policy. We process data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Information We Collect

2.1 Information You Provide

Account information (name, email address, company name)
Payment and billing information (processed by Stripe)
Business context and advertising preferences
Brand guidelines and compliance requirements
Communications with our support team

2.2 Information from Connected Advertising Platforms

When you connect your advertising accounts, we receive data from these platforms to provide our services:

Meta (Facebook/Instagram) Platform Data

We collect the following data through Meta's APIs:

Account Information: Meta User ID, name, email address, profile picture
Page Data: List of Pages you manage, Page IDs, Page names
Business Data: Business Manager information, ad account IDs and names
Ad Campaign Data: Campaign structure, ad sets, ads, targeting settings, budgets, bids, schedules
Performance Metrics: Impressions, clicks, spend, conversions, ROAS, CPM, CPC, CTR
Creative Assets: Ad images, videos, copy, headlines, descriptions
Engagement Data: Page likes, comments, shares, reactions on ads
Access Tokens: OAuth tokens for API access (stored encrypted)

Google Ads Platform Data

We collect the following data through Google Ads APIs:

Account Information: Google User ID, email address, name
Manager Account Data: MCC structure, linked accounts
Ad Campaign Data: Campaigns, ad groups, ads, keywords, targeting, budgets, bids
Performance Metrics: Impressions, clicks, cost, conversions, conversion value, Quality Score
Creative Assets: Ad copy, responsive ad assets, image assets, video assets
Audience Data: Remarketing lists, customer match audiences (metadata only)
Conversion Data: Conversion actions, conversion tracking data
Access Tokens: OAuth tokens for API access (stored encrypted)

2.3 Automatically Collected Information

Device and browser information
IP address and approximate location
Usage patterns and feature analytics
Cookies and similar tracking technologies
Error logs and diagnostic data

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Delivery

Display your advertising campaigns and performance metrics in our dashboard
Generate AI-powered optimization recommendations
Execute approved changes to your ad campaigns (with your consent)
Monitor campaigns for anomalies and apply safety controls
Provide audit logs of all actions taken on your accounts

3.2 Platform Operations

Authenticate your identity and maintain account security
Process payments and manage subscriptions
Communicate important updates about your account
Provide customer support

3.3 Improvement and Analytics

Improve our AI algorithms and recommendation engine
Analyze aggregate usage patterns to enhance features
Debug issues and ensure platform stability

4. Data Processors and Service Providers

We share data with the following categories of service providers who process data on our behalf:

Provider	Purpose	Location
DigitalOcean, LLC	Cloud infrastructure hosting	Netherlands (EU)
Stripe, Inc.	Payment processing	USA
Sentry (Functional Software)	Error monitoring	USA
Google Cloud (Vertex AI)	AI/ML processing	USA/EU

All processors are bound by Data Processing Agreements (DPAs) and are contractually obligated to process data only according to our instructions and in compliance with applicable data protection laws.

5. Data Sharing and Disclosure

We do not sell your personal data.

We may share data in the following circumstances:

With advertising platforms: We send data back to Meta and Google as necessary to execute campaign changes you have approved
With service providers: As described in Section 4, for operational purposes
For legal compliance: When required by law, court order, or government request
To protect rights: To enforce our terms, protect our rights, or ensure user safety
Business transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)

6. Data Security

We implement comprehensive security measures to protect your data:

Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls: Role-based access control (RBAC) and multi-factor authentication
Token Security: OAuth tokens are encrypted with per-tenant keys and never logged
Audit Logging: Immutable audit trails of all data access and modifications
Security Testing: Regular penetration testing and vulnerability assessments
Incident Response: Documented procedures for security incident handling

See our Security page for more details.

7. Data Retention

We retain data according to the following schedule:

Account Data: Retained while your account is active, deleted within 30 days of account closure
Platform Data (Meta/Google): Performance metrics retained for up to 24 months for historical analysis; deleted upon account closure or disconnection
OAuth Tokens: Deleted immediately upon disconnection of an ad account
Audit Logs: Retained for 7 years for compliance purposes
Backup Data: Removed from backups within 90 days of deletion

You may request earlier deletion of your data at any time (see Section 8).

8. Your Rights

Under GDPR and other applicable laws, you have the following rights:

Right of Access: Request a copy of all personal data we hold about you
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Portability: Receive your data in a machine-readable format
Right to Restrict Processing: Limit how we use your data
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Disconnecting Platform Accounts

You can disconnect your Meta or Google ad accounts at any time from your Demandary dashboard under Settings → Connections. Upon disconnection:

OAuth tokens are immediately deleted
We stop accessing data from that platform
Historical data is deleted within 30 days (unless you request immediate deletion)

9. Meta Platform Data Usage

Our use of information received from Meta APIs adheres to the Meta Platform Terms and Developer Policies.

We only request permissions necessary for the features you use
We do not sell Meta Platform Data to third parties
We do not use Meta Platform Data for purposes unrelated to our services
We do not transfer Meta Platform Data to data brokers
We provide transparency about how we use your data
You can revoke access at any time through your Meta account settings or our platform

10. Google API Services Usage

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We only access the Google user data necessary to provide our advertising management services
We do not use Google user data for serving advertisements
We do not allow humans to read your data unless required for security, legal compliance, or with your consent
We do not transfer Google user data to third parties except as necessary to provide our services
You can revoke access at any time through your Google account settings or our platform

11. International Data Transfers

As a Norwegian company, we primarily process data within the European Economic Area (EEA). When data is transferred outside the EEA (e.g., to US-based service providers), we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all processors
Additional technical and organizational measures as needed

12. Cookies and Tracking

We use cookies and similar technologies for:

Essential Cookies: Required for authentication and security
Functional Cookies: Remember your preferences
Analytics Cookies: Understand how you use our platform

You can manage cookie preferences through the cookie consent banner or your browser settings.

13. Government Data Requests

We have not received any national security requests for user data in the past 12 months. If we receive such requests, we have policies in place to:

Review the legality of all requests
Challenge requests we believe are unlawful
Minimize data disclosed to what is strictly necessary
Document all requests and our responses
Notify affected users where legally permitted

14. Children's Privacy

Demandary is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on this page with a new "Last updated" date
Sending an email notification for significant changes
Displaying a notice in the Demandary dashboard

16. Contact Us

For privacy-related questions, to exercise your rights, or to file a complaint, contact us:

HoltenSys

[email protected]

Norway

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.