Data Protection & GDPR Compliance
Last updated: April 7, 2026
Adisoma is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. This page provides detailed information about how we process and protect your data.
1. Data Controller
Adisoma Inc. acts as the data controller for personal data collected through our platform. As the data controller, we determine the purposes and means of processing your personal data.
When you use Adisoma to manage advertising campaigns on behalf of your end users or customers, you act as the data controller for their data, and Adisoma acts as a data processor on your behalf.
2. Legal Basis for Processing
Under the GDPR, we process personal data based on the following legal grounds:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide the Adisoma platform and services you have subscribed to. This includes account management, campaign deployment, analytics generation, and billing.
- Legitimate Interest (Article 6(1)(f)): Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring platform security. We conduct balancing tests to ensure our interests do not override your fundamental rights.
- Consent (Article 6(1)(a)): Where we process data based on your explicit consent, such as sending marketing communications or using non-essential cookies. You may withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, such as tax reporting and responding to lawful government requests.
3. Data Processing Activities
The following table summarizes our key data processing activities:
| Activity | Data Categories | Legal Basis | Retention |
|---|---|---|---|
| Account registration | Name, email, password | Contract | Account lifetime |
| Campaign management | Campaign data, creatives, targeting | Contract | 24 months post-campaign |
| Payment processing | Billing address, card details (via Stripe) | Contract / Legal obligation | 7 years |
| Platform OAuth | Access tokens, account IDs | Contract | Until disconnection |
| Analytics & reporting | Usage data, performance metrics | Legitimate interest | 24 months |
| Marketing communications | Email, preferences | Consent | Until withdrawal |
| Security logging | IP address, user agent, actions | Legitimate interest | 90 days |
4. International Data Transfers
Adisoma is headquartered in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States and other countries where our service providers operate.
We ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all sub-processors located outside the EEA.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission.
- Supplementary Measures: We implement technical and organizational measures including encryption in transit and at rest, access controls, and regular security assessments.
5. Sub-processors
We use the following sub-processors to deliver our services. All sub-processors are bound by data processing agreements that include GDPR-compliant terms:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DNS, R2 object storage | Global (US HQ) |
| Stripe | Payment processing | United States |
| Resend | Transactional email | United States |
| Sentry | Error monitoring | United States |
| Anthropic | AI creative adaptation | United States |
We will notify you of any changes to our sub-processors at least 30 days before the change takes effect, giving you the opportunity to object.
6. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, including the facts, effects, and remedial actions taken, regardless of whether notification is required.
- Notify you as our customer within 48 hours if the breach involves data we process on your behalf.
7. Security Measures
We implement robust technical and organizational measures to protect your data:
- All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
- OAuth tokens for connected advertising platforms are encrypted using application-level encryption before storage.
- Access to production systems is restricted to authorized personnel and requires multi-factor authentication.
- We conduct regular security assessments and penetration testing.
- All database backups are encrypted and stored in geographically separate locations.
- We maintain detailed audit logs for all administrative and data access actions.
8. Data Protection Officer Contact
For any data protection inquiries, to exercise your rights under GDPR, or to file a complaint, please contact our Data Protection Officer:
You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.