Privacy Policy

Last updated: 19 May 2026

This Privacy Policy explains how Excite Foundry Ltd (registered in England and Wales, registered office at 85 Great Portland Street, London, W1W 7LT) collects, uses, and protects your personal information when you use AdsIQ ("the Service") at ads-iq.com.

1. Information we collect

• Account information — your name, email address, and company affiliation, provided when you sign up or sign in.
• Authentication tokens — secure access tokens issued by the platforms you connect, used to access the accounts you have explicitly authorized.
• Connected account data — campaign data, performance metrics, creative assets, audience configurations, product catalogs, and account metadata from the advertising and ecommerce platforms you connect to AdsIQ.
• Public profile information — where the connected platform exposes it, publicly available profile information such as display names, profile pictures, and follower counts for accounts referenced in your connected campaigns or partnerships.
• Service-generated content — analyses, scores, tags, summaries, and recommendations produced by the Service from the data above.
• Usage data — pages visited, features used, session duration, and interaction patterns within the Service.

2. How we use information

We use the information we collect to:

• Provide cross-channel performance analytics and recommendations.
• Power features such as creative analysis, scoring, and AI-assisted insights.
• Execute actions you explicitly approve on connected platforms.
• Operate, debug, and improve the Service.
• Communicate with you about your account, billing, security, and Service updates.

We do not use your data to deliver advertising to you or anyone else, and we do not use your data to train general-purpose AI models.

3. Legal basis for processing (UK GDPR / EU GDPR)

Excite Foundry Ltd processes personal data under the following lawful bases set out in Article 6 of the UK GDPR and EU GDPR:

• Contract (Art. 6(1)(b)) — processing necessary to deliver the AdsIQ service to you under our Terms of Service, including authentication, account management, billing, and the core advertising-analytics and optimisation features you have subscribed to.
• Legitimate Interests (Art. 6(1)(f)) — processing necessary to operate, secure, debug, and improve the Service, to detect and prevent fraud or abuse, to maintain audit logs, and to communicate service-related notices. We balance these interests against your rights and have determined they do not override your fundamental rights and freedoms.
• Consent (Art. 6(1)(a)) — where you explicitly authorise us (for example, via OAuth) to access third-party advertising accounts (Amazon Advertising, Google Ads, Meta, TikTok) on your behalf. You may withdraw this consent at any time by revoking the connection in your AdsIQ account or directly with the third-party platform.
• Legal Obligation (Art. 6(1)(c)) — where processing is required to comply with applicable law, including tax, accounting, and regulatory record-keeping obligations in the United Kingdom.

Where we rely on Legitimate Interests, you have the right to object to that processing; contact privacy@ads-iq.com.

4. Third-party services

AdsIQ integrates with third-party services to deliver its functionality. Your use of each integration is governed by the respective provider's terms and privacy policy.

• Advertising platforms — Meta (Facebook, Instagram), Google Ads, Amazon Advertising, TikTok, and similar networks, for campaign data, creative assets, performance reporting, and any actions you authorize.
• Ecommerce platforms — Shopify, Amazon Selling Partner, and similar, for product catalog and order data where relevant to advertising decisions.
• Authentication providers — Google and Facebook OAuth for sign-in.
• Infrastructure — Google Cloud Platform for hosting, databases, and storage.
• AI providers — Anthropic and Google Gemini for natural-language analysis, vision tagging, and transcript generation. Per their API terms, content sent for processing is not used to train their foundation models.

A full list of sub-processors is available at ads-iq.com/subprocessors.

Amazon Selling Partner data

Where you connect an Amazon Selling Partner or Amazon Advertising account to AdsIQ, we receive data from Amazon's APIs (including, depending on the scope you authorise, advertising performance data, campaign data, listing data, and order or sales data). This data is used solely to provide the AdsIQ service to you — analytics, reporting, optimisation, and automated actions that you have authorized. We do not use Amazon Selling Partner data for any other purpose, do not share it with third parties except as strictly necessary to deliver the service (e.g. our cloud infrastructure provider), and do not use it to train general-purpose machine-learning models. If you revoke AdsIQ's access via Amazon Seller Central or terminate your AdsIQ account, we will delete all Amazon Information from our active systems within 30 days of revocation or termination, with backup copies expiring on our standard backup-retention schedule (no longer than 90 days).

5. Data storage and security

Your data is stored on Google Cloud Platform infrastructure in the United States. We use industry-standard security practices including encryption in transit (TLS 1.2+), encryption at rest (AES-256), encrypted storage of access tokens (Google Cloud Secret Manager, KMS-encrypted), role-based access controls, and audit logging. For full details, see our Security page.

6. Information security controls

In addition to the encryption commitments above, Excite Foundry Ltd maintains the following technical and organisational controls in line with the Amazon Selling Partner API Data Protection Policy and industry standard practice:

• Access control and authentication — multi-factor authentication is enforced on all administrative and engineering accounts with access to production systems. AdsIQ end users sign in via Google OAuth or magic-link email; there are no end-user passwords. User accounts are locked after ten (10) consecutive failed login attempts and require an out-of-band reset.
• Least-privilege access — production access is granted on a role-based, need-to-know basis. Access is reviewed at least quarterly.
• Personnel offboarding — access for terminated personnel or contractors is revoked within 24 hours of termination, including credentials, SSO, VPN, cloud-platform IAM roles, source-code repositories, and third-party tooling.
• Vulnerability management — production systems are subject to automated dependency scanning at least every 30 days and annual third-party penetration testing. Critical-severity vulnerabilities are remediated within seven (7) days of identification and high-severity vulnerabilities within thirty (30) days of identification, in line with the Amazon SP-API DPP §2.7.
• Anti-malware and endpoint protection — endpoint anti-malware is deployed on all workstations and servers that access production data, with definitions automatically updated.
• Network protection — production environments are protected by network-layer firewalls, private VPC isolation, and intrusion-detection monitoring. Administrative access is restricted to authenticated channels.
• Logging and monitoring — security-relevant events including authentication, privileged access, and data access are logged, retained for at least twelve (12) months, and reviewed for anomalies (in real-time via automated alerting or on a bi-weekly basis at minimum).
• Asset inventory — we maintain and update at least quarterly an inventory of systems that store, process, or transmit Amazon Information.
• API credential rotation — application API keys and LWA client secrets are rotated at minimum once every twelve (12) months, or immediately following any suspected compromise.
• Annual risk assessment — Excite Foundry Ltd's senior management reviews the information security risk assessment at least annually.
• Third-party risk assessments — sub-processors are assessed at least annually for security posture and confirmed to maintain controls at least as strict as our own (Amazon SP-API Acceptable Use Policy §4.7).
• Encryption — TLS 1.2 or higher in transit; AES-256 encryption at rest; OAuth tokens and API credentials encrypted at the application layer with keys managed via Google Cloud KMS.
• Secure development — code changes are subject to peer review prior to deployment to production. Secrets are stored in a dedicated secret manager and never committed to source control.
• Business continuity — production data is backed up on an automated schedule with documented restore procedures tested periodically.

7. Security incident and breach notification

Excite Foundry Ltd maintains a documented Security Incident Response Plan. In the event of a confirmed or reasonably suspected security incident affecting personal data or third-party platform data (including Amazon Selling Partner data) under our control, we will:

• Notify Amazon within 24 hours of becoming aware of any Security Incident affecting Amazon Information, in accordance with the Amazon Selling Partner API Data Protection Policy.
• Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach where the breach is likely to result in a risk to the rights and freedoms of data subjects, as required by Article 33 of the UK GDPR.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the UK GDPR.
• Notify affected customers of any incident materially affecting their data or their connected third-party accounts.

Notifications will include the nature of the incident, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the incident and mitigate its effects. We maintain an internal incident log for all reportable and non-reportable events.

8. Sharing

We do not sell your personal information. We share data only:

• With the third-party services listed above, and only as necessary to provide the Service you have requested.
• With service providers acting on our behalf under written confidentiality obligations.
• If required by law or valid legal process, or to protect our or our users' legal rights.
• In connection with a corporate transaction (merger, acquisition, restructuring), in which case the acquiring entity will be bound by this Policy.

9. Your rights

You have the right to access, correct, or request deletion of your personal data; to export your content and data; and to revoke any third-party integration at any time through your account settings or the relevant platform's permissions page. To exercise any of these rights, email privacy@ads-iq.com. We will respond within 30 days.

10. California resident rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the following rights in addition to those described above:

• Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete — request deletion of personal information we have collected from you, subject to exceptions permitted by law.
• Right to Correct — request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing — Excite Foundry Ltd does not sell personal information and does not share personal information for cross-context behavioural advertising as those terms are defined under the CPRA.
• Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes beyond those permitted by the CPRA.
• Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email privacy@ads-iq.com from the email address associated with your account. We will verify your request and respond within 45 days. You may also designate an authorised agent to act on your behalf, subject to verification.

11. Data retention

We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law (e.g., billing records). Aggregated, anonymized analytics may be retained indefinitely for Service improvement.

12. International transfers

Excite Foundry Ltd is established in the United Kingdom, and our infrastructure is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. Where applicable, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or equivalent safeguards.

If you are located in the United Kingdom or European Economic Area, you have additional rights under the UK GDPR and EU GDPR, including the right to lodge a complaint with a supervisory authority. The UK supervisory authority is the Information Commissioner's Office at ico.org.uk.

13. Children's privacy

AdsIQ is a business-to-business service intended for professional advertisers. It is not directed to children, and we do not knowingly collect personal information from individuals under the age of 16.

14. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before they take effect. Continued use after changes take effect constitutes acceptance of the updated Policy.

15. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@ads-iq.com.