Ads Manager Tools — Winevizer SRL
Privacy Policy
Last updated: 31/05/2026
This policy explains how Winevizer SRL ("we", "our", the "publisher") collects, uses, shares and protects personal data in the context of the online service Ads Manager Tools, accessible at tools.winevizer.com (the "Service"), as well as on the associated presentation pages.
We process data in accordance with Regulation (EU) 2016/679 (the "GDPR") and the Belgian Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data.
1. Data Controller
- Controller: Winevizer SRL
- Registered office: Mons, Belgium
- Company / VAT number (CBE): BE 1034.941.894
- Privacy contact: operations@winevizer.com
For data imported from your advertising and analytics accounts (see §3.3), we act as a data processor on behalf of the professional user operating the workspace; that user remains the data controller for such data. For account, billing and browsing data, we act as the data controller.
2. Scope
This policy covers (a) account holders and members of a Service workspace, (b) visitors to our presentation pages, and (c) individuals whose data appears in advertising and measurement data imported into the Service by our users.
3. Data We Process
3.1 Account and Workspace Data
- Display name, email address, password (stored only as a salted hash, never in plaintext);
- Workspace name, member roles and memberships, invitations;
- Email verification status, account preferences.
3.2 Third-Party Platform Credentials
When you connect a platform, we store the OAuth access tokens, refresh tokens and/or API keys required. These secrets are encrypted at rest using envelope encryption, with a per-workspace data key (see §8). We never store the passwords of your third-party accounts.
3.3 Data Imported from Connected Platforms
Depending on the connectors you activate, we retrieve performance data, for example:
- Google Ads — campaigns, costs, clicks, impressions, conversions;
- Meta Ads (Facebook/Instagram) — campaigns, spend, insights;
- Google Analytics 4 — aggregated sessions, events and audiences;
- Google Search Console — search performance (queries, clicks, positions);
- Microsoft Clarity — aggregated engagement and behavioural metrics;
- WordPress — content and landing page data you authorise us to read.
These data are predominantly aggregated and statistical. Where they contain personal identifiers, the data controller is the relevant professional user.
3.4 Audience Measurement and Conversions on Landing Pages
If you deploy our measurement scripts on your pages, we may process:
- advertising click identifiers (
gclid,fbclid) and an attribution cookie; - an email address hashed server-side with SHA-256 for the purposes of advanced conversion measurement (Meta Conversions API, Google Enhanced/Offline Conversions) — the plaintext email is neither transmitted nor retained for this purpose;
- minimal technical data (truncated IP address, user agent, page visited).
3.5 Technical Data and Logs
- IP address, browser type, timestamps, pages visited, security logs;
- Strictly necessary cookies (session, anti-CSRF token, "remember me").
Our application logs are anonymised and contain no secrets or plaintext email addresses.
4. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the Service, managing your account and workspaces | Performance of a contract (Art. 6.1.b) |
| Connecting your platforms and importing your campaign data | Performance of a contract (Art. 6.1.b) |
| Generating daily analyses and recommendations | Performance of a contract (Art. 6.1.b); legitimate interest (Art. 6.1.f) |
| Security, fraud prevention, logging | Legitimate interest (Art. 6.1.f) |
| Service emails (verification, daily digest) | Performance of a contract (Art. 6.1.b) |
| Audience measurement and third-party marketing pixels | Consent (Art. 6.1.a) |
| Compliance with our legal obligations (accounting, etc.) | Legal obligation (Art. 6.1.c) |
5. Cookies and Trackers
We use two categories of cookies:
- Strictly necessary cookies — session, security (anti-CSRF), "remember me". These do not require consent.
- Measurement and marketing cookies — set via third-party tools (Google Analytics 4, Meta pixel, LinkedIn Insight Tag, Google Tag Manager, Microsoft Clarity) only after your consent, collected via our cookie banner.
You may withdraw your consent at any time by resetting your cookie preferences or via your browser settings.
6. Recipients and Sub-processors
We do not sell your data. We share it only with providers necessary to operate the Service:
- OVHcloud (EU) — infrastructure hosting and email delivery;
- Google LLC — Google Ads, Analytics 4, Search Console (depending on your connectors);
- Meta Platforms, Inc. — Meta Ads and Conversions API (depending on your connectors);
- Microsoft Corporation — Microsoft Clarity (depending on your connectors);
- LinkedIn (Microsoft) — Insight Tag, if enabled;
- Anthropic, PBC — processing via the Claude API of aggregated campaign data and landing page content, solely for the purpose of generating your analyses and recommendations.
7. Transfers Outside the European Union
Certain sub-processors (Google, Meta, Microsoft, LinkedIn, Anthropic) are established in the United States. Where data are transferred outside the EEA, such transfers are subject to appropriate safeguards: Standard Contractual Clauses issued by the European Commission and/or certification under the EU-U.S. Data Privacy Framework. Primary hosting and the database are located within the European Union (OVHcloud).
8. Security
We implement robust technical and organisational measures:
- Envelope encryption of third-party credentials, with a separate data key per workspace (libsodium); deleting a workspace destroys its key ("crypto-shredding"), rendering the associated data permanently irrecoverable;
- passwords stored as salted hashes; conversion emails hashed with SHA-256;
- strict multi-tenant isolation between tenants;
- encryption in transit (HTTPS/TLS), hardened security headers, anti-CSRF protection;
- anonymised logs, principle of least privilege, secrets stored in an encrypted vault.
9. Retention Periods
- Account data: for the duration of your account, then deleted within a reasonable period after closure;
- Third-party platform credentials: until the connector is disconnected or the workspace is deleted;
- Imported campaign / measurement data: retained for historical and analytical purposes, then deleted with the workspace;
- Technical logs: retained for a limited period for security and diagnostic purposes.
10. Your Rights
Under the GDPR, you have the following rights:
- right of access and rectification;
- right to erasure ("right to be forgotten");
- right to restriction of processing;
- right to data portability;
- right to object to processing based on legitimate interest;
- right to withdraw your consent at any time (without retroactive effect).
To exercise these rights, write to us at operations@winevizer.com. We respond within one month. You may also lodge a complaint with the Belgian supervisory authority:
11. Minors
The Service is intended for professionals and is not designed for persons under the age of 16. We do not knowingly collect data relating to minors.
12. Changes
We may update this policy. Any material change will be indicated on this page with a revised update date.
13. Contact
For any questions regarding this policy or your data: operations@winevizer.com.