Last updated: 2026-05-13
Privacy Policy
This Privacy Policy explains how Adload ("Adload", "we", "us") collects, uses, stores, and protects personal data when you use the service available at adload.app. Adload is operated by Larin Talabani-Durmus (see Imprint). We are committed to compliance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG).
1. Data Controller
The controller responsible for processing your personal data under Article 4(7) GDPR is:
Larin Talabani-Durmus
Zwieselbachweg 9
90451 Nürnberg, Germany
Email: support@adload.app
For all privacy-related questions, requests, or complaints, please use the email above.
2. Information We Collect
2.1 Account information
When you sign in, we collect your email address through our authentication provider (Supabase). Authentication uses a passwordless magic-link flow; we do not store a password.
2.2 Meta Marketing API integration
After you click "Connect Meta", you authorize Adload via Facebook's OAuth flow. Facebook returns an access token that grants Adload limited access to your Meta ad accounts. We store:
- Your Meta user ID and display name
- A long-lived access token (~60 days) and its expiry timestamp
- The list of OAuth scopes you granted
- Metadata about ad accounts you have access to (name, currency, timezone, account status, owning business), cached to power the ad account picker
Tokens are stored server-side in our database and are never exposed to your browser.
2.3 Ad assets you upload
Videos and images you upload to build ads are stored temporarily in our object storage (Supabase Storage). Each file is scoped to your user account via row-level security and is only used to (a) generate a short-lived signed URL that Meta downloads when creating the ad, and (b) preview the asset inside your browser.
2.4 Ad presets you create
Presets you create (default copy, link URLs, enhancement opt-out settings) are stored against your account. This is content you author — you retain ownership.
2.5 Technical data
Our hosting provider (Vercel) and our database/auth provider (Supabase) automatically log request metadata necessary for service operation and security: IP address, user agent, request paths, timestamps, and error logs. We do not use analytics, advertising, or tracking cookies. The only cookies we set are essential session cookies required to keep you logged in.
3. Legal Basis for Processing
We rely on the following legal bases under Article 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)): processing necessary to provide the Adload service to you (account, Meta integration, ad creation features).
- Legitimate interests (Art. 6(1)(f)): server logs, security monitoring, abuse prevention, and product improvement.
- Consent (Art. 6(1)(a)): when you explicitly grant OAuth permissions to Meta. You can revoke that consent at any time via your Facebook settings or by disconnecting Meta from inside Adload.
- Legal obligation (Art. 6(1)(c)): retention of records that German law requires us to keep.
4. How We Use Your Information
- To create, authenticate, and maintain your account
- To call the Meta Marketing API on your behalf in order to read your ad accounts and create ads you instructed us to create
- To temporarily host ad assets you upload so that they can be shipped to Meta
- To send you essential transactional emails (magic links, security notices)
- To prevent abuse, detect fraud, and secure the service
- To comply with legal obligations and respond to lawful requests
We do not sell your data. We do not use your data to train AI models. We do not use your data for advertising targeting outside of the ads you yourself instruct us to create on Meta.
5. Cookies
Adload uses only strictly necessary cookies: a session cookie set by our authentication provider to keep you signed in, and a CSRF-state cookie set transiently during the Meta OAuth flow. We do not use marketing cookies, analytics cookies, or third-party tracking cookies. No cookie banner is required because all cookies set are essential under Section 25 (2) of the German Telecommunications and Telemedia Data Protection Act (TTDSG).
6. Sharing with Third Parties
We do not sell or trade your personal data. We share it only with service providers (data processors under Article 28 GDPR) strictly necessary to operate Adload:
- Supabase (database, authentication, file storage). Data is stored in the EU (Frankfurt, eu-central-1).
- Vercel (application hosting). Application logs and edge-rendered responses may traverse Vercel infrastructure.
- Meta Platforms Ireland Ltd. When you authorize the Meta integration, we send API requests on your behalf to Meta's Graph API. The processing of your data by Meta is governed by Meta's own privacy policy.
7. International Data Transfers
Adload primarily stores personal data in the European Union. Some sub-processors (e.g. Vercel for edge hosting, Meta for the Meta integration) may process data outside the EU. Where transfers occur, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on the EU–US Data Privacy Framework where applicable.
8. Data Retention
- Account data: retained for as long as your account exists.
- Meta tokens: stored until they expire (~60 days) or until you disconnect Meta from your account.
- Uploaded ad assets: retained until you delete them or your account is closed, then purged within 30 days.
- Server logs: rotated and deleted within 30 days unless required for security or legal reasons.
- Account deletion: when you delete your account, we remove your personal data within 30 days, except where retention is required by law (e.g. tax records: up to 10 years per § 147 AO).
9. Data Security
We protect your data using industry-standard measures: TLS in transit, encrypted database storage at rest, row-level security on every table so you only see your own data, and least-privilege access controls for operational staff. We will notify you and the competent supervisory authority of any personal data breach without undue delay and within 72 hours where required by Art. 33 GDPR.
10. Your Rights
Under GDPR you have the following rights:
- Right of access (Art. 15 GDPR) — request a copy of the personal data we hold about you
- Right to rectification (Art. 16 GDPR) — correct inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR) — request deletion of your personal data
- Right to restriction (Art. 18 GDPR) — limit how we process your data
- Right to data portability (Art. 20 GDPR) — receive your data in a machine-readable format
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent
- Right to lodge a complaint with the supervisory authority. In Bavaria this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA): www.lda.bayern.de
To exercise any of these rights, email support@adload.app. We respond within 30 days.
11. Automated Decision-Making
Adload does not engage in automated decision-making or profiling within the meaning of Article 22 GDPR. The ads you create are based on instructions you provide; we do not target audiences for you.
12. Children's Privacy
Adload is a B2B tool for advertisers and is not directed to children. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with personal data, please contact us so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes to the service or the law. Material changes will be communicated by email to signed-in users. The "Last updated" date at the top reflects the most recent revision.
14. Contact
Questions about this policy or your data: support@adload.app.