Privacy Policy

Version 1.0 | Effective Date: February 6, 2026 | Last Updated: February 6, 2026

Key Points at a Glance

  • We collect your email, password, and profile info to provide your account.
  • We access analytics data from platforms you connect (Google, Meta, LinkedIn, TikTok, etc.) on behalf of your agency clients.
  • Your data is stored on Cloudflare infrastructure, primarily in the EU.
  • We share data with specific service providers (listed below) solely to operate the service.
  • You can request access, correction, or deletion of your data at any time.
  • We use AI (Anthropic Claude) to generate report insights — these are advisory only, not automated decision-making with legal effects.
  • We use only essential cookies for session management — no tracking or analytics cookies.
  • Questions? Contact us at [email protected]

1. Identity & Contact Details

Data Controller: ProvenLeap SRL, Bucharest, Romania

Data Protection Contact: [email protected]

Note: ProvenLeap does not currently appoint a Data Protection Officer (DPO) under GDPR Article 37(1), as our core activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special category data. A dedicated data protection contact email is provided for all privacy-related inquiries. We will reassess DPO appointment as the service scales.

Supervisory Authority: ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)

Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: https://www.dataprotection.ro

2. Data We Collect

We collect the following categories of data:

Account Data

  • Email address and password hash (for email/password registration)
  • Display name and profile information you choose to provide
  • OAuth profile data (name, email, avatar) when using Google sign-in

OAuth Tokens

When you connect third-party platforms, we store encrypted OAuth access and refresh tokens to maintain your integrations. These tokens allow us to access data from the connected platforms on your behalf.

Analytics Data from Integrations

We access analytics and performance data from the platforms you connect. This data is accessed on your behalf to generate reports for your agency clients. See the User Data vs. End-Client Data section for how we distinguish between your data and your clients' data.

Usage Data

  • Feature usage patterns (which features you use, how frequently)
  • Page views and navigation patterns within ProvenLeap
  • Error logs for debugging and service improvement

Essential Cookies

A single session cookie for authentication. See the Cookies section for details.

Platform-Specific Data Access

The following table details the specific permission scopes we request from each platform and the data types accessed through each scope:

Platform | Permission Scope | Data Types Accessed
Google Analytics 4 | analytics.readonly | Sessions, users, pageviews, bounce rate, events, conversions
Google Search Console | webmasters.readonly | Search queries, impressions, clicks, CTR, position
Google Ads | adwords | Campaigns, ad spend, impressions, clicks, conversions, ROAS
YouTube Analytics | yt-analytics.readonly | Views, watch time, subscribers, engagement, demographics
Google Business Profile | business.manage | Reviews, ratings, posts, photos, insights
Google PageSpeed | Public API (no OAuth) | Performance scores, Core Web Vitals, recommendations
Facebook Pages | pages_show_list, pages_read_engagement | Page names, IDs, impressions, reach, engaged users, post performance
Facebook Ads | ads_read | Campaign names, spend, impressions, clicks, conversions
Instagram | instagram_basic, instagram_manage_insights | Profile info, media, impressions, reach, engagement
LinkedIn Pages | r_organization_social | Company page analytics, follower counts, engagement
LinkedIn Ads | r_ads_reporting | Campaign performance, spend, impressions, clicks
TikTok Business | analytics.read | Video views, engagement, follower growth, demographics

3. How We Use Your Data

We process your data only for specific, legitimate purposes. Below is a breakdown of each processing activity and its legal basis under GDPR Article 6(1):

Data | Purpose | Legal Basis
Email, password | Account creation and authentication | Contract (Art. 6(1)(b))
OAuth tokens | Platform integration access | Contract (Art. 6(1)(b))
Analytics data (your platforms) | Report generation | Contract (Art. 6(1)(b))
End-client analytics data | Report generation for agency clients | Contract (Art. 6(1)(b)) — ProvenLeap as processor
Usage data | Service improvement and debugging | Legitimate interest (Art. 6(1)(f))
Email address | Transactional emails (verification, password reset, notifications) | Contract (Art. 6(1)(b))
Analytics data | AI-powered insight generation | Contract (Art. 6(1)(b))
Essential cookies | Session management | Legitimate interest (Art. 6(1)(f))

Legitimate Interests Assessment: Where we rely on legitimate interest, we have assessed that our processing is necessary for our legitimate purposes and does not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time. See Your Rights.

Provision of data: Providing your email and password (or OAuth credentials) is necessary to create an account and use the service. Without this data, we cannot provide the service to you.

4. Third-Party Processors

We share your data with the following third-party service providers solely to operate and deliver the ProvenLeap service. Each processor operates under a Data Processing Agreement (DPA) that ensures GDPR compliance.

Processor | Purpose | Data Transferred | Location | Transfer Mechanism
Cloudflare | Infrastructure (Workers, D1, KV, R2, Pages) | All application data | Global (EU preferred) | DPA + SCCs
Anthropic | AI insights generation | Analytics data (anonymized) | USA | DPA + SCCs
Amazon SES | Transactional email delivery | Email addresses, email content | EU (eu-west-1) | DPA + SCCs
Stripe * | Payment processing | Name, email, payment method | USA/EU | DPA + EU-US DPF
Google APIs * | Analytics, Search Console, Ads, YouTube, GMB, PageSpeed | OAuth tokens, analytics metrics | USA | DPA + EU-US DPF
Meta APIs | Facebook Pages, Facebook Ads, Instagram | OAuth tokens, social metrics | USA | DPA + SCCs
LinkedIn API | Company Pages, Ads | OAuth tokens, marketing metrics | USA | LinkedIn Business DPA
TikTok API | Business analytics | OAuth tokens, content metrics | Singapore/USA | DPA + SCCs

* Denotes processors certified under the EU-US Data Privacy Framework (DPF). All other processors rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.

5. International Data Transfers

Your data is primarily stored and processed within the European Union using Cloudflare's infrastructure. Cloudflare may process data in other regions for network performance purposes, subject to Standard Contractual Clauses.

When we transfer personal data outside the European Economic Area (EEA), we rely on the following safeguards:

  • EU-US Data Privacy Framework (DPF): Certain processors (Stripe, Google) are certified under the DPF, which the European Commission has recognized as providing adequate protection for personal data transfers to certified US organizations.
  • Standard Contractual Clauses (SCCs): For all other international transfers, we use the European Commission's Standard Contractual Clauses, which provide appropriate safeguards for the protection of personal data. This applies to transfers to Anthropic, Meta, TikTok, and Cloudflare.

You may request a copy of the relevant safeguards by contacting us at [email protected].

6. Data Retention

We retain your data only for as long as necessary to provide our services and fulfill the purposes described in this policy. Specific retention periods are:

Data Category | Retention Period | Basis
Account data | Duration of account + 30 days after deletion | Contractual
OAuth tokens | Until you disconnect the integration or delete your account | Contractual
Analytics/report data (general) | Duration of account | Contractual
LinkedIn social activity data | Maximum 48 hours | LinkedIn API Terms
LinkedIn profile data | Deleted within 24 hours | LinkedIn API Terms
Meta integration data | While integration is connected; deleted on disconnect | Meta Platform Terms
Cached metrics (KV) | 24 hours | Technical necessity
Generated PDFs (R2) | Duration of account | Contractual
Transactional email logs | 90 days | Legitimate interest
Payment records | 7 years | Legal obligation (Romanian accounting law, Art. 6(1)(c))
Audit logs | 2 years | Legitimate interest

When your account is deleted, we will delete or anonymize your personal data within 30 days, except where longer retention is required by law (e.g., payment records for tax compliance).

7. Your Rights and How to Exercise Them

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
  • Right to Restriction (Art. 18): Request that we limit how we process your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly-used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

  1. Self-service (in-app): Use Settings > Delete Account to delete your account and all associated data.
  2. Email: Send your request to [email protected].
  3. Platform-specific deletion: Platform-specific programmatic deletion callbacks will be available when integrations are fully deployed (Meta Data Deletion Callback, etc.).

Response time: We will respond to your request within 30 days as required by the GDPR. We target a response within 72 hours.

Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is:

ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: https://www.dataprotection.ro

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption at rest: All data stored in Cloudflare D1 is encrypted at rest using Cloudflare's default encryption.
  • Encryption in transit: All connections use TLS 1.3, enforced automatically by Cloudflare.
  • Per-tenant data isolation: Each user account's data is isolated using tenant-scoped database queries, preventing cross-account data access.
  • Session security: Authentication sessions use HttpOnly, Secure, SameSite=Lax cookies, preventing client-side script access and cross-site request forgery.
  • Password security: Passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • OAuth token encryption: Third-party platform tokens are stored encrypted and are only decrypted when needed to access platform APIs.

9. Cookies

ProvenLeap uses only essential cookies required for the service to function. We do not use any analytics, advertising, or tracking cookies.

Cookie | Purpose | Type | Flags
Session cookie | Maintains your authenticated session | Essential | HttpOnly, Secure, SameSite=Lax

Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive (Article 5(3) exemption for essential cookies). If non-essential cookies are introduced in the future, a consent mechanism will be implemented before they are activated. For the complete engineering inventory of cookies and client-side storage used by ProvenLeap, see docs/compliance/cookies.md in our source repository.

10. Automated Decision-Making & AI

ProvenLeap uses artificial intelligence (provided by Anthropic Claude) to generate report insights and recommendations based on your analytics data. This disclosure is made pursuant to GDPR Articles 13(2)(f) and 22.

Logic Involved

Our AI analyzes aggregated analytics data from your connected platforms (traffic patterns, engagement metrics, campaign performance) to generate executive summaries, identify trends, detect anomalies, and provide actionable recommendations for your marketing reports.

Significance and Consequences

AI-generated insights are advisory only. They do not constitute automated decision-making with legal or similarly significant effects as defined by GDPR Article 22. All insights are presented as suggestions within reports; no automated actions are taken based on AI output. You retain full control over whether to include, edit, or discard AI-generated content in your reports.

Your Rights

You have the right to request human review of any AI-generated insight, express your point of view, and contest the output. Contact us at [email protected] for any concerns about AI processing.

Data Sent to AI Provider

Only aggregated, anonymized analytics data is sent to our AI provider (Anthropic). Personally identifiable information is stripped before processing. Anthropic does not use your data to train their models.

AI Assistant Access (MCP Connector)

ProvenLeap offers an optional connector (built on the Model Context Protocol) that lets you link your account to third-party AI assistants such as Anthropic Claude, OpenAI ChatGPT, and other MCP-compatible clients, so you can ask questions about your analytics conversationally. The connector is off by default and is enabled only when you explicitly authorize it.

What it can access: your own marketing analytics within your account — your clients, reports, and metric summaries. It is strictly tenant-scoped and cannot read any other customer's data. If you grant the optional draft-creation permission on the consent screen, the assistant can additionally create draft reports in your account; drafts are never published, shared, or sent to your clients without your explicit action in ProvenLeap, and the assistant can never modify or delete anything.

Authorization & control: you grant access through a standard OAuth consent screen and can revoke it at any time from Settings → AI Access. When you ask a question through a connected assistant, the analytics needed to answer it are sent to that assistant's provider (e.g. Anthropic or OpenAI), whose own privacy terms govern their handling. Responses are passed through an automated sanitization layer that redacts secrets and personal data before they leave our servers, and we never sell this data. Connector activity is logged for security (the tool invoked and a timestamp — never the raw text of your questions).

11. Children's Data

ProvenLeap is a business-to-business service designed for marketing agencies and professionals. Our service is not intended for users under 16 years of age, in accordance with GDPR Article 8.

We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

12. User Data vs. End-Client Data

ProvenLeap serves marketing agencies who connect their clients' platforms. It is important to understand the distinction between different types of data we handle:

Your Account Data (ProvenLeap as Data Controller)

This includes your email, password, profile information, billing data, and usage patterns. This is your personal data as a ProvenLeap subscriber. We determine the purposes and means of processing this data.

End-Client Analytics Data (ProvenLeap as Data Processor)

This includes Google Analytics metrics, social media engagement data, ad performance data, and other analytics accessed through OAuth integrations on behalf of your agency clients. This data belongs to your agency's clients.

ProvenLeap processes end-client data solely to provide the reporting service as instructed by you (the agency user). We do not use end-client data for any other purpose.

As the agency, you are the data controller for your clients' data and are responsible for having appropriate data processing agreements with your own clients, as well as ensuring you have the necessary authorization to connect their platforms to ProvenLeap.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Notification: We will notify you of material changes via email to the address associated with your account at least 30 days before the changes take effect.
  • Versioning: Each version of this policy is identified by a version number and effective date at the top of this page. Previous versions are retained in our version control system and can be provided upon request.
  • Non-material changes: Minor clarifications or formatting changes that do not affect your rights will be updated without prior notification, with the “Last Updated” date reflecting the change.

Your continued use of ProvenLeap after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, you may terminate your account.

If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected].