Privacy Policy
Version 1.0 | Effective Date: February 6, 2026 | Last Updated: February 6, 2026
Key Points at a Glance
- We collect your email, password, and profile info to provide your account.
- We access analytics data from platforms you connect (Google, Meta, LinkedIn, TikTok, etc.) on behalf of your agency clients.
- Your data is stored on Cloudflare infrastructure, primarily in the EU.
- We share data with specific service providers (listed below) solely to operate the service.
- You can request access, correction, or deletion of your data at any time.
- We use AI (Anthropic Claude) to generate report insights — these are advisory only, not automated decision-making with legal effects.
- We use only essential cookies for session management — no tracking or analytics cookies.
- Questions? Contact us at [email protected]
1. Identity & Contact Details
Data Controller: ProvenLeap SRL, Bucharest, Romania
Data Protection Contact: [email protected]
Note: ProvenLeap does not currently appoint a Data Protection Officer (DPO) under GDPR Article 37(1), as our core activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special category data. A dedicated data protection contact email is provided for all privacy-related inquiries. We will reassess DPO appointment as the service scales.
Supervisory Authority: ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: https://www.dataprotection.ro
2. Data We Collect
We collect the following categories of data:
Account Data
- Email address and password hash (for email/password registration)
- Display name and profile information you choose to provide
- OAuth profile data (name, email, avatar) when using Google sign-in
OAuth Tokens
When you connect third-party platforms, we store encrypted OAuth access and refresh tokens to maintain your integrations. These tokens allow us to access data from the connected platforms on your behalf.
Analytics Data from Integrations
We access analytics and performance data from the platforms you connect. This data is accessed on your behalf to generate reports for your agency clients. See the User Data vs. End-Client Data section for how we distinguish between your data and your clients' data.
Usage Data
- Feature usage patterns (which features you use, how frequently)
- Page views and navigation patterns within ProvenLeap
- Error logs for debugging and service improvement
Essential Cookies
A single session cookie for authentication. See the Cookies section for details.
Platform-Specific Data Access
The following table details the specific permission scopes we request from each platform and the data types accessed through each scope:
| Platform | Permission Scope | Data Types Accessed |
|---|---|---|
| Google Analytics 4 | analytics.readonly | Sessions, users, pageviews, bounce rate, events, conversions |
| Google Search Console | webmasters.readonly | Search queries, impressions, clicks, CTR, position |
| Google Ads | adwords | Campaigns, ad spend, impressions, clicks, conversions, ROAS |
| YouTube Analytics | yt-analytics.readonly | Views, watch time, subscribers, engagement, demographics |
| Google Business Profile | business.manage | Reviews, ratings, posts, photos, insights |
| Google PageSpeed | Public API (no OAuth) | Performance scores, Core Web Vitals, recommendations |
| Facebook Pages | pages_show_list, pages_read_engagement | Page names, IDs, impressions, reach, engaged users, post performance |
| Facebook Ads | ads_read | Campaign names, spend, impressions, clicks, conversions |
| Instagram | instagram_basic, instagram_manage_insights | Profile info, media, impressions, reach, engagement |
| LinkedIn Pages | r_organization_social | Company page analytics, follower counts, engagement |
| LinkedIn Ads | r_ads_reporting | Campaign performance, spend, impressions, clicks |
| TikTok Business | analytics.read | Video views, engagement, follower growth, demographics |
3. How We Use Your Data
We process your data only for specific, legitimate purposes. Below is a breakdown of each processing activity and its legal basis under GDPR Article 6(1):
| Data | Purpose | Legal Basis |
|---|---|---|
| Email, password | Account creation and authentication | Contract (Art. 6(1)(b)) |
| OAuth tokens | Platform integration access | Contract (Art. 6(1)(b)) |
| Analytics data (your platforms) | Report generation | Contract (Art. 6(1)(b)) |
| End-client analytics data | Report generation for agency clients | Contract (Art. 6(1)(b)) — ProvenLeap as processor |
| Usage data | Service improvement and debugging | Legitimate interest (Art. 6(1)(f)) |
| Email address | Transactional emails (verification, password reset, notifications) | Contract (Art. 6(1)(b)) |
| Analytics data | AI-powered insight generation | Contract (Art. 6(1)(b)) |
| Essential cookies | Session management | Legitimate interest (Art. 6(1)(f)) |
Legitimate Interests Assessment: Where we rely on legitimate interest, we have assessed that our processing is necessary for our legitimate purposes and does not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time. See Your Rights.
Provision of data: Providing your email and password (or OAuth credentials) is necessary to create an account and use the service. Without this data, we cannot provide the service to you.
4. Third-Party Processors
We share your data with the following third-party service providers solely to operate and deliver the ProvenLeap service. Each processor operates under a Data Processing Agreement (DPA) that ensures GDPR compliance.
| Processor | Purpose | Data Transferred | Location | Transfer Mechanism |
|---|---|---|---|---|
| Cloudflare | Infrastructure (Workers, D1, KV, R2, Pages) | All application data | Global (EU preferred) | DPA + SCCs |
| Anthropic | AI insights generation | Analytics data (anonymized) | USA | DPA + SCCs |
| Amazon SES | Transactional email delivery | Email addresses, email content | EU (eu-west-1) | DPA + SCCs |
| Stripe * | Payment processing | Name, email, payment method | USA/EU | DPA + EU-US DPF |
| Google APIs * | Analytics, Search Console, Ads, YouTube, GMB, PageSpeed | OAuth tokens, analytics metrics | USA | DPA + EU-US DPF |
| Meta APIs | Facebook Pages, Facebook Ads, Instagram | OAuth tokens, social metrics | USA | DPA + SCCs |
| LinkedIn API | Company Pages, Ads | OAuth tokens, marketing metrics | USA | LinkedIn Business DPA |
| TikTok API | Business analytics | OAuth tokens, content metrics | Singapore/USA | DPA + SCCs |
* Denotes processors certified under the EU-US Data Privacy Framework (DPF). All other processors rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.
5. International Data Transfers
Your data is primarily stored and processed within the European Union using Cloudflare's infrastructure. Cloudflare may process data in other regions for network performance purposes, subject to Standard Contractual Clauses.
When we transfer personal data outside the European Economic Area (EEA), we rely on the following safeguards:
- EU-US Data Privacy Framework (DPF): Certain processors (Stripe, Google) are certified under the DPF, which the European Commission has recognized as providing adequate protection for personal data transfers to certified US organizations.
- Standard Contractual Clauses (SCCs): For all other international transfers, we use the European Commission's Standard Contractual Clauses, which provide appropriate safeguards for the protection of personal data. This applies to transfers to Anthropic, Meta, TikTok, and Cloudflare.
You may request a copy of the relevant safeguards by contacting us at [email protected].
6. Data Retention
We retain your data only for as long as necessary to provide our services and fulfill the purposes described in this policy. Specific retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion | Contractual |
| OAuth tokens | Until you disconnect the integration or delete your account | Contractual |
| Analytics/report data (general) | Duration of account | Contractual |
| LinkedIn social activity data | Maximum 48 hours | LinkedIn API Terms |
| LinkedIn profile data | Deleted within 24 hours | LinkedIn API Terms |
| Meta integration data | While integration is connected; deleted on disconnect | Meta Platform Terms |
| Cached metrics (KV) | 24 hours | Technical necessity |
| Generated PDFs (R2) | Duration of account | Contractual |
| Transactional email logs | 90 days | Legitimate interest |
| Payment records | 7 years | Legal obligation (Romanian accounting law, Art. 6(1)(c)) |
| Audit logs | 2 years | Legitimate interest |
When your account is deleted, we will delete or anonymize your personal data within 30 days, except where longer retention is required by law (e.g., payment records for tax compliance).
7. Your Rights and How to Exercise Them
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Right to Restriction (Art. 18): Request that we limit how we process your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
How to Exercise Your Rights
- Self-service (in-app): Use Settings > Delete Account to delete your account and all associated data.
- Email: Send your request to [email protected].
- Platform-specific deletion: Platform-specific programmatic deletion callbacks will be available when integrations are fully deployed (Meta Data Deletion Callback, etc.).
Response time: We will respond to your request within 30 days as required by the GDPR. We target a response within 72 hours.
Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority is:
ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: https://www.dataprotection.ro
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption at rest: All data stored in Cloudflare D1 is encrypted at rest using Cloudflare's default encryption.
- Encryption in transit: All connections use TLS 1.3, enforced automatically by Cloudflare.
- Per-tenant data isolation: Each user account's data is isolated using tenant-scoped database queries, preventing cross-account data access.
- Session security: Authentication sessions use HttpOnly, Secure, SameSite=Lax cookies, preventing client-side script access and cross-site request forgery.
- Password security: Passwords are hashed using industry-standard algorithms and are never stored in plain text.
- OAuth token encryption: Third-party platform tokens are stored encrypted and are only decrypted when needed to access platform APIs.
10. Automated Decision-Making & AI
ProvenLeap uses artificial intelligence (provided by Anthropic Claude) to generate report insights and recommendations based on your analytics data. This disclosure is made pursuant to GDPR Articles 13(2)(f) and 22.
Logic Involved
Our AI analyzes aggregated analytics data from your connected platforms (traffic patterns, engagement metrics, campaign performance) to generate executive summaries, identify trends, detect anomalies, and provide actionable recommendations for your marketing reports.
Significance and Consequences
AI-generated insights are advisory only. They do not constitute automated decision-making with legal or similarly significant effects as defined by GDPR Article 22. All insights are presented as suggestions within reports; no automated actions are taken based on AI output. You retain full control over whether to include, edit, or discard AI-generated content in your reports.
Your Rights
You have the right to request human review of any AI-generated insight, express your point of view, and contest the output. Contact us at [email protected] for any concerns about AI processing.
Data Sent to AI Provider
Only aggregated, anonymized analytics data is sent to our AI provider (Anthropic). Personally identifiable information is stripped before processing. Anthropic does not use your data to train their models.
AI Assistant Access (MCP Connector)
ProvenLeap offers an optional connector (built on the Model Context Protocol) that lets you link your account to third-party AI assistants such as Anthropic Claude, OpenAI ChatGPT, and other MCP-compatible clients, so you can ask questions about your analytics conversationally. The connector is off by default and is enabled only when you explicitly authorize it.
What it can access: your own marketing analytics within your account, namely your clients, reports, and metric summaries. It is strictly tenant-scoped and cannot read any other customer's data. If you grant the optional draft-creation permission on the consent screen, the assistant can additionally create draft reports in your account; drafts are never published, shared, or sent to your clients without your explicit action in ProvenLeap, and the assistant can never modify or delete anything.
Authorization & control: you grant access through a standard OAuth consent screen and can revoke it at any time from Settings → AI Access. When you ask a question through a connected assistant, the analytics needed to answer it are sent to that assistant's provider (e.g. Anthropic or OpenAI), whose own privacy terms govern their handling. Responses are passed through an automated sanitization layer that redacts secrets and personal data before they leave our servers, and we never sell this data. Connector activity is logged for security (the tool invoked and a timestamp — never the raw text of your questions).
11. Children's Data
ProvenLeap is a business-to-business service designed for marketing agencies and professionals. Our service is not intended for users under 16 years of age, in accordance with GDPR Article 8.
We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
12. User Data vs. End-Client Data
ProvenLeap serves marketing agencies who connect their clients' platforms. It is important to understand the distinction between different types of data we handle:
Your Account Data (ProvenLeap as Data Controller)
This includes your email, password, profile information, billing data, and usage patterns. This is your personal data as a ProvenLeap subscriber. We determine the purposes and means of processing this data.
End-Client Analytics Data (ProvenLeap as Data Processor)
This includes Google Analytics metrics, social media engagement data, ad performance data, and other analytics accessed through OAuth integrations on behalf of your agency clients. This data belongs to your agency's clients.
ProvenLeap processes end-client data solely to provide the reporting service as instructed by you (the agency user). We do not use end-client data for any other purpose.
As the agency, you are the data controller for your clients' data and are responsible for having appropriate data processing agreements with your own clients, as well as ensuring you have the necessary authorization to connect their platforms to ProvenLeap.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
- Notification: We will notify you of material changes via email to the address associated with your account at least 30 days before the changes take effect.
- Versioning: Each version of this policy is identified by a version number and effective date at the top of this page. Previous versions are retained in our version control system and can be provided upon request.
- Non-material changes: Minor clarifications or formatting changes that do not affect your rights will be updated without prior notification, with the “Last Updated” date reflecting the change.
Your continued use of ProvenLeap after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, you may terminate your account.