Privacy Policy

1. Introduction

ePipra takes your privacy very seriously. This Privacy Policy explains how we collect, store, use, share, and otherwise process your personal information in connection with your use of epipra.com, ad.epipra.com, and our related services (collectively, the “Service”). Please read this carefully — it contains important information about your rights and our obligations.

This Policy applies to all visitors and users of our platform, including users located in the European Economic Area (EEA), United Kingdom, Switzerland, the United States, and anywhere else in the world. ePipra LLC is the data controller for personal information processed in connection with this Service.

2. Key Definitions

3. Information We Collect

3.1 Information You Provide Directly

• Account registration information (name, email address, business name)
• Meta Business account credentials and API tokens (OAuth-granted access only)
• Ad account identifiers and campaign configuration preferences
• Advertising campaign content (ad copy, images, videos, targeting parameters)
• Payment and billing information (processed by our payment provider)
• Communication data (support requests, feedback, emails)

3.2 Information Collected Through Meta APIs

When you connect your Meta (Facebook/Instagram) Business account to our Service, we may access and process the following on your behalf:

• Ad account information (account ID, name, status, currency, spend limits)
• Campaign, ad set, and ad performance data (impressions, clicks, conversions, spend)
• Audience insights and targeting data
• Page information (Page ID, name, engagement metrics)
• Pixel and conversion event data
• Catalog and product information (for e-commerce campaigns)
• Business Manager assets and granted permissions

3.3 Information Collected Automatically

• IP address (used at country/region level — not precise geolocation)
• Browser type and version, device type and operating system
• Pages visited, features used, time spent on the Service
• Log data: access times, error logs, referring URLs
• Interaction data: clicks, scrolls, engagement metrics

3.4 Tracking Technologies

3.5 Sensitive Data We Do Not Collect

We do not knowingly collect government-issued IDs, financial account numbers, health or medical records, biometric data, or racial/ethnic origin data. If you inadvertently submit such information via support channels, we will delete it promptly.

4. How and Why We Use Your Information

• Provide, operate, maintain, and improve the Service
• Create, manage, test, scale, and optimize Meta advertising campaigns on your behalf via the Meta Marketing API
• Automate ad testing, budget management, bidding adjustments, and campaign scaling
• Monitor and report campaign performance metrics (impressions, clicks, conversions, spend, RPC)
• Serve relevant advertising on our platform properties (see §§5–9 below)
• Respond to support requests, feedback, and inquiries
• Process transactions and manage your account and billing
• Monitor site security and prevent fraudulent activity (IAB TCF Special Purpose 1)
• Deliver and present advertising and content (IAB TCF Special Purpose 2)
• Save and communicate your privacy choices (IAB TCF Special Purpose 3)
• Comply with legal obligations under GDPR, UK GDPR, CCPA, and other applicable laws
• Enforce our Terms of Service and protect our legal rights

5. Cookies and Tracking Technologies

EEA / UK / Switzerland Users — Cookie Consent (GDPR + Google EUUCP)

Opt-Out Options

6. Google AdSense and Display Advertising

We use Google AdSense to serve display advertisements on our platform properties. Google AdSense uses the DoubleClick DART cookie to serve ads based on your visits to this and other websites on the internet. The DART cookie enables Google and its partners to serve ads based on your interests and prior browsing activity.

You may opt out of the use of the DART cookie by visiting Google’s ad and content network privacy policy at: business.safety.google/privacy/

You may also manage your Google ad personalisation settings at: adssettings.google.com

Google, as a third-party vendor, uses cookies to serve ads on our site. Google’s use of advertising cookies enables it and its partners to serve ads based on your visits to our site and/or other sites on the internet. For EEA, UK, and Switzerland users, Google AdSense cookies are only activated after you provide consent via our CMP, in accordance with Google’s EU User Consent Policy (mandatory from January 16, 2024) and GDPR Art. 6(1)(a). Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) acts as an independent data controller for EU/UK users.

7. AFS / RSOC Search Advertising

Our platform and associated publisher properties may display search-based advertisements powered by Google AdSense for Search (AFS) and Related Search on Content (RSOC). These units show contextually relevant search-term suggestions that, when clicked, display paid search results from Google’s Search Partner Network.

How AFS / RSOC Works

• Suggestion units are generated from page content and contextual signals
• Clicking a suggested term may load paid advertiser results in a new search results page
• Revenue is earned per qualifying click through Google’s AFS programme
• No additional personal data beyond standard AdSense cookies is collected specifically by these units

Feed providers: AFS/RSOC may be delivered through authorised feed providers including Sedo/TMP, Predicto, MidoWeb, System1, Tonic, Bodis, and similar. The publisher (ePipra LLC) remains responsible for policy compliance regardless of the feed source used, in accordance with Google’s Restricted Access Features (RAF) policy (effective August 25, 2025).

8. Video Advertising

Our platform properties may display video advertisements including outstream video ads (within content, autoplay muted), interstitial video ads (between page sections), and in-stream video ads (within video player content where applicable). Video ads are served by Google (Interactive Media Ads / IMA SDK) and other IAB-certified video ad technology vendors listed in the IAB Europe Global Vendor List (GVL).

These providers may use cookies, pixels, and device identifiers to measure video ad viewability and completion rates, serve relevant video ads based on interests or contextual signals, limit frequency of video ads shown, and report aggregate performance data to advertisers. For EEA/UK/Switzerland users, video advertising cookies are only activated after you provide explicit consent via our CMP, in accordance with IAB TCF v2.3 (Purposes 2, 7, and Special Purpose 2).

9. Native Advertising and Content Recommendations

Our platform properties may display native advertising widgets and content recommendation units powered by third-party networks including Taboola, Outbrain, MGID, and similar platforms. These units are labelled “Sponsored” or “Recommended” and blend with editorial content. Native ad providers may use cookies to serve relevant sponsored content based on your browsing behaviour. Each operates under its own privacy policy. For EEA/UK/Switzerland users, native advertising cookies require consent via our CMP.

10. Meta Platform Data Use

When you connect your Meta (Facebook/Instagram) Business account to ePipra via OAuth, you authorise us to access and manage your advertising assets through the Meta Marketing API in accordance with the permissions you grant. Our use of information received from Meta APIs strictly adheres to the Meta Platform Terms and Developer Policies. Specifically:

• We only access data that is necessary to provide the advertising automation services you have requested
• We do not sell Meta user data to third parties
• We do not use Meta data for purposes unrelated to the services we provide to you
• We delete Meta data upon your request or when it is no longer needed for the stated purpose
• We comply with all applicable Meta Platform policies regarding data handling and user privacy

You may revoke ePipra’s access to your Meta account at any time through your Meta Business Settings → Integrations. Revoking access does not automatically delete data already processed; contact [email protected] to request deletion.

11. Who We Share Your Information With

12. Third-Party Links and External Content

The Service may contain links to third-party websites, integrations, and external content for additional information or convenience. These links do not constitute an endorsement of those websites or their content. We have no control over the content, privacy practices, or availability of third-party sites. We encourage you to review the privacy policy of any external site before providing personal information. Your use of third-party sites is at your own risk.

13. Third-Party Data Processors

Data transferred to the United States is governed by Standard Contractual Clauses (SCCs) per GDPR Article 46 and/or the EU-US Data Privacy Framework where applicable.

14. Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, misuse, or disclosure. These include:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure storage of API tokens and credentials in encrypted environment variables
• Access controls, role-based permissions, and authentication mechanisms
• Regular security assessments and monitoring
• Server-level firewalls and intrusion detection systems

However, no method of data transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. Any transmission of personal data is at your own risk.

15. Your Rights — EEA / UK / Switzerland (GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under GDPR, UK GDPR, and Swiss nFADP:

Legal Basis for Data Processing

Independent Data Controller (EU/UK): Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — operates as an independent controller for Google’s advertising and analytics products.

To exercise any right, contact us at [email protected]. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

16. US State Privacy Rights

California (CCPA / CPRA)

If you are a California resident, you have the following rights:

• Right to Know: Request the categories and specific pieces of personal information we have collected, disclosed, or sold in the past 12 months.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale / Sharing: We do not sell personal information. However, sharing with ad technology partners for cross-context behavioural advertising may be considered “sharing” under CPRA. Opt out via: adssettings.google.com or our CMP.
• Right to Correct: Request correction of inaccurate personal information we hold about you.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

To submit a CCPA request: [email protected]

Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with applicable privacy laws may have similar rights including access, correction, deletion, portability, and opt-out from targeted advertising. Contact us at [email protected] to exercise these rights.

17. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. For EEA/UK/Switzerland users: personalised advertising is not served to users identified as under 18, per Google’s child privacy policies, the EU Age Appropriate Design Code (AADC), and related child privacy regulations (GDPR Article 8).

Publishers may include the TFUA (Treatment for Users under the Age of Consent) parameter in ad tags to request restricted data processing for underage users, disabling personalised ads and third-party ad vendor data requests.

If you believe a child has provided personal information to us, please contact us immediately at [email protected] and we will take steps to delete it promptly.

18. Data Retention

You may request deletion of your data at any time: [email protected]

19. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, where Google LLC operates its core advertising services (Analytics, AdSense, AFS/RSOC, IMA SDK) and where our infrastructure providers may have data centres.

For EEA and UK users: transfers to third countries are governed by Standard Contractual Clauses (SCCs) per GDPR Article 46 and/or the EU-US Data Privacy Framework (DPF) where applicable. Google LLC is certified under the EU-US DPF. We take appropriate safeguards to ensure your personal information remains protected in accordance with this Privacy Policy regardless of where it is processed.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the revised Policy on our website and updating the “Last Updated” date at the top of this page. Where required by applicable law, we will provide additional notice (e.g. by email). Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

21. Contact Us

For privacy-related requests, questions, or to exercise your data subject rights: