Last updated: 2026-04-23

Privacy Policy

We take your privacy seriously. This policy explains what we collect, how we use it, and who we share it with. We comply with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, Saudi Arabia's Personal Data Protection Law (PDPL) as our home jurisdiction, and equivalent frameworks where they apply to you.

1. Introduction

Welcome to AdFluxa — the AI-powered advertising platform. Operated through app.adfluxa.ai, we are committed to protecting your privacy and personal data in accordance with the Saudi Personal Data Protection Law (PDPL). This policy explains how we collect, use, protect, and share your information.

2. Information We Collect

2.1 Account Information

  • Full name, email, and phone number
  • Business name, industry, and city
  • Business logo, website, and WhatsApp number
  • Commercial Registration and VAT number (optional)

2.2 Campaign & Design Data

  • Ad content (headlines, copy, images, CTAs)
  • Targeting settings (age, location, interests)
  • Budgets, schedules, and performance metrics
  • AI-generated designs and reference images

2.3 Payment & Wallet Data

  • Transaction history (top-ups, debits, refunds)
  • Credit balance and usage history
  • We do NOT store card details — payments handled by a SAMA-licensed gateway

2.4 Technical Usage Data

  • IP address, browser type, operating system
  • Login records and session timestamps
  • Audit logs for security purposes

3. How We Use Your Information

  • Providing platform services: campaigns, designs, publishing
  • Processing payments and managing credits
  • Generating ad copy and visuals with AI
  • Publishing campaigns on social media on your behalf
  • Sending campaign performance notifications via WhatsApp or email
  • Improving our services and developing new features
  • Complying with legal and regulatory requirements

4. Legal Basis for Processing

We process your data based on the following legal bases in line with Saudi PDPL and accepted international practice:

  • Contract performance — to deliver services you signed up for (campaigns, publishing, payments)
  • Explicit consent — for Meta & WhatsApp account linking and optional marketing notifications
  • Legitimate interest — for platform improvement, fraud prevention, and account security
  • Legal obligation — to maintain financial and tax records per Saudi regulations

5. Third-Party Services

We share only the minimum data necessary with the following parties to operate the platform:

Meta (Facebook / Instagram)
Campaign and targeting data for ad publishing. Subject to Meta's privacy policy.
AI Providers — OpenAI, Anthropic (via OpenRouter), fal.ai
Design content and images you upload are sent to these services to generate results. We do not send your name, email, or payment info. Subject to each provider's privacy policy.
Payment Gateway
Transaction data only for payment processing. Provided by licensed payment processors — Saudi customers are routed through gateways regulated by the Saudi Central Bank (SAMA); international customers through PCI-DSS certified processors.
Evolution API (WhatsApp)
Phone number and notification content for campaign updates.

6. Meta Platform Data

When you link your Facebook or Instagram account to AdFluxa, we request only the minimum permissions needed to deliver the service. We do not use your Meta data for any external marketing purpose.

6.1 Permissions We Request

  • pages_show_list — to display your pages so you can choose a target page
  • pages_manage_posts — to publish posts you approve to your page
  • instagram_basic + instagram_content_publish — to publish designs to the connected Instagram account
  • ads_management + ads_read — to create ad campaigns and view performance (optional)
  • business_management — to manage the connected Meta Business Manager

6.2 Use of Meta Data

  • We show your pages and Instagram accounts so you can pick the right one to publish from
  • We publish only content you approve yourself — we do not auto-publish without consent
  • We collect performance stats (views, clicks, engagement) to show you in your dashboard only
  • We do not sell or share your Meta data with any third party
  • We do not store your historical posts, and we do not read your private messages

6.3 Revoking Access & Unlinking

You can disconnect AdFluxa from your Meta account at any time via:

  • Facebook → Settings → Apps and Websites → AdFluxa → Remove
  • Instagram → Settings → Apps and Websites → AdFluxa → Remove
  • Or from AdFluxa Dashboard → Settings → Connected Accounts → Disconnect

7. AI & Automated Decisions

  • We use AI to generate ad copy, design images, and suggest audiences
  • All generated content is shown for your review and editing before publishing
  • We make no automated financial decisions — deductions occur only after your approval
  • You can always modify or reject any AI-generated content
  • Providers used: OpenAI (GPT-5, gpt-image-2), Anthropic Claude via OpenRouter, fal.ai (Nano Banana, BiRefNet, Bria). All contractually committed to not training on your content (API terms).

8. International Data Transfers

Some of the service providers we rely on operate servers outside Saudi Arabia. Parts of your data (design content, uploaded images, text prompts) may be transferred to:

  • United States — OpenAI, Anthropic, fal.ai, Meta
  • European Union — some infrastructure providers

We ensure adequate safeguards during transfer through: Data Processing Agreements (DPAs) with each provider, required in-transit encryption (TLS 1.2+), and transmitting only the minimum necessary data.

9. Data Security

  • All communications encrypted via HTTPS/TLS
  • API keys and passwords encrypted and stored securely
  • HMAC-SHA256 verification for payment webhooks
  • Rate limiting to prevent abuse
  • Full audit trail for all financial and sensitive operations
  • Input sanitization to prevent injection attacks
  • Permission checks on every operation — users cannot access others' data

10. Data Retention

  • We retain your data while your account is active
  • Financial records are kept for 5 years per regulation
  • Audit logs are retained for 1 year
  • Upon account deletion, personal data is removed within 30 days — except as legally required

11. Your Rights

Under GDPR, Saudi PDPL, and equivalent data protection frameworks, you have the following rights:

  • Access and view your personal data
  • Request correction of inaccurate data
  • Request deletion of your personal data
  • Withdraw your consent for data processing at any time
  • Export your data in a portable format
  • Lodge a complaint with your local supervisory authority — for EU users this is your national Data Protection Authority; for Saudi users this is the Saudi Data & AI Authority (SDAIA); for US residents, the Federal Trade Commission (FTC) and applicable state regulators
You can exercise these rights in-app via: Settings → Privacy & Data. For third-party or guest requests, email dpo@adfluxa.ai.

12. Data Deletion

You have the full right to delete your data at any time. We offer two clear paths:

12.1 Delete Your Entire Account

  • Open the 'Data Deletion' page below or from your account settings
  • Enter your registered email and reason (optional)
  • All your personal data, designs, campaigns, and wallet will be deleted within 30 days
  • Financial records (payment invoices) are excepted — regulations require 5-year retention

12.2 Remove Meta Linking Only

  • To disconnect AdFluxa from your Meta account without deleting your AdFluxa account, follow §6.3 above
  • We delete all Meta access tokens immediately on disconnect
  • Your other data (designs, wallet) remains in your AdFluxa account
Open data deletion page

13. Children's Privacy

  • AdFluxa services are intended for business owners aged 18 and older
  • We do not knowingly collect data from minors
  • If we learn that a user under 18 has registered, we delete the account and data immediately
  • If you are a parent or guardian and notice a minor has signed up, contact us immediately to delete the data

14. Cookies

We use cookies across 4 categories. On your first visit a consent banner lets you accept or reject the optional ones. Only essential cookies are always on because the platform can't work without them.

  • Essential: login, CSRF protection, language selection, saving your cookie choices themselves
  • Preferences: UI state (collapsed panels, last-used tool) — optional
  • Analytics: aggregated usage statistics via self-hosted Umami (no personal IDs) — optional
  • Marketing: not currently used. Reserved for future advertising measurement if enabled
  • You can change your choices anytime via the 'Cookie Preferences' link in the footer
  • We keep a record of your consent (anonymized fingerprint + timestamp) for Saudi PDPL and EU GDPR compliance

15. Policy Updates

We may update this policy from time to time. We will notify you of any material changes via email or in-app notification at least 14 days before they take effect. The English version is the governing reference in case of any linguistic conflict.

16. Contact Us

To contact us regarding privacy, data protection, or to submit a formal data subject request, the following channels are available:

Privacy Email
privacy@adfluxa.ai
Data Protection Officer (DPO)
dpo@adfluxa.ai
Support Ticket System
Open a new ticket

Privacy requests are responded to within 30 days maximum in accordance with PDPL requirements.

Finished reading? See also:
Terms of Service
Authenticated & Registered
Saudi Business Center
Authentication Number: 000280841