BUBBLEYE
Privacy Policy

1. Data collection

1.1. Our public website

1.2. Our Services

2. Data storage

2.1. Security and protection of your data

3. Data usage

4. Data sharing

5. Retention and deletion of your data

6. Updates to our privacy policy

Bubbleye Ltd. (“Bubbleye” or “we”) provides aggregation and automation services (“Services”) to individual or corporate advertisers (“Clients”), aimed at collecting advertising performance data from multiple sources, predicting the value of different sources of advertising traffic, and optimizing the way how advertisers’ marketing budget is deployed across multiple advertising platforms.

Bubbleye respects the privacy of its users (“User(s)” or “you”) and is committed to protect any personal information that you may share with us in connection with the use of our Services (as defined in our Terms of Service). This Privacy Policy describes our practices regarding the information we may collect when you use the Services, the manners in which we may use such information, and the options and rights available to you.

1. Data collection

1.1. Our public website

Our website provides informative content to the general public. It does not collect any personal information from web visitors. If you wish to leave a message through the Chat feature of our website to be recontacted later, you have the option to voluntarily provide your email address in which case we will store such email address and use it for further communication.

1.2. Our Services

Only qualified Clients entering a commercial agreement with Bubbleye are granted access to the Services. If you gain access to the Services, we will record any personal data that you wish to share with us such as your name, address, telephone number, email address or billing information. We solely record personal data that is voluntarily provided by you. We may also collect information about how you interact with our software platform, such as date and time, pages viewed and actions taken within the application.

We will also collect user performance information (such as advertisement impressions, clicks, installs, spend, revenue, in-app behavior) in order to provide you with reports and optimize your advertising configuration.

When you become a Client and access the Services, the following information about individual users viewing your advertisements and installing your applications (“End User(s)”) may be provided to us by the third parties that you choose to interface us with:

1. “Device specs”: this refers to technical information related to an End User’s mobile device or computer, such as: browser type, device type and model, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion parameters and carrier.
2. “Client issued user ID”: this refers to a unique identifier that may be generated by the Client and generally only identifies a computer, device, browser or Application.
3. “IFA”: this refers to an anonymous identifier of a mobile device, which is generated by the operating system on such device specifically for advertising targeting purposes, may be reset by end users at will, and does not directly identify an individual.
4. “Engagement Information”: this refers to information relating to the End User’s actions, such as: clicks on ads, ad impressions viewed, audiences or segments to which an ad campaign is attributed, the type of ads viewed by the End User, the Application from which such ads were displayed, downloads and installations of Applications by the End User, and other interactions, events and actions that the Client chooses to collect in order to measure and analyze user behavior within their Application.

We do not collect any financial information, health information or any other type of sensitive personal information (“PII“) related to End Users.

Google user data. When a Client authorises Bubbleye through Google OAuth (for Google Ads, YouTube, or Google Drive), we receive the data covered by the OAuth scopes the Client grants — for example, the Client’s Google Ads account structure and performance metrics, the Client’s YouTube channel upload-eligibility state and uploaded video identifiers, and the Google Drive files the Client specifically selects to use in Bubbleye workflows. Bubbleye does not use Google user data for advertising, profiling, or training generalised AI/ML models, and does not allow humans to read it except (a) with the Client’s explicit permission, (b) when necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised. Google user data is treated under the security safeguards described in §2.1 and the retention/deletion terms in §5. The same protections apply to data Bubbleye receives from any other advertising network a Client chooses to connect (for example, Meta, AppLovin, Mintegral, Unity, Moloco, and similar platforms).

2. Data storage

We use third-party cloud hosting vendors to provide the necessary hardware, software, networking, storage, and related technology required to run the Services.

Unless otherwise requested by a Client or End User, Bubbleye actively deletes the data received from its Clients after 2 years from the date of collection.

We follow generally accepted industry standards to protect the Personal Information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage is 100% secure. Therefore, while we strive to use commercially-reasonable means to protect your Personal Information, we cannot guarantee its absolute security.

2.1. Security and protection of your data

We take the security of the data entrusted to us seriously and apply industry-standard safeguards to protect it — including data we receive through advertising-network APIs (such as the Google Ads API, YouTube Data API, Google Drive API, Meta, AppLovin, Mintegral, Unity, Moloco, and any other network a Client connects) when a Client authorises Bubbleye to access those accounts on their behalf:

1. Encryption in transit. All data exchanged between the Client’s browser, Bubbleye servers, and Google APIs is transmitted over TLS 1.2 or higher (HTTPS).
2. Encryption at rest. Data persisted on our servers — including OAuth refresh tokens, uploaded creative assets, and campaign records — is stored on encrypted volumes provided by our cloud infrastructure vendors. OAuth tokens are additionally protected at the application layer and are never logged or exposed in URLs.
3. Access controls. Access to production systems and customer data is restricted to a small number of authorised engineers, requires individual credentials and multi-factor authentication, and is logged for audit. Bubbleye personnel access customer data only when needed to operate, support, or troubleshoot the Services.
4. Scope minimisation. We request only the OAuth scopes strictly required to perform the action the Client initiated — for example, YouTube’s upload scope is requested only on accounts on which the Client chooses to publish videos, and the equivalent restraint applies to every other network we integrate with.
5. Vendor diligence. Our cloud infrastructure providers are selected for their published security posture (SOC 2, ISO 27001, or equivalent attestations).

No method of transmission over the Internet or method of electronic storage is 100% secure; we work continuously to identify and reduce risks to the data we hold.

3. Data usage

We may use information that we collect about you or End Users for the following purposes:

1. To provide and improve our Services and manage our business;
2. To create cumulative, non-personal statistical data reports
3. To modify the configuration of advertising campaigns to improve their performance while maximizing advertising relevance to End Users
4. To prevent, detect, mitigate, and investigate fraud, security breaches or other potentially prohibited or illegal activities;
5. To send you updates, notices, or notifications related to the Services;
6. To manage your account and provide you with customer support;
7. To comply with any applicable rule or regulation and/or response or defend against legal proceedings versus us or our affiliates.

As defined in our Terms of Service, Bubbleye shall have a worldwide, perpetual, irrevocable, royalty-free right to use aggregated and/or anonymous data in connection with our and our vendor’s, supplier’s and partner’s business operations including, without limitation, combining such data with other similar data from you and other Clients.

4. Data sharing

We will not share your data (or that of your End Users) with any third parties without your explicit permission, except when required by law, regulation, subpoena or court order or as otherwise expressly set forth herein. We may use such data internally – for example, to provide the Services, billing, identification and authentication, contact, research, to help diagnose problems with our servers, and to make the Application more useful for you and for our other clients.

We will never sell your Personal Information to any third party.

5. Retention and deletion of your data

We retain Personal Information and advertising-network user data (including Google user data) only as long as needed to provide the Services the Client requested. When a retention period expires, the relevant data is automatically deleted from our active systems; backups are overwritten on rolling schedules and are not used to restore deleted data outside of disaster recovery scenarios.

The retention windows below apply uniformly to data obtained from any advertising network a Client connects (Google Ads, YouTube, Google Drive, Meta, AppLovin, Mintegral, Unity, Moloco, and similar platforms):

1. OAuth tokens and equivalent network credentials (covering Google Ads, YouTube, Google Drive, Meta, AppLovin, Mintegral, Unity, Moloco and any other connected network) are kept for as long as the Client’s Bubbleye account has the corresponding integration enabled, and are deleted within 30 days of the Client disconnecting the integration or closing their Bubbleye account.
2. Campaign, ad-group, asset, and performance records fetched from any connected advertising network are retained for up to 2 years from the date of collection, after which they are automatically deleted, unless a longer retention period is required by applicable law or explicitly requested by the Client.
3. Creative files that the Client uploads to Bubbleye for the purpose of publishing to a connected advertising network (YouTube, Google Ads, Meta, AppLovin, Mintegral, Unity, Moloco, and others) are deleted from our servers once the upload to the destination network has been confirmed; only the resulting network-side asset or creative identifier is kept for ongoing reporting.

How to revoke access and request deletion. A Client may revoke Bubbleye’s access to a connected network at any time using that network’s own controls (for Google: myaccount.google.com/permissions; equivalent self-service revocation pages exist for Meta, AppLovin, Mintegral, Unity, Moloco, and other networks). To request that Bubbleye delete the data we have stored on the Client’s behalf, email contact@bubbleye.com with the subject line “Data deletion request” — or, specifically for Google user data, “Google data deletion request”. We will confirm and complete the deletion within 30 days of receipt and remove the corresponding records from our active production systems.

End Users (i.e. individuals whose engagement data is reported to Bubbleye through a Client’s app or campaign) should contact the relevant Client directly to exercise their access, correction, or deletion rights, since the Client is the data controller for that data. Bubbleye will support the Client’s response within 30 days. Read more about Bubbleye’s use of Google’s API here.

6. Updates to our privacy policy

We may update this Privacy Policy from time to time. We encourage you to review it periodically and we will notify our active clients of any major updates by email, at the contact address provided in the commercial agreement.