ADpilot
Legal · Privacy Policy · Effective May 12, 2026

Privacy Policy

ADpilot OÜ is the data controller for personal data processed through the Service. This policy explains what we collect, why, how we share it, and the rights you have under the GDPR.

ADpilot OÜ · Tallinn, Estonia · 14 sections · GDPR-native
Data Controller

AdPilot OÜ ("we", "our", "us", "AdPilot") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website adpilot.ee and related services (collectively, the "Services"). On third-party social media developer platforms (including the Meta Developer Platform), our application is registered and may appear under the name "ADpilot Engine"; ADpilot Engine and the AdPilot Services described in this Policy are the same product operated by AdPilot OÜ.

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Estonian Personal Data Protection Act (isikuandmete kaitse seadus), and other applicable data protection laws.

AdPilot OÜ

Registry code: 17376620

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia

Email: [email protected]

01

Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, password, and profile information when you create an account.
  • Payment Information: Billing address and payment card details (processed securely by Stripe and Paddle).
  • Communications: Messages, support requests, and feedback you send to us.
  • User Content: Videos, images, text, and other content you upload through our Services.

1.2 Information from Third-Party Platforms (OAuth Connections)

When you connect a third-party platform to the Services, you authorise that platform — via its OAuth consent screen — to grant us a scoped access token. We only request the minimum scopes needed to deliver the Services. We never request scopes that read content you did not publish through our app, and we never request advertising, audience, or messaging scopes.

Across all connected platforms, we receive the following categories of data:

  • Profile basics: account name, username, profile picture, account ID — to display which account is connected and which account we will publish to.
  • Access tokens: the OAuth access token (and refresh token when issued) — stored encrypted at rest and used solely to call the platform APIs on your behalf.
  • Publishing targets: Page IDs, Board IDs, Channel IDs, Subreddit lists — so you can choose where to publish.
  • Engagement metrics on posts you published through AD-Pilot: likes, replies/comments, reposts/shares, quotes, views, impressions, reach, saves, pin clicks — read via the platform’s analytics endpoint after your post is live. We do not read engagement for posts you did not publish through our app.
  • Search Console performance (Google only): impressions, clicks, position, query data for properties you authorise — used to power the SEO dashboard for sites you own.

The exact OAuth scopes we request, per platform, are listed below. You can review and revoke any of these at any time — either from Brand Setup → Connections inside AD-Pilot, or from the corresponding platform’s own “Apps and Websites” / “Connected Apps” settings.

Meta Platforms (operated under our app “ADpilot Engine”)

  • Facebook Pages — scopes: pages_show_list, pages_read_engagement, pages_manage_posts, pages_manage_metadata, business_management. Used to list the Pages you administer, publish content you approved in AD-Pilot, read engagement (likes/comments/shares) on those posts, and manage post metadata required for scheduling.
  • Instagram (Business) — scopes: instagram_business_basic, instagram_business_content_publish. Used to identify the connected business account and publish content you approved in AD-Pilot. Engagement reads (likes, comments, impressions, reach, saves) are made on the published media’s /insights endpoint within the granted scope.
  • Threads — scopes: threads_basic, threads_content_publish, threads_manage_insights. Used to identify the connected Threads profile, publish posts you approved in AD-Pilot, and read engagement metrics (likes, replies, reposts, quotes, views) on those published posts via the Threads /insights endpoint.

Our use of data received from Meta Platforms complies with the Meta Platform Terms and Developer Policies. We do not transfer Meta-sourced data to third parties, do not use it for advertising targeting outside your own account, and delete it on disconnect or request as described in Section 7.

LinkedIn

  • Scopes: openid, profile, w_member_social. Used to identify the connected member, publish posts you approved in AD-Pilot, and read post-level social actions (likes, comments, shares) for posts published through our app.

X (formerly Twitter)

  • Scopes: tweet.read, tweet.write, users.read, media.write, offline.access. Used to identify the connected user, upload media, publish posts you approved in AD-Pilot, and refresh access without re-prompting. tweet.read is used solely to fetch public_metrics (likes, replies, reposts, impressions, bookmarks) on posts published through our app.

TikTok

  • Scopes: user.info.basic, video.publish, video.upload. Used to identify the connected account, upload video content you approved in AD-Pilot, and publish it to your TikTok feed. Engagement counters (likes, comments, shares, views) are read for videos uploaded through our app via the TikTok Display API.

Pinterest

  • Scopes: user_accounts:read, boards:read, pins:read, pins:write. Used to identify the account, list boards available for publishing, create new pins from content you approved in AD-Pilot, and read pin analytics (impressions, saves, pin clicks, outbound clicks) on pins created through our app.

YouTube (Google)

  • Scopes: https://www.googleapis.com/auth/youtube.upload, https://www.googleapis.com/auth/youtube.readonly. Used to upload video content you approved in AD-Pilot to your own YouTube channel and read basic metadata for videos uploaded through our app. We do not access subscribers’ data, watch history, or videos you did not upload through AD-Pilot.

Google Search Console

  • Scope: https://www.googleapis.com/auth/webmasters.readonly. Read-only access to Search Console performance data (impressions, clicks, average position, top queries) for properties you have already verified ownership of in Google Search Console. Used to render the SEO Performance dashboard inside AD-Pilot. We cannot modify, submit, or remove anything on your behalf.

Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements. Google user data is not transferred to third parties, not used for advertising, not read by humans except when required for security/legal/operator-requested support, and not used to train generalised AI/ML models.

Reddit

  • Scopes: identity, submit. Used to identify the connected Reddit account and submit content you approved in AD-Pilot to subreddits you have permission to post in. We do not read your private messages, voting history, or content you did not submit through our app.

Blog destinations (WordPress, Tumblr, custom webhooks)

  • WordPress and Tumblr connections use application passwords / platform-issued tokens (no OAuth scopes). Used solely to publish blog posts you approved in AD-Pilot to your own site. Custom webhooks fire to URLs you configure with payloads you control.

1.3 Information Collected Automatically

  • Device Information: IP address, browser type, operating system, device identifiers.
  • Usage Data: Pages visited, features used, time spent, click patterns.
  • Log Data: Server logs, error reports, API requests.
  • Cookies and Similar Technologies: See Section 8 for details.

02

Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our Services and fulfil our contractual obligations to you.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing for our legitimate business interests, such as improving our Services, fraud prevention, and security.
  • Consent (Art. 6(1)(a) GDPR): Processing based on your explicit consent, such as marketing communications.
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with legal requirements.

03

How We Use Your Information

3.1 Service Provision

  • Creating and managing your account.
  • Processing and posting your content to connected social media platforms.
  • Processing payments and subscriptions.
  • Providing customer support.

3.2 Service Improvement

  • Analysing usage patterns to improve our Services.
  • Developing new features and functionality.
  • Conducting research and analytics.

3.3 Communication

  • Sending service-related notifications (transactional emails).
  • Responding to enquiries and support requests.
  • Sending marketing communications (with your consent).

3.4 Security and Compliance

  • Detecting, preventing, and addressing fraud and abuse.
  • Enforcing our Terms of Use.
  • Complying with legal obligations.

3.5 Automated Processing

Our Services rely on automated systems to process and deliver your content to connected social media platforms. This includes scheduling, formatting, and transmitting your content. While we implement safeguards to ensure accuracy, automated processing may occasionally result in errors, including content being delivered to incorrect accounts or platforms.

We do not use automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR. If you believe an automated process has adversely affected you, please contact us at [email protected] to request human review.

3.6 Engagement Metrics & AI Content Scoring

Engagement metrics that we read from connected platforms (Section 1.2) — likes, comments/replies, shares/reposts, quotes, views, impressions, reach, saves, pin clicks — are used for two purposes, both strictly scoped to your own organisation:

  1. Your own analytics surface. Per-post engagement is displayed back to you in the Analytics dashboard so you can see which of your posts performed best on each connected platform.
  2. Per-organisation AI scoring. Your historical engagement is used to train and rank AI content models that are scoped to your organisation only. The models inform future content drafts and posting-time recommendations for your account. Each customer’s engagement data is database-isolated by an immutable organisation identifier on every row; cross-tenant reads are blocked at the data-access layer.

We do not use engagement metrics from your connected platforms for any of the following: advertising or audience targeting; training generalised foundation models or any model that benefits other AD-Pilot customers; resale or sharing with third parties; manual review by AD-Pilot staff except where strictly required for security investigations, fraud prevention, legal compliance, or support requests you initiate.

04

Information Sharing and Disclosure

We do NOT sell your personal data. We may share your information in the following circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our Services:

  • Payment Processors: Stripe and Paddle (for payment processing).
  • Cloud Infrastructure: For hosting and data storage.
  • Analytics: Plausible Analytics - privacy-focused, no personal data shared.
  • Email Services: For transactional and marketing emails.

4.2 Social Media Platforms

When you use our Services to post content, your content and associated metadata are transmitted to the social media platforms you have connected. This transmission is necessary to provide our core service functionality. You acknowledge that once content is transmitted to a third-party platform, it is subject to that platform's terms and privacy policies.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to comply with legal obligations, protect our rights, safety, or property, prevent fraud, or respond to lawful requests from public authorities.

4.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your data.

05

International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the European Commission.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Binding Corporate Rules where applicable.
  • EU-US Data Privacy Framework certification where applicable.

06

Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Regular security assessments and penetration testing.
  • Access controls and authentication mechanisms.
  • Employee training on data protection.
  • Incident response procedures.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

07

Data Retention & Platform Disconnect

7.1 Retention Periods

We retain your personal data for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and prevent fraud. Specific retention periods:

  • Account Data: Until account deletion + 30 days.
  • Transaction Records: 7 years (in accordance with Estonian Accounting Act requirements).
  • User Content: Until deletion by user or account termination.
  • Log Data: 90 days.
  • Analytics Data: 26 months (aggregated and anonymised).
  • Platform Access Tokens: Until disconnect, expiry, or revocation by the user. Tokens are encrypted at rest.
  • Platform Engagement Metrics: While the connection is active and for up to 90 days after disconnect, then purged (or sooner upon request).

7.2 Disconnecting a Platform

You may disconnect any third-party platform connection at any time from Brand Setup → Connections inside AD-Pilot. On disconnect we will, within 24 hours:

  • Stop all API calls to that platform on your behalf (no further posting, no further metric fetching).
  • Revoke the stored access token by calling the platform’s token revocation endpoint where one is provided.
  • Delete the access token (and refresh token where present) from our active database.

You may additionally revoke our access directly from the platform’s own settings — e.g. Facebook Settings → Apps and Websites, LinkedIn → Data Privacy → Permitted Services, X → Settings & Privacy → Connected Apps, Google Account → Security → Third-party access, TikTok → Settings → Authorized Apps, Pinterest → Settings → Apps, Reddit → Preferences → Apps.

7.3 Deleting Platform-Sourced Data on Request

To request deletion of all data we have received from a specific third-party platform (engagement metrics, profile basics, account identifiers), email [email protected] or submit a request via our data subject request form. We will purge the requested records within 30 days and confirm completion. If you submit a deletion request from the platform itself (e.g. Meta’s data deletion callback), we will honour it on the same timeline.

08

Cookies and Tracking Technologies

8.1 Essential Cookies

Required for the website to function properly (authentication, security, preferences). These cannot be disabled.

8.2 Analytics Cookies

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect personal data. No consent is required for Plausible.

8.3 Marketing Cookies

With your consent, we may use cookies for advertising and conversion tracking (e.g., Google Ads). You can withdraw consent at any time through our cookie consent banner or your browser settings.

09

Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of your personal data we hold.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data (the "right to be forgotten").
  • Right to Restriction of Processing (Art. 18): Request that we limit how we use your data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint (Art. 77): File a complaint with a supervisory authority.

9.1 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]
Or use our data subject request form.
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia.

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

10

Children’s Privacy

Our Services are not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without verifiable parental consent, we will delete that information immediately. If you believe we have collected data from a child, please contact us at [email protected].

11

Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

12

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of our Services after the effective date constitutes your acceptance of the updated Privacy Policy.

13

Supervisory Authority

If you are located in Estonia or the European Union and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the relevant supervisory authority.

Andmekaitse Inspektsioon (AKI)

Estonian Data Protection Inspectorate

Website: www.aki.ee

Email: [email protected]

Phone: +372 627 4135

14

Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

AdPilot OÜ

Registry code: 17376620

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia

Email: [email protected]

Website: adpilot.ee

Document Version: 4.0 · Effective Date: May 12, 2026 · Last Updated: May 12, 2026