Privacy Policy

Effective date: March 15, 2026

1. Data Controller

The data controller for personal data processed through the Janus platform is:

Digitalni marketing, Mitja Horvat s.p.
Oplotnica, Slovenia
Email: [email protected]

Digitalni marketing, Mitja Horvat s.p. is a sole proprietorship registered in the Republic of Slovenia. In this policy, "we", "us", and "our" refer to Digitalni marketing, Mitja Horvat s.p. operating the Janus platform.

2. What Data We Collect

Janus is a B2B creative intelligence platform. We collect and process the following categories of data:

Ad performance data from Meta Marketing API

When you connect your Meta (Facebook/Instagram) ad account via OAuth using the ads_read permission, we access and store:

  • Ad account identifiers (account IDs and names)
  • Campaign, ad set, and ad names
  • Performance metrics: spend, impressions, clicks, CTR, CPC, CPM, ROAS, reach, frequency, and conversion actions
  • Creative metadata: creative names, titles, body text, and thumbnail references

This data consists of aggregated business metrics about advertising performance. It does not include personal data of individuals who view or interact with your ads.

Account data

  • Admin accounts: email address and bcrypt-hashed password
  • Brand user accounts: email address and bcrypt-hashed password, created by a Janus administrator
  • OAuth tokens: encrypted access tokens required to retrieve ad data on your behalf

Data we do not collect

  • Personal Facebook or Instagram profiles, friends lists, or messages
  • Personal data of end users who see your ads
  • Payment or billing information from your Meta account
  • Browsing behavior, device fingerprints, or cross-site tracking data

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

  • Contractual necessity (Article 6(1)(b)) — processing of account data (email, hashed password) is necessary for the performance of the service agreement between you and Janus
  • Legitimate interest (Article 6(1)(f)) — processing of ad performance data to analyze advertising performance and inform creative production, which is the core purpose of the platform. The data processed consists of aggregated business metrics, not personal data of individuals, and the processing is directly expected by the client who connects their ad account for this purpose

4. Purpose of Processing

We process your data exclusively for the following purposes:

  • Retrieving and displaying your ad account performance data through the Janus dashboard
  • Analyzing performance patterns to generate creative intelligence insights
  • Using those insights to inform and produce better ad creatives for your business
  • Maintaining the security and integrity of the platform (audit logging, access control)

5. How Data Is Stored

Your data is protected with the following security measures:

  • Encryption at rest — all OAuth tokens are encrypted using AES-256-CBC with a unique encryption key per deployment
  • Encryption in transit — all data transmitted between your browser, our servers, and Meta's API is encrypted via HTTPS (TLS)
  • Per-client data isolation — each brand's data is stored separately and cannot be accessed by other brands on the platform
  • Password security — all passwords are hashed using bcrypt and are never stored in plaintext
  • Access control — the platform is invite-only and password-protected; access is restricted by role-based authentication (JWT)
  • Audit logging — all ad account connection, disconnection, and rejection events are logged with timestamps for security and compliance

6. Data Retention

We retain your data according to the following schedule:

  • Ad performance data — retained for the duration of the client relationship. Upon termination, data is deleted within 30 days
  • OAuth tokens — stored until they expire (up to 60 days), you disconnect the account, or the client relationship ends
  • Account information — retained until you or a Janus administrator request deletion
  • Audit logs — retained for a minimum of 12 months for compliance and security purposes

Upon disconnection of an ad account or termination of the client relationship, all associated data including cached performance metrics, tokens, and account information is permanently deleted within 30 days.

7. Data Sharing and Sub-processors

We do not sell, rent, license, or share your data with any third party for marketing, advertising, or any other commercial purpose.

Your data is processed only by Janus's automated systems. We use the following sub-processors, all of which are compliant with EU data protection requirements:

  • Railway (Railway Corporation) — application hosting and database infrastructure
  • Cloudflare (Cloudflare, Inc.) — DNS management and content delivery
  • Anthropic (Anthropic, PBC) — AI-powered analysis of ad performance data and creative recommendations (US-based; Standard Contractual Clauses in place)
  • Google Cloud / Gemini (Google LLC) — AI image analysis for creative intelligence (US-based; Standard Contractual Clauses in place)

Your data is used as input context for AI-powered analysis to generate creative recommendations and ad concepts for your account only. We do not use your data to train or fine-tune foundation AI models. Your data is never mixed with other clients' data. We do not combine your data with data from third-party sources.

8. International Data Transfers

Data is stored within the EU (Railway, Cloudflare). AI analysis involves processing by Anthropic and Google, which may process data in the United States under Standard Contractual Clauses (SCCs) ensuring GDPR-equivalent protection.

Data retrieved from Meta's API originates from Meta's global infrastructure. By connecting your Meta account, you acknowledge that Meta processes your data according to their own privacy policy and data processing terms.

9. Your Rights Under GDPR

Under the GDPR and the Slovenian Personal Data Protection Act (ZVOP-2), you have the following rights regarding your personal data:

  • Right of access (Article 15) — request a copy of all personal data we hold about you
  • Right to rectification (Article 16) — request correction of inaccurate or incomplete data
  • Right to erasure (Article 17) — request deletion of your personal data ("right to be forgotten")
  • Right to restriction of processing (Article 18) — request that we limit how we process your data
  • Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format
  • Right to object (Article 21) — object to processing based on legitimate interest

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. If we need additional time due to the complexity of the request, we will inform you within the initial 30-day period.

10. Data Deletion

You may request full deletion of all your data at any time by contacting [email protected] or by disconnecting your ad account through the Janus dashboard. Upon a deletion request:

  • All cached ad performance metrics are permanently deleted
  • All OAuth tokens are invalidated and deleted
  • All account information is removed from our systems
  • Deletion is completed within 30 days of the request

11. Cookies

The Janus platform uses only essential session cookies required for authentication and security. These cookies are strictly necessary for the platform to function and do not require consent under the ePrivacy Directive.

We do not use:

  • Tracking cookies or advertising cookies
  • Analytics cookies or third-party analytics services
  • Third-party cookies of any kind
  • Browser fingerprinting or cross-site tracking

12. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • AES-256 encryption for sensitive data at rest
  • HTTPS encryption for all data in transit
  • Per-client data isolation at the database level
  • OAuth with read-only scope (ads_read) — we cannot modify your ad account
  • Admin-only account pre-approval (whitelist) before any ad account can be connected
  • Connection audit logging for all account events
  • Invite-only, password-protected access

13. Security Incidents

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.

14. Meta Platform Data

Data obtained through Meta's Marketing API is used in compliance with Meta's Platform Terms and Developer Data Use Policy. Specifically:

  • Data obtained through Meta's API is used only for the purposes stated in this privacy policy
  • We do not sell data obtained through Meta's API
  • We do not use Meta data to build or augment user profiles for targeting by third parties
  • We do not combine Meta data with personally identifiable information from third-party sources
  • Data usage is subject to Meta's Platform Terms, and we will delete data upon Meta's request

15. Supervisory Authority

If you believe your data has not been handled correctly, you have the right to lodge a complaint with the competent supervisory authority. For the Republic of Slovenia, this is:

Informacijski pooblaščenec (Information Commissioner of the Republic of Slovenia)
Dunajska cesta 22
SI-1000 Ljubljana, Slovenia
Phone: +386 1 230 97 30
Email: [email protected]
Website: www.ip-rs.si

16. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated effective date. If changes are material, we will notify affected users via email at the address associated with their account.

© 2026 Digitalni marketing, Mitja Horvat s.p. Based in the EU.