Legal

Privacy Policy

How we collect, use and protect personal data from website visitors and clients.

Last updated: 25 June 2026

This Privacy Policy explains how GRAND B.V., trading as Sov Agency ("we", "us"), processes personal data when you visit our website, use our client dashboard ("Dashboard"), or engage us for marketing services.

We are the data controller for personal data processed in the context of our client services and website. Contact: business@sov-agency.com.

01

Data We Collect

a. Account and contact data — name, business email, phone number, company name, role, and billing details of Client contacts.

b. Connected-platform data — when a Client connects social media or advertising accounts (TikTok, Instagram, Meta, Google, and similar) to the Dashboard, we collect data the platform makes available through its official APIs, including:

  • Account identifiers (handles, account IDs, display names, avatars)
  • Content metadata and performance metrics: views, impressions, reach, likes, comments, shares, saves, watch time, follower counts, audience demographics
  • Advertising metrics: spend (cost), CPM, CPC, CPA, CTR, ROAS, conversions, attribution data
  • Creative assets and captions published on the connected accounts
  • Access and refresh tokens required to call the platform APIs (stored encrypted)

c. Dashboard usage data — login timestamps, pages viewed, actions taken, IP address, device and browser information, captured for security, debugging, and product improvement.

d. Creative and project data — recordings, scripts, briefs, content plans, contact lists, and other materials Clients upload or that we produce as part of the engagement.

e. Communications — emails, meeting notes, and messages exchanged in the course of the engagement.

02

How We Use Data

We process personal data for the following purposes:

  • Service delivery — managing campaigns, producing content, reporting performance, and operating the Dashboard.
  • Analytics and benchmarking — analysing performance across our client base to improve strategy, generate internal benchmarks, and refine our methodologies. Results used outside of a Client's own reporting are aggregated and de-identified.
  • Training and model improvement — connected-platform metrics and creative metadata may be used to train and improve internal analytical models, scoring systems, and decision-support tools. We do not use a Client's data to train models for the benefit of a competing client in an identifiable way; outputs that leave a Client's own workspace are aggregated.
  • Billing and administration — invoicing, accounting, and legal record-keeping.
  • Security — detecting abuse, fraud, and unauthorised access.
  • Legal compliance — meeting our obligations under applicable law.

03

Legal Bases (GDPR)

We rely on: (a) performance of a contract for service delivery and billing; (b) legitimate interests for analytics, benchmarking, model improvement, and security (balanced against your rights); (c) legal obligation for tax and accounting records; (d) consent where required for marketing communications or non-essential cookies (see Cookie Statement).

04

Data from Connected Social Media Accounts

When a Client links an account (e.g., TikTok Business, Instagram Business, Meta Ads, Google Ads), we access only the scopes the Client authorises. Tokens can be revoked at any time from the Dashboard or from the relevant platform's app settings. Upon revocation we stop calling the platform's API; previously retrieved analytical data may be retained as described in Section 7.

05

Sharing

We share personal data only with:

  • Sub-processors that help us operate the Service (hosting, database, email, analytics, AI infrastructure). Current key sub-processors include Cloudflare, Supabase / Lovable Cloud, and OpenAI / Google / Anthropic model providers used for analytical features.
  • Connected platforms (only data the Client authorises us to push back, e.g., publishing content or uploading ad creatives).
  • Professional advisers (accountant, lawyer) bound by confidentiality.
  • Authorities when legally required.

We do not sell personal data.

06

International Transfers

Some sub-processors are based outside the European Economic Area. Where this is the case, we rely on EU Standard Contractual Clauses or an adequacy decision to safeguard the transfer.

07

Retention

  • Connected-platform analytics: retained for the duration of the engagement and up to 24 months after termination, for historical reporting and benchmarking.
  • Aggregated / de-identified analytics: retained indefinitely.
  • Account and contact data: for the duration of the engagement plus 7 years for legal/tax purposes where required.
  • Access and refresh tokens: deleted promptly upon disconnection or revocation.

08

Security

We apply industry-standard technical and organisational measures, including encryption in transit (TLS), encryption at rest for credentials and tokens, role-based access control, audit logging, and regular review of sub-processors.

09

Your Rights

Under the GDPR you have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing based on legitimate interests. You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). To exercise these rights, contact business@sov-agency.com.

10

Data of End Users of Our Clients

Where Clients' connected accounts contain personal data of their followers, customers, or audiences, Sov Agency acts as a data processor on behalf of the Client. The Client is the controller for that data; processing is governed by our Data Processing Agreement (available on request).

11

Children

Our Service is intended for businesses and is not directed at children under 16.

12

Changes

We may update this Privacy Policy. Material changes will be communicated by email or via the Dashboard.

13

Contact

GRAND B.V. (Sov Agency), TT Vasumweg 58B, Amsterdam, The Netherlands. Email: business@sov-agency.com. KvK 99356848.