Legal

Privacy Policy

Last updated: April 7, 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Baoks UG (haftungsbeschränkt)
Kruppstraße 41
72760 Reutlingen
Deutschland

E-Mail: privacy@baoks.de

2. Data We Collect

We collect only the data required to provide the service:

  • Account data: name, email address, login metadata, and billing status.
  • Amazon credentials: OAuth connection tokens provided to connect your Amazon Ads account. Refresh tokens are encrypted at rest with AES-256-GCM.
  • Amazon Data (via the Amazon Ads API): We access and process the following data from your Amazon Advertising account through the Amazon Ads API:
    • Campaign data: campaign names, campaign types, states, budgets, and targeting settings for Sponsored Products, Sponsored Brands, and Sponsored Display campaigns
    • Keyword and targeting data: keywords, search terms, bids, match types, and negative keywords
    • Performance metrics: impressions, clicks, spend, sales, orders, ACOS, ROAS, and conversion data
    • Placement data: top-of-search, rest-of-search, and product page performance breakdowns

    This data is classified as "Amazon Data" under the Amazon Ads Partner Network Policies. We process it solely to provide automated bid optimization, search term harvesting, reporting, and dashboard functionality as described in our service.

  • Technical data: IP address (for rate limiting only; not stored persistently), browser type, and device information transmitted automatically by your browser.

3. Legal Basis for Processing

We process personal data on the following legal bases (Art. 6(1) GDPR):

  • Art. 6(1)(b) — Contract performance: account creation, authentication, bid optimization, search term harvesting, reporting, and billing.
  • Art. 6(1)(f) — Legitimate interest: platform security, abuse prevention, error diagnostics, and service improvement. Our legitimate interest is ensuring reliable and secure operation of the platform.
  • Art. 6(1)(a) — Consent: where you explicitly opt in (e.g. connecting your Amazon Ads account). You may withdraw consent at any time by disconnecting your account.

4. How We Use Data

  • Operate automated bid optimization, search term harvesting, and scheduled automation runs.
  • Provide dashboards, reporting, and account functionality.
  • Maintain platform security, prevent abuse, and troubleshoot errors.
  • Process billing and send essential service communications.

4a. Amazon Data - Use and Restrictions

This service interfaces with the Amazon Ads API. Our use of Amazon Advertising data is governed by the Amazon Ads Partner Network Policies in addition to this Privacy Policy.

  • Amazon Data is used only to operate the service on behalf of the user who connected their Amazon Advertising account.
  • We do not sell, license, sublicense, rent, or make available Amazon Data to any unauthorized third party.
  • We do not use Amazon Data for interest-based advertising, behavioral retargeting, or unauthorized profiling.
  • We do not combine Amazon Data with third-party data sources without express prior written approval from Amazon.
  • Upon account deletion or disconnection, Amazon Data is deleted within 30 days.
  • We comply with the Amazon Ads Partner Network Policies.

5. Subprocessors and Data Sharing

We do not sell, rent, or share your Amazon Data with third parties for their marketing purposes. We use the following subprocessors to operate the service:

Subprocessor          Purpose                       Location
Supabase Inc.         Database, authentication      USA (EU-US DPF)
Vercel Inc.           Application hosting, CDN      USA (EU-US DPF)
Stripe Inc.           Payment processing            USA (EU-US DPF)
Amazon Web Services   Amazon Ads API (data sync)    USA (EU-US DPF)

6. Third-Country Transfers

Our subprocessors are located in the United States. Transfers are safeguarded by the EU-US Data Privacy Framework (DPF) adequacy decision of the European Commission (10 July 2023). All listed subprocessors are certified under the DPF. Where the DPF does not apply, we rely on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

7. Cookies

This website uses only essential cookies required for authentication and session management (Supabase auth tokens). We do not use analytics cookies, tracking pixels, or third-party advertising cookies. Because these cookies are strictly necessary for the service, no consent is required under Art. 5(3) of the ePrivacy Directive.

8. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Amazon Data: retained while your account is active. Deleted within 30 days of account deletion or Amazon account disconnection.
  • Billing records: retained for 10 years after the end of the calendar year in which the transaction occurred, as required by German tax law (§ 147 AO).
  • Server logs (IP addresses): not stored persistently; used only for in-memory rate limiting.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

To exercise these rights, contact us at privacy@baoks.de.

You may also withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR), without affecting the lawfulness of processing prior to withdrawal.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for our company is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI)
Lautenschlagerstraße 20
70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de

11. Changes to This Policy

We may update this policy from time to time. Material changes will be posted on this page with an updated effective date.