Legal

Privacy Policy

Last updated: March 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Baoks UG (haftungsbeschränkt)
Kruppstraße 41
72760 Reutlingen
Deutschland

E-Mail: baoks.company@gmail.com

2. Data We Collect

We collect only the data required to provide the service:

  • Account data: name, email address, login metadata, and billing status.
  • Amazon credentials: OAuth connection tokens provided to connect your Amazon Ads account. Refresh tokens are encrypted at rest with AES-256-GCM.
  • Amazon advertising data: campaigns, keywords, search terms, bids, spend, clicks, conversions, and revenue metrics synced via the Amazon Ads API.
  • Technical data: IP address (for rate limiting only; not stored persistently), browser type, and device information transmitted automatically by your browser.

3. Legal Basis for Processing

We process personal data on the following legal bases (Art. 6(1) GDPR):

  • Art. 6(1)(b) — Contract performance: account creation, authentication, bid optimization, search term harvesting, reporting, and billing.
  • Art. 6(1)(f) — Legitimate interest: platform security, abuse prevention, error diagnostics, and service improvement. Our legitimate interest is ensuring reliable and secure operation of the platform.
  • Art. 6(1)(a) — Consent: where you explicitly opt in (e.g. connecting your Amazon Ads account). You may withdraw consent at any time by disconnecting your account.

4. How We Use Data

  • Operate automated bid optimization, search term harvesting, and scheduled automation runs.
  • Provide dashboards, reporting, and account functionality.
  • Maintain platform security, prevent abuse, and troubleshoot errors.
  • Process billing and send essential service communications.

5. Subprocessors and Data Sharing

We do not sell, rent, or share your Amazon advertising data with third parties for their marketing purposes. We use the following subprocessors to operate the service:

Subprocessor           Purpose                       Location
Supabase Inc.          Database, authentication      USA (EU-US DPF)
Vercel Inc.            Application hosting, CDN      USA (EU-US DPF)
Stripe Inc.            Payment processing            USA (EU-US DPF)
Amazon Web Services    Amazon Ads API (data sync)    USA (EU-US DPF)

6. Third-Country Transfers

Our subprocessors are located in the United States. Transfers are safeguarded by the EU-US Data Privacy Framework (DPF) adequacy decision of the European Commission (10 July 2023). All listed subprocessors are certified under the DPF. Where the DPF does not apply, we rely on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

7. Cookies

This website uses only essential cookies required for authentication and session management (Supabase auth tokens). We do not use analytics cookies, tracking pixels, or third-party advertising cookies. Because these cookies are strictly necessary for the service, no consent is required under Art. 5(3) of the ePrivacy Directive.

8. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Amazon advertising data: retained while your account is active. Deleted within 30 days of account deletion or Amazon account disconnection.
  • Billing records: retained for 10 years after the end of the calendar year in which the transaction occurred, as required by German tax law (§ 147 AO).
  • Server logs (IP addresses): not stored persistently; used only for in-memory rate limiting.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

To exercise these rights, contact us at baoks.company@gmail.com.

You may also withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR), without affecting the lawfulness of processing prior to withdrawal.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for our company is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI)
Lautenschlagerstraße 20
70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de

11. Changes to This Policy

We may update this policy from time to time. Material changes will be posted on this page with an updated effective date.