Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data within the Adlumeno platform is:

Marketbox Kft.
Company registration number: registered in Hungary
Website: https://marketbox.hu
Contact: gyula@marketbox.hu

2. Scope of This Policy

This Privacy Policy applies to the Adlumeno platform, accessible at https://adlumeno.com (the "Service"). Adlumeno is a Google Ads campaign management and AI-powered optimization platform developed and operated by Marketbox Kft.

This policy describes what personal data we collect, how we use it, with whom we share it, and what rights you have in relation to your data, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Hungarian data protection law.

3. Data We Collect

3.1 Account Data

When you register for or use Adlumeno, we collect:

Full name
Email address
Password (stored as a secure hash, never in plaintext)
Account plan / subscription tier
Registration date and last login timestamp

3.2 Google Authentication Data

When you connect your Google Ads account via Google OAuth 2.0, we store:

Google OAuth refresh token (used to maintain API access on your behalf)
Google Ads Customer ID (CID) for each connected account
Google account email (if provided during OAuth flow)

OAuth tokens are stored encrypted in our database and are never exposed to the browser or third parties.

3.3 Google Ads Campaign Data

To provide our service, we retrieve and temporarily store the following data from your connected Google Ads account via the Google Ads API:

Campaign names, statuses, budgets, and performance metrics (clicks, impressions, cost, CTR, conversions)
Ad group names and statuses
Keyword texts, match types, bids, quality scores, and performance metrics
Ad headlines, descriptions, statuses, and performance metrics
Search term report data (queries that triggered your ads)
First-page CPC bid estimates

This data is used exclusively to display campaign information to you and to generate optimization recommendations. It is never shared with other users or third parties.

3.4 Click Fraud & Security Data

For click fraud protection features, we may collect:

IP addresses of ad clicks (via our tracking endpoint)
User agent strings and click timestamps
Referrer URLs associated with click events

3.5 Usage & Log Data

Like most web applications, we automatically collect standard server log data, including IP addresses, browser type, pages visited, and timestamps of requests. This data is used solely for security and operational purposes.

4. How We Use Your Data

Purpose	Data used
Providing the Service (account management, dashboard)	Account data, Google Ads data
Authenticating your identity and maintaining sessions	Email, password hash, session token
Connecting to your Google Ads account via API	OAuth refresh token, Customer ID
Generating AI-powered optimization recommendations	Campaign metrics, keywords, search terms
Executing approved changes in Google Ads (user-initiated only)	OAuth token, campaign/keyword/ad data
Click fraud detection and IP blacklisting	IP addresses, click timestamps
Service security, debugging, and error monitoring	Log data, usage data
Sending transactional emails (account notifications)	Email address, name

We never use your data for advertising, profiling, or any purpose beyond operating the Adlumeno service.

5. Legal Basis for Processing

We process your personal data on the following legal grounds under GDPR Article 6:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Adlumeno service you have signed up for.
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement — where these interests are not overridden by your privacy rights.
Consent (Art. 6(1)(a)): Where you have explicitly authorized us, for example by granting Google OAuth permissions.
Legal obligation (Art. 6(1)(c)): Where applicable law requires us to retain or process data.

6. Third-Party Services

Adlumeno integrates with the following third-party services:

Service	Purpose	Data Shared	Privacy Policy
Google Ads API (Google LLC)	Campaign data synchronization and management	OAuth token, API requests on your behalf	Google Privacy Policy
Anthropic Claude API	AI-powered optimization recommendations and AI assistant	Anonymized campaign performance data (no PII)	Anthropic Privacy Policy
Hosting Provider (cPanel shared hosting)	Web hosting infrastructure	Server logs, database storage	Provider's own policy

We do not sell, rent, or trade your personal data to any third party. Campaign data sent to the Anthropic API for AI analysis is minimized and does not include personally identifiable information.

7. Data Retention

Data Type	Retention Period
Account data (name, email, password hash)	For the duration of your account, plus 30 days after deletion request
Google OAuth tokens	Until you disconnect your Google Ads account
Campaign performance data (synced from Google Ads)	12 months from last sync, or until account deletion
Optimization recommendations & history	24 months for audit trail purposes
Click fraud / IP data	90 days
Server log data	30 days

8. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): You can request a copy of all personal data we hold about you.
Right to rectification (Art. 16): You can request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): You can request deletion of your account and associated data ("right to be forgotten").
Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
Right to object (Art. 21): You can object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent (e.g., Google OAuth), you can withdraw it at any time by disconnecting your Google Ads account.

To exercise any of these rights, please contact us at gyula@marketbox.hu. We will respond within 30 days. You also have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) at naih.hu.

9. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures, including:

All database queries use PDO prepared statements (SQL injection prevention)
CSRF tokens on all state-changing forms
Output escaping on all displayed data (XSS prevention)
Session-based authentication with secure session naming
Per-user data isolation — each user can only access their own data
OAuth tokens stored securely in the database, never exposed in the browser or frontend
HTTPS enforced for all connections
Directory listing disabled

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We will notify affected users and relevant authorities in the event of a data breach, as required by GDPR Article 33.

10. Cookies

Adlumeno uses only strictly necessary cookies:

Session cookie: A server-side session identifier used to maintain your login state. This cookie is deleted when you close your browser or sign out.
CSRF token: A security token embedded in forms to prevent cross-site request forgery attacks.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

11. Children's Privacy

Adlumeno is a professional B2B tool intended for use by adults (18+) and businesses. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data to us, please contact us immediately so we can delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email.

Your continued use of the Service after any changes constitutes acceptance of the updated policy.

13. Contact

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us:

Marketbox Kft. — Data Controller
Email: gyula@marketbox.hu
Website: https://marketbox.hu
Supervisory authority: NAIH — National Authority for Data Protection and Freedom of Information (Hungary)