Legal

Privacy Policy

Last updated: June 2026

This policy explains how Ephermal collects, uses, and protects your personal data. It is written to comply with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and applicable e-privacy law.

1. Data Controller

The data controller responsible for processing your personal data is:

Hicham Settah
Rapsweg 18, 47906 Kempen, Deutschland
E-Mail: hello@ephermal.app

2. Data We Collect

Account data - collected via Clerk: email address, name, and authentication credentials. Used to create and secure your account.
Usage data - stored in Supabase: connected ad account IDs, campaign performance metrics, ROAS data, spend history, and product catalog references from your Shopify store.
Payment data - processed by Stripe: billing name, email, card last four digits, and billing address. Raw card numbers are never stored by Ephermal.
Store data - received from the Shopify API: product titles, descriptions, images, prices, and inventory levels needed to generate ad creatives.

3. How We Use Your Data

Provide the service - managing your ad campaigns, generating AI creatives, and reporting performance metrics.
AI-powered recommendations - your store and campaign data is sent to AI processors (Anthropic, Groq) solely to generate ad copy and budget recommendations on your behalf. Your data is not used to train third-party AI models.
Transactional emails - billing receipts, trial expiry reminders, and security alerts via Resend.
Legal compliance - retaining records as required by applicable law.

Legal bases: contract performance (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), and legal obligation (Art. 6(1)(c) GDPR).

4. Third-Party Processors

We use the following sub-processors to deliver the service. All are bound by data processing agreements:

Processor	Purpose	Location
Clerk	User authentication and session management	US (SCCs apply)
Supabase	Application database and storage	US / EU (configurable)
Stripe	Payment processing and billing	US / EU
Anthropic	AI content generation (ad copy)	US (SCCs apply)
Groq	AI inference for budget recommendations	US (SCCs apply)
Meta / Google	Ad platform APIs for campaign management	US / EU
Resend	Transactional email delivery	US (SCCs apply)

5. Data Retention

Account data - retained until you delete your account. Deleted within 30 days of account closure.
Campaign data - retained for 24 months from the date of creation to enable trend analysis and forecasting.
Application logs - retained for 30 days, then automatically purged.
Billing records - retained for 10 years as required by German tax law (§ 147 AO).

6. Your Rights (GDPR Art. 15–22)

As a data subject, you have the following rights:

Access (Art. 15) - request a copy of all personal data we hold about you.
Rectification (Art. 16) - request correction of inaccurate data.
Erasure (Art. 17) - request deletion of your data ("right to be forgotten").
Portability (Art. 20) - receive your data in a machine-readable format.
Objection (Art. 21) - object to processing based on legitimate interests.
Restriction (Art. 18) - request that we restrict processing of your data.

To exercise any of these rights, contact: hello@ephermal.app. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).

7. Cookies

Ephermal uses essential cookies only. These are set by Clerk for session authentication and are strictly necessary to keep you logged in. We do not use advertising cookies, third-party analytics cookies, or tracking pixels without your explicit consent.

No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive. If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism.

8. International Data Transfers

Some of our processors (Clerk, Anthropic, Groq, Resend) are based in the United States. Data transfers to the US are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR.

We take commercially reasonable steps to ensure that our US-based processors maintain appropriate technical and organisational safeguards equivalent to EU standards.

9. Contact

For all privacy-related inquiries, data subject requests, or complaints:

hello@ephermal.app

For requests under German law (BDSG), you may also contact us by post at the address listed in our Impressum.