Privacy Policy

Maddict Audience Cloud (“Maddict”, “we”) is an invite-only, business-to-business platform operated by [legal entity], [registered address]. It is used by authorized advertising agencies and their invited team members; it is not a consumer service. This policy explains what data we process and why.

• Account data — your email address, a password (stored only as a salted hash by our authentication provider; we never see or store it in plaintext), and your display name.
• Tenant & membership data — which agency you belong to, your role (agency admin or member), seat status, and invitation records.
• Audit records— an append-only log of privileged actions (e.g. provisioning, status and entitlement changes, member invites and removals) capturing the action, the acting user’s email, the affected target, and a timestamp.
• Security & operational metadata — your IP address and basic request metadata are processed transiently to enforce rate limits, run the sign-in bot challenge, and detect abuse. Error and performance telemetry is collected to keep the service reliable, with personal data and secrets scrubbed (email addresses and credentials are redacted and request bodies are never transmitted).

We use only essential cookies: the session/authentication cookies that keep you signed in, a short-lived password-recovery cookie, and the Cloudflare Turnstile challenge used on the sign-in screen. We do not use advertising or cross-site tracking cookies.

• Provide, secure, and operate the platform.
• Authenticate you and enforce your agency's plan, entitlements, and seat limits.
• Send transactional email (invitations and password recovery).
• Maintain an integrity-protected audit trail of privileged actions.
• Monitor reliability and investigate errors and abuse.

We rely on a small set of vendors that process data on our behalf under data-processing terms:

• Supabase — authentication, database, and email delivery infrastructure.
• Vercel — application hosting and content delivery.
• Resend — transactional email delivery.
• Cloudflare — Turnstile bot/abuse protection on sign-in.
• Sentry — error and performance monitoring (with personal data and secrets scrubbed).

Hosting and processing take place in [hosting region(s)]. A formal data-residency decision and the per-vendor data-processing agreements are being finalized before external launch.

Account and tenant data are retained for the duration of your agency’s relationship with us. Audit records are retained for [retention period] as an integrity record. Security and rate-limit metadata is short-lived. On account removal or agency offboarding, data is deleted or anonymized except where we must retain it to meet a legal obligation.

Subject to applicable law, you may request access to, correction of, export of, or deletion of your personal data. Most account and seat changes are handled by your agency administrator; for anything else, contact us at privacy@maddict.net.

We may update this policy as the service evolves. Material changes will be reflected by the “last updated” date above and, where appropriate, communicated to agency administrators.

Privacy questions: privacy@maddict.net. Data controller: [legal entity, registered address].