No AI Training
Your advertising data is never used to train any AI model — ours or any provider's.
AES-256 Encryption
All credentials and tokens are encrypted at rest. Agencies' platform access is never exposed to AI agents.
Client Isolation
Data isolation is enforced in software at every layer. No client can access another's data.
1. Who We Are
mktskills.ai is a B2B SaaS platform providing AI-assisted marketing analytics and reporting for marketing agencies. We are incorporated in the United States.
Privacy contact: privacy@mktskills.ai — We respond to GDPR/LGPD inquiries within 30 days.
EU/UK Representative: As required by GDPR Article 27 for EU-targeting services without an EU establishment, we will appoint an EU/UK representative before launch. Contact privacy@mktskills.ai for current details.
2. Our Roles Under Data Protection Law
Our legal role varies by data category:
| Data Category | Our Role | Legal Basis |
|---|---|---|
| Agency user identity (name, email, role) | Controller | Performance of Contract; Legitimate Interest (security) |
| Advertising platform data (campaigns, spend) | Processor | Agency's instructions as Controller |
| AI-generated insights and reports | Processor | Agency's instructions as Controller |
| OAuth tokens and platform credentials | Processor | Performance of Contract |
| Platform audit logs | Controller | Legal obligation; Legitimate Interest (security) |
| Payment and billing data | Controller | Performance of Contract |
For data where we are a Processor (advertising data, AI reports), data subject requests should be directed to your agency as Controller — we assist the agency in fulfilling them. For data where we are a Controller (user identity, audit logs, billing), we respond directly.
3. Information We Collect
Account and identity data (Controller): Name, email, job role, organization name, billing address, IP address, and session metadata managed by Clerk.
Advertising platform data (Processor): Campaign performance data (impressions, clicks, spend, ROAS, conversions), ad creative metadata, audience segment names and reach estimates (not individual-level behavioral data), account structure data, and conversion tracking configurations — retrieved via OAuth on your explicit instruction, retained only as long as needed to complete the requested analysis.
Usage and technical data (Controller — Legitimate Interest): Feature usage events, error and diagnostic logs, aggregated browser/OS data, and audit trail records (who ran what skill, on which client, at what time).
AI prompt and output logs (Controller — Security): Prompts submitted to AI providers and outputs received may be logged for security monitoring, debugging, and abuse prevention — not for model training.
4. How We Use Your Data
- Execute analysis Skills and generate reports using AI inference
- Authenticate your identity and authorize client workspace access
- Enforce client isolation across all tenants
- Route API calls to Connected Platforms on your behalf
- Monitor service health, diagnose errors, detect fraud and unauthorized access
- Maintain audit logs for security and compliance
- Deliver transactional notifications and respond to support requests
- Respond to lawful legal process and enforce our Terms of Service
5. AI Processing, Provider Routing, and the No-Training Commitment
When you run a Skill, relevant advertising data is submitted as part of a prompt to an AI inference endpoint. We may route requests to different providers based on availability, capability, and performance. All providers are under contract with equivalent data protection obligations.
AI Providers in use may include — but are not limited to — providers of large language model inference services. The current provider list is disclosed in our Data Processing Agreement (DPA) and available to customers upon written request to privacy@mktskills.ai. Customers receive at least 15 days' notice before any new provider that processes personal data is activated. For each AI Provider, we disclose: country of processing, data retention period, whether zero-data-retention (ZDR) is enforced, and the contractual basis for no-training commitments.
No AI Training — Our Commitment
Your data is never used to train, fine-tune, or improve any AI model — ours or any provider's. We enforce this by: (1) selecting providers that contractually prohibit using API data for model training; (2) not activating providers that cannot make this commitment contractually or technically; (3) requiring this prohibition in our DPA with each AI Provider. We will never use a provider that cannot make this guarantee.
Note: Training restrictions and data-retention periods are distinct. A provider may commit to no-training while retaining prompt/output data for safety monitoring for a limited period (typically 7–30 days). Provider-specific retention periods are disclosed in the DPA and available upon request.
Google API — Limited Use: Information from Google APIs (Google Ads, GA4) is used only for the Platform's user-facing features. To generate reports, Google-derived data is sent to AI Providers as part of a skill execution prompt — limited to data necessary for the specific report requested, sent only to providers prohibited from training on it, for the sole purpose of generating your requested output. No Google-derived data is shared for advertising, profiling, or any purpose outside the Platform's stated features. This complies with Google's API Services User Data Policy Limited Use requirements.
Meta API: Data from the Meta Marketing API is used exclusively for advertising performance reporting. Meta-derived data transferred to AI Providers for report generation is subject to the same no-training and limited-use conditions. Meta-derived data is not retained beyond what is necessary to complete the analysis and is not cached independently of the Platform's audit and security logging.
Automated decision-making: AI outputs are analytical recommendations for human review. No legally significant automated decisions are made without a human marketer evaluating and acting on Platform outputs first (human-in-the-loop). Under LGPD Article 20, you may request human review of AI-generated assessments: contact privacy@mktskills.ai.
6. Subprocessors
The complete and current subprocessor list is disclosed in our Data Processing Agreement (DPA) and available to customers upon written request to privacy@mktskills.ai. Customers receive at least 15 days' notice before any new subprocessor that processes personal data is activated.
| Subprocessor | Purpose | Location |
|---|---|---|
| Clerk | User authentication and identity | US (DPF certified) |
| Neon (Postgres) | Primary database | US (configurable) |
| Google Cloud Platform | Compute, secrets, hosting | US (configurable) |
| AI inference providers (disclosed via DPA) | LLM inference for Skill execution | Varies by provider |
| Payment processor | Billing and subscription | US |
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and identity data | Subscription duration + 30 days |
| Advertising platform data (session) | Cleared after skill execution (unless saved/exported) |
| Saved reports | Until deleted by user or 12 months after last access |
| AI prompt/output logs | 90 days (security); audit entries 3 years |
| Audit logs | Minimum 3 years |
| Support communications | 2 years |
| Payment and billing records | 7 years (tax/accounting) |
8. Data Security
- Encryption at rest: AES-256 for all stored credentials including OAuth tokens
- Encryption in transit: TLS 1.3 for all data in motion
- Access control: Role-based access, principle of least privilege
- Sandbox isolation: AI agents run in ephemeral sandboxes with short-lived session tokens — they never hold raw platform credentials
- Audit logging: All data access and skill execution events are logged and immutable
- Credential rotation: OAuth tokens and service credentials rotated on a documented schedule
In the event of a data breach involving personal data, we will notify affected customers without undue delay in accordance with applicable law.
9. Your Rights
| Right | Applies Under |
|---|---|
| Access — obtain a copy of your personal data | GDPR, CCPA, LGPD |
| Correction — correct inaccurate data | GDPR, CCPA, LGPD |
| Deletion / Erasure | GDPR, CCPA, LGPD |
| Restriction / Portability / Objection | GDPR, LGPD |
| Human review of AI-generated assessments | LGPD Art. 20 |
| Opt-out of sale/sharing (we do not sell data) | CCPA/CPRA |
CCPA Notice at Collection (California Residents): Categories collected: Identifiers (name, email, IP); Professional information (title, employer); Usage/activity data (skills run, reports accessed); Inferences (activity patterns for fraud detection only). We do not sell or share personal data for cross-context behavioral advertising. California employees of marketing agencies have full CCPA/CPRA rights. Authorized agents may submit requests with written proof of authorization.
LGPD (Brazilian Users): Rights include confirmation, correction, anonymization, deletion, portability, information about shared entities, human review of automated decisions, and right to revoke consent. International transfers of Brazilian personal data rely on mechanisms recognized by the ANPD, including standard contractual clauses formalized by the ANPD.
To exercise any right, contact: privacy@mktskills.ai. Response time: 30 days (GDPR/LGPD), 45 days (CCPA). Identity verification may be required.
10. International Data Transfers
- Standard Contractual Clauses (SCCs): Our primary mechanism for EU/EEA-to-US transfers, incorporated into our DPA.
- UK Addendum to SCCs: For UK transfers.
- EU-US Data Privacy Framework (DPF): We are pursuing DPF self-certification. Until listed on the official DPF list, SCCs are the operative mechanism.
- Brazil (LGPD): We rely on SCCs or equivalent mechanisms recognized by the ANPD.
11. GDPR — EU/EEA Disclosures
| Processing Activity | Legal Basis (Controller activities) |
|---|---|
| Account management and authentication | Art. 6(1)(b) — Performance of contract |
| Platform security and fraud prevention | Art. 6(1)(f) — Legitimate interests |
| Audit log retention | Art. 6(1)(c) — Legal obligation |
| Marketing communications (optional) | Art. 6(1)(a) — Consent |
Advertising platform data is processed as a Processor on agency instructions — the agency as Controller determines the legal basis for that processing. You have the right to lodge a complaint with your national supervisory authority: edpb.europa.eu.
12. Cookies and Tracking
We use essential cookies for authentication session management only. No third-party advertising cookies or cross-site tracking. Analytics tools are configured for privacy-preserving, aggregated measurement and honor Global Privacy Control (GPC) signals. Full cookie disclosure is in the Platform's cookie banner.
13. Children's Privacy
The Platform is not intended for individuals under 18. Contact privacy@mktskills.ai if you believe a child has provided data and we will delete it promptly.
14. Changes to This Policy
We will notify you of material changes at least 30 days before the effective date via email and in-platform notice. Continued use after the effective date constitutes acceptance.
Contact
Privacy requests / GDPR / LGPD: privacy@mktskills.ai
Security incidents: security@mktskills.ai
General: hello@mktskills.ai
Subprocessor list available upon request: privacy@mktskills.ai