1. Data Controller and Contact
Prelo is currently operated as an unincorporated project by its founders (the “Operator”), located in Hungary. A limited liability entity will be formed once the Service reaches commercial validation; until then, the Operator acts as the data controller within the meaning of Article 4(7) GDPR.
For any privacy-related enquiry, including requests to exercise your rights under the GDPR, please contact: info@prelomarketing.com. Given our size, we have not appointed a Data Protection Officer; however, the above address is monitored and will function as the single point of contact for data subjects and supervisory authorities.
2. Scope of this Policy
This Policy applies to personal data we process about (a) visitors to our marketing website, (b) individuals who register for an account, and (c) authorised users of customer organisations that subscribe to the Service. It does not apply to third-party websites, advertising platforms, or analytics tools that we integrate with but do not control; those services are governed by their own privacy notices.
3. Categories of Personal Data We Process
We process the following categories of personal data:
- Identity and contact data: full name, business email address, job title, company name, telephone number (where voluntarily provided).
- Account and authentication data: hashed passwords, OAuth identifiers, session tokens, IP address at login, timestamps.
- Connected-account data: access tokens and metadata for advertising and commerce platforms that you elect to connect (e.g., Meta Ads, Google Ads, TikTok Ads, Shopify, Klaviyo). Tokens are encrypted at rest and used solely to retrieve the marketing data required to deliver the Service.
- Marketing performance data: campaign, ad-set, creative, spend, reach, conversion, and audience metrics returned by connected platforms. This data typically concerns your business rather than identifiable natural persons, but may include employee identifiers surfaced by those platforms.
- Usage and technical data: pages viewed, features used, device type, browser, operating system, referring URL, and diagnostic logs.
- Billing data (when payments are enabled): billing name, address, VAT number, and transaction history. Payment card details are handled directly by our payment processor and are not stored on our systems.
- Communications: messages you send us by email, chat, or contact form, including any personal data contained therein.
4. Sources of Personal Data
We collect personal data directly from you when you interact with the Service, from your device automatically through cookies and similar technologies, and from third-party services that you authorise us to access via OAuth. Where you invite team members, we rely on your authority to provide us with their business contact details.
5. Purposes and Legal Bases
We process personal data only where a lawful basis under Article 6(1) GDPR applies. The relationship between purpose and legal basis is as follows:
- Providing the Service — performance of a contract with you or with the organisation you represent (Art. 6(1)(b) GDPR).
- Account creation, authentication, and security — performance of a contract and our legitimate interest in protecting the Service (Art. 6(1)(b) and (f) GDPR).
- Analysing marketing performance and generating recommendations — performance of a contract; where automated processing produces effects on your business operations, you retain full manual control over whether recommendations are executed.
- Product analytics and service improvement — our legitimate interest in operating and improving the Service, balanced against your rights (Art. 6(1)(f) GDPR).
- Marketing communications — your consent (Art. 6(1)(a) GDPR) or our legitimate interest in promoting comparable services to existing customers, in each case subject to your right to object at any time.
- Compliance with legal obligations — compliance with tax, accounting, and other statutory duties (Art. 6(1)(c) GDPR).
6. Automated Decision-Making
The Service uses artificial-intelligence models to analyse marketing performance and surface recommendations. Recommendations are informational by default and require an affirmative action by an authorised user before they take effect. Where you enable “Autopilot” for a specific action, execution occurs within budget guardrails you configure and remains subject to your right under Article 22 GDPR to obtain human intervention, express your point of view, and contest the decision.
7. Disclosure to Third Parties
We disclose personal data only to the following categories of recipients and only to the extent strictly necessary:
- Processors acting on our instructions, including cloud hosting and database providers, email delivery services, and AI model providers, each under a written processing agreement compliant with Article 28 GDPR.
- Advertising and commerce platforms that you connect, solely to authenticate API calls made at your direction.
- Professional advisers such as auditors, lawyers, and accountants, bound by confidentiality.
- Competent authorities where required by law or to protect our legal rights.
- Successors in interest in the event of a merger, acquisition, or reorganisation, subject to equivalent confidentiality obligations.
We do not sell personal data and do not disclose it for third-party advertising.
8. International Data Transfers
Personal data may be processed in countries outside the European Economic Area, in particular the United States, where certain of our processors are established. In such cases we rely on adequacy decisions of the European Commission or on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented as necessary by technical and organisational measures. A copy of the safeguards in place is available upon request to the email address above.
9. Retention
We retain personal data only for as long as necessary to fulfil the purposes described above:
- Account data: for the duration of the account plus up to 24 months thereafter.
- Connected-platform tokens: until the connection is revoked by the user or the account is closed.
- Marketing performance data: while the connection is active; aggregate, non-identifying derivatives may be retained longer for benchmarking.
- Billing and accounting records: for the statutory period required under Hungarian law (currently eight years for accounting documents pursuant to Act C of 2000).
- Support communications: up to 24 months from the last exchange.
10. Security
We implement appropriate technical and organisational measures under Article 32 GDPR, including encryption of data in transit (TLS 1.2 or higher) and at rest, encrypted storage of API tokens, row-level access controls, principle-of-least-privilege access management, audit logging, and routine backups. No method of transmission or storage is entirely secure, and we cannot guarantee absolute security.
11. Your Rights
Subject to conditions set out in the GDPR, you have the right to:
- request access to your personal data (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure where the legal grounds apply (Art. 17);
- request restriction of processing (Art. 18);
- receive your data in a portable format (Art. 20);
- object to processing based on legitimate interests or direct marketing (Art. 21);
- withdraw consent at any time where processing is based on consent (Art. 7(3));
- lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH; www.naih.hu) or with the supervisory authority in your Member State of habitual residence.
To exercise any of these rights, please write to info@prelomarketing.com. We will respond within one month of receipt, extendable by up to two further months where necessary in light of the complexity and number of requests.
13. Children
The Service is intended for business users and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
14. Changes to this Policy
We may update this Policy from time to time to reflect operational, legal, or regulatory changes. Where changes are material, we will notify registered users by email or through the Service at least fifteen (15) days before the new version takes effect. The effective date at the top of this page indicates the current version.
