Privacy Policy
Last updated: June 2025
1. Who We Are
AdLeak Shield ("we", "us", "our") is a software-as-a-service platform that helps businesses identify wasted Google Ads spend. We are operated by Mehrad Haftsavar (trading as AdLeak Shield), based in the United Kingdom.
Contact: info@adleakshield.com
2. Data We Collect
2.1 Account Data
When you register, we collect your email address and a hashed version of your password. We never store your password in plain text.
2.2 Billing Data
Subscription payments are handled by Stripe. We store only your Stripe Customer ID and subscription status. We never see or store your full card number, CVV, or bank details — those remain with Stripe. See Stripe's privacy policy at stripe.com/gb/privacy.
2.3 Tracking Data (Processed on Your Behalf)
When you install the AdLeak Shield tracking snippet on your website, we collect the following data about visitors to your site who arrive via Google Ads:
- The Google Ads keyword that triggered the ad click
- Match type and device type (desktop, mobile, tablet)
- A masked, truncated IP address (last octet removed — not re-identifiable)
- Page paths visited during the session
- Session duration and engagement signals (scroll depth, clicks)
- Google Click ID (gclid) — used to link sessions, not stored permanently
You, as the website owner, are the data controller for this visitor data. AdLeak Shield acts as a data processor on your behalf. See Section 8 and our Terms of Service for your responsibilities in this regard.
2.4 Usage Data
We collect standard server logs and application usage data to operate, maintain, and improve the service (e.g. which features are used, error rates). This data is not sold or shared with third parties for marketing purposes.
2.5 Cookie and Browser Data
We use session cookies for authentication and, where you have consented, analytics cookies to understand how the dashboard is used. See our Cookie Policy for full details.
3. How We Use Your Data
- To provide, operate, and improve the AdLeak Shield service
- To process payments and manage your subscription via Stripe
- To send transactional emails (account verification, password reset, billing receipts)
- To detect abuse, enforce our Terms of Service, and prevent fraud
- To fulfil legal obligations (e.g. retaining billing records)
- To contact you about material changes to this policy or the service
We do not sell your data to third parties. We do not use your data for advertising purposes.
4. Data Retention
- Visitor tracking data (sessions, keywords, journey events): automatically deleted after 90 days by our automated data retention process.
- Account data: retained for the lifetime of your account, then anonymised immediately upon account deletion (email replaced with an anonymised identifier, password hash cleared).
- Billing records: retained for 7 years as required by UK financial regulations.
- Email logs: retained for up to 30 days for delivery troubleshooting.
5. Third-Party Services
We share data with the following sub-processors to operate the service:
| Service | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | USA / EU |
| Microsoft Azure | Database hosting and background processing | West Europe |
| Vercel | Frontend hosting and edge network | USA / EU |
| Resend | Transactional email delivery | USA |
All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures. Where data is transferred outside the UK/EEA, appropriate safeguards (such as Standard Contractual Clauses) are in place.
6. Your Rights Under GDPR / UK GDPR
If you are located in the UK or EEA, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — delete your account at any time from Settings → Danger Zone. This immediately anonymises your account data and permanently deletes all tracking data.
- Right to data portability — request your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to restrict processing — request we limit how we use your data
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email info@adleakshield.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Legal Basis for Processing
- Contract performance — processing your account data and tracking data to provide the service you signed up for
- Legal obligation — retaining billing records as required by law
- Legitimate interests — fraud detection, abuse prevention, service improvement
- Consent — analytics cookies (where applicable)
8. Your Responsibilities as a Merchant
By using AdLeak Shield, you install a tracking script on your website. As the operator of that website, you are the data controller for your visitors' data. You are responsible for:
- Disclosing the use of AdLeak Shield in your own website's Privacy Policy
- Ensuring you have a lawful basis for collecting visitor data (e.g. legitimate interest or consent)
- Providing your visitors with appropriate notice of data collection and tracking
- Complying with the UK GDPR, EU GDPR, PECR, or any other applicable data protection law in your jurisdiction
AdLeak Shield collects only the minimum data necessary (masked IP, keyword, device type, page paths). No full IP addresses or personally identifiable visitor information is stored. You may request a Data Processing Agreement (DPA) by emailing info@adleakshield.com.
9. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), hashed password storage (bcrypt), row-level security on our database (tenant data is fully isolated), and regular automated data purges. However, no system is 100% secure. If you discover a security issue, please disclose it responsibly to info@adleakshield.com.
10. Children
AdLeak Shield is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email or by a prominent notice in the dashboard at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For any privacy-related queries, requests, or complaints:
AdLeak Shield — Privacy
Email: info@adleakshield.com
Manchester, United Kingdom
AdLeak Shield is registered with the Information Commissioner's Office (ICO) under registration number C1953337.