Last updated: May 12, 2026
This Privacy Policy describes how Alb3r7 Oy ("we", "us", "our"), a marketing agency based in Espoo, Finland, handles personal data in connection with:
We are the data controller for personal data we process in our role as an agency operator. Our clients remain the controllers of the advertising and analytics accounts they own; we act as a processor when operating those accounts under their authorization.
Our website is a static site hosted on Cloudflare Pages. It does not use cookies, tracking pixels, or analytics scripts. No personal data is collected from visitors through browsing.
If you contact us via a mailto: link, your message is handled by your own email client, and any reply correspondence is stored in our business email account (Google Workspace) for the duration necessary to respond to your inquiry and maintain business records.
The site uses Google Fonts served through Cloudflare. No other third-party scripts are loaded.
We operate internal applications — referred to here as "MCP servers" — that connect to third-party marketing APIs using OAuth 2.0. These tools support our day-to-day agency operations: campaign management, performance reporting, optimization, and reconciliation across the marketing accounts our clients have asked us to manage.
Key characteristics:
We use Google APIs including the Google Ads API, Google Analytics Data API, Search Console API, and selected Google Workspace APIs (Gmail, Drive, Calendar, Sheets, Docs, Slides) where these are required to operate a client's account or to manage business correspondence and reporting on their behalf.
Limited Use disclosure (Google API Services). Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train, develop, or fine-tune AI or machine-learning models. We do not transfer Google user data to third parties except as necessary to provide and improve the agency services the client has requested, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior notice to the client. We do not use Google user data for advertising purposes outside of the client account from which it originated.
Data accessed is limited to what is necessary to perform the contracted agency work (campaign reporting, optimization, conversion tracking review, email correspondence with the client, and document/report delivery).
We connect to Meta's Marketing API and Graph API to manage advertising accounts, Pages, and Instagram business accounts that our clients have granted us access to via Meta Business Manager. Permissions requested typically include ads_management, ads_read, business_management, pages_show_list, pages_read_engagement, pages_manage_posts, and instagram_basic.
We use this access strictly to operate campaigns and report on performance for the client account in question. We do not access personal user profiles, messages, or any data beyond what is necessary for managing the client's ad accounts and business assets. We do not sell or share Meta-derived data with third parties.
Our use of Meta APIs is governed by the Meta Platform Terms and Developer Policies.
We connect to the LinkedIn Marketing Developer Platform (Ads API, Pages API, Reporting API) to manage advertising accounts and Company Pages that our clients have granted us access to. Scopes requested include r_ads, rw_ads, r_ads_reporting, r_organization_social, w_organization_social, and r_basicprofile where required by the integration.
Access is used solely to manage campaigns, publish content, and produce reporting for the authorized client account. We do not access individual member profiles beyond what the API exposes for the authenticated business operator, and we do not sell, share, or otherwise redistribute LinkedIn member data.
Our use of LinkedIn APIs is governed by the LinkedIn API Terms of Use.
We connect to TikTok's Business (Marketing) API to manage advertising accounts and reporting granted to us via TikTok Business Center, covering ad-account management, audiences, and reporting. For organic publishing we use the TikTok Content Posting API together with Login Kit: the account holder authorizes our application, and we request the scopes user.info.basic, video.upload, and video.publish solely to upload and publish video and photo content to their connected TikTok profile at their direction.
We use this access strictly to operate campaigns, publish content the account holder has approved, and report on performance for the account in question. We do not access private messages or any data beyond what is necessary to manage the connected account, and we do not sell or share TikTok-derived data with third parties. We do not use TikTok data to train, develop, or fine-tune AI or machine-learning models. Where the TikTok Pixel and Events API are deployed on a website, they measure conversions behind the site's cookie-consent banner.
Our use of TikTok APIs is governed by the TikTok Developer Terms of Service and the applicable TikTok for Business terms.
We do not maintain a separate database of personal data retrieved through third-party APIs. Data is fetched on demand for reporting and optimization tasks, processed in memory or in temporary files, and then discarded. Aggregated, non-personal performance reports (e.g. weekly Google Ads audits) may be archived locally for the duration of the client relationship and a reasonable period afterwards for legal and accounting purposes.
OAuth refresh tokens are retained for as long as we operate the corresponding client account, and are deleted within 30 days of termination of the engagement or earlier upon request.
Because we do not run a public service and do not collect end-user data, there is normally nothing for us to delete on your behalf. If you are an account owner who has previously granted us OAuth access and you wish to revoke it and have any associated tokens deleted, you have two options:
Under the EU General Data Protection Regulation (GDPR), you also have the right to access, rectify, restrict, or object to processing of personal data we hold about you, the right to data portability, and the right to lodge a complaint with a supervisory authority (in Finland: the Office of the Data Protection Ombudsman, tietosuoja.fi).
We use the following third-party services as sub-processors for our agency operations:
Personal data may be processed in the EU/EEA or in the United States. Where US transfers occur, they are covered by Standard Contractual Clauses and the EU–US Data Privacy Framework as applicable.
Operational hardware uses full-disk encryption. OAuth tokens are stored in secure secret stores (macOS Keychain or equivalent). Access to client accounts is performed only from authorized devices. We follow the principle of least privilege when requesting API scopes.
We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the latest revision. Material changes affecting clients with active engagements will be communicated directly.
For any questions about this policy, or to exercise your data-protection rights:
Alb3r7 Oy
Espoo, Finland
al@bert.fi