Privacy policy.

The data controller is Harry Abib EI, publisher of the Jarvan service. For any question or request to exercise privacy rights, contact [email protected].

Jarvan processes identification and authentication data, workspace information, Google Ads connection data, campaign briefs, generated assets, created or imported campaigns, optimization events, Stripe billing data, chat messages, and technical security logs.

Processing is carried out to provide the service and perform the contract, secure accounts and prevent abuse on the basis of legitimate interest, comply with legal billing and retention obligations, and collect consent when non-essential trackers or optional processing require it.

Data may be processed by Supabase for authentication and database services, OpenAI for AI inference, Google for connected Google Ads operations, Stripe for billing, and the hosting and monitoring providers needed to operate the service.

Jarvan accesses Google user data only after you grant consent through Google OAuth. This covers your Google account identity used to sign in (name, email address, profile, and openid) and the Google Ads data accessed through the adwords scope, including accessible accounts, campaigns, and performance metrics. Jarvan never sells Google user data and never uses it to serve advertising or to train machine-learning or AI models. Google user data is disclosed only to the service providers strictly required to deliver the features you use: Supabase (database and storage), our hosting and infrastructure providers, and OpenAI (to generate the campaign drafts and recommendations you request). It is also sent to Google to carry out the Google Ads operations you initiate. These providers act on Jarvan's instructions and may not use the data for their own purposes. Jarvan's use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Jarvan protects user data, including sensitive Google credentials, with layered security measures. All data is transmitted over encrypted connections (HTTPS/TLS). Google OAuth refresh tokens are encrypted at rest using AES-256-GCM and stored only on the server; they are never exposed to the browser or to client-side code. Access to stored data is restricted through row-level security and least-privilege service credentials, and Google Ads operations run only in server-only code paths. Tokens and connection data are deleted when you disconnect your Google Ads account or delete your Jarvan account. The service is fronted by edge protection and rate limiting, and access is monitored to detect and prevent abuse.

Some providers may process data outside the European Union. Jarvan relies on applicable transfer mechanisms, including standard contractual clauses, security measures, and contractual safeguards from processors.

Account and workspace data is retained for the duration of service use. Billing data is retained according to applicable accounting obligations. Security and operational logs are kept for a limited period necessary for security and evidence of operations. Deleted data may temporarily remain in technical backups.

Users may request access, rectification, erasure, restriction, objection, portability where applicable, and withdrawal of consent for processing based on consent. A complaint may also be filed with the CNIL. The publisher's legal information is available in the legal notice.