GDPR Compliance

Last updated: July 2025

This section provides a focused examination of Adspectre's adherence to the General Data Protection Regulation (GDPR), detailing its application of principles, management of data subject rights, and specific requirements for data processing and transfers. While much of this content is reflected in our Privacy Policy, this section offers a deeper dive into our internal compliance framework.

Adspectre does NOT engage in web scraping, data crawling, or any unauthorized data collection from social media platforms or third-party websites. All data processing occurs through legitimate, authorized API connections (Facebook Graph API, Google Ads API, etc.) that require explicit user authentication and consent. We strictly adhere to GDPR Article 6 (lawfulness of processing) and never employ bots, scrapers, or automated harvesting tools.

GDPR Principles

Adspectre's data processing activities are guided by the core principles of GDPR:

  • Lawfulness, Fairness & Transparency: All data processing is conducted lawfully, fairly, and in a transparent manner, with clear and accessible information provided to data subjects regarding processing activities.
  • Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
  • Data Minimization: Only personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed is collected.
  • Accuracy: Personal data is kept accurate and, where necessary, up to date. Reasonable steps are taken to ensure that inaccurate personal data is rectified or erased without delay.
  • Storage Limitation: Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including adherence to legal, accounting, or reporting requirements.
  • Integrity & Confidentiality: Appropriate technical and organizational measures are implemented to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability: Adspectre maintains documentation of its processing activities and demonstrates compliance with all GDPR principles.

Data Subject Rights

Adspectre is committed to facilitating the exercise of all GDPR data subject rights, as detailed in the Privacy Policy (Section 2.5). This includes the right to be informed, right of access, right to rectification, right to erasure ("right to be forgotten"), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling. Adspectre responds to requests from data subjects without undue delay, and in any event within one month of receipt of the request.

Consent Management

Where processing is based on consent, Adspectre adheres to stringent GDPR conditions:

Conditions for Consent

Consent must be freely given, specific, informed, and unambiguous. It must be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. The performance of a contract is not made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Withdrawal of Consent

Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. It must be as easy to withdraw consent as it was to give it.

Documentation

Adspectre maintains records to demonstrate that the data subject has consented to the processing of their personal data.

Data Processing Agreements

For Adspectre's core service offering, establishing robust Data Processing Agreements (DPAs) with each client is a fundamental legal imperative under data protection regulations. Adspectre acts as a Data Processor for its clients' Facebook ad and Instagram business page data. GDPR Article 28(3) explicitly mandates that a legally binding contract must be in place when a controller engages a processor to process personal data on its behalf.

Article 28(3) requires each DPA to set out:

  • Subject Matter, Duration, Nature, and Purpose of Processing: Clearly defining what personal data is being processed, for how long, the type of processing activities involved, and the reason for the processing.
  • Type of Personal Data Processed: Specifying the categories of personal data that will be handled by Adspectre.
  • Categories of Data Subjects: Identifying the groups of individuals whose personal data is subject to the processing.
  • Obligations and Rights of the Controller: Detailing the responsibilities and entitlements of the client in relation to the processing activities.

The same article also requires the contract to bind the processor to process only on the controller's documented instructions, to keep authorized personnel under a duty of confidentiality, to implement the security measures required by Article 32, to engage sub-processors only with the controller's authorization and under equivalent terms, to assist the controller with data subject requests and breach obligations, to delete or return the personal data at the end of the service, and to make available the information needed to demonstrate compliance, including allowing audits. Beyond these mandatory terms, it is good practice to add liability and indemnity clauses, a detailed technical security annex, and cooperation procedures between the controller and processor.

Data Breach Notification

In the event of a personal data breach, Adspectre adheres to strict notification requirements under GDPR:

  • Notification to Supervisory Authority: We will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • Content of Notification: The notification will describe the nature of the breach, including categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
  • Notification to Data Subjects: When a breach is likely to result in a high risk to individuals, we will communicate the breach to affected data subjects without undue delay.
  • Documentation: We maintain a comprehensive record of all personal data breaches, documenting the facts, effects, and remedial action taken.
  • Proactive Response Plan: We have established a detailed data breach response plan, identifying key personnel, outlining protocols for communication and incident management, and including steps for containment, investigation, and notification.

International Data Transfers

For transfers of personal data from the EU/EEA/UK to countries not deemed to provide an adequate level of data protection, Adspectre employs robust mechanisms:

Standard Contractual Clauses (SCCs)

SCCs are the primary mechanism used. These standardized legal provisions provide a framework for transferring personal data outside of a jurisdiction, establishing clear obligations for both the exporting and importing parties. For transfers out of the EU/EEA, the European Commission's 2021 SCCs apply. For transfers out of the UK, the EU SCCs are not a valid transfer tool on their own: UK transfers require the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

Transfer Impact Assessments (TIAs)

When utilizing SCCs for cross-border data transfers, Adspectre conducts Transfer Impact Assessments to identify and evaluate the risks involved, taking into account the specific circumstances of the transfer and the relevant laws and practices in the destination country.

Binding Corporate Rules (BCRs)

BCRs provide an alternative framework for organizations operating in multiple jurisdictions to transfer personal data within their corporate groups, subject to approval by relevant data protection authorities.

Data Privacy Framework (DPF)

If Adspectre becomes certified under the EU-US Data Privacy Framework, this mechanism will be utilized for transfers to the United States.

Other Key Privacy Regulations

Beyond GDPR, Adspectre ensures compliance with other significant data privacy regulations relevant to its global user base.

CCPA/CPRA (California)

For California residents, Adspectre adheres to the CCPA and CPRA. A conspicuous "Do Not Sell or Share My Personal Information" link is provided on the website. We respect rights to know what personal information is collected, to request deletion, to correct inaccurate personal information, and to limit the use and disclosure of sensitive personal information. When using the Meta Pixel, Adspectre enables Meta's Limited Data Use (LDU) for California users.
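The Meta Pixel side of the LDU setting, as an added illustration rather than code from Adspectre or from Meta's library: Meta's documented way to enable Limited Data Use is the command `fbq('dataProcessingOptions', ['LDU'], 1, 1000)` (country code 1 = United States, state code 1000 = California), and Meta's documentation requires it to be issued before `fbq('init', ...)` and before any `track` call, otherwise the first events leave without the flag. The `createPixelQueue` stub below stands in for the real `fbq` command queue that Meta's loader snippet defines; `bootPixel`, `dataProcessingOptionsFor`, `lduAppliedBeforeTracking`, the `'US-CA'` region code and the pixel ID are hypothetical names used only for this example. How the visitor's region is determined (server-side geolocation or the choice stored by the consent banner) is outside the example.

```javascript
// Added example (not Adspectre's or Meta's code). Minimal stand-in for the
// Meta Pixel command queue: Meta's loader defines `fbq` and, until the
// library has loaded, pushes every call onto fbq.queue. This stub only
// records calls so their ordering can be checked offline.
function createPixelQueue() {
  const queue = [];
  function fbq(...args) {
    queue.push(args);
  }
  fbq.queue = queue;
  return fbq;
}

// Map a visitor region to Meta's data-processing options. The documented
// call is fbq('dataProcessingOptions', ['LDU'], country, state), with
// country 1 = United States and state 1000 = California. Sending [] with
// 0, 0 means no restriction. The 'US-CA' region code is an assumption of
// this example; the real value would come from geolocation or the CMP.
function dataProcessingOptionsFor(region) {
  if (region === 'US-CA') {
    return { options: ['LDU'], country: 1, state: 1000 };
  }
  return { options: [], country: 0, state: 0 };
}

// Boot the pixel for one visitor. The LDU command is issued first because
// Meta's documentation requires dataProcessingOptions to be set before
// 'init'; queuing it after 'init' or 'track' would let the PageView event
// out unrestricted.
function bootPixel(fbq, pixelId, region) {
  const dpo = dataProcessingOptionsFor(region);
  fbq('dataProcessingOptions', dpo.options, dpo.country, dpo.state);
  fbq('init', pixelId);
  fbq('track', 'PageView');
  return fbq.queue;
}

// Check a recorded queue: true only if an LDU command precedes the first
// 'init' or 'track'. Usable as a unit test on the consent-banner code.
function lduAppliedBeforeTracking(queue) {
  const lduIdx = queue.findIndex(
    (cmd) =>
      cmd[0] === 'dataProcessingOptions' &&
      Array.isArray(cmd[1]) &&
      cmd[1].includes('LDU')
  );
  const firstEventIdx = queue.findIndex(
    (cmd) => cmd[0] === 'init' || cmd[0] === 'track'
  );
  return lduIdx !== -1 && (firstEventIdx === -1 || lduIdx < firstEventIdx);
}

// Stand-alone demo with a placeholder pixel ID and a California visitor.
const demoQueue = bootPixel(createPixelQueue(), '000000000000000', 'US-CA');
console.log(demoQueue);
console.log('LDU before tracking:', lduAppliedBeforeTracking(demoQueue));
```

`lduAppliedBeforeTracking` is the kind of assertion worth keeping in the front-end test suite for the consent banner: it fails the build if a refactor moves the `init` or first `track` call ahead of the LDU command, which is the failure mode that silently sends unrestricted events for California visitors.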

PIPEDA (Canada)

For Canadian residents, Adspectre complies with PIPEDA, which is founded on ten fair information principles; the separate mandatory breach reporting obligation added in 2018 is listed last:

  • Accountability: A designated individual is responsible for PIPEDA compliance, with policies in place to protect personal information.
  • Identifying Purposes: We identify and document the purposes for collecting personal information and inform customers of these purposes.
  • Consent: Informed consent is obtained with clear, concise, and user-friendly disclosures explaining why data is collected and how it will be used.
  • Limiting Collection: Only personal information necessary to fulfill an identified, legitimate purpose is collected.
  • Limiting Use, Disclosure, and Retention: Personal information is used solely for the purpose(s) for which it was collected. Once no longer needed, it is destroyed, erased, or anonymized.
  • Accuracy: We ensure the accuracy, completeness, and timeliness of personal information.
  • Safeguards: Appropriate security safeguards are implemented to protect all personal information.
  • Openness: Policies and practices related to personal information are easy to understand and readily available.
  • Individual Access: Individuals have the right to access and challenge the personal information we hold about them. Access requests are resolved within 30 days.
  • Challenging Compliance: Simple complaint handling and investigation procedures are in place.
  • Data Breach Reporting: In addition to the ten principles, PIPEDA requires us to report breaches of security safeguards that pose a real risk of significant harm to the Privacy Commissioner of Canada, to notify affected individuals as soon as feasible, and to keep a record of every such breach.

Quebec Law 25

The regulatory landscape in Quebec presents particularly stringent demands, especially concerning the "privacy by default" principle and mandatory Privacy Impact Assessments for cross-border data transfers.

  • Consent: Explicit and informed consent is mandated. Requests must be made in clear, simple, and isolated language.
  • Privacy by Default: All profiling or tracking technology must be deactivated by default, requiring explicit opt-in consent. An "accept all" or "reject all" option must be presented on the same layer of the CMP notice.
  • Sensitive Information: Express consent is required for the use of sensitive personal information for any purpose other than its original collection.
  • Minors: Personal information concerning children under 14 cannot be collected without parental consent.
  • Cross-Border Data Transfers: Privacy Impact Assessments (PIAs) are mandatory when communicating personal information outside of Quebec, including transfers to Meta's servers.
  • Penalties: Non-compliance can result in penal fines of up to CAD $25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever is greater; the Commission d'accès à l'information can also impose administrative monetary penalties of up to CAD $10,000,000 or 2% of worldwide turnover.

Questions?

Contact us at [email protected] or visit our Contact Page.