Privacy Policy
Adward
Last updated: 8 May 2026 Effective date: 8 May 2026
This Privacy Policy describes how Conversion Design d.o.o. (“Adward”, “we”, “us”, “our”), the operator of the Adward platform at adward.io, collects, uses, discloses, and protects personal data. We process personal data in accordance with the General Data Protection Regulation (“GDPR”), the Slovenian Personal Data Protection Act (ZVOP-2), and other applicable laws.
By using the Services, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
Conversion Design d.o.o. Ljubljana, Slovenia Contact: privacy@adward.io
For personal data submitted to the Services by you in the course of using the platform (such as personal data of third parties contained in your Brand Inputs), we act as a data processor on your behalf, and you act as the data controller.
2. Personal Data We Collect
2.1 Information You Provide
- Account data: name, email, password (hashed), company name (where applicable), job title (where applicable), billing address, VAT number (where applicable), country, phone (where provided).
- Payment data: processed by Stripe; we do not store full card details. We retain a payment method reference, last four digits, expiry, card brand, and billing country for invoicing and reconciliation.
- Communications: messages, support tickets, feedback, surveys, replies to transactional and marketing emails.
- Marketing preferences: consent and channel choices.
2.2 Subscription, Billing, and Usage Data
- Subscription state: tier, billing cycle (monthly, six-monthly, yearly), renewal date, price, applicable price-lock state, promotional code usage, first-time-paid flag.
- Plan history: upgrades, downgrades, cycle changes, cancellations, reactivations, deferred changes, and the timestamps and reasons for each.
- Credit ledger: monthly credit allocations and drip events, top-up purchases, credit consumption per generation, rollovers from subscription credits to top-up pool, signup bonuses, goodwill credits, refunds applied to credit balances.
- Transactions: invoices, receipts, charges, refunds, chargebacks, and disputes.
- Refund history: requests submitted, decisions made, reasons recorded, and any related communications.
- Usage analytics: features used, generations performed, prompts submitted, templates and styles selected, time on platform, error events, performance signals, burn-rate metrics over short and long windows.
2.3 Customer Content
- Brand Inputs: logos, briefs, product images, prompts, reference materials, and other content submitted to generate output.
- Generated Content: outputs created by the Services and metadata about how they were produced.
Where Brand Inputs or Generated Content contain personal data of third parties (such as employee photos, customer testimonials, or model imagery), we process that data on your behalf as a processor.
2.4 Information Collected Automatically
- Technical data: IP address, browser type, operating system, device identifiers, time zone, language, referring URL.
- Cookies and similar technologies: see our Cookie Notice at adward.io/cookies.
2.5 Information From Third Parties
- Authentication providers: if you sign in via Google or another single sign-on provider, we receive name, email, and profile picture as authorized.
- Payment processors: Stripe transmits transaction status, fraud signals, chargeback notifications, and risk scores associated with your payment activity.
- Advertising platforms: where you reach Adward through a paid campaign on Meta, Google, TikTok, or similar platforms, we may receive attribution and conversion data from those platforms in accordance with their terms.
3. Why We Process Personal Data
We process personal data only where we have a lawful basis under Article 6 GDPR.
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Services | Contract performance |
| Account creation, authentication, and access management | Contract performance |
| Processing payments, subscriptions, renewals, and refunds | Contract performance; legal obligation |
| Subscription administration (drips, rollover, plan changes, cycle locks, price lock) | Contract performance |
| Anti-fraud, anti-abuse, and security monitoring | Legitimate interests; legal obligation |
| Refund eligibility review and decision-making | Legitimate interests; contract performance |
| Service improvement, debugging, and analytics | Legitimate interests |
| Usage analytics, burn-rate analysis, and tier recommendations | Legitimate interests |
| Customer support and communications | Contract performance; legitimate interests |
| Renewal notifications and other transactional communications | Contract performance; legitimate interests |
| Marketing to existing customers | Legitimate interests, with right to object |
| Marketing to prospects | Consent |
| Advertising campaign measurement and attribution | Legitimate interests; consent where required |
| Legal compliance, accounting, dispute resolution | Legal obligation; legitimate interests |
| Corporate transactions | Legitimate interests |
Where we rely on legitimate interests, we have conducted a balancing assessment against the rights and freedoms of data subjects. You may request information about this assessment by contacting privacy@adward.io.
4. AI Processing and Automated Decision-Making
The Services use generative AI to produce content based on your inputs. The Services do not make automated decisions that produce legal or similarly significant effects on data subjects within the meaning of Article 22 GDPR.
In particular:
- Tier recommendations displayed in the upgrade modal are suggestions based on your usage patterns. They do not change your subscription unless you explicitly confirm a change.
- Refund decisions are made by Adward personnel after review of the request and any anti-abuse signals. Where signals indicate potential abuse (such as repeated subscribe-refund cycles, multiple accounts associated with the same payment method, or unusual generation volume preceding a refund request), the request is referred to manual review. The final decision is human, not solely automated.
- Anti-fraud and anti-abuse detection uses signals such as IP address, device fingerprint, payment method patterns, and account behavior to flag potentially abusive activity. Flags trigger human review and do not, by themselves, restrict your account.
- Account suspension or termination under our Acceptable Use Policy is decided by Adward personnel.
We do not use customer content containing identifiable personal data of third parties for AI model training. Aggregated, anonymized, or de-identified derivatives may be used for service improvement.
If you submit personal data of third parties (such as photographs, names, or testimonials), you are responsible for establishing a lawful basis, providing appropriate notices, and obtaining consents required by law.
5. How We Share Personal Data
5.1 We Do Not Sell Personal Data
5.2 Service Providers and Subprocessors
We share personal data with trusted providers who help us deliver the Services. The current list is at adward.io/subprocessors and includes:
- Infrastructure: Vercel, Supabase, Amazon Web Services, Cloudflare.
- AI model providers: OpenAI, Anthropic, Google, Black Forest Labs, FAL, Replicate, RunwayML, Stability AI.
- Payment processing: Stripe (including Stripe Billing, Stripe Customer Portal, and Stripe Radar fraud detection).
- Email and communications: transactional and marketing email providers.
- Analytics and monitoring: product analytics, error tracking, performance monitoring providers.
- Customer support: support ticketing platforms.
- Advertising platforms: Meta, Google, TikTok, and similar, for attribution and remarketing in accordance with the Cookie Notice.
Subprocessors process personal data only on our documented instructions. When you access the Stripe Customer Portal to manage your subscription or payment method, you are interacting directly with Stripe, and Stripe’s privacy practices apply to that interaction in addition to ours.
5.3 Legal and Regulatory Disclosures
We may disclose personal data where required by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to comply with legal obligations, enforce our Terms, protect rights and safety, or investigate fraud or abuse.
5.4 Corporate Transactions
In connection with a merger, acquisition, sale of assets, financing, reorganization, bankruptcy, or insolvency, personal data may be transferred to the relevant counterparty or successor.
5.5 With Your Consent
We share personal data with additional parties where you have given us your consent.
6. International Transfers
Some of our subprocessors are located outside the European Economic Area, including in the United States and the United Kingdom. We rely on appropriate safeguards under Article 46 GDPR, including:
- Standard Contractual Clauses adopted by the European Commission;
- The EU-US Data Privacy Framework, where the recipient is certified;
- Supplementary technical and organizational measures, including encryption.
You may request a copy of the applicable safeguards by contacting privacy@adward.io.
7. How Long We Retain Personal Data
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including legal, accounting, or reporting obligations.
| Category | Retention |
|---|---|
| Active account data | Duration of account plus 30 days |
| Account data after termination | Up to 12 months for legal and dispute purposes |
| Subscription state and plan history | Duration of account plus 12 months |
| Credit ledger and transaction records | Duration of account plus 12 months, then archived in aggregated form |
| Invoices, receipts, and tax records | 10 years (Slovenian tax law) |
| Refund requests and decisions | 5 years for audit and compliance |
| Anti-fraud signals and risk scores | Up to 24 months, or longer where required for ongoing investigations |
| Customer content (Brand Inputs and Generated Content) | Duration of subscription plus 30 days |
| Communications and support records | Up to 3 years |
| Marketing data | Until consent withdrawal or objection, plus reasonable archive |
| Server logs and security data | Up to 12 months |
| Backup copies | Up to 90 days after deletion from primary systems |
After applicable retention periods, we delete, anonymize, or aggregate personal data in a manner that no longer permits identification, except where retention is required by law.
8. Security
We implement industry-standard technical and organizational measures, including:
- Encryption in transit (TLS) and at rest;
- Role-based access controls and multi-factor authentication for administrative access;
- Network segmentation, firewalling, and intrusion detection;
- Regular security testing, vulnerability management, and patching;
- Logging, monitoring, and incident response procedures;
- Confidentiality obligations and security awareness training for personnel;
- Vendor due diligence and contractual safeguards.
No system is completely secure. While we strive to protect personal data, we cannot guarantee absolute security.
9. Your Rights
Subject to applicable law, you have the following rights:
- Access: to obtain confirmation of processing and a copy of your personal data.
- Rectification: to request correction of inaccurate or incomplete data.
- Erasure: to request deletion, subject to legal grounds for retention (including tax, accounting, and dispute resolution requirements that may oblige us to retain billing and transaction data for up to 10 years).
- Restriction: to request that we limit processing in certain circumstances.
- Data portability: to receive your data in a structured, machine-readable format.
- Objection: to object to processing based on legitimate interests, including direct marketing at any time.
- Withdraw consent: where processing is based on consent, you may withdraw at any time, without affecting the lawfulness of processing before withdrawal.
- Not be subject to automated decision-making producing legal or similarly significant effects (see Section 4).
- Lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec, ip-rs.si) or your local supervisory authority.
To exercise these rights, contact privacy@adward.io. We respond within one (1) month, with the possibility of a two (2) month extension where necessary.
We may request information to verify your identity. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request.
10. Cookies
We use cookies and similar technologies as described in our Cookie Notice at adward.io/cookies. You can manage preferences through our cookie banner or browser settings.
11. Marketing and Transactional Communications
11.1 Transactional Emails
We send transactional emails to keep you informed about your Account and Subscription. These include welcome messages, payment confirmations, invoices, renewal notifications (sent in advance of automatic renewal of yearly subscriptions), credit and usage alerts, security notifications, and policy updates. Transactional emails are sent on the basis of contract performance and legitimate interests and cannot be opted out of while your Account is active, except by closing your Account.
11.2 Marketing Emails
We may send marketing communications about features, updates, offers, events, and content we believe may interest you. You can opt out at any time by clicking the unsubscribe link in any marketing email, updating your account settings, or contacting privacy@adward.io. Opting out does not affect transactional communications described in Section 11.1.
12. Children
The Services are not intended for individuals under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@adward.io.
13. Third-Party Links
The Services may contain links to third-party websites or content, including the Stripe Customer Portal for managing your subscription. We are not responsible for the privacy practices of third parties. Please review their policies before interacting with them.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by a revised “Last updated” date. For material changes, we will provide additional notice (such as by email or in the Services) at least fourteen (14) days before the changes take effect, except where immediate effect is required by law.
15. Contact
For questions or to exercise your rights:
Conversion Design d.o.o. Ljubljana, Slovenia privacy@adward.io
For complaints, you may contact:
Informacijski pooblaščenec (Information Commissioner of the Republic of Slovenia) Dunajska cesta 22, 1000 Ljubljana gp.ip@ip-rs.si ip-rs.si