Privacy Policy

Effective date: 9 November 2025

This Privacy Policy explains how Luca Bonura Onlinehandel (trading as Adlarion) processes personal data in connection with our website and SaaS platform when we are subject to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1) Who we are (Controller)

Controller: Luca Bonura Onlinehandel (sole proprietorship)
Address: Große Bleiche 5, 65719 Hofheim am Taunus, Germany
Email: info@adlarion.com
Telephone: +49 176 81255742

We provide a software‑as‑a‑service platform for small businesses under the brand Adlarion.

Roles: For data processed on behalf of our business customers inside the Adlarion platform, we generally act as a processor and our customer is the controller. This Policy governs our processing as controller (e.g., website visits, account sign‑ups, billing and support). Processor relationships are governed by a separate Data Processing Agreement (DPA) with our customers (https://adlarion.com/legal/dpa).

2) UK Representative (Article 27 UK GDPR)

UK Representative: Not appointed at this time. We will reassess periodically and update this section if an appointment becomes necessary.

3) Personal data we collect

Depending on how you interact with us, we may process:

  • Account & profile data: name, business name, email, hashed password, role, preferences.

  • Contact & enquiry data: email address, phone number, message content, metadata (time, IP).

  • Subscription & billing data: billing address, VAT ID, plan, transaction metadata. We do not store full card numbers.

  • Usage & device data: IP address, device identifiers, browser/OS, referral URLs, pages viewed, timestamps, log files.

  • Cookies/online identifiers: cookie IDs and analytics/advertising identifiers (see Section 8 and the Cookie Policy).

  • Support & communications: tickets, emails, chat logs, and related metadata.

We do not intentionally collect special category data. Please avoid submitting such data unless strictly necessary and instructed by your controller.

4) Purposes and legal bases (UK GDPR, Art. 6)

We use personal data for:

  • Service delivery & contracts (Art. 6(1)(b)): create/manage accounts, authenticate users, provide platform features, billing, and customer support.

  • Security & operations (Art. 6(1)(f)): operate, maintain, and secure the website/platform; prevent fraud/abuse; debug and ensure availability (our legitimate interest in a secure, reliable service).

  • Analytics & performance (Art. 6(1)(a)): with your consent, measure and improve performance using tools such as Google Analytics (IP anonymisation enabled in GA4).

  • Advertising/measurement (Art. 6(1)(a)): with your consent, deploy advertising/measurement tags (e.g., Meta, Google Ads, Taboola) to measure campaign performance and, where enabled, improve ad delivery.

  • Marketing communications (Art. 6(1)(a) or 6(1)(f) as permitted): send newsletters or updates if you opt in; you can opt out anytime.

  • Legal compliance (Art. 6(1)(c)): meet accounting/tax requirements; respond to lawful requests and enforce terms.

DSR handling: We respond to data‑subject requests within one month (extendable by up to two months where requests are complex) and may take reasonable steps to verify identity.

Where we rely on legitimate interests, we balance our interests with your rights and implement safeguards.

5) How we obtain data

  • Directly from you: when you browse our site, create an account, purchase a subscription, or contact us.

  • Automatically: via cookies, pixels and similar technologies (see Section 8).

  • From processors: e.g., payment providers for transaction reconciliation or email delivery providers for sending service emails.

6) Disclosure to third parties

We share data only as necessary, under agreements that include appropriate safeguards:

  • Hosting & infrastructure: Bubble (application hosting) and Framer (website hosting), with cloud/CDN resources in the EEA and the UK where available.

  • Service providers / processors:

    • Email delivery & communications: SendGrid, Twilio

    • Marketing email/newsletters (planned): Mailchimp

    • Outreach tooling: Instantly

    • Analytics: Google Analytics

    • Payments: Stripe

    • Logging/monitoring/security tools as applicable

  • Business customers (platform use): when we act as processor, we process data on the customer’s instructions.

  • Legal/compliance: where required by law or to protect rights, safety, and security.

  • Corporate events: in case of reorganisation, merger, or sale of assets, subject to applicable law.

A current list of sub‑processors is available here: https://adlarion.com/legal/subprocessors.

7) Payments

Payments are processed by Stripe (Stripe Payments Europe, Limited and/or Stripe Payments UK, Limited, depending on your location). We receive limited payment metadata (e.g., transaction ID, status) but do not store full card details.

Payment methods via Stripe may include cards as well as Klarna, PayPal, and bank/direct debit where available (availability depends on your country and Stripe’s offering).
Stripe Privacy Notice: https://stripe.com/privacy

8) Cookies, tracking & consent (PECR)

We use cookies and similar technologies:

  • Strictly necessary cookies (no consent required): essential for core functionality, authentication and secure payments. This includes session/authentication cookies from Bubble/Framer and security cookies from Stripe (e.g., __stripe_mid, __stripe_sid).
    Legal basis: performance of a contract (session/checkout) and our legitimate interests in security and fraud prevention (Art. 6(1)(f)).

  • Analytics/performance cookies (consent): e.g., Google Analytics to understand usage and improve our services.

  • Advertising/measurement cookies (consent): e.g., Google Ads tags, Meta Pixel, Taboola Pixel to measure campaign performance and, where enabled, improve ad delivery. Tags may be deployed via Google Tag Manager (GTM); GTM itself does not set cookies.

We obtain consent for non‑essential cookies via our cookie banner (Framer), which provides “Accept all”, “Reject all”, and granular choices. You can withdraw or update your consent at any time via Cookie Settings (https://adlarion.com/cookie-settings). We log consent signals (e.g., cookie/marketing choices) and retain proof for at least 24 months. You can also configure your browser to block or delete cookies.
For cookie names, providers, purposes, and lifetimes, see our Cookie Policy (UK) (https://adlarion.com/legal/cookies-uk).

Account connections & API access (Meta/Google)

We offer integrations with Meta (Facebook/Instagram) and Google (Ads/Analytics/Tag Manager). When you connect your accounts, you complete the provider’s OAuth flow. We receive access tokens (and, where applicable, refresh tokens) for the scopes you authorise; we do not receive or store passwords.

Categories of data (depending on scopes you grant): ad-account IDs, campaign/ad set/ad metadata, performance metrics (e.g., impressions, clicks, conversions), pixel/tag events, audience/attribution data, and limited account/billing identifiers to the extent authorised.

Purposes & legal bases: provide platform features (campaign management, reporting, automation) — Art. 6(1)(b) UK GDPR; operate, secure and troubleshoot the service — Art. 6(1)(f) UK GDPR (legitimate interests).

Recipients/categories: Meta Platforms Ireland Ltd.; Google Ireland Ltd. (and affiliates). International transfers (e.g., to the United States) rely on appropriate safeguards such as the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum, and — where applicable — certification under the UK‑US Data Bridge.

Revocation & disconnect: you can revoke access anytime in your Meta Business integrations or Google account security settings, and you can also disconnect the integration within Adlarion.

Retention: tokens are stored encrypted and deleted upon revocation, account closure, or prolonged inactivity (e.g., 24 months). Retrieved metrics/log data are retained only as needed for reporting/billing/diagnostics (see Retention).

Joint controllership (Meta): for certain event data (e.g., website event data), we may act as joint controllers with Meta under the applicable Joint Controller Addendum (JCA); see Meta’s documentation for the essence of the arrangement.

Media library & user content (uploads)

We provide a Media Library where you can upload and manage creative assets (e.g., images, videos, logos). We may process file metadata (e.g., filename, size, type, dimensions), EXIF/IPTC data where present, user‑supplied tags/folders, approval status, versions, and derivatives we generate (e.g., thumbnails, renditions, ad creatives). For service integrity we may perform malware scanning and basic content validation; key user actions (e.g., approvals) may be logged with a timestamp and user ID.

Purposes & legal bases: deliver core features (storage, organisation, approvals, creative generation) — Art. 6(1)(b) UK GDPR; ensure security, availability, and abuse prevention — Art. 6(1)(f); comply with legal obligations (e.g., notice‑and‑takedown) — Art. 6(1)(c).

Recipients/categories: hosting/CDN and image processing/rendering providers acting as processors (see sub‑processor list: https://adlarion.com/legal/subprocessors). International transfers (e.g., to the United States) rely on IDTA or SCC + UK Addendum, and where applicable, the UK‑US Data Bridge.

Retention: assets remain while your account is active and until you delete them; residual copies may persist briefly in backups/logs. Generated derivatives are deleted or regenerated when you remove the source file.

Your responsibilities: if you upload third‑party personal data (e.g., photos of employees/customers), you must have a lawful basis and provide required notices/consents. Avoid uploading special category data unless strictly necessary and lawful; do not upload minors’ data without an appropriate basis. Access is limited to authorised users in your account; sharing/publishing is under your control.

AI/training: We do not use your uploaded content to train general‑purpose AI models. If this changes, we will obtain explicit consent and update this Policy in advance.

Direct Marketing (PECR)

We send electronic direct marketing only in line with PECR. For B2C contacts, we rely on prior consent or the soft opt‑in where permitted. For B2B contacts, we rely on legitimate interests with a clear and easy opt‑out. Every marketing message includes an unsubscribe link, and you can opt out at any time.

9) International data transfers

We are established in Germany (EEA) and may process data in the EEA and the UK. Where data is transferred outside the UK/EEA (e.g., to service providers in the United States), we use appropriate safeguards such as the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum, and implement supplementary measures where necessary. Where a service provider is certified under the UK‑US Data Bridge (UK extension to the EU‑US Data Privacy Framework), we may rely on that certification.

10) Retention

We keep personal data only as long as necessary for the purposes described above and to satisfy legal requirements:

  • Account data: retained for the life of the account and deleted upon account closure (subject to legal holds).

  • Billing & transactional records: retained as required by applicable accounting/tax laws (typically up to 6 years in the UK).

  • Support & communications: retained for operational needs (e.g., 12 months) and longer where required to resolve issues or comply with law.

  • Marketing contact data: retained until you opt out or until 24 months of inactivity have passed (whichever comes first).

  • Logs/security telemetry: around 12 months (shorter/longer where necessary for security/investigation).

  • Analytics & advertising identifiers: per tool settings and your consent (e.g., 12–26 months).

Backups: we retain encrypted backups for a limited period (typically 30–90 days) for disaster recovery; deletions may propagate to backups with a delay.

When data is no longer needed, we delete or anonymise it unless legal obligations require longer storage.

11) Your rights (UK GDPR)

Subject to conditions and legal exemptions, you have the right to:

  • Access your personal data (copy and information about processing)

  • Rectify inaccurate or incomplete data

  • Erase data (right to be forgotten) in certain circumstances

  • Restrict processing in certain circumstances

  • Data portability for data you provided to us

  • Object to processing based on legitimate interests and to direct marketing

  • Withdraw consent at any time (without affecting prior processing)

How to exercise your rights: contact us at info@adlarion.com. We may need to verify your identity. If your data is processed on the Adlarion platform under a contract with one of our business customers, please contact that customer (controller) directly, as we act as their processor.

12) Complaints

If you have concerns about our data practices, please contact us first. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
www.ico.org.uk — ICO Helpline: 0303 123 1113.

13) Security

We implement appropriate technical and organisational measures to protect personal data (e.g., encryption in transit, access controls, least‑privilege, backups, monitoring). No method of transmission over the internet is 100% secure; we work continuously to improve our safeguards.

14) Children

Our services are not directed to children under 13, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us so we can delete it.

15) Personal data breaches

We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours. Where the risk is high, we will also inform affected individuals without undue delay.

16) Changes to this Policy

We may update this Policy from time to time. The effective date appears at the top. Where appropriate, we will notify you of material changes.

17) Contact

Questions about this Policy or our data practices?
Email: info@adlarion.com
Postal: Luca Bonura Onlinehandel, Große Bleiche 5, 65719 Hofheim am Taunus, Germany