Privacy Policy
Last updated: 11 May 2026
1. Who we are (Data Controller)#
The Service is operated by SERVO Group, SIA ("Servo", "we", "us"), a Latvian limited liability company registered with the Commercial Register of Latvia under registration number 40203738300.
2. What this policy covers#
This Privacy Policy explains how we collect, use, store, and share data when you use the Servo web app and related services (the "Service"), including when you connect advertising accounts (currently Meta / Facebook & Instagram), connect Google services (Google Sign-In, Google Analytics), or upload CSV files for analytics.
3. Data we collect#
A) Account & workspace data
Name (if provided), email address, authentication identifiers, workspace/team membership and roles.
B) Advertising data (Meta Marketing API)
When you connect a Meta account, we retrieve and store: Campaign/Ad Set/Ad names and IDs, structured performance metrics (Spend, ROAS, CPC, impressions, clicks, conversions), and creative fields (thumbnail_url, title, body).
C) Google Analytics data (GA4)
When you connect a Google Analytics property, we retrieve read-only analytics data including website traffic metrics, page views, session counts, user counts, event data, user demographics (age brackets, gender), geographic location (country), device categories, traffic sources and channels, and user engagement status (new vs. returning visitors). We access this data using the Google Analytics Data API with the analytics.readonly scope. See Section 7 for full details on Google user data handling.
D) CSV uploads
If you upload CSV files for analytics, we process them to generate insights. We focus on performance metrics and do not intentionally extract PII for profiling.
E) Technical & usage data
Device/browser metadata, timestamps, error logs, and first-party analytics events for product reliability.
4. How we use data#
We use data to: provide the Service (dashboards, reporting, insights), maintain accounts/workspaces, secure the Service, provide customer support, and manage billing/subscriptions.
5. Legal bases (EEA/UK)#
Where GDPR applies, we rely on:
- Contract necessity— providing the Service, account management, billing
- Legitimate interests— security, fraud prevention, error monitoring
- Consent— analytics cookies and usage tracking (opt in/out via cookie banner)
- Legal obligation— accounting/tax requirements
6. AI processing (Google Gemini)#
Servo uses Google Gemini API to generate analytics insights. Inputs may include performance metrics, ad copy, and ad images. We do not intend to send personal identifiers. Google may retain prompts for abuse monitoring for up to 55 days.
7. Google user data#
When you connect your Google account to Servo, we access, use, and store certain Google user data as described below.
A) Data accessed
- Google Sign-In: your name, email address, and profile picture (used for account authentication).
- Google Analytics (GA4): read-only analytics property data including traffic metrics, page views, sessions, users, events, demographics (age brackets, gender), geography (country), device categories, traffic sources/channels, and engagement status. Scope:
analytics.readonly. We do not access or modify your GA configuration.
B) How we use Google user data
- Google Sign-In data is used solely to authenticate you and create your Servo account.
- GA4 analytics data is used to display cross-platform performance dashboards, generate AI-powered marketing insights, and provide campaign optimization recommendations within the Servo app.
- We do not use Google user data for advertising, to build user profiles for third parties, or for any purpose unrelated to the core functionality of the Service.
C) Data sharing
Google user data is not sold, rented, or shared with third parties except as required to operate the Service:
- Google Gemini API: anonymized, aggregated analytics metrics may be included in AI prompts to generate insights. No personal identifiers are sent.
- Firebase / Google Cloud: data is stored on Google Cloud infrastructure as part of our hosting.
We do not share Google user data with any other third parties, data brokers, or advertising networks.
D) Data storage and protection
Google OAuth tokens (access and refresh tokens) are stored securely in Firestore with encryption at rest. Tokens are scoped to the minimum permissions required (read-only analytics access). All communication with Google APIs uses HTTPS/TLS encryption in transit. Access to stored tokens is restricted to authenticated backend functions and is not accessible from the client side.
E) Data retention and deletion
Google OAuth tokens are retained while your Google account remains connected to Servo. You can disconnect your Google account at any time from your account settings, which immediately revokes and deletes stored tokens. When you delete your Servo account, all Google user data (tokens, cached analytics data) is permanently deleted as part of our standard account deletion process. You may also request deletion at any time by emailing servo@servoad.com.
8. Sharing and disclosures#
We share data only with service providers necessary to operate the Service (Subprocessors):
| Service | Purpose | Data location |
|---|---|---|
| Google Cloud / Firebase | Authentication, database, file storage, hosting | US (us-central1) |
| Google Analytics Data API | Read-only GA4 website analytics | US |
| Google Vertex AI (Gemini models) | AI-powered analytics and insights. Inputs are not used to train foundation models. | US (us-central1) |
| Stripe | Payment processing, subscriptions | US / EU |
| Meta Platforms | Ad campaign data retrieval and publishing | US |
| Resend | Transactional and newsletter email delivery | US / EU |
| Sentry | Application error tracking and performance monitoring (stack traces, user IDs, breadcrumbs) | US / EU |
| Microsoft Clarity | Product analytics: aggregated heatmaps and session replays (sensitive inputs auto-masked, no PII captured) | US / EU |
| Google Fonts | Font delivery (IP address only) | Global CDN |
We may disclose information if required by law or valid legal process.
9. International transfers#
Our infrastructure is on Google Cloud / Firebase (multi-region). Some vendors may process data outside Latvia / the EEA. We use appropriate contractual safeguards (EU Standard Contractual Clauses) where required.
10. Data security#
We use technical and organizational measures including: Firestore encryption at rest, encryption in transit, secure token storage, and role-based access controls.
11. Data retention#
Account data: retained until you request deletion. Advertising analytics: retained for historical reporting while your account is active. Logs: retained for a limited period for security and troubleshooting.
12. Your rights (EEA/UK)#
If GDPR applies, you may have rights to access, rectify, erase, restrict processing, object, and data portability. We respond to requests within one month.
To exercise these rights, email servo@servoad.com.
You have the right to lodge a complaint with your supervisory authority — in Latvia, this is Datu valsts inspekcija (dvi.gov.lv).
13. Cookies & similar technologies#
When you first visit Servo, a consent banner lets you choose which cookie categories to enable:
- Necessary(always active) — Firebase Auth session, campaign draft persistence, OAuth flow tokens. Required for the Service to function.
- Analytics(opt-in) — Firebase Analytics, first-party usage tracking, and Microsoft Clarity (heatmaps and session replays with sensitive inputs auto-masked). Helps us improve the product.
- Marketing(opt-in) — Currently unused. Prepared for potential future integrations. Disabled by default.
You can change your preferences at any time from your account settings. We do not use third-party marketing cookies.
14. Account & data deletion#
You can request deletion of your account and all associated data:
- Self-service— use "Delete Account" in your account settings. This initiates a 14-day grace period, after which all data is permanently deleted.
- Email— email us with subject "Data Deletion Request" at servo@servoad.com.
Deletion covers: Firestore data (profile, campaigns, creatives, reports), Firebase Storage files, Stripe subscription cancellation, and Firebase Auth account.
15. Changes to this policy#
We may update this policy from time to time. Material changes will be posted with an updated "Last updated" date.