Privacy Policy
Last updated: June 2026
1. Controller
Tiki-Taka Media GmbH, Curschmannstraße 9, 20251 Hamburg, Germany ("we", "us") is the controller within the meaning of Art. 4(7) GDPR for all personal data processed through the CrunchJunky platform (app.crunchjunky.io) and the website crunchjunky.io ("Service").
Contact: hello@crunchjunky.io
We have assessed our processing activities and have determined that, at the current scale of operations, the appointment of a Data Protection Officer is not mandatorily required under Art. 37 GDPR. We keep this assessment under review as the business grows. For all data-protection enquiries, please contact hello@crunchjunky.io.
2. Data we collect and why
We process personal data for the following purposes and on the following legal bases:
2.1 Account management (Art. 6(1)(b) GDPR — contract performance)
We process your name, email address, and (where applicable) a password hash in order to create and maintain your account and provide you with access to the Service. OAuth sign-in (Google) gives us your name, email, and profile picture; we do not receive your social-media password.
2.2 Delivery of the Service (Art. 6(1)(b) GDPR — contract performance)
We store the advertising and analytics data you import (ad-account metrics, client names, campaign names, report content) and use it exclusively to render reports and provide the features you have subscribed to. This data originates from the advertising platforms you connect (e.g. Google Ads, Meta, LinkedIn) under OAuth authorisation you have granted.
2.3 Billing and invoicing (Art. 6(1)(b) GDPR — contract, Art. 6(1)(c) GDPR — legal obligation)
We pass your payment information to our payment processor Stripe, Inc. We retain invoice-relevant data (plan, amount, date) for 10 years to comply with German commercial-law retention obligations (§ 257 HGB, § 147 AO).
2.4 Service improvement and security (Art. 6(1)(f) GDPR — legitimate interest)
We collect page-view data, feature-interaction logs, and error reports. Our legitimate interest is to diagnose bugs, prevent abuse, and improve the product. This data is not used for advertising profiling.
2.5 Direct communication (Art. 6(1)(f) GDPR — legitimate interest, or Art. 6(1)(a) GDPR — consent where required)
We send transactional emails (password resets, scheduled report delivery, critical service notices). Promotional emails are only sent with your explicit consent. You may withdraw consent at any time via the unsubscribe link or by emailing hello@crunchjunky.io.
2.6 AI API keys (Art. 6(1)(b) GDPR — contract performance)
If you optionally connect your own AI provider key (e.g. Anthropic, OpenAI, Google), we store that key in encrypted form and use it solely to fulfil AI-feature requests you initiate. We do not use this key for any other purpose.
3. Data sharing and sub-processors
We do not sell your personal data. We share data only with the following categories of recipients:
3.1 Infrastructure sub-processors
As required by Art. 28 GDPR, we have concluded Data Processing Agreements with all sub-processors who handle personal data on our behalf. The current list:
• Vercel Inc. (USA) — Hosting, CDN, serverless functions. EU data region (Frankfurt). Transfer safeguard: EU–US Data Privacy Framework + Standard Contractual Clauses. DPA: vercel.com/legal/dpa
• Neon Inc. (USA) — PostgreSQL database. EU data region (Frankfurt, eu-central-1). Transfer safeguard: Standard Contractual Clauses. DPA: neon.tech/dpa
• Stripe, Inc. (USA) — Payment processing. Transfer safeguard: Standard Contractual Clauses. DPA: stripe.com/legal/dpa
• Resend Inc. (USA) — Transactional email delivery. Transfer safeguard: Standard Contractual Clauses.
3.2 Your AI provider (when you connect your own key)
When you initiate an AI feature, your query and relevant report data are sent to the API endpoint of the provider whose key you have configured (e.g. api.anthropic.com, api.openai.com). You are the controller of that processing; please review your AI provider's privacy policy and terms of service separately. CrunchJunky does not send data to AI providers without your explicit action.
3.3 Law enforcement
We may disclose data if required by a valid legal order, court ruling, or applicable law. We will, where legally permitted, notify you before complying.
3.4 Business transfers
If CrunchJunky is sold, merged, or restructured, your data may transfer to the successor entity under the same privacy commitments.
4. International data transfers
Our primary infrastructure (Vercel, Neon) is deployed in the EU (Frankfurt). Where data is transferred to sub-processors in third countries (primarily the United States), we rely on:
• EU Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914.
• The EU–US Data Privacy Framework (DPF) where the sub-processor is certified.
You may request a copy of the applicable transfer mechanism by emailing hello@crunchjunky.io.
5. Data retention
• Account and workspace data: retained for the duration of your subscription and deleted or anonymised within 30 days of account deletion.
• Ad-metric data you import: retained for up to 36 months, then deleted.
• Billing records: retained for 10 years (§ 257 HGB, § 147 AO).
• Server logs and error traces: retained for 90 days.
• AI API keys: deleted immediately upon removal or account deletion.
Where you request deletion before these periods expire, we will honour your request except where a longer retention period is required by law.
6. Cookies and tracking
CrunchJunky uses cookies and similar storage technologies for the following purposes:
• Session cookie (strictly necessary): keeps you logged in. Without this cookie the Service cannot function. No consent required under § 25(2) TTDSG.
• CSRF token (strictly necessary): protects your account from cross-site request attacks. No consent required.
• Performance / analytics cookies: we use privacy-respecting analytics to understand how the product is used. These cookies are only set with your consent, which you can manage via the cookie-preference centre on our website.
We do not use third-party advertising or retargeting cookies.
You can withdraw consent for non-essential cookies at any time via the cookie-preference centre or by clearing your browser's cookie storage.
7. Security and technical/organisational measures
We implement the following technical and organisational measures (TOMs) in accordance with Art. 32 GDPR:
• Encryption in transit: all connections use TLS 1.2 or higher (HSTS enforced).
• Encryption at rest: OAuth tokens, refresh tokens, and AI API keys are encrypted with AES-256 before storage. Passwords are hashed with bcrypt (cost factor 12) and never stored in plain text.
• Tenant isolation: all database queries are scoped to the authenticated team ID at the application layer; cross-tenant data access is architecturally prevented.
• Access control: production database access is restricted to a minimal set of authorised personnel; multi-factor authentication is required; access is logged and reviewed.
• Rate limiting: authentication endpoints and critical API routes are rate-limited per IP to prevent brute-force and credential-stuffing attacks.
• Incident response: a documented process is in place to detect, assess, and notify data breaches within 72 hours of discovery in accordance with Art. 33 GDPR.
A detailed description of our TOMs is available in our Data Processing Agreement (see /legal/dpa).
8. Your rights
Under GDPR you have the following rights, exercisable at any time by emailing hello@crunchjunky.io:
• Access (Art. 15): obtain a copy of the personal data we hold about you.
• Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17): ask us to delete your data ("right to be forgotten") where no overriding legal basis applies.
• Restriction of processing (Art. 18): ask us to restrict how we process your data while a dispute is resolved.
• Data portability (Art. 20): receive your data in a structured, machine-readable format.
• Objection (Art. 21): object to processing based on legitimate interest; we will stop unless we demonstrate compelling grounds.
• Withdrawal of consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
We respond to all verifiable requests within 30 days (extendable by 2 months for complex requests, with notice).
You also have the right to lodge a complaint with your local supervisory authority. In Germany, the federal supervisory authority is:
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Husarenstraße 30, 53117 Bonn
www.bfdi.bund.de
9. Automated decision-making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR.
10. Links to third-party services
The Service integrates with third-party advertising and analytics platforms (Google Ads, Meta, LinkedIn, TikTok, etc.). When you connect these platforms via OAuth, their own privacy policies govern the data held within their systems. We are not responsible for their data-processing practices.
11. Google user data — Limited Use
When you connect a Google account (Google Ads, Google Analytics 4, or Google Search Console), CrunchJunky requests read-only access to your own advertising and analytics data via Google APIs in order to display those metrics back to you inside the reports and dashboards you build.
CrunchJunky's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically:
• We only access the Google user data needed to provide and improve the reporting features you have requested.
• We do not sell Google user data, and we do not use it for advertising.
• We do not transfer Google user data to third parties except as necessary to provide or improve the Service (our sub-processors listed in section 3), to comply with applicable law, or as part of a merger/acquisition under equivalent commitments.
• We do not allow humans to read your Google user data unless we have your affirmative agreement for specific data, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or the data is aggregated and anonymised for internal operations.
• OAuth tokens are stored encrypted, used solely to fulfil the features you initiate, and can be revoked at any time from your Google Account settings or by disconnecting the integration in CrunchJunky.
12. Changes to this policy
We may update this policy as our Service evolves or legal requirements change. Material changes will be communicated by email or in-app notice at least 14 days before taking effect. The "last updated" date at the top of this page indicates when the most recent revision was made. Continued use of the Service after the effective date constitutes acknowledgement of the updated policy.