Privacy Policy - Virtual 360 ADS

1. Introduction

Virtual 360 ADS ("we", "us", "our") operates the website https://virtual360ads.com and the Virtual 360 ADS platform (the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to this Privacy Policy. If you disagree, please discontinue use.

This policy applies to all users worldwide, with additional provisions for specific regions detailed in the regional sections below.

2. Data Controller

Virtual 360 ADS is a product of VIRTUAL RL ESPECIALIZADA LTDA, a company registered in Brazil under CNPJ 52.197.772/0001-69. Virtual 360 ADS is part of the Virtual 360 Zone group (www.virtual360zone.com), with over 10 years of experience in national and international digital marketing projects.

Contact: contact@virtual360ads.com.
Country of operation: Brazil.
We process data globally and comply with applicable data protection laws in all regions where we operate.

3. Information We Collect

3.1 Information You Provide Directly

Account registration: full name, email address, password (stored as a bcrypt hash, never in plain text).
Profile information: optional business details you choose to provide.
Billing information: payment processing is handled entirely by Stripe Inc. We do NOT store credit card numbers, bank account details, or full payment credentials. We only store Stripe customer IDs and payment method metadata (card brand and last 4 digits) for display purposes.
Team management: names and email addresses of team members you invite.
Support communications: content of emails and messages you send to our support team.
Custom KPIs and business settings: marketing metrics and goals you configure within the platform.

3.2 Information Collected Automatically

Log data: browser type, device type, operating system, referring URL, pages visited within our platform, timestamps.
IP addresses: hashed using SHA 256 with a unique salt before storage (for conversion tracking features). We do NOT store raw IP addresses.
Cookie data: essential session cookies and, with your consent, analytics cookies. See our Cookie Policy for details.
Device information: screen resolution, language settings, timezone (collected via standard browser APIs).

3.3 Information from Third Party Integrations (OAuth Connected Platforms)

When you connect third party platforms through OAuth authorization (such as Google Analytics, Google Ads, Google Search Console, YouTube Analytics, Google Business Profile, Meta Ads, Instagram, and others), we access data from those platforms ONLY within the scopes you explicitly authorize.
Google API Services: We access Google user data through authorized OAuth 2.0 scopes. The specific data accessed depends on which Google services you connect. See Section 5 (Google API Services) and our dedicated Google API Services Usage Disclosure page for complete details.
Meta Platform Data: When you connect Facebook or Instagram accounts, we access advertising campaign data, page insights, and audience metrics as authorized through Meta's OAuth flow.
Other Platforms: Each platform integration accesses only the data necessary to display your marketing analytics within our dashboard. Scopes are documented per platform in your integration settings.
You can disconnect any platform at any time through Settings > Integrations, which revokes our access to that platform's data.

3.4 Payment Processor Information

Stripe Inc. provides us with: transaction status, subscription status, invoice history, and payment method metadata (card brand, last 4 digits, expiration month/year). Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

4. How We Use Your Information

Provide, operate, and maintain the Service.
Process payments and manage your subscription through Stripe.
Display your advertising campaign data and analytics from connected platforms within our dashboard.
Generate AI powered insights and recommendations using Google Gemini API (we send ONLY aggregated campaign metrics to the API, never personal identity information, names, emails, or raw user data).
Send transactional emails: OTP verification codes, billing notifications (payment confirmations, failed payments, subscription changes), and cart recovery emails (if you use the Abandoned Cart module).
Send product updates and marketing communications ONLY with your explicit consent, and you can opt out at any time via Settings > Preferences.
Detect and prevent fraud, abuse, and security incidents.
Improve and optimize our platform's performance and user experience.
Comply with legal obligations (tax reporting, law enforcement requests).

What we never do: We do NOT sell your personal information to any third party. We do NOT use your personal information for advertising, retargeting, or interest based advertising. We do NOT use your data to determine creditworthiness or for lending purposes.

5. Google API Services Usage Disclosure

Virtual 360 ADS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We access Google user data ONLY to provide user facing features within the Virtual 360 ADS platform, specifically: displaying your Google Analytics reports, Google Search Console data, Google Ads campaign performance, YouTube channel analytics, and Google Business Profile insights in a unified dashboard.

Limited Use Compliance

Our use of Google user data is limited to providing or improving user facing features that are prominent in our platform's user interface. Specifically:

We do NOT transfer Google user data to third parties unless necessary to provide or improve user facing features, as part of a merger or acquisition with user consent, or for legal and security compliance.
We do NOT use Google user data for serving ads, including retargeting, personalized, or interest based advertising.
We do NOT allow humans to read Google user data unless: (a) we have your affirmative agreement, (b) it is necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
We do NOT use Google user data to train generalized (non personalized) artificial intelligence or machine learning models.
We do NOT sell Google user data.
We do NOT use Google user data to determine creditworthiness or for lending purposes.

Data Accessed per Google Service

Google Analytics (scope: analytics.readonly): website traffic data, user behavior metrics, audience demographics, acquisition channels, conversion data.
Google Search Console (scope: webmasters.readonly): search performance data, impressions, clicks, average position, crawl errors, indexed pages.
YouTube Analytics (scopes: yt-analytics.readonly, youtube.readonly): channel statistics, video performance metrics, audience retention, traffic sources.
Google Business Profile (scope: business.manage): business listing information, reviews, insights, local performance data.
Google Ads (scope: adwords): campaign performance, ad group metrics, keyword data, cost and conversion data.

Revoking Access

You can disconnect any Google service at any time through your Integration settings in the platform. This immediately revokes our OAuth token and we cease accessing data from that service. You can also revoke access directly from your Google Account security settings.

For complete details, see our dedicated Google API Services Usage Disclosure page.

6. Meta Platform Data Usage

When you connect Meta (Facebook) or Instagram accounts, we access platform data as defined in Meta's Platform Terms.
Data accessed: ad campaign performance, ad account insights, page insights, audience metrics.
We process Meta Platform Data solely to display your advertising analytics within our dashboard.
We do NOT sell, rent, or share Meta Platform Data with any third party.
We do NOT use Meta Platform Data for any purpose other than providing the analytics features you requested.
You can disconnect Meta integrations at any time through your Integration settings.
Our privacy policy is accessible to Meta's crawlers and is not geo blocked.

7. Legal Basis for Processing

Contract performance: processing necessary to provide the services you subscribed to.
Legitimate interest: improving our services, preventing fraud, ensuring platform security (balanced against your rights).
Consent: for marketing communications, non essential cookies, and connecting optional third party integrations.
Legal obligation: compliance with tax, accounting, and regulatory requirements.

8. Data Sharing and Third Parties

We do NOT sell, rent, or trade your personal data. We share data only in the following circumstances:

Stripe Inc. (US): payment processing. Stripe is PCI DSS Level 1 certified. Privacy: https://stripe.com/privacy.
Google LLC (US): Gemini API for AI assistant features (receives only aggregated campaign metrics, no personal identifiers), and OAuth for platform integrations (only data you explicitly authorize via OAuth scopes).
Hosting infrastructure provider: for server operation and data storage.
Service providers who assist in operating our platform, under strict data processing agreements.
Legal compliance: if required by law, court order, subpoena, or governmental authority.
Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to you.

All third party service providers are contractually required to protect your data and use it only for the purposes we specify.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including Brazil (our country of operation) and the United States (where our third party processors Stripe and Google operate).
For transfers from the European Economic Area (EEA): we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
For transfers from Brazil: we comply with LGPD requirements for international transfers.
Google and Stripe maintain their own international transfer mechanisms (Google: SCCs plus supplementary measures; Stripe: SCCs plus Binding Corporate Rules).

10. Data Security

All passwords are hashed using bcrypt with appropriate cost factor.
OAuth tokens and sensitive data are encrypted at rest using AES 256 GCM.
All data is transmitted exclusively over HTTPS/TLS.
Authentication uses JWT with short lived access tokens (in memory) and HTTP only secure refresh token cookies.
Two factor authentication (2FA) via email OTP is available for all accounts.
Rate limiting is enforced on all API endpoints to prevent abuse.
IP addresses from conversion tracking are hashed with SHA 256 plus a unique salt before storage.
We conduct regular security reviews and apply updates promptly.
Access to production systems is restricted to authorized personnel only.

11. Data Retention

Account data: retained while your account is active. Permanently deleted upon your account deletion request (Settings > Danger Zone).
Billing records: retained for 7 years as required by applicable tax and accounting regulations.
Audit logs: retained for 2 years for security and compliance purposes.
Conversion tracking events: retained for 90 days, then automatically purged.
Abandoned cart data: retained for 30 days, then automatically expired.
OTP verification codes: automatically cleaned up within 1 hour of expiration.
OAuth tokens from disconnected integrations: deleted immediately upon disconnection.
Google user data: when you disconnect a Google service, we delete the associated OAuth tokens immediately. Cached analytics data derived from Google APIs is purged within 24 hours of disconnection.

12. Your Rights

Regardless of your location, you have the right to:

Access your personal data held by us.
Correct inaccurate or incomplete data.
Delete your account and all associated data.
Export your data in a portable format.
Withdraw consent for marketing communications at any time.
Disconnect any third party integration (revoking our data access).
Object to processing based on legitimate interest.

To exercise any right, contact contact@virtual360ads.com or use the self service features in your account settings. We respond to all requests within 30 days (or sooner if required by applicable law).

13. Cookies

We use cookies for essential platform functionality (session management, authentication, CSRF protection).
Non essential cookies (analytics, preferences) are activated ONLY after your explicit consent.
For complete details, categories, and management options, see our Cookie Policy.

14. Children's Privacy

Our Service is not directed to individuals under the age of 16 (or the applicable minimum age in your jurisdiction).
We do not knowingly collect personal data from children.
If we become aware that we have collected data from a child, we will delete it promptly.
Our application does NOT use Google Sign In for children or child directed features.

15. Third Party Links

Our platform may contain links to third party websites or services.
We are not responsible for the privacy practices of these third parties.
We encourage you to review their privacy policies before providing any personal data.

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements.
Material changes will be communicated via email notification to your registered email address and/or a prominent notice within the platform.
The "Last Updated" date at the top of this page indicates the most recent revision.
Your continued use of the Service after changes constitutes acceptance of the updated policy.
We recommend reviewing this page periodically.

17. Contact Information

VIRTUAL RL ESPECIALIZADA LTDA
CNPJ: 52.197.772/0001-69
Brand: Virtual 360 ADS
Contact: contact@virtual360ads.com
Website: https://virtual360ads.com
Response time: within 30 days of receiving your request.

A1. LGPD, Lei Geral de Protecao de Dados (Brazil) LGPD

We comply with Brazil's Lei Geral de Protecao de Dados (Lei 13.709/2018) for all users located in Brazil.

Legal bases for processing under LGPD: consent (Art. 7, I), contract performance (Art. 7, V), legitimate interest (Art. 7, IX), legal obligation (Art. 7, II).

Your LGPD Rights (Art. 18)

Confirmation of the existence of processing.
Access to your data.
Correction of incomplete, inaccurate, or outdated data.
Anonymization, blocking, or deletion of unnecessary or excessive data.
Data portability to another service provider.
Deletion of personal data processed with your consent.
Information about public and private entities with whom we share data.
Information about the possibility of denying consent and its consequences.
Withdrawal of consent at any time.
Right to petition the ANPD (Autoridade Nacional de Protecao de Dados).

Data Protection Officer: contact@virtual360ads.com (DPO designation will be updated when formally appointed).

You may file a complaint with the ANPD at www.gov.br/anpd.

A2. CCPA / CPRA (California, United States) CCPA

This section applies to residents of California as defined by the CCPA (Cal. Civ. Code §1798.100 et seq.) and CPRA amendments.

Categories of Personal Information Collected

Identifiers: name, email.
Commercial information: billing and subscription records.
Internet or electronic network activity: log data, cookies, browsing within our platform.
Professional or employment related information: optional business details.

We do NOT sell personal information as defined by the CCPA. We do NOT share personal information for cross context behavioral advertising.

Your CCPA / CPRA Rights

Right to know what personal information we collect, use, disclose, and sell.
Right to delete personal information.
Right to opt out of the sale of personal information (not applicable as we do not sell).
Right to non discrimination for exercising your rights.
Right to correct inaccurate personal information.
Right to limit the use and disclosure of sensitive personal information.

To exercise your rights: email contact@virtual360ads.com or use the account deletion feature in Settings > Danger Zone.

Verification: we verify your identity through email confirmation to your registered email address.

Authorized agents: you may designate an authorized agent with signed written permission. We may require verification of both the agent's authority and your identity.

Retention: we retain personal information as described in Section 11 (Data Retention).

A3. Other Latin American Jurisdictions LATAM

We strive to comply with data protection laws across Latin America, including:

Argentina: Ley 25.326 de Proteccion de Datos Personales.
Colombia: Ley 1581 de 2012 and Decreto 1377 de 2013.
Mexico: Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares (LFPDPPP).
Chile: Ley 19.628 sobre Proteccion de la Vida Privada.
Peru: Ley 29733, Ley de Proteccion de Datos Personales.

Core principles applied across all jurisdictions: purpose limitation, data minimization, storage limitation, accuracy, security, transparency, and accountability.

E1. GDPR Compliance, General Data Protection Regulation GDPR

We comply with Regulation (EU) 2016/679 (GDPR) for users located in the European Economic Area (EEA), United Kingdom, and Switzerland.

Data Controller: VIRTUAL RL ESPECIALIZADA LTDA (CNPJ 52.197.772/0001-69), operating under the Virtual 360 ADS brand, contact contact@virtual360ads.com.
EU Representative: to be formally appointed prior to EU market launch (will be updated in this policy).

Legal Bases for Processing under GDPR

Art. 6(1)(a) Consent: marketing communications, non essential cookies, optional integrations.
Art. 6(1)(b) Contract performance: providing the subscribed services.
Art. 6(1)(c) Legal obligation: tax and regulatory compliance.
Art. 6(1)(f) Legitimate interest: platform security, fraud prevention, service improvement.

E2. Your GDPR Rights GDPR

Right of access (Art. 15): obtain confirmation and a copy of your personal data.
Right to rectification (Art. 16): correct inaccurate or incomplete data.
Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten").
Right to restriction of processing (Art. 18): request limitation of processing in specific circumstances.
Right to data portability (Art. 20): receive your data in a structured, machine readable format.
Right to object (Art. 21): object to processing based on legitimate interest or for direct marketing.
Right related to automated decision making (Art. 22): we do NOT make automated decisions that produce legal effects concerning you or similarly significantly affect you.
Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint (Art. 77): you may file a complaint with your local supervisory authority.

E3. International Transfers from the EEA GDPR

Data is transferred to Brazil (our country of operation) and to servers of our sub processors in the United States.
Transfer mechanisms: EU Standard Contractual Clauses (SCCs) as approved by European Commission Decision 2021/914.
Sub processor safeguards: Google LLC and Stripe Inc. maintain their own SCCs and supplementary measures for EU data transfers.

E4. Data Protection Impact Assessments GDPR

We conduct Data Protection Impact Assessments (DPIAs) for high risk processing activities as required by Art. 35 GDPR.
Our conversion tracking pixel functionality has been assessed: visitor IPs are hashed with SHA 256 plus salt, making direct identification impossible without additional data held separately.

E5. Sub Processors GDPR

We use the following sub processors:

Stripe Inc. (United States): payment processing, PCI DSS Level 1 certified.
Google LLC (United States): Gemini AI API (aggregated data only), OAuth integrations (scoped access).
Hosting provider (United States / Brazil): server infrastructure and data storage.

We will notify you of any material changes to our sub processor list via email or platform notification.