Agency Dashboard by Creatinsta
How we collect, use, and protect your data
Effective: March 12, 2026
Creatinsta Kereskedelmi es Szolgaltato Korlátolt Felelossegu Tarsasag
Registered address: 8130 Enying, Erkel Ferenc utca 1/A, Hungary
Tax number: 14145757-2-07
Email: hello@clipz.hu
Website: https://dashboard.clipz.hu
Creatinsta Kft. ("Creatinsta", "we", "us", or "our") operates Agency Dashboard (the "Dashboard"), a software-as-a-service platform for advertising performance management. We are the data controller for personal data processed through the Dashboard as described in this Privacy Policy.
Where we act as a data processor on behalf of our client companies (advertisers), the respective client company is the data controller for the end-consumer data they bring into the platform. Creatinsta processes such data only under documented instructions from the client and in accordance with applicable data processing agreements.
This Privacy Policy applies to all personal data processed in connection with:
This policy does not cover third-party websites or platforms to which the Dashboard may link. Please review those platforms' own privacy policies.
3.1 Account and User Data
When a user account is created, we collect:
3.2 OAuth Credentials and Tokens
To connect advertising and social accounts, we store OAuth tokens obtained through authorised OAuth flows with Meta, Google, and TikTok. Specifically:
Tokens are stored encrypted at rest in our database and are used exclusively to retrieve advertising performance and social analytics data on behalf of the agency.
3.3 Advertising and Analytics Performance Data
We retrieve and store aggregated daily performance metrics from connected platforms. This data relates to advertising campaigns and does not include individual end-consumer personal data. Metrics include:
3.4 Client and Ad Account Configuration
3.5 Usage and Technical Data
We process personal data only where we have a valid legal basis under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Hungarian Privacy Act (Infotv.). The following table summarises our processing activities and their legal bases:
| Processing Activity | Legal Basis (GDPR Art.) |
|---|---|
| Creating and managing user accounts | Contract performance — Art. 6(1)(b) |
| Storing and using OAuth tokens to sync ad data | Contract performance — Art. 6(1)(b) |
| Storing WooCommerce API credentials | Contract performance — Art. 6(1)(b) |
| Displaying performance dashboards to agency and client users | Contract performance — Art. 6(1)(b) |
| Sending transactional emails (password reset, sync alerts) | Contract performance — Art. 6(1)(b) |
| Retaining sync logs for troubleshooting | Legitimate interests — Art. 6(1)(f) |
| Security logging and fraud prevention | Legitimate interests — Art. 6(1)(f) |
| Compliance with legal obligations (tax, accounting) | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, we have assessed that our interests do not override the rights and freedoms of data subjects.
We use collected data solely for the following purposes:
We do not sell, rent, or trade personal data to third parties. We do not use personal data for automated profiling or decision-making that produces significant legal effects on individuals.
We engage the following sub-processors to deliver the Dashboard. Each processor has been assessed for adequate data protection standards:
| Processor | Role | Location | Basis for Transfer |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication (PostgreSQL + Auth) | EU (Frankfurt, AWS eu-central-1) | Adequacy / SCCs |
| Vercel Inc. | Application hosting, serverless functions, edge network | USA (primarily) + global CDN | SCCs / Data Processing Addendum |
| Meta Platforms Ireland | Ad data and social analytics API (Facebook, Instagram) | Ireland (EU) | Adequacy (EU entity) |
| Google Ireland Limited | Google Ads and Google Analytics 4 API | Ireland (EU) | Adequacy (EU entity) |
| TikTok Technology Limited | TikTok Ads and TikTok Open Platform API | Ireland (EU) / Singapore | SCCs |
| WooCommerce (Automattic) | E-commerce order and revenue data (client-hosted stores) | USA | SCCs / Data Processing Addendum |
Data shared with these processors is limited to what is strictly necessary for the stated purpose. We do not authorise processors to use the data for their own purposes.
Note on platform APIs: When we retrieve data from Meta, Google, or TikTok, we act under the authorisation granted by the agency via OAuth. The agency is responsible for ensuring it has appropriate permissions and legal basis to allow Creatinsta to access the data through those APIs.
Our primary database is hosted in the EU (Supabase on AWS Frankfurt). However, certain sub-processors (Vercel, TikTok, WooCommerce/Automattic) may process data in the United States or other countries outside the European Economic Area (EEA).
For transfers outside the EEA, we rely on one or more of the following safeguards:
You may request a copy of the transfer mechanisms in place by contacting us at hello@clipz.hu.
| Data Category | Retention Period |
|---|---|
| User account data | Until account deletion, then 30 days for recovery period |
| OAuth tokens | Until the connected account is disconnected or the credential is revoked |
| Daily ad performance metrics | 3 years from the date of the metric |
| Social daily metrics (reach, impressions, followers) | 3 years from the date of the metric |
| Social post data | Refreshed on each sync; latest snapshot retained until connection is removed |
| Sync logs | 90 days |
| WooCommerce order data (aggregated daily) | 3 years from the date of the metric |
| Billing and contractual records | 8 years (Hungarian accounting law requirement) |
When a client account is deleted, all associated ad accounts, social connections, daily metrics, and OAuth credentials are deleted within 30 days. User accounts may be retained in anonymised form for statistical purposes.
The Dashboard uses a minimal set of cookies required for operation:
| Cookie Name | Purpose | Type | Duration |
|---|---|---|---|
sb-*-auth-token |
Supabase session authentication | Strictly necessary | Session / up to 7 days |
sb-*-auth-token-code-verifier |
PKCE OAuth state verification | Strictly necessary | Session |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies on the Dashboard. No cookie consent banner is displayed because no non-essential cookies are set.
The public-facing website at dashboard.clipz.hu may use cookies independently — please refer to the cookie settings on that site.
We implement the following technical and organisational measures to protect personal data:
Despite our security measures, no system is completely immune to breaches. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Art. 33 and 34.
If you are an individual whose personal data we process, you have the following rights under GDPR:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of the personal data we hold about you and information about how it is processed. |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. |
| Right to Erasure (Art. 17) | Request deletion of your personal data where there is no compelling reason for its continued processing. |
| Right to Restriction (Art. 18) | Request that we restrict the processing of your data under certain circumstances. |
| Right to Data Portability (Art. 20) | Receive your personal data in a structured, machine-readable format and transmit it to another controller. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. |
| Right to Withdraw Consent (Art. 7) | Where processing is based on consent, withdraw consent at any time without affecting prior processing. |
| Right Not to Be Subject to Automated Decisions (Art. 22) | Not to be subject to decisions based solely on automated processing that produce significant legal effects. We do not engage in such processing. |
To exercise any of these rights, contact us at hello@clipz.hu. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are a client user (not an agency user), some of these rights may need to be exercised through the agency that manages your account, as the agency may be the data controller for your data within the platform.
The Dashboard is a professional B2B tool intended solely for business users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor has provided us with personal data, we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will:
Continued use of the Dashboard after the effective date constitutes acceptance of the updated policy.
For any questions, requests, or concerns relating to this Privacy Policy or our data processing activities, please contact us:
Creatinsta Kft.
8130 Enying, Erkel Ferenc utca 1/A, Hungary
Email: hello@clipz.hu
Website: https://dashboard.clipz.hu
If you are not satisfied with our response, you have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11, Hungary
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu
If you are located in another EU/EEA member state, you may also contact your local data protection authority.