Adfinia. ← Back to adfinia.com
Legal · Privacy

Privacy Policy

Version1.0 (draft)
Last updated2026-05-15
Effective fromPending legal review
Jurisdictions coveredUSA · EU · UK · India · UAE · Global
This is a working draft. Adfinia operates on this policy in spirit while the final version is reviewed by external counsel. The content below reflects current practice and our commitments under the GDPR, the UK GDPR, India's Digital Personal Data Protection Act 2023, the UAE Personal Data Protection Law (Federal Decree-Law 45 of 2021), and applicable sector law. Material changes will be versioned and announced 30 days in advance unless a regulator requires sooner. To suggest edits before final publication, contact support@adfinia.com.

Who we are

Adfinia is a product of Infinia Technologies, an AI-native marketing, advertising, and data platform headquartered in Abu Dhabi, United Arab Emirates.

The data controller for this website and for the account information you provide to us is Infinia Technologies LLC ("Adfinia", "we", "us", "our"). Where Adfinia processes the personal data your business uploads to the platform on behalf of your contacts, we act as a data processor on your instructions — see §5 Customer data & the DPA.

Our EU/EEA representative (Art. 27 GDPR) and our UK representative (Art. 27 UK GDPR) will be appointed prior to the effective date of this policy and published here. Until then, EU/UK residents may contact us directly at support@adfinia.com or via our Data Protection Officer (see §16).

What this policy covers

This Privacy Policy explains what data Adfinia collects, why, how we use it, and how you can exercise your rights. It applies to:

  • Visitors to adfinia.com, docs.adfinia.com, and any other Adfinia-operated site.
  • Account holders — individuals who create or administer an Adfinia tenant, evaluate the platform, or correspond with our team.
  • Contacts of our customers — only with respect to data we collect about you directly. Where your data has been uploaded to Adfinia by one of our customers (for example, by a brand that markets to you), the customer is the controller and you should consult that customer's own privacy notice; see §5.

This policy does not cover:

  • Third-party sites we link to (we don't control their data practices).
  • Data that has been fully anonymised so it cannot be linked to any individual.
  • Personal data of our employees and contractors, which is covered by separate internal notices.

Visitor data — public site, docs, marketing

When you browse our public surfaces we may collect:

CategoryExamplesSource
Technical dataIP address, browser type, operating system, viewport, language, referrer.Automatically when you visit.
Usage dataPages viewed, time on page, navigation paths, clicks on tracked elements (e.g. "Request access").First-party analytics (self-hosted; no third-party advertising trackers).
Form dataName, business email, company, country, role, message, contact preferences.Only what you submit through our forms.
Cookies & local storageStrictly-necessary session cookies and (with consent) preference cookies. No advertising cookies on our public surfaces.Your browser.

We do not knowingly use third-party advertising or cross-site tracking on adfinia.com. If we add a tracker in future, we will surface a consent prompt before any non-essential cookie loads, and update this section.

Account data — when you sign up or evaluate Adfinia

When you create an Adfinia tenant or take part in a paid trial, we collect:

  • Identity & contact — your name, business email, role, the company you represent, the country of operation.
  • Authentication — your login identifier and authentication credentials (we never store plain-text passwords; we use industry-standard hashing and, where you enable it, multi-factor authentication).
  • Billing — the legal entity name and address you bill us under, VAT/tax identifiers, the payment-method token returned by our payments processor (we do not store full card numbers; see §9).
  • Usage & product telemetry — how your team uses the platform, in-app actions, feature adoption, error and performance data, and tenant-level audit-log entries.
  • Support correspondence — emails, chat transcripts, screenshots and recordings you share when contacting our team. Where calls are recorded, we ask for consent at the start.

Customer data & the Data Processing Addendum

When you use Adfinia to manage your customers, contacts, campaigns, or audiences, you remain the controller of that data. Adfinia is your processor.

This means the contact records, segment definitions, campaign content, ad audiences, attribution events, and AI-prompt history that you put into the platform belong to you and are processed strictly on your written instructions, which are set out in our Data Processing Addendum (DPA).

The DPA — incorporating the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and Indian DPDP transfer safeguards where relevant — is automatically part of your contract with us. It is available at adfinia.com/legal/dpa; if you require a counter-signature, write to support@adfinia.com.

Adfinia will not access, sell, share, or use customer data except (a) to provide and improve the platform on your instructions, (b) to comply with law, or (c) as expressly agreed in writing.

Cookies & similar technologies

We use cookies and local storage in three categories:

CategoryPurposeConsent?
Strictly necessaryAuthentication, session integrity, CSRF protection, security controls.Cannot be disabled; no consent prompt required.
PreferencesRemembering your locale, theme, and the docs section you were last reading.Asked at first visit; you may withdraw at any time.
AnalyticsAggregated, first-party visit measurement (no cross-site tracking). We use a privacy-preserving analytics tool that does not set advertising identifiers.Asked at first visit; you may withdraw at any time.

You can manage your choices at any time via the cookie banner ("Cookie preferences") or through your browser settings.

Legal bases

Where the GDPR or UK GDPR applies, we rely on one or more of the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the service to you, bill you, support you.
  • Legitimate interest (Art. 6(1)(f)) — to secure the platform, prevent abuse, run product analytics, communicate with you about your account. Where we rely on this basis, we have weighed our interest against your rights; you can object via §11.
  • Consent (Art. 6(1)(a)) — where required, for example for non-essential cookies or marketing emails to prospects. You can withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, regulator, and lawful disclosure obligations.

Where India's DPDP Act applies, we process personal data either on the basis of your consent or on the specified "certain legitimate uses" recognised by the Act (Section 7). Where the UAE PDPL applies, we rely on lawful processing grounds in Article 4, principally contractual necessity and consent.

How we use data

We use data only for purposes consistent with this policy:

  • To provide the service — authenticate you, route your tenant, serve documentation, deliver email and other channels.
  • To bill and report — issue invoices and VAT statements, calculate usage, report aggregate revenue to our auditors.
  • To improve the platform — measure feature adoption, debug errors, run A/B experiments on Adfinia surfaces (not on customer surfaces).
  • To secure the platform — detect abuse, throttle attacks, run our suppression and consent gates, maintain audit logs.
  • To communicate with you — operational notices, security alerts, status-page updates, billing reminders, and — only with your consent or where a soft opt-in applies — product news and educational content.
  • To meet legal obligations — including regulatory reporting, tax records, and response to lawful requests.

We do not sell personal data. We do not share personal data with advertisers for targeting purposes. We do not use customer data uploaded to Adfinia to train any general-purpose AI model.

Sharing & sub-processors

We share personal data only in the following circumstances:

  • Sub-processors we engage to operate the platform — including infrastructure hosting, payment processing, email delivery, SMS gateways, customer-support tooling, and security monitoring. We maintain a current list at adfinia.com/legal/subprocessors. We sign GDPR-compliant data-processing agreements with each sub-processor, audit their security posture before engagement, and notify customers in advance of any new sub-processor.
  • Professional advisors — accountants, auditors, lawyers, insurers, where engaged under duties of confidentiality.
  • Authorities — where compelled by valid legal process or required to protect life, prevent fraud, or defend our rights. We will challenge over-broad requests and, where permitted, notify the affected customer.
  • Corporate transactions — in the event of a merger, acquisition, financing, or sale of assets, your data may be transferred subject to the same protections set out here.

We do not transfer personal data to any party for that party's own marketing or profiling purposes.

Data residency & cross-border transfers

Sovereignty is a first-class design choice at Adfinia. You choose where your data lives.

Adfinia operates in multiple data regions; customers select their residency at sign-up and may pin tenants to a specific region for the lifetime of the contract. Available regions and their primary hosting jurisdictions are documented at adfinia.com/legal/regions.

Where data must be transferred across borders — for example from the EU to outside the EEA — we rely on the appropriate transfer mechanism: EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum, India DPDP Section 16 transfer-safeguard mechanisms, or an adequacy decision where one exists. Customers on the Sovereign tier may pin processing, AI inference, and analytics to in-country infrastructure with no outbound cross-border transfer.

Your rights

You have the following rights with respect to personal data we hold about you. Where you are a contact of one of our customers, please direct rights requests to the customer who controls your data; Adfinia will assist them in responding.

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion ("right to be forgotten") where one of the GDPR grounds applies or where required under DPDP / PDPL.
  • Restriction — ask us to limit processing while a dispute is resolved.
  • Portability — receive data you provided to us in a structured, machine-readable format and ask us to transmit it to another controller.
  • Objection — object to processing based on legitimate interest, including profiling that produces legal or similarly significant effects.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.
  • Lodge a complaint — with your local supervisory authority. In the UAE, this is the UAE Data Office; in the EU, your national DPA; in the UK, the ICO; in India, the Data Protection Board.

To exercise any of these rights, write to support@adfinia.com or use the request form at adfinia.com/legal/rights. We will respond within 30 days (extendable to 60 days for complex requests under Art. 12(3) GDPR; aligned timelines under DPDP and PDPL). We may need to verify your identity before acting. Where we decline a request, we will explain why and how to seek review.

Retention

We keep personal data only as long as needed for the purposes set out in this policy or as required by law:

CategoryDefault retention
Account & profile dataFor the life of your account plus 90 days, then deleted unless retention is required by law.
Billing & tax records7 years from the end of the relevant tax year (statutory minimum).
Audit-log entries (security-relevant)2 years.
Support correspondence3 years from the date of the last interaction.
Public-site visitor analytics13 months aggregated; raw events 30 days.
Customer data uploaded to the platformFor the term of your subscription. On termination, exported on request and then permanently deleted within 60 days, including from analytical stores. See your DPA for full procedure.

Children

Adfinia is a business-to-business platform; we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact support@adfinia.com and we will delete it without undue delay.

Customers using Adfinia to communicate with audiences must comply with applicable child-protection law (for example, GDPR Art. 8 age-of-consent rules and India DPDP Section 9 verifiable parental consent requirements). The platform provides controls to flag and suppress under-age contact lists.

Security

Security details that change with our deployments are kept in the Adfinia Trust & Security overview. In summary:

  • Encryption in transit (TLS 1.2+) on every external endpoint; encryption at rest on databases, object storage, and backups.
  • Tenant-isolated row-level-security policies on every database table, enforced by the database engine — not by application code alone.
  • Least-privilege access controls for our team, with all production access audited and time-bound.
  • Continuous vulnerability scanning, supply-chain attestation of every container image, and weekly base-image rebuilds.
  • Annual independent penetration testing; results summarised in the Trust & Security overview.
  • Documented incident-response plan and customer breach-notification SLAs aligned with GDPR Art. 33 (72 hours), DPDP Section 8(6), and PDPL Article 10.

Changes to this policy

We may update this policy from time to time. The version number and last-updated date at the top of this page always reflect the current version. Material changes — those that expand the purposes of processing, change the legal bases, or affect your rights — will be announced at least 30 days before they take effect via email to account administrators and a banner on this page. Older versions are archived at adfinia.com/legal/privacy/history.

Contact & Data Protection Officer

For any privacy question, request, or complaint — including matters for our Data Protection Officer:

  • Email: support@adfinia.com (mark the subject line "Privacy" or "DPO" for routing)
  • Postal address: Infinia Technologies LLC, Privacy Office, Abu Dhabi, United Arab Emirates (full address to be confirmed prior to publication).
  • EU/UK Representative: appointment in progress; details will be published here.

If you are not satisfied with our response, you may lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concerns first.