1. Data Controller
The 10x platform is operated by Fusion Impact Agency S.R.L., a digital marketing and SEO agency based in Romania. This policy describes how we collect, use, store, and protect data within our internal marketing platform.
10x is an internal tool used exclusively by Fusion Impact Agency employees — account managers, ad specialists, and agency leadership — to manage Google Ads campaigns and generate performance reports on behalf of our clients. No external party has direct login access to the tool.
2. Data We Collect
We collect and process the following categories of data:
- Authentication data: email address and password (hashed) for platform access, with optional two-factor authentication (2FA) via TOTP.
- Google Ads data (via Google Ads API): campaign metrics (impressions, clicks, cost, conversions, CTR, CPC), ad group data, ad content (responsive search ads, headlines, descriptions, final URLs), keyword performance and quality scores, search term reports, asset performance (text, image, video assets), landing page metrics, audience segments, demographic data (age ranges, gender), and account-level configuration.
- Google Analytics 4 data: traffic metrics, user sessions, and conversion data accessed via GA4 API.
- Google Search Console data: organic search performance, keyword rankings, and indexing status accessed via GSC API.
- Facebook/Meta Ads data: campaign metrics and ad performance accessed via Meta Marketing API.
- Website technical data: SEO audit information obtained through crawling and analysis of client websites.
3. How We Use Google Ads Data
Data obtained through the Google Ads API is used exclusively for the following purposes:
- Performance reporting: Displaying campaign, ad group, ad, keyword, and search term metrics in internal dashboards. Generating PDF reports for client distribution.
- Campaign analysis: Analyzing campaign performance across dimensions including time periods, campaign types, audiences, demographics, and landing pages.
- Keyword research: Using the Keyword Plan Idea Service to research keyword ideas and search volume data for planning new campaigns.
- Inventory sync automation: Automatically pausing ads via the Google Ads API when client products go out of stock, and re-enabling them when inventory is restored. This prevents clients from spending ad budget on unavailable products.
- Account management: Listing accessible client accounts under our Manager Account (MCC) and retrieving account-level configuration.
4. Google API Services User Data Policy Compliance
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google Ads data for the purposes described in this policy (internal reporting, campaign analysis, keyword research, and inventory sync automation).
- We do not sell Google Ads data to third parties.
- We do not use Google Ads data for advertising purposes, retargeting, or building user profiles outside the scope of campaign management.
- We do not transfer Google Ads data to third parties, except to infrastructure providers (hosting, database) necessary for the platform to function, and only under appropriate confidentiality obligations.
- We do not use Google Ads data for surveillance, credit assessment, lending, or insurance underwriting purposes.
- Human access to Google Ads data is limited to authorized Fusion Impact Agency employees who need it to provide campaign management services.
Our use of Google Ads API also complies with the Google Ads API Terms of Service.
5. Data Storage and Security
We implement the following security measures to protect your data:
- Encryption at rest: All sensitive credentials (OAuth tokens, API keys, refresh tokens) are encrypted using AES-256-GCM encryption before being stored in the database.
- Encryption in transit: All communications between the platform and external services (Google Ads API, databases, user browsers) are protected via HTTPS/TLS.
- Database security: Data is stored in a PostgreSQL database hosted on Railway with encrypted connections and access controls.
- Authentication: Platform access requires email/password authentication with optional two-factor authentication (2FA) via TOTP-based authenticator apps.
- Access logging: All API interactions and data access are logged for auditing and debugging purposes.
- Token management: OAuth access tokens are refreshed automatically and are never exposed to the frontend. Refresh tokens are stored encrypted and used only server-side.
6. Data Retention
Google Ads performance data (campaign metrics, keyword stats, search terms) is retained in our database for the duration of the client relationship with Fusion Impact Agency. This allows for historical trend analysis and year-over-year reporting.
Upon termination of a client relationship, or upon request, all associated data — including Google Ads metrics, campaign data, and account configuration — will be deleted from our systems within 30 days.
OAuth tokens and API credentials are deleted immediately when a Google Ads account is disconnected from the platform.
7. Data Sharing
We do not sell, rent, or share your data with third parties, except:
- Infrastructure providers: Railway (hosting), PostgreSQL (database), necessary for platform operation, under appropriate confidentiality and data processing agreements.
- Legal obligations: When required by law, regulation, or court order.
Performance reports generated from the platform may be shared with the respective client whose data they contain, in PDF format, by authorized agency personnel.
8. User Rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR), you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — request limitation of data processing.
- Portability — request your data in a machine-readable format.
- Objection — object to data processing based on legitimate interests.
To exercise any of these rights, contact us at office@fusionstudio.ro. We will respond within 30 days.
9. Revoking Access
You can revoke the platform's access to your Google Ads data at any time by visiting your Google Account permissions page and removing access for our application.
Revoking access will immediately stop all data synchronization from Google Ads. Previously synced data will remain in our database until explicitly requested for deletion by contacting us at office@fusionstudio.ro.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be communicated to users via the platform. The "Last updated" date at the top of this page reflects the most recent revision.