Privacy Policy

Roasy (“Roasy”, “we”, “us”) is a unified user-acquisition analytics platform operated by Peax, based in Istanbul, Türkiye. For the purposes of the GDPR and the KVKK, Roasy is the data controller of the personal data described here, except where we act as a processor on your behalf (see section 2).

This policy covers roasy.ai, the Roasy dashboard at dash.roasy.ai, our APIs, and related services that link to it. It does not cover the third-party services you connect to Roasy (such as ad networks or Adjust), which have their own privacy policies.

Roasy plays two roles depending on the data:

• Controller. For your account details, billing information, website usage, and our own analytics, we decide why and how data is processed.
• Processor. When you connect an ad account or your Adjust (MMP) account, the campaign and performance data we access belongs to you or your organization. We process it only on your instructions to provide the Service — for that data you are the controller and Roasy is your processor.

Business customers can request our Data Processing Agreement (DPA) at privacy@roasy.ai.

Information you give us

• Account & profile — your name, work email, company, and role. Passwords are stored only as a salted hash; we never see them in plain text.
• Communications — support requests, feedback, and messages you send us.
• Preferences — settings and your marketing opt-ins.

Data from the platforms you connect

When you authorize a connection via OAuth, Roasy accesses your advertising and attribution data on a read-only basis by default. This can include campaign and ad-set structure, budgets, spend, impressions, clicks, installs, in-app events, revenue, and the attribution and LTV data reported by Adjust and the connected networks (Meta, Google, TikTok, Apple Search Ads, AppLovin, Unity, Snapchat). We request only the scopes we need, store access tokens in encrypted form, and you can revoke any connection at any time.

Information we collect automatically

• Device and browser type, IP address, and approximate location.
• Pages viewed, actions taken, and timestamps within the Service.
• Cookies and similar technologies (see section 4).
• Diagnostic and security log data.

Information from third parties

• The ad networks and Adjust, as you authorize.
• Our payment processor, Paddle — limited transaction data only (see section 7).
• Analytics providers.

We use a small number of cookies and similar technologies:

• Strictly necessary— to keep you signed in, secure the Service, and remember settings. These can't be switched off.
• Analytics — to understand how the site and product are used, via Google Analytics and Vercel Web Analytics.

You can control non-essential cookies through your browser settings and any cookie banner we provide. Disabling analytics cookies won't affect core functionality.

We use personal data to:

• Provide, operate, secure, and maintain the Service.
• Connect your ad accounts and calculate true ROAS, cohort LTV, and unit economics.
• Generate AI-assisted budget and optimization recommendations — you always approve any change before it's applied.
• Process payments and manage your subscription, through Paddle.
• Provide support and respond to your requests.
• Prevent fraud, abuse, and security incidents.
• Understand and improve the product, in aggregate.
• Send service messages and, with your consent, marketing emails.
• Comply with our legal obligations.

What we don't do. We do not sell your personal data. We do not share it for cross-context behavioral advertising. And we do not use the campaign or attribution data you connect to Roasy to train AI or machine-learning models for other customers or third parties.

Where these laws apply, we rely on the following legal bases:

• Performance of a contract — to create your account and provide the Service you signed up for.
• Legitimate interests — to secure and improve the Service, prevent fraud, and run aggregate analytics, balanced against your rights.
• Consent — for non-essential cookies and marketing emails, which you can withdraw at any time.
• Legal obligation — to meet tax, accounting, and other requirements.

Under the KVKK, we process personal data on the equivalent grounds in Articles 5 and 6, including the performance of a contract and our legitimate interests.

We share personal data only with the categories of recipients below, under contracts that require them to protect it:

• Hosting & infrastructure — Vercel (application hosting and delivery; US and EU regions).
• Payments — Paddle, which acts as the Merchant of Record for Roasy purchases. Paddle handles your card details directly; we receive only limited transaction data such as plan, amount, country, and the last four digits of your card.
• Analytics — Google (Google Analytics) and Vercel (Web Analytics).
• AI / ML providers — used under contract to help generate recommendations; they may not use your data to train their own models.
• Professional advisers — auditors, lawyers, and accountants, where needed.
• Authorities — where legally required, or to protect our rights, our users, or the public.
• Business transfers — if Roasy is part of a merger, acquisition, or asset sale, data may pass to the successor under this policy.

A current list of subprocessors is available on request at privacy@roasy.ai. We do not sell or rent your personal data.

Roasy is based in Türkiye and uses infrastructure in the United States and the European Union. When we transfer personal data across borders — including out of the EEA, the UK, or Türkiye — we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK Addendum, and KVKK-compliant transfer mechanisms, alongside technical measures like encryption. You can request more detail at privacy@roasy.ai.

• Account data — for as long as your account is active, plus a limited period afterwards for wind-down, disputes, and legal obligations.
• Connected platform data— while the connection is active. When you disconnect an account or close your Roasy account, we delete or anonymize the associated data within 90 days, unless we're required to keep it.
• Billing records — retained as required by tax and accounting law.
• Backups — purged on a rolling schedule.

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Ad-platform connections are read-only by default, and OAuth tokens are stored encrypted.
• Role-based, least-privilege access controls and audit logging.
• Continuous monitoring, with a SOC 2 Type II program currently in progress.

No method of transmission or storage is completely secure, but we work hard to protect your data and will notify you and the relevant authorities of a personal-data breach where the law requires.

Depending on where you live, you may have the following rights:

• EEA / UK (GDPR) — access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may also complain to your local supervisory authority.
• Türkiye (KVKK, Art. 11) — to learn whether your data is processed, request information and correction, request erasure, and object to outcomes of automated analysis. You may complain to the Turkish Data Protection Authority.
• California (CCPA/CPRA)— to know, access, correct, and delete your personal information, and to opt out of its “sale” or “sharing” (note: we don't sell or share it). We won't discriminate against you for exercising your rights.

To exercise any right, email privacy@roasy.ai. We may need to verify your identity, and we'll respond within the time the law allows (generally 30 days).

Roasy uses analytics and AI to surface budget and optimization recommendations. These are decision-support tools: they don't take actions on your behalf or produce legal or similarly significant effects without your involvement. You review and approve any change before it is applied.

Roasy is a business tool and isn't directed to anyone under 18. We don't knowingly collect personal data from children. If you believe a child has provided us data, email privacy@roasy.ai and we'll delete it.

The ad networks and Adjust you connect, and any other sites we link to, are governed by their own privacy policies. We encourage you to review them; we're not responsible for their practices.

We may update this policy as Roasy evolves or the law changes. If we make a material change, we'll update the date above and, for significant changes, notify you by email or in the product before it takes effect.

For any privacy question, or to exercise your rights, email privacy@roasy.ai or write to us at Roasy (Peax), Maslak, Sarıyer, Istanbul, Türkiye. If you have a concern we can't resolve, you have the right to contact your local data protection authority.