OptiBitts Systems Inc. – Master Legal & Data Policy

Effective Date: June 16, 2025

Last Updated: June 16, 2025

Version: 1.0

OptiBitts Systems Inc. ("OptiBitts", "we", "our", "us") is incorporated in British Columbia, Canada. This Policy applies globally to all visitors and clients. By using our website or services, you agree to the terms below.

1. Our Services

OptiBitts Systems Inc. helps eCommerce brands make better advertising decisions by analyzing cross-platform advertising performance data. We provide:

  • One-time attribution and performance audits
  • Monthly insight retainers
  • Custom deep-dive reports (SKU-level profitability, cohort LTV analysis)

We analyze data from Meta Ads, Google Ads, TikTok Ads, and eCommerce platforms like Shopify/WooCommerce to deliver clear, actionable recommendations on budget allocation and campaign optimization.

2. Data Controller/Processor Roles

OptiBitts acts in different capacities depending on the data type:

As Data Controller

  • Website visitor data (analytics, cookies, marketing pixels)
  • Our own business data and communications

As Data Processor

  • Client advertising data exports (CSV files from Meta, Google, TikTok, Shopify/WooCommerce)
  • Client customer transaction data included in exports
  • Processing client data according to documented instructions for report generation

Client Responsibilities

Clients remain data controllers for their customer data and must ensure they have:

  • Proper legal basis to export advertising and sales data from third-party platforms
  • Authorization to share such data with OptiBitts for analysis
  • Compliance with platform-specific terms of service and data export policies

3. Information We Collect

From Website Visitors

  • Standard web analytics data via Google Analytics, PostHog
  • Marketing attribution data via Facebook Pixel, Google Ads tracking
  • Cookie data for website functionality and performance optimization
  • Contact form submissions and inquiry data

From Clients

  • Advertising data exports (CSV files) containing:
    • Campaign performance metrics from Meta Ads, Google Ads, TikTok Ads
    • Product sales data from Shopify/WooCommerce
    • Customer transaction information and purchase history
    • Creative performance data and audience insights
  • Communication data (emails, project discussions)
  • Payment and billing information

4. Legal Basis for Data Processing

We process personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance: For providing audit and reporting services to clients
  • Legitimate Interest: For website analytics, business communications, and marketing optimization
  • Consent: Where explicitly obtained for specific processing activities (e.g., marketing communications)
  • Legal Obligation: For tax, accounting, and regulatory compliance

For EU/EEA residents, you have the right to object to processing based on legitimate interest.

5. How We Use Your Information

Website Visitor Data

  • Analyze website performance and user behavior
  • Optimize marketing campaigns and content
  • Improve our services and user experience

Client Data

Client data is used solely to:

  • Generate cross-platform advertising performance reports
  • Provide campaign optimization recommendations
  • Conduct profitability analysis across channels and products
  • Create custom insights reports as requested by clients
  • Deliver contracted audit and consulting services

6. Data Processing Activities

We maintain records of the following processing activities under GDPR Article 30:

  • Website Analytics: Google Analytics, PostHog data for performance optimization
  • Marketing Attribution: Facebook Pixel data for advertising effectiveness analysis
  • Client Services: CSV data processing for cross-platform advertising analysis
  • Report Generation: Creating insights reports from client advertising and sales data
  • Business Communications: Email correspondence and project management

7. Data Minimization

We collect and process only the minimum data necessary to:

  • Generate requested audit reports and insights
  • Provide actionable advertising recommendations
  • Deliver contracted services effectively
  • Comply with legal and regulatory obligations

8. Data Retention & Deletion

Client Data (Raw Files & Backups)

  • Primary Data: All client-provided CSV files and processed data are securely deleted within 24 hours of report delivery
  • Backup Systems: Encrypted snapshots containing processed data are maintained for disaster recovery and securely deleted within 7 days after report delivery
  • Backup Purpose: Backups are created solely for disaster recovery and business continuity purposes, containing only processed data necessary for report regeneration in case of system failure
  • Scope: Deletion includes raw advertising exports, cleaned datasets, processed analysis files, and all backup copies

Reports & Deliverables

  • Final reports (PDFs) are retained only if the client chooses to keep them accessible in our system
  • Clients can request deletion of reports at any time

Website Data

  • Analytics data: 26 months (Google Analytics standard)
  • Cookie data: As specified in our cookie consent banner
  • Contact inquiries: Until resolved plus 2 years for business records

9. Data Security & Protection

We follow industry best practices aligned with SOC 2 principles:

Technical Safeguards

  • Encryption: All files encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Control: Multi-factor authentication on all accounts
  • Network Security: Secure, access-controlled cloud environments
  • Regular Updates: Security patches and system updates maintained

Organizational Safeguards

  • Limited Access: Only assigned analysts working on your project access your data
  • Staff Training: Regular security awareness and data protection training
  • Confidentiality: All personnel bound by confidentiality agreements
  • Incident Response: Documented procedures for security incidents

Deletion Procedures

  • Primary Storage: Secure deletion with multi-pass overwriting of storage media
  • Backup Systems: Encrypted snapshots of processed data maintained for disaster recovery
  • Backup Retention: All backup copies securely deleted within 7 days after report delivery
  • Audit Trail: Documentation of all deletion activities across primary and backup systems

10. International Data Transfers

Client data may be processed in jurisdictions outside Canada/EEA through our cloud service providers. We ensure adequate protection through:

  • Standard Contractual Clauses with all service providers
  • Adequacy Decisions where available under applicable privacy laws
  • Additional Technical Safeguards including encryption and access controls
  • Regular Assessments of transfer mechanisms and security

11. Your Data Protection Rights

Under GDPR and applicable privacy laws, you have the right to:

Access Rights

  • Request copies of your personal data
  • Obtain information about how your data is processed

Correction & Deletion

  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Request restriction of processing activities

Data Control Rights

  • Data portability (receive your data in machine-readable format)
  • Object to processing based on legitimate interest
  • Withdraw consent where processing is based on consent

Response Procedures

  • Response Time: 30 days (extendable to 60 days for complex requests)
  • Verification: Identity verification required for security
  • Contact: Submit requests to hello@optibitts.com
  • No Fee: Generally provided free of charge

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Enhanced Consumer Rights

  • Right to Know: Detailed information about personal data collection, use, and sharing
  • Right to Delete: Request deletion of personal data (subject to certain exceptions)
  • Right to Correct: Request correction of inaccurate personal data
  • Right to Opt-Out: Opt-out of the sale or sharing of personal data
  • Right to Limit: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Equal service and pricing regardless of exercising privacy rights

Important Notice for California Residents

  • We Do Not Sell Personal Data: OptiBitts does not sell, rent, or share personal data for monetary consideration
  • We Do Not Share for Cross-Context Behavioral Advertising: We do not share personal data for targeted advertising purposes
  • Sensitive Data: We do not knowingly collect sensitive personal information as defined by CCPA
  • Third-Party Services: We may share data with service providers under strict contractual obligations

Exercise Your California Rights

  • Submit Requests: Contact us using the information provided in Section 27
  • Verification Required: We may need to verify your identity to process requests
  • Response Time: Within 45 days (extendable to 90 days for complex requests)
  • Authorized Agents: Authorized agents may submit requests on your behalf with proper documentation

13. Client Data Processing Terms

When processing client data as a data processor, we:

  • Process data only according to documented client instructions
  • Ensure all personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Maintain encrypted backups for disaster recovery and business continuity purposes only
  • Delete all backup copies within 7 days of service completion
  • Assist clients in responding to data subject rights requests within 10 business days
  • Notify clients of any data breaches within 24 hours of discovery
  • Delete or return all personal data upon service completion
  • Maintain records of processing activities for audit purposes
  • Allow for client audits of our data processing activities (upon reasonable notice)

14. Data Breach Response

Notification Procedures

  • Client Notification: Within 24 hours of discovery
  • Regulatory Notification: Within 72 hours to relevant authorities (where required)
  • Individual Notification: If high risk to rights and freedoms
  • Documentation: All breaches documented regardless of notification requirements

Response Actions

  • Immediate containment and assessment
  • Investigation of cause and scope
  • Implementation of corrective measures
  • Communication with affected parties
  • Post-incident review and improvements

15. Terms of Service

Scope of Services

We provide data analysis and consulting services including:

  • One-time attribution and performance audits
  • Monthly insight retainers with regular reporting
  • Custom deep-dive reports based on client requirements
  • Strategic recommendations for advertising optimization

Service Limitations

  • We do not run advertisements or manage advertising campaigns
  • We provide independent, data-driven recommendations only
  • Implementation of recommendations remains the client's responsibility

Payment Terms

  • Services are billed upfront according to agreed pricing
  • Payment due within 30 days of invoice date
  • Late payments may incur interest charges

Refund Policy

Due to the nature of our analytical work and immediate value delivery, all sales are final and non-refundable once work has commenced.

16. Results Disclaimer & Limitation of Liability

No Performance Guarantees

We provide insights and recommendations based on available data analysis. While our goal is to improve advertising efficiency and guide better decision-making, we do not guarantee specific outcomes including:

  • Increased revenue or sales
  • Improved return on ad spend (ROAS)
  • Specific performance improvements
  • Achievement of business objectives

Limitation of Liability

  • OptiBitts' total liability for any claims shall not exceed the amount paid by the client for the specific service
  • We are not liable for indirect, consequential, or punitive damages
  • Recommendations are based on the data provided and market conditions at the time of analysis
  • Clients are responsible for implementation decisions and outcomes

17. Automated Decision-Making

Our analysis involves automated processing of advertising data to generate insights and identify patterns. However:

  • No automated decisions are made that significantly affect individuals without human review
  • All recommendations undergo analyst review before delivery
  • Clients maintain full control over implementation decisions

18. Cookies & Tracking Technologies

Cookies We Use

  • Essential Cookies: Website functionality and security
  • Analytics Cookies: Google Analytics, PostHog for performance measurement
  • Marketing Cookies: Facebook Pixel, Google Ads for attribution tracking

Cookie Consent

  • Consent banner displayed on first website visit
  • Granular consent options for different cookie categories
  • Ability to withdraw consent at any time
  • Cookie settings accessible via website footer

Opting Out

You can disable cookies through your browser settings, though this may affect website functionality.

19. Third-Party Services & Integrations

Service Providers

We may use third-party service providers for:

  • Cloud hosting and data storage
  • Analytics and reporting tools
  • Payment processing
  • Communication platforms

All service providers are bound by data processing agreements and security requirements.

Platform Data Sources

We analyze data exported from third-party platforms including:

  • Meta Business Manager / Ads Manager
  • Google Ads and Google Analytics
  • TikTok Ads Manager
  • Shopify and WooCommerce platforms

Clients warrant they have authorization to export and share such data with us.

20. Confidentiality & Non-Disclosure

Confidential Information

We treat all client data as strictly confidential, including:

  • Business performance metrics
  • Advertising strategies and spend data
  • Customer information contained in exports
  • Strategic discussions and recommendations

NDA Availability

Formal Non-Disclosure Agreements are available upon client request for additional protection.

Staff Obligations

All OptiBitts personnel are bound by confidentiality agreements and data protection obligations.

21. Age Restrictions

We do not knowingly collect personal data from individuals under 16 years of age (or the local minimum age for digital consent). If you believe we have collected such data, please contact us immediately for deletion.

22. Dispute Resolution & Governing Law

Governing Law

This Policy and all services are governed by the laws of the Province of British Columbia, Canada.

Jurisdiction

Any disputes shall be resolved exclusively in the courts of Vancouver, British Columbia, Canada.

Alternative Resolution

We encourage informal resolution of disputes through direct communication before formal legal proceedings.

23. Force Majeure

We are not liable for any failure or delay in providing services due to causes beyond our reasonable control, including:

  • Natural disasters or extreme weather
  • Internet outages or telecommunications failures
  • Regulatory changes or government actions
  • Third-party service disruptions
  • Cyber attacks or security incidents affecting infrastructure

24. Regulatory Compliance & Complaints

Privacy Authorities

  • EU/EEA Residents: May lodge complaints with local data protection authorities
  • Canadian Residents: Contact the Privacy Commissioner of Canada
  • California Residents: Contact the California Attorney General's Office

Contact Information

  • For privacy-related inquiries: hello@optibitts.com
  • For general inquiries: hello@optibitts.com
  • Business address: British Columbia, Canada

25. Intellectual Property

Our IP Rights

All reports, insights, methodologies, analytical frameworks, and recommendations we create remain our intellectual property.

Client License

Clients receive a non-exclusive license to use reports for their internal business purposes only. Redistribution or resale of reports is prohibited without written consent.

Third-Party Trademarks

Meta, Google, TikTok, Shopify, and WooCommerce are trademarks of their respective owners. OptiBitts Systems Inc. is not affiliated with or endorsed by these companies.

26. Policy Updates & Notifications

Amendment Process

We may update this Policy to reflect:

  • Changes in applicable laws or regulations
  • Updates to our services or business practices
  • Enhanced security measures or technologies
  • Feedback from clients or regulatory guidance

Notification Methods

Material changes will be communicated via:

  • Email notification to active clients
  • Website banner or notice
  • Updated "Last Updated" date at the top of this Policy

Continued Use

Continued use of our services after policy updates constitutes acceptance of changes.

27. Severability

If any provision of this Policy is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

28. Contact Information

OptiBitts Systems Inc.

British Columbia, Canada

Email: hello@optibitts.com

For data protection inquiries, please use the subject line "Privacy Request" and include:

  • Your full name and contact information
  • Nature of your request
  • Relevant account or service information

This Policy represents our commitment to data protection, transparency, and compliance with applicable privacy laws. We regularly review and update our practices to maintain the highest standards of data security and client trust.

© 2025 OptiBitts. All rights reserved.