Privacy Policy

Last updated: May 12, 2026 · Effective: May 12, 2026

This Privacy Policy ("Policy") explains how Choclement LLC, a Delaware limited-liability company doing business as BHmetrics("BHmetrics", "Choclement", "we", "us", "our"), collects, uses, discloses, retains, transfers, and protects information in connection with the BHmetrics web application, APIs, workers, dashboards, Copilot, marketing site, documentation, and related services (collectively, the "Service"), available at bhmetrics.com and related subdomains.

BHmetrics is a business-to-business product designed for businesses and is not intended for personal, family, or household use. We treat individuals using the Service as business representatives, rather than in their personal capacity. Most personal data that we process in connection with the Service belongs to our customers' end consumers, where our customer is the controller / business and we are the processor / service provider. This Policy describes both (i) data we process about you, the operator (we are the controller for that data), and (ii) data we process on behalf of our customers about their end consumers (we are the processor and our customer is the controller). Where we act as a processor, our processing is also governed by our Data Processing Addendum ("DPA"). This Policy is read together with our Terms of Service, our Acceptable Use Policy, our Cookie Policy, and our Subprocessor List.

Questions, requests, or privacy concerns? Email [email protected].

1. Plain-English summary (non-binding)

We are a paid B2B tool. We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
End-consumer email, phone, and IP are SHA-256 hashed in your browser or storefront before they reach us. We do not store the plaintext.
We do not use Customer Data to train foundation AI models. Our AI subprocessors (currently Anthropic) operate under commercial terms that prohibit foundation-model training on customer inputs and outputs.
We rely on a short list of named subprocessors (Section 9) under written data-protection agreements.
You and your end consumers have rights to access, correct, port, restrict, and delete personal data. See Section 12.
Account deletion removes your data within thirty (30) days of the end of the extraction window, except where law requires longer retention.

The remainder of this Policy is the controlling document.

2. Who this Policy applies to (three data-subject categories)

This Policy addresses three categories of personal data and the corresponding data subjects:

Prospect Data — personal data of visitors to our marketing site, event attendees, demo requesters, newsletter subscribers, and other prospective customers and partners. We are the controller / business for Prospect Data.
User Data — personal data of personnel of our customers (account administrators, billing contacts, focal persons, Authorized Users, authorized signatories). We may be the controller (for our own account-management purposes) and/or the processor (for our customer's operation of the Service) depending on context.
Customer Data — personal data of our customers' end consumers, processed by us on behalf of our customers as part of the Service (for example, hashed identifiers for CAPI dispatch). Our customer is the controller / business; we are the processor / service provider. Processing of Customer Data is governed primarily by our DPA and our customer's instructions; this Policy applies only as a supplementary description.

3. Categories of personal data we collect

3.1 From you, the operator (User Data)

Identifiers: name, work email, hashed password (managed by Clerk), profile picture if supplied, IP address, device ID, browser type, OS string, locale.
Customer-record information: workspace and brand profile, role, team-member email addresses, billing address, billing contacts.
Commercial information: plan, subscription history, invoice and payment metadata (full payment-instrument data is processed by Stripe; we receive only last-4 / token references).
Communications: support tickets, email replies, in-product messages, call/video recordings or transcriptions you provide for support purposes, and notes from sales/onboarding meetings.
Internet or other electronic network activity: pages viewed, features used, click paths, error reports, referrers, session recordings (only as enabled), and product telemetry.
Approximate geolocation: city-level location derived from IP. We do not collect precise (GPS) geolocation.
Professional information: job title, employer, industry.
Authentication signals: sign-in timestamps, IP, 2FA / passkey status, MFA attempts (managed by Clerk).
Inferences: usage-derived inferences such as feature familiarity, plan fit, churn risk, and product-area engagement — used internally, never sold.

3.2 From your Connected Platforms (Meta, Google, TikTok, Pinterest, Snap, Shopify, and similar)

When you connect a platform, we receive data from it on your authorization. For end-consumer event data this is Customer Data and we are your processor.

OAuth refresh tokens and short-lived access tokens — stored encrypted at rest with AES-256-GCM. Never logged or transmitted in plaintext. Deleted immediately on disconnection.
Account, campaign, ad-set, ad, and creative metadata: name, objective, status, budget, schedule, targeting summary, creative URLs.
Performance metrics: impressions, clicks, spend, conversions, revenue (per ad, per hour).
Audience IDs and seed-list metadata when you create custom audiences. We do not request or store individual audience-member profile data, follower lists, Pinner data, or social-graph data beyond what is required to operate the Service.

3.3 End-consumer conversion event data (Customer Data)

Hashed identifiers: SHA-256 hashes of normalized email, phone (E.164), and other identifiers your storefront supplies. Plaintext is never stored.
Click identifiers: fbclid, gclid, ttclid, epik, scclid, fbp, _fbc, and similar platform-supplied identifiers.
Order metadata: order id, total value, currency, line-item count, timestamp, country, region, postal code.
IP address and user-agent of the end consumer at the time of conversion, used solely for event-quality matching, then either hashed or dropped per platform requirements; never stored as plaintext beyond the dispatch window.
We do not request, store, or process: raw email, phone, name, shipping address, payment instruments, government-issued IDs, precise (GPS) geolocation, or any "special category" data under GDPR Article 9, "sensitive personal information" under CPRA, or analogous categories under applicable law.

3.4 Prospect Data (marketing-site visitors and event attendees)

Contact and business details (name, work email, phone, employer, role), if you provide them via demo request, contact form, event registration, or newsletter signup.
Communications data (correspondence, demo notes, sales-call recordings or transcriptions where you have consented).
Internet activity on the marketing site (pages viewed, referrers, IP-derived city, cookie identifiers — see Section 10).
Feedback, testimonials, and public reviews you submit.

3.5 California (CCPA / CPRA) categories

Within the preceding twelve (12) months we have collected the following CCPA / CPRA categories of personal information from the sources described above (your interactions with the Service, our customers' systems and storefronts, and our subprocessors):

Identifiers (name, email, IP, device identifiers, online identifiers, hashed identifiers).
Customer-records information (account, billing).
Commercial information (subscription, transaction).
Internet or other electronic network activity information (usage, logs, telemetry).
Geolocation data (approximate, IP-derived; not precise).
Professional or employment-related information (role, employer).
Inferences drawn from any of the above (usage profile, plan fit).
Audio, electronic, visual information (support call recordings if provided).

We do not collect "sensitive personal information" as defined under CPRA, and we do not collect biometric information, genetic data, health or medical data, racial or ethnic origin, religious beliefs, sexual orientation or sex life, or the contents of consumer communications.

4. Sources of data

Directly from you and your Authorized Users (sign-up, configuration, support, sales calls).
Automatically from your interactions with the Service (cookies, server logs, telemetry).
From your Connected Platforms with your authorization.
From your storefront via the BHmetrics pixel, server tag, or webhook.
From subprocessors performing services on our behalf (Section 9).
From publicly available sources (e.g., your company website) for sales and marketing.

5. How we use personal data and our legal bases (GDPR Article 6)

For operators in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b)): to provide, support, and bill the Service; to authenticate accounts; to dispatch events to Connected Platforms on your authorization.
Legitimate interests (Art. 6(1)(f)): to operate, secure, debug, and improve the Service; to detect and prevent fraud, abuse, and security incidents; to enforce our Terms; to produce aggregated and de-identified analytics; to send transactional and account-related communications; to communicate with you about service updates and similar product offerings; to engage in B2B marketing to prospects in their professional capacity. We balance these interests against your rights and provide a right to object (Section 12).
Consent (Art. 6(1)(a)): for non-essential cookies (where required), for marketing email (where required and opt-in), and for any processing for which consent is the appropriate basis under local law. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, audit, fraud-prevention, regulatory, and lawful-request obligations.
Vital and public interests (Art. 6(1)(d)–(e)): only in the rare case necessary to protect a person's life or as required by a competent authority.

Where we process Customer Data on behalf of a customer, the lawful basis is the customer's, and we rely on the customer's representation that it has obtained the necessary consent and provided the required notices.

6. Purposes of processing

Provide, configure, monitor, secure, and support the Service.
Dispatch conversion events to platform Conversions APIs (Meta CAPI, Pinterest Conversions API, TikTok Events API, Snap Conversions API, Google Enhanced Conversions) per your settings.
Run automation rules, attribution models, anomaly detection, predictive analytics, and the AI Copilot on your behalf.
Authenticate users, manage sessions and MFA, and provision and de-provision access.
Send transactional and service-essential email — rule fires, weekly digest, security notices, billing and account messages. You cannot opt out of service-essential communications.
Send marketing communications (opt-in where required, with one-click unsubscribe).
Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms.
Improve, develop, and benchmark the Service using aggregated and de-identified usage data and Aggregated Data (as defined in our Terms).
Comply with legal, accounting, and regulatory obligations, including responding to lawful requests.
Conduct B2B sales and marketing to prospects in their professional capacity.
Operate the marketing site at bhmetrics.com (including basic page-view counters that do not set advertising cookies).
Establish, exercise, or defend legal claims; in the event of a corporate transaction (Section 8).

7. What we do not do

We do not sell personal data and we have not done so in the preceding twelve (12) months.
We do not "share" personal information for cross-context behavioral advertising as defined under CPRA, and we have not done so in the preceding twelve (12) months.
We do not share data between BHmetrics customers. Machine-learning models are trained per-brand only; Aggregated Data does not identify any brand, individual, or end consumer.
We do not provide Customer Data or Copilot Inputs/Outputs to Anthropic or any other AI subprocessor for foundation-model training. Anthropic's commercial API terms provide that customer inputs and outputs are not used for foundation-model training.
We do not run third-party advertising trackers (Meta Pixel, Google Ads tag, TikTok Pixel, LinkedIn Insight Tag, etc.) on app pages.
We do not knowingly collect personal data from anyone under the age of sixteen (16), or under thirteen (13) in the United States.
We do not use Customer Data, Prospect Data, or User Data to make legal or similarly significant automated decisions about an identified end consumer.
We do not engage in invasive cross-site tracking, fingerprinting, or surreptitious data collection.

8. Disclosures of personal data

We disclose personal data only as described below:

To subprocessors who provide infrastructure, security, payment, communications, and AI services on our behalf, under written data-protection agreements imposing equivalent protections (Section 9).
To Connected Platforms at your direction (where you are the controller for that disclosure).
To professional advisors (auditors, lawyers, accountants, insurers, tax advisors) bound by confidentiality.
To public authorities, regulators, and law enforcement where required by law, court order, subpoena, search warrant, or government request, or to (a) protect our or others' rights, property, safety, security, or integrity, (b) investigate or address suspected illegal activity, fraud, or wrongdoing, or (c) defend legal claims. Where legally permitted, we will give the affected customer advance notice and reasonable opportunity to object.
In a corporate transaction — in connection with a merger, acquisition, financing, reorganization, sale of assets, insolvency, receivership, bankruptcy, or assignment for the benefit of creditors, in which case personal data is transferred subject to this Policy or a successor policy of equivalent protection.
Within our corporate group — we may share personal data with our affiliates, parent, and subsidiaries for the purposes described in this Policy.
With public reviews / testimonials — if you submit a public review, testimonial, or quote, we may publish it as submitted. You can request removal by emailing [email protected].
With your consent — for any other disclosure.

8.1 CCPA disclosure-by-category (preceding 12 months)

For California residents, the categories of recipients to whom we have disclosed each CCPA category of personal information for a business purpose are:

Identifiers: subprocessors, professional advisors, government / legal, internal corporate group.
Customer-records information: subprocessors, professional advisors, government / legal, internal corporate group.
Commercial information: subprocessors (Stripe), professional advisors, government / legal.
Internet or other electronic network activity: subprocessors (hosting, error monitoring, logging), internal corporate group.
Geolocation (approximate): subprocessors (hosting, error monitoring).
Professional information: subprocessors (CRM, email), internal corporate group.
Inferences: internal corporate group only.
Audio/electronic/visual: subprocessors (support, transcription) where applicable.

We have not sold or shared any of the above for cross-context behavioral advertising in the preceding twelve (12) months.

9. Subprocessors

We rely on the following subprocessors. Each operates under a written data-protection agreement with us. We give at least thirty (30) days' advance notice of any addition or replacement of a subprocessor that processes personal data, by email and in-product. You have fifteen (15) days after notice to object on reasonable data-protection grounds; if we cannot accommodate the objection, you may terminate the affected portion of the Service for a pro-rata refund of prepaid, unused fees.

The canonical, up-to-date list is at /legal/subprocessors. As of the last updated date, it includes:

Vercel Inc. — application hosting (United States).
Neon Inc. — managed Postgres database (United States).
Cloudflare, Inc. — edge CDN, Workers compute, KV, Queues, email routing (global, primarily United States).
Clerk Inc. — authentication, MFA, session management (United States).
Stripe, Inc. — billing and payment processing for paid plans (United States).
Anthropic, PBC — AI Copilot LLM inference (United States). Anthropic's commercial terms provide that customer inputs and outputs are not used to train its foundation models.
Resend, Inc. — transactional email delivery (United States).
Slack Technologies, LLC — operator notifications, only when a customer configures a Slack incoming-webhook in their workspace (United States).

Additional subprocessors are listed on the canonical page as we add them. See /legal/subprocessors for current list, locations, data categories, and transfer mechanisms.

10. Cookies and similar technologies

See our Cookie Policy for a complete inventory of cookies, local storage, and session storage used by the Service, including the cookies set by the BHmetrics first-party pixel on customer storefronts.

Strictly necessary: Clerk session cookies, CSRF protection, brand-context cookie, Cloudflare bot-management cookies. These cannot be disabled without breaking the Service.
Functional: theme, sidebar/rail state, cookie-consent choice.
Analytics: first-party, aggregate page-view counters on the marketing site. We do not run Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, PostHog, Plausible, Mixpanel, or any other third-party advertising or analytics tracker on app or marketing pages.
Advertising: none. We do not deploy advertising cookies, retargeting pixels, or fingerprinting trackers.
Do Not Track and Global Privacy Control: we do not sell or share personal information and do not deploy non-essential or advertising trackers. At our pixel-event ingestion endpoint, when an incoming request carries Sec-GPC: 1 or DNT: 1, we drop the user-agent and IP-hash fields before persisting the event — the event is still recorded for the customer's analytics (the customer is the controller for end-consumer data), but no end-consumer device identifiers are stored on our side. We will treat the same signals as valid opt-out requests for any optional tracking we add in the future.

10.1 The BHmetrics first-party pixel on customer storefronts

Customers install our pixel on their own storefronts (typically Shopify) to capture conversion events and click identifiers. When installed, the pixel sets first-party cookies and storage on the storefront's domain (not on bhmetrics.com), including _cdt_sid (cookie, up to 1-year max-age, SameSite=Lax) and _cdt_sid/_cdt_clicks in localStorage / sessionStorage. End-consumer identifiers are SHA-256 hashed before persistence: where the BHmetrics first-party pixel is the source, hashing happens in the browser; where data arrives via a server-to-server integration (e.g., a Shopify webhook delivers a payload that includes plaintext email and phone), hashing happens at the earliest server-side entry point and the plaintext values are not persisted. As the operator of the storefront, the customer is the controller for these cookies and is responsible for end-consumer consent and notices under applicable law. End consumers should consult the privacy policy of the storefront they are visiting; this Policy describes only the data we Process as a processor on behalf of that customer.

10.2 Click-redirect endpoints

Where customers route ad clicks through BHmetrics click-redirect endpoints, we receive the click identifiers, user-agent string, IP address (hashed before retention), and the destination URL. We use this data solely to (a) reconcile clicks to subsequent conversions, (b) provide click-quality diagnostics to the customer, and (c) operate the redirect itself. Click-redirect data is retained per Section 11.

11. How to delete your data

This section explains how to request deletion of personal data we hold about you. A stand-alone, equivalent page is available at /legal/data-deletion — that is the canonical URL we submit to advertising platforms (e.g., Meta's "User Data Deletion" field for OAuth-enabled apps).

11.1 If you are a BHmetrics customer (operator)

Use the in-product self-service controls under Settings → Brand → Your data:

Download JSON exports a portable snapshot of your brand (profile, rules, ad-account metadata without OAuth tokens, automation log, recent events, anomalies) immediately to your device.
Request account deletion queues your brand for deletion and notifies the admin team. Only the brand owner may submit; you must type DELETE to confirm. We acknowledge within ten (10) business days and complete verified requests within thirty (30) days, except where applicable law requires longer retention (e.g., tax records held for 7 years and audit logs as described below).

If you cannot access your account, email [email protected] from the email address associated with your account and we will verify your identity and process the request manually.

11.2 If you disconnected a Connected Platform (e.g., Meta, Google, TikTok, Pinterest, Snap, Shopify)

When you revoke an OAuth grant from Settings → Connections — or from the Connected Platform's own apps/permissions page — we delete the associated OAuth refresh tokens immediately and stop ingesting new data from that platform. To also delete the historical data we already ingested from that platform, additionally use the Export / Delete flow above, or email [email protected] requesting deletion scoped to the specific Connected Platform.

11.3 If you are an end consumer of a BHmetrics customer

BHmetrics is a B2B processor. Our customer (the brand whose ad you clicked or whose storefront you bought from) is the controller for your personal data. Please contact the brand directly using the contact details on their website or in their privacy policy. We will assist the brand in fulfilling verified deletion requests as required by our DPA and applicable law. If you cannot identify the brand or are unable to reach them, email [email protected] with as much detail as you can (the brand name, the ad platform, the date of the event), and we will attempt to route your request.

11.4 What gets deleted, what's retained

Deletion removes the Personal Data we hold about you from active systems. Some data is retained beyond a deletion request, as permitted or required by law:

Billing and tax records: retained for seven (7) years for tax and accounting compliance.
Audit logs: retained for the life of the account (immutable) to support security investigations, dispute resolution, and "show your work" auditability.
Encrypted backups: deletion is reflected in backups within thirty-five (35) days as backups rotate.
Aggregated and de-identified data: retained indefinitely as described in our Terms of Service; this data does not identify you.
Data we are legally required to retain: in response to a lawful preservation request, court order, or other legal obligation.

11.5 Response time

We acknowledge deletion requests within ten (10) business days and complete verified requests within thirty (30) days for U.S. residents and forty-five (45) days for EU/UK/EEA residents (extendable as described in Section 12.1). We may need to verify your identity before processing a request; see Section 12.2.

11A. Retention schedule

The targets below describe how long we intend to retain each category of data. These targets are enforced through a combination of operational practices and scheduled clean-up jobs that we continue to build out as the product matures; specific retention cut-offs may currently be applied on a periodic, manual basis. Verified deletion requests are honored within the timelines in §11.5 regardless of these targets.

Conversion events: target retention is twenty-four (24) months in hot storage, then archived in cold storage for up to thirty-six (36) more months for compliance audits, then deleted.
Performance metrics: retained while your account is active; deleted within thirty (30) days of account closure (after the Extraction Window under our Terms).
Operator account data: retained while your account is active; deleted within thirty (30) days of account closure, except where law requires longer retention.
Usage telemetry and error logs: target retention is ninety (90) days, then aggregated or deleted.
Authentication and security logs: target retention is thirteen (13) months (security baseline).
Audit logs (rule fires, automation log): kept for the life of the account; required for the "show your work" auditability we promise.
OAuth tokens: deleted from our systems on disconnection. Revoking the grant on the Connected Platform's own apps-and-permissions page is the operator's responsibility.
Billing and tax records: retained for seven (7) years for tax and accounting compliance.
Marketing contacts / Prospect Data: retained while you remain a prospect or until you unsubscribe, whichever is sooner, plus a short suppression-list retention to honor your opt-out.
Support tickets and call recordings: twenty-four (24) months.
Backups: encrypted backups rotate on a thirty-five (35) day cycle; deletion is reflected in backups within that window.
Aggregated and de-identified data: retained indefinitely under our Terms; it does not identify any natural person.

Beyond the periods above, we may retain personal data as required by law or for the establishment, exercise, or defense of legal claims. We may delete or de-identify any personal data at any time, with or without notice, in accordance with our retention policy.

12. Your rights

Depending on where you live (and where your end consumers live), you may have the following rights under the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act as amended by the CPRA, the Virginia CDPA, the Colorado CPA, the Connecticut CTDPA, the Utah UCPA, the Texas TDPSA, the Oregon Consumer Privacy Act, the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Tennessee Information Protection Act, the Montana Consumer Data Privacy Act, the Indiana Consumer Data Protection Act, and other applicable laws:

Right to know / access — request a copy of the personal data we hold about you, the categories of data, sources, purposes, and categories of recipients.
Right to correct — request correction of inaccurate or incomplete data.
Right to delete / erasure — request deletion, subject to permitted retention exceptions.
Right to data portability — receive your data in a machine-readable format.
Right to restrict or object — restrict processing based on legitimate interests, including direct marketing.
Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of. If you nonetheless submit an opt-out request (including via GPC), we will confirm our no-sale, no-share posture in writing.
Right to opt out of profiling — for decisions producing legal or similarly significant effects, where applicable. We do not engage in such profiling of identified end consumers.
Right to non-discrimination — we will not retaliate for exercising your rights.
Right to withdraw consent — where processing is based on consent.
Right to lodge a complaint — with your local supervisory authority (e.g., UK ICO, France's CNIL, Ireland's DPC, your U.S. state attorney general).

12.1 How to make a request

Most controls are available in-app at Settings → Brand → Export / Delete. For requests we cannot service in-product, email [email protected]. We respond within forty-five (45) days, extendable once for another forty-five (45) days where reasonably necessary, with notice (or sooner where applicable law requires). For UK/EEA requests we will respond within thirty (30) days, extendable by up to sixty (60) more days where reasonably necessary.

12.2 Verification

We will verify your identity before fulfilling a request by matching at least two data-points associated with your account (or, for end consumers, by working through our customer of record). We may redact from any disclosure any personal data relating to other individuals.

12.3 Authorized agents

You may use an authorized agent, including one with a power of attorney; we may require written authorization, verification of the agent's authority, and direct verification of your identity.

12.4 No fee

We will not charge a fee for processing or responding to a verifiable request, unless the request is excessive, repetitive, or manifestly unfounded, in which case we will tell you why and provide a cost estimate before proceeding.

12.5 Appeals

If we deny a request, you may appeal by replying to our denial with "Appeal" in the subject line, or by emailing [email protected]. We will respond to the appeal within sixty (60) days. If your appeal is denied, you may contact your state attorney general or supervisory authority.

12.6 End-consumer requests

If you are an end consumer of a BHmetrics customer, the customer is the controller / business of record. Please direct your request to them first. We will assist the customer in fulfilling verified requests as required by our DPA and applicable law.

13. State-specific disclosures

13.1 California (CCPA / CPRA, Shine the Light, "Your Privacy Choices")

This section supplements Sections 3 through 12 for California residents. In the preceding twelve (12) months, we collected and disclosed the categories of personal information listed in Section 3.5 for the business purposes described in Section 6. We did not sell or share personal information for cross-context behavioral advertising. We do not collect "sensitive personal information" as defined under CPRA. We act as a "service provider" to our customers with respect to Customer Data; the customer is the "business". We retain personal information for the periods described in Section 11.

California Shine the Light (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for those third parties' direct marketing purposes. California residents may submit Shine-the-Light inquiries to [email protected].

"Your Privacy Choices". Because we do not sell or share personal information, we do not maintain a "Do Not Sell or Share My Personal Information" link. You may nonetheless submit a confirmatory opt-out request to [email protected]. We do not sell or share for cross-context behavioral advertising, so a confirmed opt-out reaffirms that posture.

13.2 Nevada (SB220 / SB260)

Nevada residents may submit a verified request not to sell certain covered personal information to [email protected]. We do not currently engage in the sale of personal information as defined under Nevada law.

13.3 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Iowa, Tennessee, Montana, Indiana, and other states

Residents of these states may exercise the rights listed in Section 12, as applicable. We process personal information in our capacity as a "controller" for Prospect Data and operator-side User Data, and as a "processor" for Customer Data. We do not engage in "targeted advertising" or "profiling" decisions producing legal or similarly significant effects.

14. International data transfers

BHmetrics's infrastructure is primarily located in the United States. If you or your end consumers are in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with cross-border-transfer restrictions, personal data is transferred to and processed in the United States and other countries that may not offer the same level of data protection as your home jurisdiction. We rely on the following safeguards:

EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as incorporated into our DPA, including Module 2 (controller-to-processor) and Module 3 (processor-to-subprocessor).
UK International Data Transfer Addendum / IDTA to the EU SCCs for transfers from the United Kingdom.
Swiss-equivalent SCCs for transfers from Switzerland under the FADP.
Supplementary measures: encryption at rest (AES-256-GCM) and in transit (TLS 1.2+), pseudonymization (SHA-256 hashing of end-consumer identifiers), access controls, audit logging, and transfer-impact assessments.

We may, in the future, self-certify under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. DPF; if and when we do, we will update this Section and the DPA accordingly. Copies of the SCCs are available on request.

15. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data, including:

Encryption at rest (AES-256-GCM for sensitive data) and in transit (TLS 1.2 or higher).
Secrets management with hardware-backed key storage; OAuth refresh tokens encrypted at the application layer.
Role-based access control, least-privilege provisioning, single sign-on, and mandatory two-factor authentication for production access.
Network isolation, firewalled environments, hardened images, and continuous vulnerability scanning.
Audit logging of administrative actions and automation; immutable change logs.
Regular backups, disaster-recovery testing, and an incident-response plan.
Vendor security review of subprocessors and contractually required equivalent protections.
SHA-256 hashing of end-consumer identifiers in the browser or storefront before transmission to us.

NO SYSTEM IS FULLY SECURE. We cannot guarantee that the Service will be immune from wrongdoing, malfunction, unlawful interception, hacking, tampering, or other misuse. You provide personal data at your own risk and are responsible for protecting your credentials and devices. If we become aware of a personal-data breach affecting Customer Data, we will notify you without undue delay (and in any event in accordance with our DPA and applicable law), provide information reasonably needed to comply with notification obligations, and cooperate in remediation. To report a suspected vulnerability or incident, email [email protected].

16. AI and automated decision-making

The Service includes automated processing — rule engines, multi-armed bandits, budget allocators, attribution models (MTA, MMM, incrementality), predictive lifetime-value modeling, anomaly detection, creative tagging and embeddings, and the AI Copilot. By default, BHmetrics recommends actions and the operator (you) decides whether to apply them. You may enable auto-apply for specific rule categories. These features operate against you, the operator, and against advertising campaigns, not against your end consumers. They do not produce legal or similarly significant effects on identified individuals. You remain responsible for the configuration, supervision, and outcomes of any automation you enable, and you can disable automation at any time via Settings → Brand or the "Freeze All Automation" toggle.

16.1 What goes to the AI Copilot

When you use the AI Copilot, we send to our AI subprocessor (currently Anthropic) only the chat input you submit together with aggregated brand context: brand name, current guardrail configuration, list of active rule names and statuses, summaries of open anomalies, summaries of recent automation-log entries, and your conversation history within that thread. We do not send raw end-consumer event data, hashed end-consumer identifiers, individual click events, or any PII to the AI subprocessor. Under Anthropic's commercial terms of service, Anthropic does not use inputs or outputs submitted through its commercial API to train its foundation models.

16.2 Creative embeddings

Where the Service generates vector embeddings of creative assets (images, video frames, ad copy) for similarity search, brand-voice matching, or fatigue detection, the embedding provider receives only the asset reference necessary to compute the embedding and is is engaged under terms that do not permit retention or training on the asset.

16.3 No training on Customer Data

We do not use Customer Data, Prospect Data, or User Data to train foundation AI models. We rely on our AI subprocessors' commercial terms (e.g., Anthropic's commercial API terms) which provide that customer inputs and outputs are not used for foundation-model training. We may use aggregated and de-identified usage data to evaluate, monitor, and improve our internal models (e.g., predictive-LTV, MMM) and the Service.

16A. Cooperative benchmarking (opt-out)

BHmetrics operates a cooperative benchmarking pool that contributes anonymized, aggregated performance metrics — for example, industry-tier ROAS, CPM, CTR, and CPA at the brand-cluster level — so that participating brands can compare against the pool. Brands are enrolled by default, and you may opt out at any time from Settings → Brand.

Contributions are de-identified: the brand identifier is hashed and metrics are aggregated across multiple brands within an industry / revenue tier so that re-identification of a contributing brand is not reasonably possible. No end-consumer personal data, hashed identifiers, click data, or PII is included — only aggregated brand-level performance KPIs.

After you opt out, we stop contributing further metrics from your brand on a going-forward basis. Aggregated metrics already contributed remain in the pool and are not retroactively removable because they are not identifying.

17. Children

The Service is a B2B product not directed to children. We do not knowingly collect personal data from anyone under sixteen (16) — or under thirteen (13) in the United States, consistent with COPPA. If we learn we have collected such data, we will block use and delete it. If you believe a child has interacted with the Service, contact us at [email protected].

18. Third-party links and Connected Platforms

The Service contains links to, and integrations with, third-party services (Connected Platforms, payment providers, support tools, advertisers). Their privacy practices are governed by their own policies, not this Policy. We encourage you to review them. We are not responsible for the privacy practices, content, or security of any third-party service.

19. Marketing communications

We send transactional and account-related email (sign-up confirmation, billing, rule fires, security notices, weekly digest) on a service-essential basis; you cannot opt out of service-essential communications. Marketing email is opt-in (where required) and includes one-click unsubscribe. You can manage email preferences in Settings at any time. If you unsubscribe from marketing email, we will continue to send transactional and legal notices required to operate the Service.

20. Do Not Sell or Share My Personal Information

We do not sell or share personal information for cross-context behavioral advertising, and we have no "Do Not Sell or Share" action to take on your behalf. You may submit a confirmatory request to [email protected]; we will respond in writing reaffirming the no-sale, no-share posture.

21. Customer responsibilities (DPA scope)

Our customers are solely responsible for determining whether and how they use the Service, and for ensuring that all Authorized Users, and all individuals whose personal data is included in Customer Data processed through the Service, have been provided with adequate notice and given informed consent to the processing of their personal data where consent is necessary or advised, and that all legal requirements applicable to the collection, recording, use, or other processing of data through the Service are fully met. Customers are also responsible for handling data-subject rights requests under applicable law by their users and other individuals whose data they process through the Service. Our role, responsibilities, and Customer's responsibilities are further described in our DPA.

22. Changes to this Policy

We may update this Policy from time to time. Material changes are announced by email at least thirty (30) days before they take effect, or, where required by law, with the consent we are required to obtain. Minor edits (typos, contact-info updates, subprocessor additions covered by Section 9) are reflected here with a new "Last updated" date. Continued use after the effective date of a material change constitutes acceptance to the extent permitted by law.

23. Data Protection contacts

General privacy inquiries. Choclement LLC, doing business as BHmetrics
c/o registered agent on file with the Delaware Secretary of State
Email: [email protected]
Service URL: bhmetrics.com

Data Protection Officer. We are not currently required to appoint a statutory Data Protection Officer under GDPR Article 37. If and when we do, we will publish their contact here. In the meantime, privacy inquiries are handled by [email protected].

EU and UK Representatives. If we appoint a Representative under GDPR Article 27 or UK GDPR Article 27, their contact details will be listed here. In the meantime, EU/EEA, UK, and Swiss residents may direct inquiries to [email protected], and may also contact their local supervisory authority.

Supervisory authorities. EU/EEA residents may lodge complaints with the supervisory authority in their member state (a list is at edpb.europa.eu). UK residents may contact the Information Commissioner's Office (ico.org.uk). Swiss residents may contact the Federal Data Protection and Information Commissioner. U.S. residents may contact their state attorney general or applicable privacy regulator.