Privacy Policy

Last updated 2026-05-07

Data Controller: JN DIGITAL, MB (registered in Lithuania)
Contact: info@tryvexa.ai
Service: Cato, a Meta Ads management tool available at app.tryvexa.ai (the "Service")

In this privacy policy we, JN DIGITAL, MB, with a registered address in Lithuania ("Vexa", "we", or "us"), explain how we treat personal information received about you when you use the website located at tryvexa.ai, the Cato application at app.tryvexa.ai, and any other interactive properties owned and operated by JN DIGITAL (the "Site"). On the Site, we provide our clients with Meta (Facebook, Instagram) advertising automation tools ("Services").

JN DIGITAL understands that your privacy is important to you. We are committed to protecting the privacy of your personally identifiable information as you use the Site. This privacy policy tells you how we protect and use information that we gather directly from you or from other sources. You should also read our Terms of Service to understand the general rules about your use of the Site.

1. How we use your personal data

In this section you will find:

the purposes for which we process your data,
how we use your personal data,
the categories of data we process,
the legal basis for processing,
the data retention period.

Purpose & how we use it	Personal data	Legal basis (GDPR Art. 6)	Retention period
User registration. We process your information to create and manage your account, enabling you to use the Services.	Email address, password (hashed by our authentication provider).	Necessary to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b)).	Until deactivation of your account, or 2 years after your last login.
Providing Services. We process your data to enable Meta Ads management, Google Drive media import, and any optional integrations you configure.	Meta Marketing API credentials and tokens, Google Drive OAuth tokens, optional API keys (OpenAI, Anthropic, Firecrawl, YouTube, ElevenLabs, GA4 service account JSON), uploaded media files, ad campaign configurations.	Performance of a contract to which you are a party (Art. 6(1)(b)).	Until you remove the credential in Settings, disconnect the integration, or deactivate your account.
Paying for Services. We process your payment data to facilitate transactions and provide you access to paid Services.	Email address, payment method, payment card or bank details, billing address, VAT number where applicable.	Performance of a contract (Art. 6(1)(b)) and legal obligation under Lithuanian Accounting Law (Art. 6(1)(c)).	10 years after the end of the financial year in which the transaction occurred (mandatory under Lithuanian law).
Setting up profile information. We collect and use profile details to personalize your experience.	Name, role, company information (name, website, brand profile), naming convention, branding preferences.	Performance of a contract (Art. 6(1)(b)).	Until deactivation of your account, or 2 years after your last login.
Operational logging. We process technical data to operate, secure, and debug the Service.	IP address, browser type, request paths, response codes, timestamps, unique device identifiers.	Legitimate interest in the security and stability of the Service (Art. 6(1)(f)).	30 days for raw server logs, longer for aggregated, non-identifying analytics.
Audit logging. We record mutating actions (settings changes, ad launches, integrations connected or disconnected) tied to your account.	User ID, action type, timestamp, target object IDs (e.g. Meta campaign ID).	Legitimate interest (Art. 6(1)(f)) and performance of a contract (Art. 6(1)(b)).	Lifetime of the account, plus 90 days after deletion.
Managing enquiries. We process your data to respond to inquiries and provide assistance.	Email address, text of enquiry, attachments you choose to share.	Consent (Art. 6(1)(a)) and legitimate interest (Art. 6(1)(f)).	2 years from the date of last communication.
Direct marketing. With your consent, we use your data to send product updates and promotional content via email.	Email address, name.	Consent (Art. 6(1)(a)).	2 years after the date the consent was received, or until you withdraw consent.
Establishment, exercise, or defense of legal claims. If necessary, we process relevant data to protect and enforce legal rights.	All information listed above.	Legitimate interest (Art. 6(1)(f)).	1 year after the final settlement of the dispute, or until expiry of the applicable statute of limitations.

2. About cookies

Cookies are small textual files containing identifiers that are sent by a web server to your web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to information stored in and obtained from cookies.

Cookies that we use:

Necessary cookies: these cookies help to make the Site usable by enabling basic functions like page navigation and access to secure areas of the Site. The Site cannot function properly without these cookies. They include the session token used to keep you logged in.
Statistic cookies: if enabled, these cookies allow us to monitor and analyse visits from a variety of traffic sources, helping us improve the Site. The data collected by statistic cookies is aggregated and anonymous.

We do not use third-party advertising or behavioural-tracking cookies on the application.

3. With whom we share your data

We share your data with the following categories of recipients only to the extent necessary to deliver the Service:

Authentication provider: Supabase, Inc. (supabase.com/privacy) processes your email and hashed password.
Meta Platforms Ireland Ltd. (facebook.com/privacy/policy) receives the API calls we make on your behalf when you use the Meta Ads features.
Google Ireland Ltd. (policies.google.com/privacy) processes Drive folder reads and OAuth token exchanges when you use the Drive integration.
Hosting provider (currently Railway, Inc.) provides the compute and storage on which the Service runs.
Cloudflare, Inc. (cloudflare.com/privacypolicy) provides DNS, content delivery, and DDoS protection.
Optional integrations you configure. If you provide API keys for OpenAI, Anthropic, Firecrawl, YouTube Data API, ElevenLabs, or GA4, those providers process the relevant data when the corresponding feature is used. Their privacy policies apply to that processing.
Public authorities. Where we are required by law to disclose data in response to valid legal requests.
Legal advisors and auditors. Where necessary for the establishment, exercise, or defense of legal claims, or for compliance with our legal obligations.
In a business transfer. If JN DIGITAL is involved in a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, which will be bound by this Privacy Policy or a substantially similar one.

4. International data transfers

Some of our sub-processors are based outside the European Economic Area (notably the United States). When data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and any applicable adequacy decisions. You can request a copy of the SCCs by emailing info@tryvexa.ai.

5. How we protect your data

Encryption at rest. All integration credentials and OAuth tokens are encrypted with Fernet (AES-128-CBC with HMAC-SHA256) using a server-side encryption key never exposed to the frontend.
Encryption in transit. All traffic is served over HTTPS (TLS 1.2 or higher).
Per-user isolation. Each user's settings, uploads, and API tokens live in a separate per-user storage namespace, enforced at the application layer.
Secret redaction in the UI. The application never sends a full API key or token back to your browser. Only the last four characters are shown for verification.
Authentication. Passwords are bcrypt-hashed by our authentication provider. We do not see your password.
Path safety. File operations are constrained to the per-user uploads directory using basename and realpath checks.

The security of your personal data is important to us, but no method of transmission over the Internet or method of electronic storage is 100% secure. While we use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

6. Your rights under GDPR

You have the right to:

Access a copy of the personal data we hold about you.
Rectify inaccurate data.
Erase your data (the "right to be forgotten"), subject to legal retention requirements.
Restrict processing while a dispute is resolved.
Receive your data in a machine-readable format (data portability).
Object to processing based on legitimate interests.
Withdraw consent at any time, where processing is based on consent.
Lodge a complaint with the Lithuanian supervisory authority, Valstybinė duomenų apsaugos inspekcija (VDAI), at vdai.lrv.lt.

To exercise any of these rights, email info@tryvexa.ai. We will respond within 30 days.

7. Children

The Service is a B2B advertising tool not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, contact info@tryvexa.ai and we will delete it.

8. Links to other websites

The Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

9. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and, where required, by sending you a notification by email at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision. You are advised to review this Privacy Policy periodically for any changes.

10. Contact us

If you have any questions about this Privacy Policy, contact us by email at info@tryvexa.ai.

JN DIGITAL, MB · Lithuania · tryvexa.ai