This Privacy Policy describes how Massive Dynamic SAS ("Massive Dynamic," "we," "us," or "our") collects, uses, shares, and protects Personal Data in connection with the Massive Dynamic B2B Software-as-a-Service web application (the "Service") and our corporate website (the "Website").

Massive Dynamic is committed to protecting the privacy and security of Personal Data and adhering to applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and relevant French data protection legislation. The Commission Nationale de l'Informatique et des Libertés ("CNIL") is our lead supervisory authority in France. This commitment to robust data protection principles is fundamental to our operations and is designed to foster trust with our Clients and their users. This policy is also intended to meet the specific requirements set forth by Meta Platforms, Inc. ("Meta") for applications utilizing its Application Programming Interfaces ("APIs"), such as the Meta Marketing API.

This policy applies to:

• Authorized users of our Clients (typically employees or representatives of large global advertisers, hereinafter "Client Users") who access and use the Service.
• Personal Data processed via the Meta Marketing API on behalf of, and as instructed by, our Clients.
• Visitors to our Website.

Definitions:

• "Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition aligns with Article 4(1) of the GDPR and encompasses Meta's definition of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with an individual, directly or indirectly.3
• "Processing": Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• "Controller": The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
• "Processor": A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
• "Client": The legal entity (e.g., a large global advertiser) that has subscribed to the Service.
• "Client User": An individual authorized by a Client to access and use the Service.
• "Service Data": Data, including advertising configurations, performance metrics, and insights, that Massive Dynamic accesses from a Client's Meta ad accounts via the Meta Marketing API, or data generated by the Service based on such Meta ad account data.
• "Usage Data": Data collected automatically about how Client Users interact with the Service or visitors interact with the Website.

This policy is an "Organization level privacy policy" that references our "application(s)" and "services," as expected by platforms like Meta.2 It is Massive Dynamic's own policy and not that of any other company.

We collect Personal Data from Client Users when they, or their employing Client, provide it to us directly. This includes:

• Account Registration and Profile Information: When a Client User account is created, we collect information such as full name, business email address, job title, company name, and business phone number.
• Account Credentials: Username and password (which is stored in a hashed format for security).
• Communications: When Client Users contact us for support, provide feedback, or otherwise communicate with us, we may collect the content of those communications and any associated contact information.

Upon authorization by our Clients, the Service connects to the Client's Meta ad accounts using the Meta Marketing API. This connection allows Massive Dynamic to access and process Service Data on behalf of the Client. The types of Service Data accessed include, but are not limited to:

• Ad Account Information: Meta ad account ID, ad account name, currency used by the ad account, and account status.
• Campaign Data: Campaign IDs, campaign objectives, ad set information (such as budgets, schedules, bid strategies, and targeting parameters like audience demographics or interests, as defined by the Client within Meta).
• Ad Creative Information: Ad IDs and metadata related to ad creatives (e.g., format, links). Massive Dynamic typically processes metadata about creatives rather than storing the raw creative assets themselves, unless specifically required for an analytical feature and agreed with the Client.
• Ad Performance and Insights Data: Metrics related to ad performance, such as impressions, clicks, click-through rates, conversions, cost per result, spend, reach, frequency, engagement metrics (e.g., likes, comments, shares, as provided by Meta), and audience insights as available through the Meta Insights API. This data is generally aggregated and statistical, relating to the performance of advertising campaigns rather than directly identifying individual consumers who viewed the ads.
• Configuration Data: Settings, rules, and parameters related to the Client's ad campaigns and ad sets as configured within Meta and accessed via the API.

Access to this Service Data is governed by the permissions granted by the Client to Massive Dynamic through the Meta API authorization process.

When Client Users interact with the Service or visitors browse our Website, we automatically collect certain information about their device and usage patterns:

• Device and Connection Information: IP address, browser type and version, operating system, device type, screen resolution.
• Usage Details: Pages visited on our Website or Service, features utilized within the Service, time spent on pages/features, actions taken (e.g., buttons clicked), error logs, and referring URLs.

This information is collected through:

• Server Logs: Standard logs generated by our web servers.
• Cookies and Similar Technologies: We use cookies (small text files placed on a device) and similar technologies (e.g., web beacons, pixels) to operate and personalize the Service and Website, analyze usage, and for session management.
• We use essential cookies for core functionality, performance cookies to understand how our Service is used, and functional cookies to remember preferences.
• Detailed information about the types of cookies we use, their purpose, duration, and how users can manage their cookie preferences (including providing or withdrawing consent in line with ePrivacy and GDPR requirements) is available in our separate Cookie Policy, which is accessible via a link on our Website and a consent management banner.

The AI primarily processes Service Data obtained with Client authorization via the Meta Marketing API. This includes:

• Historical and real-time advertising campaign configurations (e.g., targeting parameters, budget settings, bid strategies).
• Ad performance data (e.g., impressions, clicks, conversions, spend, engagement metrics).
• Audience insights provided by Meta.

The AI is designed to operate on data related to advertising activities and performance, often at an aggregated or statistical level. It is not designed to process or infer sensitive personal information about individual consumers who view our Clients' advertisements. In some instances, Client User preferences or interaction patterns within the Massive Dynamic Service may be used to personalize the AI "copilot" experience for that specific Client User, enhancing the relevance of suggestions and analyses provided to them.

The overarching purpose of using AI is to enhance the value of the Service for our Clients by:

• Providing actionable insights that can lead to improved advertising return on investment.
• Increasing the efficiency of ad campaign management.
• Empowering marketing teams with advanced analytical capabilities.

To ensure the continuous improvement of our AI capabilities, the underlying models and algorithms are periodically refined.

• Client-Specific Models: Where feasible and appropriate, AI models may be tailored or fine-tuned based on an individual Client's own Service Data to improve performance specifically for that Client.
• Aggregated, Anonymized Data for General Model Improvement: For enhancing the general capabilities of our AI models that benefit all Clients, Massive Dynamic may use Service Data that has been rigorously anonymized and aggregated. This process ensures that such data does not identify any individual Data Subject, nor does it allow for the re-identification of a specific Client's proprietary campaign details or performance once aggregated with data from other sources. This approach is critical; using one client's data, even if anonymized, to train models that benefit other clients can be viewed as a secondary use. Therefore, ensuring robust anonymization and a strong, well-documented legal basis (such as legitimate interest with comprehensive safeguards, or explicit consent if anonymization is not perfect) is paramount to maintain both GDPR compliance and client trust.10

CNIL's 2024 guidance specifically addresses AI design and learning, highlighting the regulatory focus on this area.

Massive Dynamic does not sell Personal Data to third parties. This is a core principle of our data handling practices.

We may share Personal Data with the following categories of third parties, only for the purposes described in this Privacy Policy and with appropriate safeguards in place:

We engage trusted third-party companies and individuals to perform services on our behalf or to assist us in providing and improving the Service. These service providers act as our sub-processors and may have access to Personal Data only to perform these tasks as instructed by Massive Dynamic. They are contractually obligated (typically through Data Processing Agreements - DPAs) to protect the confidentiality and security of Personal Data and are prohibited from using it for any other purpose.

Examples of service providers include:

• Cloud hosting and infrastructure providers (e.g., Google Cloud Platform).
• Data analytics providers (e.g., MixPanel).
• Customer support platform providers.
• Communication tool providers.
• Payment processing providers.

The Service, by its nature, interacts extensively with Meta's systems via the Meta Marketing API. This involves:

• Retrieving Service Data from a Client's Meta ad accounts as authorized by the Client.
• Sending data back to Meta when Client Users make changes to their ad campaigns or configurations through our Service (e.g., updating budgets, bids, or ad statuses). This sharing is integral to the functionality of the Service.

We may disclose Personal Data if we believe in good faith that such disclosure is necessary to:

• Comply with a valid legal obligation, such as a law, regulation, subpoena, court order, or other lawful request from public authorities (including to meet national security or law enforcement requirements).
• Protect and defend the rights, property, or safety of Massive Dynamic, our Clients, our Client Users, or the public.
• Prevent or investigate possible wrongdoing in connection with the Service.

In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, Personal Data may be transferred as part of such a transaction. We will notify Clients and Client Users of any such deal and outline their choices in that event, particularly if their Personal Data becomes subject to a different privacy policy.

List of Key Sub-processors:

Transparency regarding the third parties involved in processing data is a key tenet of the GDPR.13 The following table lists our key sub-processors. This list is subject to change, and we will endeavor to keep it updated. Clients will be informed of material changes to this list as per our contractual agreements. Maintaining an accurate and updated list of sub-processors is not merely a transparency exercise; it's an ongoing operational commitment crucial for GDPR compliance and for facilitating our Clients' own due diligence processes.

Personal Data collected by Massive Dynamic may be transferred to, stored, and processed in countries outside of the European Economic Area (EEA), including the United States of America, where some of our key service providers, such as Google Cloud Platform and Meta, are located or have data processing operations. Massive Dynamic is committed to ensuring that all international transfers of Personal Data are conducted in compliance with Chapter V of the GDPR and with appropriate safeguards in place to protect the data.

Our primary mechanisms for ensuring lawful international data transfers include:

• Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection (an "adequacy decision"), we may rely on this decision for transfers to recipients in that country. For example, for transfers to U.S. organizations certified under the EU-U.S. Data Privacy Framework (DPF), we may rely on the DPF, provided the specific recipient is certified and the DPF remains a valid transfer mechanism.
• Standard Contractual Clauses (SCCs): For transfers to countries not covered by an adequacy decision, or as a supplementary measure, we primarily rely on the Standard Contractual Clauses adopted by the European Commission. These clauses impose contractual obligations on the data importer to protect Personal Data to a standard equivalent to that within the EEA.
• Transfer Impact Assessments (TIAs): In conjunction with SCCs, we conduct Transfer Impact Assessments as necessary to evaluate the level of data protection in the recipient country and to identify and implement any supplementary measures required to ensure that the data remains adequately protected. This reflects an understanding that SCCs alone may not always be sufficient, depending on the laws and practices of the third country.
• Google Cloud Platform (GCP): Data stored and processed using GCP may be located in various global data centers. Transfers of Personal Data within GCP's infrastructure are governed by Google's Data Processing Addendum (or Cloud Data Processing Addendum - CDPA), which incorporates SCCs to legitimize transfers outside the EEA.15 Clients may have some control over the primary region for their data storage, which can influence transfer complexities.
• Meta Platforms, Inc.: Transfers of data to Meta in the United States are also subject to Meta's established data transfer mechanisms, which typically include SCCs or reliance on the DPF if the relevant Meta entities are certified.

Further information on the specific safeguards applied to international data transfers can be provided upon reasonable request.

Massive Dynamic takes the security of Personal Data very seriously and implements appropriate technical and organizational measures (TOMs) to protect it against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are designed considering the nature, scope, context, and purposes of the Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with Article 32 of the GDPR and CNIL guidelines.

Our security measures include, but are not limited to:

• Access Controls:
• Implementation of role-based access controls (RBAC) to ensure that personnel can only access Personal Data necessary for their job functions.
• Strong authentication mechanisms for Client Users and internal systems, including multi-factor authentication (MFA) where appropriate.
• Encryption:
• Encryption of Personal Data in transit using industry-standard protocols such as HTTPS/TLS.
• Encryption of Personal Data at rest, for example, data stored within Google Cloud Platform is encrypted at rest by default.
• Network Security: Use of firewalls, intrusion detection and prevention systems (IDPS), and other network security technologies to protect our systems from external threats. We leverage the robust network security capabilities provided by Google Cloud Platform.
• Data Minimization: Collecting and retaining only the Personal Data that is strictly necessary for the purposes for which it is processed.
• Secure Development Practices: Integrating security considerations into our software development lifecycle (SDLC), including code reviews and testing for vulnerabilities.
• Regular Security Assessments: Conducting periodic security assessments, which may include vulnerability scanning and penetration testing, to identify and remediate potential weaknesses.
• Incident Response Plan: Maintaining an incident response plan to effectively manage and mitigate the impact of any data security incidents, including procedures for notification to supervisory authorities and affected Data Subjects where required by GDPR. Google Cloud Platform also has its own incident notification processes outlined in its DPA.
• Employee Training and Awareness: Providing regular data protection and security training to our employees to ensure they understand their responsibilities in safeguarding Personal Data.
• Physical Security: For data hosted on Google Cloud Platform, we rely on Google's extensive physical security measures for their data centers, which include multi-layered security controls, biometric access, surveillance, and environmental protections.

Client Responsibilities: Clients and Client Users are responsible for maintaining the confidentiality and security of their account credentials for accessing the Service.

Disclaimer: While Massive Dynamic implements comprehensive security measures, it is important to acknowledge that no system or method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security.

Massive Dynamic adheres to the GDPR's principle of storage limitation (Article 5(1)(e)), which requires that Personal Data be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

Retention Periods by Data Type/Purpose:

• Client User Account Data: Personal Data associated with Client User accounts (e.g., name, email, account settings) is retained for the duration of the Client's active subscription or contract with Massive Dynamic. Following the termination of the Client's contract, this data may be retained for up to twelve (12) months to facilitate account reactivation, address any outstanding contractual matters, resolve disputes, or as required for our own record-keeping and legal compliance.
• Service Data (from Meta API):
• Service Data accessed from a Client's Meta ad accounts is actively processed and retained as long as the Client's account with Massive Dynamic is active and the data is necessary to provide the Service to that Client.
• Upon termination of a Client's account, or upon specific request from the Client (as the Data Controller of this Service Data), the Service Data associated with that Client will be securely deleted or fully anonymized from our active systems within ninety (90) days, unless there is a legal obligation or an overriding legitimate interest (such as a legal hold) that requires its continued retention. Such exceptions will be narrowly construed.
• Clients may, in some instances, have options within the Service to configure retention settings for certain aspects of their own Service Data.
• Usage Data (Analytics, Logs): Usage Data collected for analytics, troubleshooting, and security monitoring (e.g., server logs, application logs, website analytics data) is retained for eighteen (18) months. After this period, such data is either deleted or aggregated/anonymized so that it no longer identifies individuals.
• AI Model Data:
• If AI models are trained using Client-specific Service Data, the raw training data follows the retention period of the underlying Service Data.
• Data used for training general AI models (as described in Section 4) is anonymized and aggregated promptly. The anonymized/aggregated datasets used for ongoing model refinement may be retained as long as they are actively contributing to model improvement, but they do not constitute Personal Data.
• Backup Data: Personal Data may persist in our backup archives for up to six (6) months beyond the active retention period. Backup data is isolated, not actively processed, and is securely overwritten according to our backup rotation schedule. It would only be accessed for disaster recovery purposes.
• Legal and Regulatory Requirements: Certain categories of Personal Data (e.g., financial transaction records, invoices, contractual agreements, formal communications) may be retained for longer periods as required by applicable French law or other relevant legal or regulatory obligations.

Review of Retention Periods: Our data retention periods and policies are periodically reviewed and updated as necessary to ensure they remain appropriate for the purposes of processing and compliant with applicable laws. The "Data Deletion" rights of individuals (detailed in Section 9) interact with these retention policies; a user may request deletion before a standard retention period expires, and such requests will be honored unless a specific legal exception applies.

To exercise any of these rights, please contact us using the details provided in Section 13 ("Contact Information") of this Privacy Policy.

We will respond to requests "without undue delay" and generally within one month of receipt of the request, as required by GDPR.24 This period may be extended by two further months where necessary, taking into account the complexity and number of requests; we will inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

We may need to request specific information from the person making the request to help us confirm their identity and ensure their right to access their Personal Data (or to exercise any of their other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

Data Subjects have the right to lodge a complaint with a data protection supervisory authority if they believe that our processing of their Personal Data infringes the GDPR. As Massive Dynamic is incorporated in France, our lead supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés). Contact details for the CNIL can be found on their website (www.cnil.fr). Data Subjects may also lodge a complaint with the supervisory authority in the EU Member State of their habitual residence, place of work, or place of the alleged infringement.

Provisions for data subject rights are also integral to international transfer mechanisms like SCCs and the DPF.

Massive Dynamic is committed to complying with Meta's Developer Policies and Platform Terms, including all requirements applicable to applications that use the Meta Marketing API. This Privacy Policy is specifically designed to meet these obligations. This dedicated section serves to reassure Meta's review teams that their specific concerns have been proactively addressed, potentially streamlining API access and maintenance processes.

• Data from Meta: We reiterate that all data obtained from the Meta Marketing API ("Service Data") is accessed solely with the explicit authorization of our Clients (the advertisers). This data is used exclusively to provide and improve the Service for the authorizing Client, as detailed in Sections 2, 3, and 4 of this Policy.
• Policy Accessibility: This Privacy Policy is maintained and made available via an active, publicly accessible, easily navigable, and non-geoblocked URL on our Website. This URL is also disclosed in the designated privacy policy field within the settings of our App Dashboard on the Meta for Developers platform.1
• Crawler Access: We ensure that Meta's crawlers are permitted to access the URL of this Privacy Policy and other relevant URLs specified in our app settings, to facilitate Meta's ongoing compliance checks.1
• Transparency on Data Usage:
• What data is collected: Section 2 ("Information We Collect and How") details the types of data accessed from the Meta Marketing API.
• How data is used and purposes: Section 3 ("How We Use Your Information") and Section 4 ("Our Use of Artificial Intelligence (AI)") comprehensively explain how Service Data from Meta is processed, the purposes of this processing, and the role of AI.
• Data Deletion Pathway: As clearly stated in Section 9 ("Your Data Protection Rights under GDPR"), we provide a distinct pathway for data deletion requests:
• Client Users can request deletion of their Personal Data associated with their Massive Dynamic account.
• Clients (advertisers), as Data Controllers of the Service Data obtained from their Meta ad accounts, can instruct Massive Dynamic to delete this Service Data from our systems. Such requests can be made by contacting us at privacy@massivedynamic.com or through their designated account representative. We will process these requests in line with our contractual commitments and applicable legal requirements.1
• No Sale of Data: We explicitly state and affirm that we do not sell any Personal Data, including any data obtained from Meta.3
• Adherence to Meta Terms: Massive Dynamic commits to adhering to all applicable Meta Platform Terms, Developer Policies, and any other relevant terms and conditions governing the use of the Meta Marketing API and the handling of data derived therefrom.

The Service and Website provided by Massive Dynamic are intended for use by businesses and their authorized adult representatives (Client Users). They are not designed for or directed at individuals under the age of 16 (or any higher age of digital consent applicable in a relevant jurisdiction, such as under the U.S. Children's Online Privacy Protection Act - COPPA, which applies to children under 13).

Massive Dynamic does not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child without verification of parental consent (where applicable), we will take prompt steps to delete that information from our records.

If you are a parent or guardian and believe that your child has provided us with Personal Data, please contact us using the details in Section 13 ("Contact Information"). While this clause addresses a low-risk scenario for a B2B SaaS platform, its inclusion is standard practice and demonstrates a comprehensive approach to privacy.

Massive Dynamic reserves the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, service offerings, or applicable legal and regulatory requirements. Such updates are necessary to ensure ongoing compliance and transparency, as emphasized by regulatory bodies like the CNIL.

Notification of Changes:

• For material changes to this Privacy Policy (i.e., changes that significantly alter our data processing practices or affect Data Subject rights), we will provide prominent notice to our Clients and Client Users. This notification may be provided via email to the registered email address associated with Client accounts, through a notice within the Service, or via a prominent announcement on our Website prior to the change becoming effective. The method of notification will be proportionate to the significance of the change.
• For minor changes that do not materially affect privacy rights, updating the "Effective Date" at the top of this Privacy Policy may be deemed sufficient notice.

Review of Policy:

We encourage Clients, Client Users, and Website visitors to review this Privacy Policy periodically to stay informed about how we are protecting Personal Data. Continued use of the Service or Website after any changes to this Privacy Policy constitutes acceptance of the revised policy, subject to applicable consent requirements for material changes.

The "Effective Date" at the top of this policy indicates when this version was last revised and came into effect.

If you have any questions, concerns, or complaints about this Privacy Policy, our data handling practices, or if you wish to exercise your data protection rights, please contact Massive Dynamic:

Company Name: Massive Dynamic SAS

Designated Privacy Email: privacy@massive-dynamic.ai

Postal Address:

Massive Dynamic SAS

78 rue de Longchamp, 75116 Paris

France

Data Protection Officer (DPO): Trystan Chabert

Massive Dynamic has appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws. The CNIL strongly recommends the appointment of a DPO, even if not strictly mandated by GDPR criteria, as it signals a strong commitment to data protection.17 Our DPO can be reached through the privacy email address listed above (privacy@massivedynamic.com), please mark your communication for the attention of the DPO. Clear and accessible contact information is crucial for Data Subjects to exercise their rights and can prevent unnecessary escalations to supervisory authorities.