Privacy Policy
Effective Date: May 17, 2026 · Last Updated: May 17, 2026
- Introduction
- Definitions
- Information We Collect
- How We Use Information
- Machine Learning & Aggregated Data
- Google API Services User Data Policy
- Data Storage and Security
- Data Retention
- Sub-Processors
- Your Privacy Rights
- California Residents (CCPA/CPRA)
- EU and UK Residents
- Children
- Acceptance Records
- Cookies
- Changes to This Policy
- Contact
1. Introduction
This Privacy Policy describes how The JSR Engine ("we," "us," "our") collects, uses, stores, discloses, and protects information when you use the website at thejsrengine.com and the related Google Ads automation platform (the "Service"). It applies to all users of the Service, including customers, affiliates, and prospective users who interact with our marketing pages. This Policy is incorporated into our Terms of Service by reference.
If you have questions about anything in this Policy, contact support@thejsrengine.com.
2. Definitions
The following definitions are used consistently with our Terms of Service, Section 13:
- Customer Data means data you submit to the Service, plus data we receive from your connected Google Ads accounts through OAuth — including campaign, ad group, keyword, search term, ad creative, conversion, and performance data. You own all Customer Data; we process it only to operate the Service for you.
- Service Data means metadata, telemetry, and feedback signals generated by your use of the Service — which recommendations you approve, reject, dismiss, or roll back; configuration choices; navigation patterns; feature usage; error logs; and performance metrics.
- Aggregated Data means data that has been aggregated across multiple customers and de-identified such that it cannot reasonably be linked, directly or indirectly, to you, your business, or any individual.
- Personal Information means information that identifies, relates to, or could reasonably be linked with a particular individual.
3. Information We Collect
We collect the following categories of information:
- Account information. Email address, name, password (stored as a bcrypt hash — we cannot read it), and (if you sign in with Google) your Google account profile picture and unique Google user ID.
- Google Ads data. When you connect a Google Ads account, we access campaign data, ad group structure, keywords, search term reports, ad creative, conversion data, bid information, and related performance metrics through the Google Ads API. We store this data only to provide the Service to you.
- OAuth refresh tokens. The refresh token issued by Google when you authorize access, encrypted at rest using Fernet symmetric authenticated encryption. We never see your Google account password.
- Service Data. Telemetry about your use of the Service: actions taken in the dashboard (approve, reject, roll back, etc.), feature usage, configuration choices, performance metrics, and error logs. See Section 5 for how this is used.
- Billing information. If you subscribe, we store your Stripe customer ID, subscription status, and the last four digits and expiry of your card on file. We never store full credit-card numbers or bank-account details — those live exclusively in Stripe.
- Affiliate information. If you participate in the Affiliate Program: your referral activity (link clicks, signups, conversions), commission and payout history, and milestone progress. Payout processing is handled by Stripe Connect Express; the information you provide to Stripe during Connect onboarding (bank-account details, identity verification documents) is governed by Stripe's Privacy Policy.
- Security data. IP addresses, browser user-agent, and approximate geolocation derived from IP, recorded with login attempts, password changes, OAuth events, and other security-significant events.
- Acceptance records. When you accept our Terms of Service or this Privacy Policy, we record the timestamp, IP address, browser user-agent, and the version of the document accepted. See Section 14.
- Communications. If you email support or use the contact form, we retain the content of those messages.
We do not knowingly collect any other categories of Personal Information.
4. How We Use Information
We use the information we collect to:
- Provide and operate the Service — fetch your Google Ads data, generate recommendations, apply approved changes, render the dashboard, send cycle and digest emails.
- Authenticate you and protect your account against unauthorized access.
- Process subscription payments and affiliate payouts via Stripe.
- Maintain audit logs of recommendations, approvals, and account changes.
- Detect and prevent fraud, abuse, and policy violations — including referral fraud (IP-matching and behavioral analysis) and account abuse.
- Improve the Service and our machine-learning models (see Section 5).
- Communicate with you about the Service — transactional notifications, billing receipts, security alerts, and (only if you have not opted out) the weekly performance digest.
- Comply with legal obligations, respond to lawful requests, and protect our rights and the rights of others.
We do not use your information for cross-context behavioral advertising, do not sell your information, and do not share your information with data brokers.
5. Machine Learning & Aggregated Data
The Service includes machine-learning components — for example, our V2 confidence calibration system, our n-gram waste-detection engine, and our search-term discovery engine — that improve over time using signals about which recommendations users approve or reject.
Service Data and feedback signals. When you approve, reject, or roll back a recommendation, that signal becomes part of Service Data. We use Service Data to operate, maintain, secure, monitor, improve, and develop the Service, including to train, evaluate, and deploy machine-learning models used in the Service. The models are conventional product-improvement models (such as isotonic-regression confidence calibrators and quality classifiers). We do not train generative-AI foundation models or large language models on Customer Data without your separate written consent.
Aggregated Data. We may use Aggregated Data for any lawful purpose, including benchmarking, analytics, research, marketing materials, industry reports, and model training. We will not attempt to re-identify Aggregated Data, and we contractually require any third party that receives Aggregated Data from us to be similarly bound. This commitment is intended to satisfy the de-identification standards in California Civil Code §1798.140 and similar state-law provisions, so that Aggregated Data falls outside the scope of those laws.
Recommendations are not automated decisions about consumers. Recommendations generated by the Service relate to your management of advertising campaigns. They are not "significant decisions" about consumers within the meaning of California CPRA Automated Decision-making Technology regulations, and they are not automated decisions producing legal or similarly significant effects on natural persons under Article 22 of the GDPR.
6. Google API Services User Data Policy
The JSR Engine's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only access Google user data necessary to provide and improve user-facing features of the Service.
- We do not sell Google user data.
- We do not use Google user data for advertising or for retargeting.
- We do not allow humans to read Google user data except (a) with your explicit consent, (b) as necessary for security purposes, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations consistent with the User Data Policy.
You can review and revoke The JSR Engine's access to your Google account at any time at myaccount.google.com/permissions.
7. Data Storage and Security
Your data is stored on access-controlled servers operated by DigitalOcean in the United States. We use industry-standard administrative, technical, and physical safeguards to protect it, including:
- TLS 1.2+ encryption for all data in transit.
- Fernet symmetric authenticated encryption (AES-128-CBC + HMAC-SHA256) for OAuth refresh tokens at rest.
- Bcrypt password hashing.
- HTTP-only, Secure, SameSite=Lax cookies for authentication; JWT-based session tokens with version-based revocation.
- PostgreSQL instance not exposed to the public internet — accessible only from the application server.
- Rate limiting and CSRF protection at the application layer.
We comply with the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act, N.Y. Gen. Bus. Law §899-bb), including maintaining a designated security coordinator, conducting risk assessments, contractually obligating vendors to maintain appropriate safeguards, training employees on security practices, and adhering to a written breach-notification procedure that targets disclosure within 30 days of discovery.
No system is perfectly secure. We disclaim any warranty of absolute security in our Terms of Service, Section 17. If we become aware of a breach affecting your Personal Information, we will notify you as required by applicable law.
8. Data Retention
We retain different categories of data for different periods, generally aligned with the purposes for which we collected the data:
- Customer Data and account information: retained for the duration of your account. On account deletion or termination, deleted within 30 days, with residual copies cleared from backup systems within 90 days, except where retention is required by law.
- Recommendations: expired or rejected recommendations are automatically purged after 7 days; applied recommendations and the action log are retained for 30 days.
- Security event logs (login attempts, IP addresses, geolocation): 90 days, then automatically deleted.
- Billing records: retained for a period consistent with tax and accounting obligations (generally 7 years), independent of account status.
- Acceptance records for Terms of Service and Privacy Policy: retained for at least three (3) years following the conclusion of the account relationship, per our commitment in Terms of Service, Section 22.
- Affiliate records: referral activity, commission, and payout history are retained for the duration of the Affiliate's account and a reasonable period after termination for tax and legal compliance.
- Aggregated Data: retained indefinitely as it is no longer linked to any individual or account.
You may request deletion at any time — see Section 10.
9. Sub-Processors
We use the following service providers ("sub-processors") to operate the Service. Each is engaged under a data processing agreement that contractually obligates them to maintain appropriate safeguards and to process Personal Information only as needed to provide their service.
| Sub-processor | Purpose | Data category | Location |
|---|---|---|---|
| DigitalOcean | Cloud hosting, PostgreSQL database, object storage for backups | All data at rest | United States |
| Stripe | Subscription payment processing, customer-balance credits, Affiliate Program Connect payouts | Billing identifiers, payment-method metadata; for Affiliates, identity verification | United States |
| Google (Google Ads API) | Source of Customer Data; destination for approved campaign mutations | OAuth tokens, account identifiers | United States / Global |
| Resend | Transactional and digest email delivery | Email address, message content | United States |
| MaxMind (GeoLite2) | IP-to-approximate-location lookup for security event logging | IP addresses (processed locally, not transmitted) | Local database; no live data sent |
We will notify you by email at the address associated with your account, or by posting an updated version of this Policy, before adding or replacing a sub-processor that materially affects how Personal Information is processed. We will not add sub-processors that do not satisfy our security and privacy standards.
10. Your Privacy Rights
Regardless of where you live, you may:
- Access: request a copy of the Personal Information we hold about you.
- Correct: request correction of inaccurate Personal Information.
- Delete: request deletion of your account and associated Personal Information. You can also delete your own account at any time from Settings → Delete Account.
- Port: request a copy of your data in a structured, commonly-used, machine-readable format.
- Object or restrict: object to or ask us to restrict certain processing.
- Revoke Google API access: at any time, at myaccount.google.com/permissions.
To exercise any of these rights, email support@thejsrengine.com from the address associated with your account. We will respond within 45 days. We may request additional information to verify your identity before fulfilling a request, in order to protect against unauthorized disclosure.
We will not discriminate against you for exercising any of these rights.
11. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), gives you the following specific rights:
- Right to know. Request disclosure of the categories of Personal Information we collected, the sources, the purposes, and the categories of third parties with whom we shared it.
- Right to access. Request a copy of the specific pieces of Personal Information we hold about you.
- Right to delete. Request that we delete the Personal Information we collected from you, subject to applicable exceptions.
- Right to correct. Request that we correct inaccurate Personal Information.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose other than what is necessary to provide the Service.
- Right to opt out of sale or sharing. We do not sell Personal Information and we do not share Personal Information for cross-context behavioral advertising. No opt-out is necessary because there is nothing to opt out of.
- Right of non-discrimination. We will not deny service, charge different prices, or provide a different quality of service because you exercised any of these rights.
Categories of Personal Information collected (last 12 months)
Identifiers (name, email, IP address, Google user ID); commercial information (subscription status, billing identifiers, transaction history); internet/network activity (usage of the Service, dashboard navigation, recommendation approval/rejection); geolocation (approximate, from IP); inferences drawn from the above (recommendation-quality and confidence-calibration scores).
We do not collect biometric information, precise geolocation, race or ethnicity, religious beliefs, philosophical beliefs, union membership, sexual orientation, gender identity, health or genetic information, or any other category of sensitive personal information.
How to submit a request
Email support@thejsrengine.com with subject line "CCPA REQUEST". We will respond within 45 days. You may also designate an authorized agent to make a request on your behalf — the agent must provide written authorization, and we may still contact you to verify identity.
If you believe we have not adequately responded to your request, you may contact the California Attorney General at oag.ca.gov.
12. EU and UK Residents
The Service is offered only to United States-based businesses and U.S. residents. We do not target users in the European Economic Area, the United Kingdom, or Switzerland, and our Terms of Service, Section 3 require you to represent that you are not located in those regions. If you nonetheless access the Service from one of those regions, you do so at your own initiative and we make no representations regarding compliance with GDPR, UK GDPR, the EU-U.S. Data Privacy Framework, or other regional data-protection laws. If you believe you have submitted Personal Information to us as an EU, UK, or Swiss resident, email support@thejsrengine.com and we will delete it.
13. Children
The Service is not directed to, and we do not knowingly collect Personal Information from, children under 18. If you believe a child has submitted Personal Information to us, email support@thejsrengine.com and we will delete it.
14. Acceptance Records
We retain a record of each user's acceptance of the Terms of Service and this Privacy Policy, including the version accepted, the timestamp of acceptance, and the IP address and browser user-agent from which acceptance was made. We use these records to demonstrate that you agreed to the version of our policies in effect at the relevant time — including the binding arbitration clause in Terms of Service, Section 19. These records are retained for at least three (3) years after the conclusion of your account relationship.
15. Cookies
The JSR Engine uses the following cookies, which are strictly necessary for the operation of the Service:
| Name | Purpose | Duration | Attributes |
|---|---|---|---|
| access_token | Authentication — keeps you logged in | 24 hours | HttpOnly, Secure, SameSite=Lax |
| oauth_state | CSRF protection during Google OAuth sign-in | 5 minutes | HttpOnly, Secure, SameSite=Lax |
| affiliate_intent | Identifies affiliate signup flow during OAuth | 5 minutes | HttpOnly, Secure, SameSite=Lax |
We do not use tracking, analytics, or advertising cookies on logged-in product pages. We use Google Tag Manager on our public marketing pages for basic anonymous traffic analytics; that data is aggregated and not tied to any individual account.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make a change that materially affects how we collect, use, or share your Personal Information, we will provide at least thirty (30) days' advance notice by email to your account address and by posting an updated version on this page. Non-material changes (clarifications, typographical fixes, formatting) are effective on posting. The "Last Updated" date at the top of this page reflects the most recent change.
17. Contact
If you have questions about this Privacy Policy, or to exercise any of the rights described above, contact us at support@thejsrengine.com. For California-specific requests, use subject line "CCPA REQUEST".
The JSR Engine operates from New York, United States.