Privacy Policy
Last updated: 20 February 2026 · BestClick Studio
1. Data controller
The controller of personal data processed through the AutoReports service (available at bestclickstudio.com) is BestClick Studio.
This privacy policy describes what data we collect, how we use it, and what rights users have under Regulation (EU) 2016/679 (GDPR).
2. Data we collect
| Category | Scope | Source |
|---|---|---|
| Google account data | First name, last name, email address, profile picture | Google OAuth 2.0 at sign-in |
| Google Ads authorisation tokens | Access token and refresh token enabling access to campaign data | Google OAuth when connecting a Google Ads account |
| Google Ads campaign data | Campaign metrics (clicks, impressions, conversions, costs) fetched on demand via Google Ads API | Google Ads API at the time of report generation |
| Generated reports | PDF report files stored in the cloud | Created by the service on user request |
| Technical data | System logs, anonymised IP address | Automatically collected during use of the service |
3. Legal bases for processing
- Performance of a contract (Art. 6(1)(b) GDPR) — processing of Google account data and Google Ads tokens necessary to provide the AutoReports service
- Legitimate interest (Art. 6(1)(f) GDPR) — system logs for security and technical diagnostics
- Consent (Art. 6(1)(a) GDPR) — to the extent required by applicable law
4. Purposes of processing
- User authentication and session management (JWT in an httpOnly cookie)
- Fetching Google Ads campaign data on user request
- Generating PDF reports and storing them in AWS S3 cloud storage
- Ensuring the security and integrity of the service
- Recording audit events (logins, report generation)
5. Cookies and sessions
AutoReports uses the following cookies:
| Cookie name | Type | Purpose | Expiry |
|---|---|---|---|
jwt | HttpOnly, SameSite=Strict | Authentication token for the user session (JWT) | 8 hours |
The service does not use third-party analytics, advertising, or tracking cookies. The jwt cookie is strictly necessary for the service to function and does not require consent under Art. 5(3) of Directive 2002/58/EC.
6. Sub-processors
- Google LLC — OAuth 2.0 authentication, Google Ads API (campaign data)
- Amazon Web Services (AWS) — storage of PDF report files in the EU region (eu-central-1, Frankfurt). AWS is ISO 27001 certified and has signed EU Standard Contractual Clauses (SCCs)
All data stored in AWS S3 resides on servers within the European Union.
7. Data retention
- Account data and Google Ads tokens — retained until the user deletes their account
- PDF report files — stored in AWS S3; download links are valid for 7 days. Reports can be deleted on request
- System logs — retained for a maximum of 90 days
8. Your rights
Under GDPR, you have the following rights:
- Right of access — you can request information about your processed personal data
- Right to rectification — you can request correction of inaccurate data
- Right to erasure — you can request deletion of your data ("right to be forgotten")
- Right to data portability — you can receive your data in a structured, machine-readable format
- Right to object — you can object to processing based on legitimate interest
- Right to restriction — you can request restriction of processing in certain circumstances
- Right to lodge a complaint — you can file a complaint with the supervisory authority in your country of residence
9. Security measures
- JWT tokens stored exclusively in httpOnly cookies (inaccessible to JavaScript)
- All communication over HTTPS (TLS)
- Google Ads API access via official OAuth 2.0 — your Google password is never processed by AutoReports
- Campaign data fetched on demand in real time — not stored permanently
- PDF reports stored in a private S3 bucket, accessible only via presigned URLs (7-day expiry)
- API rate limiting (Bucket4j) on authentication and report generation endpoints
10. Changes to this policy
We reserve the right to update this privacy policy. For significant changes, we will notify users via a visible notice within the service or by email. The date of the last update is always displayed at the top of this page.
11. Contact
For questions about data protection, please contact us via the About page or through the contact form available within the service.