Privacy Policy

Account and contact data — When you create an account or book a call, we collect your name, email address, company name, website URL, and details about your marketing budget and goals.

Usage data — We automatically collect information about how you interact with our platform: pages visited, features used, session duration, IP address, browser type, device identifiers, and referring URLs.

Platform connection data — If you connect third-party advertising or analytics accounts (Meta, Google, TikTok, Klaviyo, etc.), we receive aggregated performance data from those platforms under the permissions you grant. We do not store your platform passwords.

Communications — When you email us, submit a form, or interact with our support team, we retain those communications and any information you provide in them.

Payment data — Billing is handled by Stripe. We do not store full card numbers. We receive and retain billing name, last four digits, expiry, and transaction metadata.

Cookies and tracking — See Section 6 for our full cookie policy.

Contract performance — Processing your account data, providing the Service, and communicating with you about your subscription is necessary to perform our contract with you (Article 6(1)(b) UK/EU GDPR).

Legitimate interests — We process usage and analytics data to improve the platform, detect fraud, and ensure security. We have conducted a legitimate interests assessment and concluded our interests do not override your rights (Article 6(1)(f)).

Legal obligation — We may process data to comply with applicable law, regulation, or court order (Article 6(1)(c)).

Consent — Where we send marketing emails, use non-essential cookies, or share data for partnership purposes, we rely on your consent (Article 6(1)(a)). You may withdraw consent at any time.

Providing and improving the Service — Powering your dashboard, generating reports, training and refining our attribution models, and resolving bugs.

Account management — Billing, invoicing, renewal reminders, and account-level communications.

Marketing — With your consent, sending product updates, growth insights, case studies, and event invitations. You can opt out at any time via the unsubscribe link in any email.

Security and fraud prevention — Detecting suspicious access patterns, preventing abuse, and protecting user accounts.

Legal and compliance — Meeting our obligations under UK, EU, and other applicable law.

Aggregated analytics — We may use anonymised, aggregated data to publish benchmarks and industry reports. This data cannot be traced back to any individual.

We do not sell your personal data. We share data only in the following limited circumstances:

Service providers — We work with carefully selected vendors (cloud hosting on AWS EU-West, analytics via PostHog, email delivery via Resend, payments via Stripe) who process data strictly on our behalf under data processing agreements.

Platform integrations — When you authorise a third-party connection (e.g. Meta Ads), data flows between that platform and our Service under the permissions you grant. Review each platform's own privacy policy for how they handle your data.

Business transfers — If Masit is acquired, merged, or undergoes insolvency proceedings, your data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

Legal obligations — We may disclose data to law enforcement, regulatory bodies, or courts where we are legally required to do so.

We use the following categories of cookies:

Strictly necessary — Session management, CSRF protection, and load balancing. These cannot be disabled.

Analytics — We use PostHog to understand how the platform is used. These cookies collect anonymised, aggregated data and are only set with your consent.

Preferences — Remembering your dashboard layout, theme, and filter settings.

Marketing — If you arrive via a paid campaign, we may set a cookie to attribute your signup. These are only set with your consent.

You can manage cookie preferences via the cookie banner on first visit, or at any time through your account settings. Withdrawing consent for non-essential cookies will not affect your ability to use the Service.

We retain your account data for as long as your account is active and for 90 days after termination to allow account recovery.

Usage and analytics data is retained in identifiable form for 24 months and then anonymised.

Financial records (invoices, payment history) are retained for 7 years to comply with UK accounting law.

Support communications are retained for 3 years.

You may request deletion of your data at any time. Where we are required by law to retain certain records, we will delete all other data and inform you of what we must retain and why.

Our primary infrastructure is hosted in the EU (AWS eu-west-1, Ireland). Some of our service providers are based in the United States.

Where data is transferred to countries outside the UK or EEA, we rely on UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection.

Under UK GDPR and EU GDPR, you have the right to: access a copy of your personal data; correct inaccurate data; request deletion ('right to be forgotten'); restrict or object to processing; data portability (receiving data in a structured, machine-readable format); and withdraw consent at any time without affecting prior lawful processing.

To exercise any of these rights, email us at privacy@masit.io. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local data protection authority in the EU.

We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, regular penetration testing, and SOC 2 Type II compliance.

No system is completely secure. If you believe your account has been compromised, contact security@masit.io immediately.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the change takes effect. Your continued use of the Service after that date constitutes acceptance of the updated policy.

Previous versions of this policy are available on request.

For privacy-related questions, requests, or concerns:

Email: privacy@masit.io · Post: Data Protection Officer, Masi Tech Ltd, 20 St Thomas Street, London SE1 9RS, United Kingdom.