Privacy Policy
This document explains how we collect, use and share your data when you use our website or authorize us to access your social-media and digital-advertising accounts.
Table of contents
About This Policy
Busma Advanced Advertising Company (CR No. 7034534581, Riyadh, Saudi Arabia) publishes this Policy to describe our data-handling practices in line with the Saudi Personal Data Protection Law (PDPL) issued by the Saudi Data and AI Authority (SDAIA).
This Policy applies to our website https://busma-adv.com and to client services that include integration with social-media and advertising platforms.
Data We Collect Directly From You
A. Identification & contact data
- Name, email, phone.
- Company name, job title, tax ID, address.
- Billing and payment details (handled via PCI-compliant providers — we do not store full card data on our systems).
B. Operational data
- Communication records (emails, messages, support calls).
- Documents and creative assets you share for project execution.
C. Technical data (automatic)
- IP address, browser, OS, device identifiers.
- Pages visited and timestamps (via analytics such as Google Analytics and Meta Pixel).
Data Accessed From Social-Media Platforms (Under Your Authorization)
When you grant us permission to manage your accounts on these platforms, our access is limited to what is necessary to deliver the Services. The table below details, per platform, the scopes we request and the data we process:
| Platform | Scopes | Data processed |
|---|---|---|
| Meta (Facebook + Instagram) |
pages_show_list, pages_read_engagement, pages_manage_posts, ads_management, ads_read, business_management, instagram_basic, instagram_manage_insights, instagram_content_publish |
Pages and business accounts you manage, post & ad performance, aggregated audience engagement, content publishing and reply management. |
| Google Ads Google Analytics Search Console |
Read ad accounts and performance reports, organic search data. (Google API Services User Data Policy — Limited Use) | Campaign structure, performance metrics (impressions, clicks, conversions), keywords, traffic reports & sources. |
| TikTok for Business | user.info.basic, ad.account.read, ad.campaign.read/write, video.list, video.publish |
Business account info, campaign performance, video analytics, campaign management. |
| Snapchat Marketing | Read/manage ad accounts, campaigns and performance reports. | Campaign structure, performance metrics, audience targeting (no individual identifiers). |
r_organization_admin, r_ads, rw_ads, w_organization_social |
Company pages, ad campaigns, engagement analytics. | |
| X (Twitter) | Read account and tweets, manage ads (Ads API). | Promoted-tweet performance, campaign metrics. |
We will NEVER:
- Sell your data or your audience data to any third party.
- Use data obtained via Google APIs to train AI models (per the Limited Use requirements).
- Store end-users' private messages or inbox content beyond the necessary processing window.
- Access accounts we are not explicitly authorized for.
How We Use Your Data
- Deliver contracted services and manage your campaigns.
- Produce reports and measure campaign performance.
- Communicate with you about projects and operations.
- Invoicing and contract administration.
- Improve our services (in aggregate, statistical form only).
- Comply with legal and regulatory obligations.
Legal Basis for Processing
- Contract: to perform the services agreement with you.
- Explicit consent: to access social-media accounts and send marketing material.
- Legitimate interest: to improve services and protect our systems.
- Legal obligation: tax, accounting and anti-fraud requirements.
Who We Share Your Data With
We do not sell your data. We share it only with:
- Sub-processors: cloud hosting, analytics, CRM, email and payment providers — all bound by data-protection agreements.
- Advertising platforms: Meta, Google, TikTok, Snapchat, LinkedIn, X — solely to execute the advertising services you request.
- Legal and regulatory authorities: where a legal obligation or court order requires it.
- Acquirers: in case of merger or acquisition, with prior notice to affected persons.
Retention Periods
| Data type | Retention |
|---|---|
| Active account data | Duration of the engagement |
| Access logs (platform integrations) | 12 months |
| Billing and accounting records | 10 years (statutory) |
| Marketing communications | Until consent is withdrawn |
| API performance snapshots | Max 24 months |
| Cookies | By type — up to 24 months |
After the period expires, data is deleted or anonymized.
Your Rights
Under the Saudi PDPL, you have the right to:
- Be informed about the data we collect.
- Access a copy of your data.
- Correct inaccurate data.
- Delete your data.
- Withdraw consent at any time.
- Portability — receive your data in a portable format.
To exercise any of these rights, email privacy@busma-adv.com. We respond within 30 days.
To request deletion of data held by our apps on Meta or other platforms, visit the Data Deletion Request page.
Cookies
We use two categories of cookies:
- Essential: for site operation (login, CSRF protection, language preference).
- Analytics & marketing: Google Analytics, Meta Pixel, Google Tag Manager — to measure performance and optimize content. These activate only after your consent via the cookie banner.
Security
We apply technical and organizational measures appropriate to the nature of the data, including:
- Encryption in transit (TLS 1.2+).
- Encryption of access tokens at rest.
- Role-based access control (RBAC) and audit logs.
- Periodic security reviews and penetration testing.
- Employee data-protection training.
International Data Transfers
Some data may be stored by service providers outside Saudi Arabia (such as Google, Meta, Amazon data centers) under adequate safeguards in line with PDPL requirements.
Children's Privacy
Our services are intended for companies and organizations. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, contact us and we will delete it promptly.
Platform Developer-Policy Compliance
Meta Platform Terms
We comply with the Meta Platform Terms and Developer Policies. We use user data only to deliver services to the authorizing client. We delete data on app-removal or when permissions are revoked.
Google API Services — Limited Use
Our use of Google user data is limited to purposes the user requested. We do not transfer it to third parties except with explicit user consent or as required by law, do not use it for advertising, and do not allow humans to read it except in narrow cases (e.g. with user consent, security purposes, or legal compliance).
TikTok Developer Terms
We do not use TikTok data outside the scope of the service, and we delete it when the integration ends.
Changes & Contact
We will update this Policy when necessary. The update date appears at the top of the page, and we notify users of material changes by email.
Data Protection Officer (DPO)
Company: Busma Advanced Advertising Company
Address: Riyadh, Kingdom of Saudi Arabia
Privacy email: privacy@busma-adv.com
Data-deletion request: /en/data-deletion