Privacy Policy · Last updated March 2026

How we collect, use, and protect your data.

Plain-English summaries are in the colored callouts. The numbered sections are the legally binding text. Both stay in sync — when the legal text changes, the summary changes with it.

1. Introduction

MyClickShield is a click fraud protection service operated by VELJASMELE LTD, a company registered in England and Wales with its registered office at 128 City Road, London EC1V 2NX, United Kingdom. In this Privacy Policy, "we", "our", "us" and "MyClickShield" refer to VELJASMELE LTD. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. This policy complies with the requirements of Google, Meta (Facebook), and Microsoft advertising platforms, as well as GDPR and CCPA regulations.

In plain English

We're a UK-registered company that filters bad ad clicks for you. This policy is the legally binding version — the colored boxes (like this one) are the human summaries.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, company name, and billing information.

2.2 Click and Traffic Data

We collect data about clicks on your advertisements, including:

  • IP addresses (hashed for privacy where possible)
  • Device information and device identifiers
  • Browser type and version
  • Operating system
  • Click timestamps and frequency
  • Referrer URLs and landing page URLs
  • Behavioral patterns and mouse movements
  • Click identifiers (gclid, fbclid, msclkid)
  • Geographic location (country/region level)

2.3 Connected Advertising Account Data

When you connect your advertising accounts, we access:

  • Google Ads: Campaign IDs, ad group IDs, conversion data, and IP exclusion lists
  • Meta Ads: Ad account IDs, campaign data, pixel events, and custom audience information
  • Microsoft Ads: Account IDs, campaign data, and negative site lists

2.4 Usage Data

We collect information about how you interact with our platform, including pages visited and features used.

In plain English

Three buckets of data: (1) what you give us to sign up — email, billing, name; (2) signals about visitors to your ads — IP, device, behavior, click IDs; (3) what your ad accounts let us read so we can manage exclusions for you.

How your visitor data flows

Visitor clicks ad → Our beacon on your site → Encrypted DB (EU region) → Scoring engine (no PII shared) → Ad-platform exclusion API

Click and behavioral signals are processed in our encrypted database. Only IP addresses and click identifiers are passed back to Google / Meta / Microsoft for exclusion. We do not share visitor PII with ad platforms.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our click fraud protection service
  • Detect and block fraudulent clicks on your advertisements
  • Create and manage IP exclusion lists on your connected ad platforms
  • Report invalid click activity to advertising platforms
  • Generate reports and analytics for your account
  • Communicate with you about your account and our services
  • Improve our fraud detection algorithms using aggregated, anonymized data

In plain English

We use the data to do exactly what you signed up for — detect fraud, exclude bad IPs, and report invalid clicks back to the ad platforms. We also use anonymized aggregates to improve detection. We don't sell or resell any of it.

4. Third-Party Advertising Platform Integration

4.1 Google Ads API Integration

MyClickShield uses the Google Ads API to help advertisers reduce wasted ad spend by identifying and excluding invalid traffic from their campaigns. We do not sell, rent, or share Google Ads data with any third parties. Data retrieved from the Google Ads API is used solely to provide click fraud protection services to the authenticated advertiser and is never combined with data from other customers for any commercial purpose.

Specifically, we call the following Google Ads API services:

  • CustomerService.listAccessibleCustomers — to list the Google Ads accounts the authenticated user has authorized us to manage during the OAuth connection flow.
  • GoogleAdsService.searchStream — to read the list of active (ENABLED) campaigns on the connected account, so we know where to apply IP exclusions.
  • CampaignCriterionService.mutate — to add (and remove) negative IP_BLOCK criteria to campaign-level exclusion lists. Every mutation is logged and reversible from the MyClickShield dashboard.
  • ConversionAdjustmentUploadService.uploadConversionAdjustments — to upload RETRACTION conversion adjustments for clicks the user has opted to report as invalid via the GCLID.

We do not use any Google Ads API services to read or modify ad content, budgets, billing information, targeting, or keywords. Our integration is limited to the four services above.

User control over automated actions: All automated actions — such as IP exclusions, offline conversion adjustments, and optional campaign auto-pause — are fully configurable by the user and can be reviewed, modified, or disabled at any time from the MyClickShield dashboard. The user can also revoke API access completely at any time via their Google Account settings or from within MyClickShield.

We access customer Google Ads accounts only via OAuth 2.0 with explicit user consent, requesting the minimum permissions necessary (ads_management scope). Refresh tokens are stored encrypted at rest and are never shared externally.

Data shared with Google: IP addresses identified as invalid, click identifiers (gclid, wbraid, gbraid), and conversion adjustment data. Google's privacy policy applies to data processed by Google: https://policies.google.com/privacy

4.2 Meta (Facebook) Ads Integration

When you connect your Meta Ads account, we:

  • Access your account via Facebook Login with your explicit consent
  • Create and manage Custom Audiences for exclusion of fraudulent traffic
  • Send invalid traffic events via the Meta Conversions API
  • Store your access token securely (encrypted at rest) to maintain the connection
  • Only request the minimum permissions necessary (ads_management, ads_read, business_management)

Data shared with Meta: Hashed IP addresses, click identifiers (fbclid), user agent data, event timestamps. Meta's privacy policy applies to data processed by Meta: https://www.facebook.com/privacy/policy/

4.3 Microsoft Ads Integration

When you connect your Microsoft Ads account, we:

  • Access your account via Microsoft Identity Platform with your explicit consent
  • Add fraudulent sources to your Negative Site Lists
  • Report invalid conversions via the Microsoft Ads Offline Conversion API
  • Store your refresh token securely (encrypted at rest) to maintain the connection

Data shared with Microsoft: IP addresses, click identifiers (msclkid), conversion data. Microsoft's privacy policy applies to data processed by Microsoft: https://privacy.microsoft.com/privacystatement

In plain English

We only call the minimum set of APIs needed to add/remove IP exclusions and report invalid clicks back. We never read or modify your budgets, keywords, ad copy, or targeting. You can disconnect any platform with one click from your dashboard.

5. Data Sharing

We do not sell your personal information. We share information only as follows:

  • With your connected advertising platforms: To enable IP exclusions and invalid click reporting as described above
  • Service providers: Cloud hosting (encrypted data at rest and in transit), payment processing (Stripe)
  • Legal requirements: When required by law, court order, or to protect our legal rights
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)

Current sub-processors

Sub-processor | Purpose | Data accessed | Region
Hetzner / AWS | Cloud hosting & encrypted DB | All processed data (encrypted at rest) | EU
Stripe | Payment processing | Billing email, card token, transaction history | EU / US
Postmark | Transactional email delivery | Recipient email, message body | US
Sentry | Error monitoring | Stack traces, anonymized session metadata | EU
Cloudflare | CDN, DDoS protection | Request IP, user agent (transit only) | Global

We notify customers at least 30 days before adding a new sub-processor. The current list is also in the DPA.

6. Data Security

We implement industry-standard security measures to protect your data:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • OAuth tokens stored with additional encryption layer
  • Regular security audits and penetration testing
  • Access controls and audit logging
  • Secure data centers with SOC 2 compliance

In plain English

Data is encrypted in transit and on disk. OAuth tokens get an additional layer of encryption on top. We log who-touched-what for audit purposes. Full security details are at /trust-center.

7. Data Retention

  • Click data: Retained for 90 days, then automatically deleted
  • Account information: Retained for the duration of your subscription plus 30 days
  • OAuth tokens: Retained until you disconnect your ad account or delete your account
  • Aggregated analytics: May be retained indefinitely in anonymized form

You can request deletion of your data at any time by contacting us or through your account settings.

Retention at a glance

  • OAuth tokens: Until disconnect
  • Account info: Subscription + 30d
  • Click data: 90 days
  • Aggregated analytics: Indefinite (anonymized)

8. Your Rights and Controls

You have the following rights regarding your data:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate data
  • Deletion: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to certain types of processing
  • Withdraw consent: Disconnect ad accounts at any time through your dashboard
  • Restriction: Request limitation of processing

To exercise these rights, contact us at [email protected] or use the controls in your account dashboard.

9. Cookies and Tracking

Our fraud detection script uses first-party cookies and local storage to:

  • Identify returning visitors for fraud pattern detection
  • Store session information for click analysis
  • Maintain fraud scores across page views

These are essential for our service and cannot be disabled while using MyClickShield protection.

10. GDPR Compliance (EU/EEA Users)

For users in the European Union and European Economic Area:

  • Legal basis: We process data based on your consent (for ad platform connections) and legitimate interest (for fraud detection)
  • Data transfers: Data may be transferred to the US where our servers are located, protected by Standard Contractual Clauses
  • DPO: Contact our Data Protection Officer at [email protected]
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority

What EU/EEA users can request

  • Right of access: Get a copy of all personal data we hold about you.
  • Right to rectification: Correct or update inaccurate data.
  • Right to erasure: Have your personal data permanently deleted.
  • Right to portability: Receive your data in machine-readable format (JSON / CSV).
  • Right to object: Object to processing based on legitimate interest.
  • Right to restrict: Limit processing to storage only during a dispute.

Email [email protected] to exercise any of these. We respond within 30 days.

11. CCPA Compliance (California Users)

For California residents under the California Consumer Privacy Act:

  • We do not sell personal information
  • You have the right to know what personal information we collect and how it's used
  • You have the right to delete your personal information
  • You have the right to opt-out of the sale of personal information (not applicable as we don't sell)
  • We will not discriminate against you for exercising your CCPA rights

What California users can request

  • Right to know: What personal info we collect and how it's used.
  • Right to delete: Request deletion of your personal information.
  • Right to opt-out of sale: We don't sell personal info — N/A but enshrined.
  • Right to non-discrimination: You will not be penalized for exercising any CCPA right.

Email [email protected] with the subject "CCPA Request". We respond within 45 days.

12. Children's Privacy

Our service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our service. Your continued use after changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, to exercise your rights, or for complaints:

We will respond to all requests within 30 days.

Reach us directly

For any privacy question or DSR request — we read every email.