Privacy Policy
Last updated: March 7, 2026
1. Information We Collect
StopBots collects the following information to detect and prevent click fraud on Google Ads campaigns:
- Click Data: IP address, browser fingerprint signals (canvas, WebGL, audio context, fonts, navigator properties), TLS fingerprint, user agent, referrer URL, page URL, and Google Click ID (gclid).
- Behavioral Data: Mouse movement patterns, scroll behavior, click timing, touch gestures (on mobile devices). This data is collected in aggregate form and does not identify individual users.
- Account Data: Email address, company name (optional), and password (hashed with Argon2id) when you create a StopBots account.
- Google Ads Data: When you connect your Google Ads account, we access campaign names, campaign IDs, click performance metrics, and existing IP exclusion lists via the Google Ads API.
2. How We Use Your Information
We use collected data exclusively for:
- Detecting fraudulent clicks on your Google Ads campaigns
- Adding fraudulent IP addresses to your Google Ads exclusion lists via the Google Ads API
- Generating fraud analytics and reports in your dashboard
- Improving our detection algorithms using aggregated, non-identifiable data
- Providing customer support and responding to your inquiries
We do not use your data for advertising, profiling, or any purpose unrelated to click fraud protection.
3. Data Sharing
We do not sell, rent, or share personal data with third parties for their marketing purposes. We use the following services strictly for operating StopBots:
- Google Ads API: To read campaign data and manage IP exclusion lists on your campaigns (with your explicit OAuth 2.0 authorization)
- IPQualityScore: IP reputation lookups (IP addresses only, no personal data)
- Public IP Threat Lists: We reference publicly available IP threat intelligence feeds (such as FireHOL and similar open-source lists) to identify known malicious IP ranges.
- Sentry: Error tracking and performance monitoring for our dashboard application. Sentry may receive technical error data (stack traces, browser type, page URL) but does not receive your Google Ads data or personal information.
- Stripe: Payment processing for subscriptions. Stripe handles all payment card data directly; we do not store your card details on our servers.
4. Data Retention
- Click data: Retained for 12 months to support historical analytics and seasonal trend analysis, then permanently deleted in automated batch processes.
- Aggregated statistics: Daily aggregate data (total clicks, fraud counts, estimated savings) is retained indefinitely to provide long-term trend analysis. This data does not contain personally identifiable information — individual click details and IP addresses are not included in aggregated records.
- Fraud intelligence database: IP addresses identified as sources of click fraud are retained indefinitely in our shared fraud intelligence database. This processing is based on legitimate interest (GDPR Article 6(1)(f)) to protect all customers from known fraud sources. The database contains only IP addresses, fraud scores, and detection metadata — no personal browsing data.
- Account data: Retained until you delete your account.
- Google Ads data: Campaign performance metrics are retained for the duration of your account. OAuth tokens are encrypted at rest and deleted immediately upon disconnection or account deletion.
- IP exclusion lists: Managed directly in your Google Ads account. If you downgrade to a free plan, existing IP exclusions remain in your Google Ads campaigns. Upon account deletion, you are responsible for managing any remaining IP exclusions through your Google Ads account settings.
You can request data deletion at any time by contacting us at contact@stopbots.app.
5. Cookies
The StopBots tracking script does not set any cookies on your visitors' browsers. Our dashboard uses essential cookies for authentication (httpOnly, secure, SameSite). We do not use advertising or analytics cookies.
6. Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over HTTPS (TLS 1.2+).
- Encryption at rest: Google Ads OAuth tokens and sensitive credentials are encrypted before storage.
- Password security: Passwords are hashed using Argon2id and never stored in plain text.
- Infrastructure: Our servers are protected by firewalls (UFW), intrusion detection (Fail2Ban), and automated daily backups.
- Access control: Multi-tenant data isolation ensures each client can only access their own data. StopBots personnel do not access your Google Ads data without your explicit consent.
7. Google Ads API Usage & Limited Use Disclosure
StopBots uses the official Google Ads API in compliance with Google's API Terms of Service. We request access to the following OAuth 2.0 scope:
https://www.googleapis.com/auth/adwords — to read campaign data and manage IP exclusion lists
Specifically, we use the API to:
- Read campaign and click performance data via GoogleAdsService.Search
- Manage IP exclusion lists (CampaignCriterionService) to block fraudulent IP addresses
- Display campaign-level performance reports in your dashboard
You authorize API access through Google OAuth 2.0. You can revoke access at any time through your StopBots account settings or your Google Account permissions. Upon revocation, we immediately stop accessing your Google Ads data and delete stored OAuth tokens.
Google API Services User Data Policy
StopBots' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google Ads data for providing and improving click fraud protection functionality as described in this policy. We do not use Google Ads data for advertising, do not sell it to third parties, and do not use it for purposes unrelated to the core functionality of StopBots.
8. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data.
- Right to restriction: Request restriction of processing of your personal data.
- Right to data portability: Request transfer of your data in a structured, machine-readable format.
- Right to object: Object to the processing of your personal data.
Our legal basis for processing your data is legitimate interest (providing click fraud protection services you subscribed to) and consent (for Google Ads API access via OAuth). To exercise any of these rights, contact us at contact@stopbots.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. Your Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of personal information we have collected from you.
- Right to opt-out: We do not sell personal information. Therefore, no opt-out mechanism for sales is necessary.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your rights, contact us at contact@stopbots.app. We will verify your identity and respond within 45 days.
10. PIPEDA Compliance
StopBots is operated from Montreal, Quebec, Canada and complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect only the minimum data necessary for fraud detection, obtain meaningful consent through clear service terms, and provide data access and deletion upon request. We are also subject to Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25).
11. International Data Transfers
StopBots is hosted on servers located in the European Union (Hetzner, Finland). If you access our services from outside the EU, your data will be transferred to and processed in the EU. We ensure that all data transfers comply with applicable data protection laws, including GDPR adequacy decisions and PIPEDA requirements. Canada is recognized by the European Commission as providing an adequate level of data protection.
12. Children's Privacy
StopBots is a business-to-business (B2B) service designed for advertisers and marketing professionals. It is not intended for personal, family, or household use. Our service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Data Breach Notification
In the event of a data breach that poses a real risk of significant harm to affected individuals, we will:
- Notify affected users via email without unreasonable delay after becoming aware of the breach
- Report the breach to the Office of the Privacy Commissioner of Canada and the Commission d'accès à l'information du Québec (CAI) as required by PIPEDA and Quebec Law 25
- Report to the relevant EU supervisory authority if EEA users are affected (GDPR requirement)
- Provide details about the nature of the breach, data affected, and steps taken to mitigate it
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) or by placing a prominent notice on our website at least 30 days before the changes take effect. Your continued use of StopBots after the changes become effective constitutes acceptance of the revised policy.
15. Contact
For privacy inquiries, data subject requests, or questions about this policy:
- Operator: StopBots (sole proprietorship)
- Email: contact@stopbots.app
- Website: https://stopbots.app
- Location: Montreal, Quebec, Canada