Legal

Privacy Policy

Last updated: 22 May 2026

YesCheck is a product of Think Ahead B.V. ("YesCheck", "we", "us"). This policy explains which personal data we process through this website and through the YesCheck platform, why we do so and which rights you have. We comply with the EU General Data Protection Regulation (GDPR).

1. Scope of this policy and our roles

This policy covers two situations:

  • As a visitor to this website (e.g. scheduling a demo via Cal.com, contact via form or email): YesCheck is the data controller for the data you provide to us.
  • As a user of the YesCheck platform (login, Google Ads analysis, proposal review, execution): YesCheck acts as data processor for the organisation you work for. Your organisation is the data controller. Roles and responsibilities are formalised in a data processing agreement (DPA) that is part of the platform contract.

2. Data we process

2a. Through the website

  • Demo requests and contact: name, email address, company name, and any additional information you provide in the contact form or during a demo.
  • Scheduling: when you book a demo through Cal.com, we receive the meeting details (name, email address, chosen time).
  • Technical data: basic log data such as IP address and browser type, as needed for security and the technical functioning of the site.

2b. Through the platform

  • Account data: name, email address and role (admin/editor/viewer) of users who work with the platform. Authentication uses Google Sign-In.
  • Organisation data: tenant name, subscription status, and billing data via Stripe (we do not store card data ourselves).
  • Google Ads data: campaigns, keywords, search terms, ads, landing pages, metrics and conversions. Retrieved via the Google Ads API after explicit authorisation by your organisation. Search terms may inadvertently contain personal data (e.g. because an end-consumer typed a name or email in a search query) — see §4 for how we handle this.
  • Audit data: who performed which action at which moment, including approvals and changes pushed to Google Ads.

3. Why we process this data

  • To respond to your demo request or question.
  • To schedule and confirm a demo appointment.
  • To deliver the platform: account creation, authentication, Google Ads data analysis, presenting AI proposals, executing approved changes, and maintaining the audit trail.
  • To bill subscriptions via Stripe.
  • To keep the platform secure, reliable and operational (including error logging and resource usage monitoring).

Legal basis: performance of the contract with you or your organisation, your explicit consent for the Google Ads integration, and our legitimate interest in a functioning and secure platform.

4. Google API scopes and Google Ads data

To connect your Google Ads accounts, YesCheck uses the Google Ads API. We request the OAuth scope https://www.googleapis.com/auth/adwords. This scope grants us access to read, and — only where you explicitly approve — write on the Google Ads accounts you connect.

What we do with this access:

  • Read campaign structure, keywords, search terms, ads, landing page URLs, daily metrics and conversion data.
  • Present AI-generated proposals to you (e.g. "mark this search term as a negative keyword"). Proposals are never executed automatically.
  • Upon your explicit approval via the platform UI: execute the change you approved in Google Ads (add keyword, pause ad, etc.).
  • Record every read action and change in an audit log so you can later trace who did what when.

What we do not do:

  • No automatic changes without explicit human approval (dry-run is the default; auto-approve is disabled).
  • No transfer of your Google Ads data to third parties for advertising purposes.
  • No training of AI models on your data. Our AI provider (Anthropic) processes your data only to generate an answer for you; see our subprocessors page for retention details.
  • No sale of data.

PII filter before AI processing: before search terms and related context are sent to the AI provider, we automatically filter for recognisable personal data (email addresses, phone numbers, BSN numbers and IBANs) and replace these with placeholders ([EMAIL], [PHONE], etc.). This happens fail-closed: if the filter unexpectedly errors, the term is still masked before reaching the AI.

4a. Google API Services User Data Policy & Limited Use

YesCheck's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In concrete terms, this means we:

  • Only use Google user data (including Google Ads data and Google Sign-In identity data) to provide and improve user-facing features in the YesCheck application — such as search-term review, cannibalisation detection, PMAX overlap analysis, account audits, and the corresponding execution steps that you approve.
  • Only transfer Google user data to third parties to the extent necessary to provide or improve those user-facing features (see §5 for the current subprocessor list), to comply with applicable law, or as part of a merger, acquisition or sale of assets where users are notified in advance.
  • Do not use Google user data to serve advertisements, including personalised, retargeted or interest-based advertising.
  • Do not sell Google user data.
  • Do not allow humans to access Google user data except: (a) with your explicit consent, (b) to investigate security or fraud incidents, (c) where required by applicable law, or (d) when the data has been aggregated and anonymised so that individual records can no longer be identified. Access by support engineers requires a ticket, dual approval and is recorded in our audit log.
  • Do not train AI or ML models on your Google user data. We send prompts to our AI provider (Anthropic) only to generate an answer for you; the provider does not use your data to train its models.

5. Subprocessors

We engage processors that help us deliver the platform and this website. We have a data processing agreement with each of these parties. The full and current list — including region, purpose and link to their privacy policy — is available at yescheck.io/en/subprocessors.

We notify existing customers of changes to the subprocessor list at least 30 days in advance, giving you the opportunity to object.

6. How long we retain data

We do not retain data longer than necessary. Per data type we apply the following periods:

  • Contact and demo requests: maximum 24 months after last contact.
  • Technical log data (web server, Sentry): maximum 90 days.
  • Account data (platform): for the duration of your organisation's active contract, plus 30 days thereafter for wrap-up.
  • Google Ads snapshots (search terms): up to 180 days for trend analysis. Landing page URL hashes up to 7 days.
  • Audit log (per event class): mutations 12 months, Google Ads executions 24 months, configuration changes 24 months, sync events 6 months, auth events 12 months.
  • Refresh tokens: expired tokens kept up to 24 hours for forensic investigation; revoked tokens 7 to 30 days.
  • AI calls at Anthropic: 30 days default at Anthropic (per their Commercial DPA), or less if Zero Data Retention is activated for our organisation.

7. Cookies

This website sets functional cookies required for the site to work. The demo page embeds Cal.com, which may set additional cookies to operate the scheduling tool. If we deploy analytics or marketing cookies in the future, we will first ask for your consent via a cookie banner.

Within the YesCheck platform, only essential cookies are used for authentication (including an HttpOnly refresh token cookie and a CSRF cookie). No tracking or marketing cookies are used in the platform.

8. Security

We take appropriate technical and organisational measures to protect your data against loss and unauthorised access. These include: encryption in transit (TLS), encryption at rest for credentials (via Supabase Vault), Row-Level Security at the database layer, HttpOnly cookies for sessions, CSRF protection, rate limiting on authentication endpoints, and structural audit logging. For security questions or reports: security@yescheck.io (see also our security.txt).

9. Your rights and data deletion

Under the GDPR you have the right to:

  • access your data;
  • correct or supplement it;
  • erase your data;
  • restrict or object to processing;
  • data portability;
  • withdraw previously given consent (without retroactive effect).

You can submit a request via privacy@yescheck.io. We handle requests within 30 days. For platform users, requests concerning customer data go first through your organisation (which is the data controller); we support your organisation in the handling. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

9a. How to delete your Google data from YesCheck

If you want YesCheck to no longer have access to your Google Ads data, or to have all previously retrieved data deleted, you have two independent routes — usable separately or together:

  1. Revoke access at Google. Go to myaccount.google.com/permissions, select "YesCheck" and choose Remove access. From that moment on, YesCheck can no longer retrieve new data from your Google Ads account; your refresh token at Google is immediately invalidated.
  2. Request deletion of existing data. Email privacy@yescheck.io with the subject "Data deletion request" and include the tenant or account name the request relates to. We confirm the request within 2 business days and complete the deletion within 30 days.

On a deletion request, we do the following:

  • We revoke the stored Google refresh token on our side and remove it from Supabase Vault.
  • We delete all linked Google Ads snapshots (search terms, ads, metrics) from the live database; backups taken before the request are overwritten within 35 days on a rolling schedule.
  • We delete any outstanding AI cache entries that contain your Google user data.
  • Audit log entries that must be retained for legal or contractual reasons (financial records, security incidents) are kept; we anonymise where possible and pseudonymise otherwise. The deletion request and its execution are themselves recorded in the audit log for traceability.
  • You receive an email confirmation once the deletion is complete, stating what has been deleted and what (and why) has been retained.

10. International transfers

Our primary processing region is the EU. Some subprocessors (including Anthropic for AI analysis and Stripe for payments) may process data in the United States. For such transfers we rely on the European Standard Contractual Clauses (SCCs) and, where available, additional safeguards such as Zero Data Retention. The full transfer situation per subprocessor is available on our subprocessors page.

11. Changes

We may update this privacy policy. The most recent version is always available on this page. For significant changes we will actively inform you.

12. Contact

Questions about this privacy policy? Email us at privacy@yescheck.io.