ad2app-lib 1.1.0 → 1.3.0

package/dist/legal/index.d.ts

@@ -0,0 +1,5 @@
+export { LEGAL_META } from './meta';
+export type { LegalMeta } from './meta';
+export type { Block, InlineText, LegalSection, ListItem } from './types';
+export { PRIVACY_SECTIONS } from './privacy';
+export { TERMS_SECTIONS } from './terms';

package/dist/legal/index.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TERMS_SECTIONS = exports.PRIVACY_SECTIONS = exports.LEGAL_META = void 0;
+var meta_1 = require("./meta");
+Object.defineProperty(exports, "LEGAL_META", { enumerable: true, get: function () { return meta_1.LEGAL_META; } });
+var privacy_1 = require("./privacy");
+Object.defineProperty(exports, "PRIVACY_SECTIONS", { enumerable: true, get: function () { return privacy_1.PRIVACY_SECTIONS; } });
+var terms_1 = require("./terms");
+Object.defineProperty(exports, "TERMS_SECTIONS", { enumerable: true, get: function () { return terms_1.TERMS_SECTIONS; } });

package/dist/legal/meta.d.ts

@@ -0,0 +1,12 @@
+export declare const LEGAL_META: {
+    readonly lastUpdated: "26 May 2025";
+    readonly contactEmail: "kontakt@ad2.app";
+    readonly controllerName: "Ad2app sp. z o.o.";
+    readonly controllerAddress: "ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland";
+    readonly controllerNip: "5253042936";
+    readonly controllerKrs: "0001168159";
+    readonly uodoUrl: "https://uodo.gov.pl";
+    readonly uodoName: "Urząd Ochrony Danych Osobowych (UODO)";
+    readonly uodoAddress: "ul. Stawki 2, 00-193 Warszawa, Poland";
+};
+export type LegalMeta = typeof LEGAL_META;

package/dist/legal/meta.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LEGAL_META = void 0;
+exports.LEGAL_META = {
+    lastUpdated: '26 May 2025',
+    contactEmail: 'kontakt@ad2.app',
+    controllerName: 'Ad2app sp. z o.o.',
+    controllerAddress: 'ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland',
+    controllerNip: '5253042936',
+    controllerKrs: '0001168159',
+    uodoUrl: 'https://uodo.gov.pl',
+    uodoName: 'Urząd Ochrony Danych Osobowych (UODO)',
+    uodoAddress: 'ul. Stawki 2, 00-193 Warszawa, Poland',
+};

package/dist/legal/privacy.d.ts

@@ -0,0 +1,2 @@
+import type { LegalSection } from './types';
+export declare const PRIVACY_SECTIONS: LegalSection[];

package/dist/legal/privacy.js

@@ -0,0 +1,241 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PRIVACY_SECTIONS = void 0;
+exports.PRIVACY_SECTIONS = [
+    {
+        id: 's1',
+        title: '1. Data Controller',
+        blocks: [
+            { kind: 'p', text: 'The data controller of your personal data is **Ad2app sp. z o.o.**, with its registered office at ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland, NIP: 5253042936, KRS: 0001168159 ("ad2app", "we", "us", "our").' },
+            { kind: 'p', text: 'You can contact us regarding any privacy matter at kontakt@ad2.app.' },
+            { kind: 'p', text: '**Data Protection Officer:** We have assessed our processing activities against the criteria of Article 37 GDPR. Our current processing volume does not meet the mandatory threshold for DPO designation under Art. 37 GDPR. All privacy queries are handled by our designated privacy contact at kontakt@ad2.app. We will appoint a DPO if our processing activities reach the applicable threshold and will update this policy accordingly.' },
+        ],
+    },
+    {
+        id: 's2',
+        title: '2. Scope of This Policy',
+        blocks: [
+            { kind: 'p', text: 'This Privacy Policy explains how we collect, use, store, share, and protect personal data when you access or use the ad2app platform — including our website, web application, and any related services (collectively, the "Service"). It applies to all users: brands, agencies, and influencers who register accounts, as well as individuals who submit their email via our waitlist form.' },
+            { kind: 'p', text: 'We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data.' },
+            { kind: 'p', text: 'In fulfilling our accountability obligations under Art. 5(2) GDPR, ad2app maintains a Record of Processing Activities (ROPA) as required by Art. 30 GDPR, available to supervisory authorities on request.' },
+        ],
+    },
+    {
+        id: 's3',
+        title: '3. Personal Data We Collect',
+        blocks: [
+            { kind: 'p', text: 'We collect the following categories of personal data:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: '**Identity & contact data:** first name, last name, email address, business name, phone number (if provided).' },
+                    { text: '**Account credentials:** hashed password; OAuth access and refresh tokens when you connect social media accounts — we store tokens, not your passwords.' },
+                    {
+                        text: '**Social platform data via OAuth:** when you authorise a connection to a social media account, we receive data from that platform\'s API as permitted by your OAuth consent. The specific data received depends on the platform and the permissions you grant:',
+                        sub: [
+                            { text: '**TikTok:** basic profile (user ID, display name, avatar, biography, profile URL), account statistics (follower count, following count, like count, video count), video list and metadata (titles, view counts, engagement metrics), and — where enabled for scheduling features — video upload and publish permissions. We request only the permissions required for the features you actively use.' },
+                            { text: '**Instagram:** Instagram Business account data including username, biography, profile picture, account type, and associated business metrics.' },
+                            { text: '**Facebook:** public profile information and, where you grant permission, your Facebook email address. Facebook is an independent OAuth provider separate from Instagram.' },
+                            { text: '**YouTube:** YouTube channel data (read-only: videos, statistics, channel metadata) and your Google Account profile (name, profile picture URL, Google Account ID) via the Google identity scope used for authentication.' },
+                        ],
+                    },
+                    { text: '**Audience data (aggregate only):** demographic and engagement statistics about your social media audience, as provided by the connected platform\'s API. This data is processed exclusively in aggregate statistical form and is not linked to any identified individual within your audience. We have assessed whether this data could constitute special category data under Art. 9 GDPR and confirm that we do not process such special category data — audience data is processed solely as aggregate numeric metrics.' },
+                    { text: '**Inbox data:** when you use the platform\'s inbox features, direct message conversations and post comments from your connected social media accounts are fetched and displayed. This includes content sent to you by your followers or other third parties on those platforms. See Section 11 for further detail.' },
+                    { text: '**Professional data:** influencer category, social media handles, media kit content.' },
+                    { text: '**Campaign & collaboration data:** campaign briefs, offer terms, messages exchanged within the platform between brands and influencers.' },
+                    { text: '**Media & content:** files you upload (images, videos, documents) for campaigns or your profile.' },
+                    { text: '**Technical & usage data:** IP address, browser type and version, operating system, pages visited, referral URLs, timestamps, crash reports, and usage events (e.g. feature interactions tracked via Google Analytics 4).' },
+                    { text: '**Billing data:** billing address and payment reference. Payment card details are handled exclusively by Stripe and are never stored by ad2app.' },
+                    { text: '**Waitlist data:** if you submit your email address via our waitlist form before registering, we store that email address to notify you when access is available.' },
+                    { text: '**Feedback data:** free-text feedback submitted via the in-app feedback form. This may incidentally contain personal data you choose to include.' },
+                ],
+            },
+            { kind: 'p', text: 'We do not knowingly collect personal data from individuals under 18 years of age.' },
+            { kind: 'p', text: 'For information on which data fields are mandatory versus optional, see Section 8.' },
+        ],
+    },
+    {
+        id: 's4',
+        title: '4. Legal Bases and Purposes of Processing',
+        blocks: [
+            {
+                kind: 'table',
+                headers: ['Purpose', 'Legal basis (GDPR Art. 6)'],
+                rows: [
+                    ['Creating and managing your account', 'Art. 6(1)(b) — performance of contract'],
+                    ['Providing platform features (campaigns, collaborations, messaging, inbox)', 'Art. 6(1)(b) — performance of contract'],
+                    ['Processing social media data received via OAuth connections (audience metrics, engagement data, video metadata, inbox messages)', 'Art. 6(1)(b) — performance of contract: necessary to deliver influencer-brand matching, campaign analytics, and inbox features as contracted. Audience data is processed in aggregate and anonymised form only. No Art. 9 special category data is processed.'],
+                    ['Automated influencer–campaign matching and recommendations (profiling within the meaning of Art. 4(4) GDPR)', 'Art. 6(1)(b) — performance of contract. No binding automated decision with legal or similarly significant effect is made solely by automated means — all matches require affirmative acceptance by both parties. Human review is available on request.'],
+                    ['Temporary retention of account data for 30 days following account deletion (account recovery window)', 'Art. 6(1)(f) — legitimate interests: ad2app\'s and the user\'s shared interest in preventing irreversible accidental data loss, balanced against the minimal additional retention period.'],
+                    ['Processing payments and issuing invoices (via Stripe)', 'Art. 6(1)(b) & Art. 6(1)(c) — contract & legal obligation'],
+                    ['Complying with legal obligations (tax, accounting, record-keeping)', 'Art. 6(1)(c) — legal obligation: Polish Accounting Act (Ustawa o rachunkowości), Tax Ordinance (Ordynacja podatkowa), VAT Act (Ustawa o VAT).'],
+                    ['Waitlist email: notifying you when platform access is available', 'Art. 6(1)(a) — consent (given at the point of waitlist submission; withdrawable at any time).'],
+                    ['Processing in-app feedback', 'Art. 6(1)(f) — legitimate interests: ad2app\'s interest in improving the Service through user feedback.'],
+                    ['Improving and developing the Service (usage analytics via Google Analytics 4)', 'Art. 6(1)(f) — legitimate interests: ad2app\'s interest in understanding usage patterns to improve product quality, balanced against minimal privacy impact through pseudonymisation. Where analytics cookies are used, Art. 6(1)(a) consent applies.'],
+                    ['Security, fraud prevention, and abuse detection', 'Art. 6(1)(f) — legitimate interests: ad2app\'s interest in maintaining platform integrity and protecting users from harm, which overrides the minimal intrusiveness of security logging.'],
+                    ['Transfer of personal data in a merger, acquisition, or business asset sale', 'Art. 6(1)(f) — legitimate interests: ad2app\'s legitimate interest in completing lawful business restructuring, balanced against data subjects\' interests. Data subjects will be notified before their data is subject to a materially different privacy policy.'],
+                    ['Sending marketing communications', 'Art. 6(1)(a) — consent (withdrawable at any time without affecting prior processing).'],
+                ],
+            },
+            { kind: 'note', label: 'Data Protection Impact Assessment (Art. 35 GDPR)', text: 'ad2app has conducted a pre-screening assessment of its processing activities against the criteria of Art. 35(1) GDPR. The automated influencer–campaign matching function involves profiling of natural persons based on professional and behavioural data. We have assessed whether this constitutes "systematic and extensive evaluation… on which decisions are taken that produce legal or similarly significant effects" within the meaning of Art. 35(3)(b). Our assessment concluded that because no decision with legal or similarly significant effect is produced solely by automated means — all campaign offers require affirmative acceptance by both parties — a full DPIA is not mandated at this stage. This assessment is documented in accordance with our accountability obligations under Art. 5(2) GDPR and is reviewed annually. We will conduct a full DPIA if the nature or scope of our profiling activities changes materially.' },
+        ],
+    },
+    {
+        id: 's5',
+        title: '5. Data Retention',
+        blocks: [
+            { kind: 'p', text: 'We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law. Retention periods correspond to the processing purposes identified in Section 4:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: '**Account data:** for the duration of your account plus 30 days after deletion (account recovery window), then permanently deleted. You may request immediate permanent deletion — waiving the recovery window — by explicitly stating this in your request to kontakt@ad2.app.' },
+                    { text: '**Campaign & collaboration data:** for the duration of your account plus 12 months after account deletion to allow dispute resolution, after which it is permanently deleted. Anonymised aggregated analytics may be retained indefinitely.' },
+                    { text: '**OAuth access and refresh tokens:** revoked and deleted immediately upon disconnection or account deletion, with a maximum retention of 24 hours for revocation processing logs.' },
+                    { text: '**Inbox data (DMs and comments):** retained for the duration of your account; deleted with your account data.' },
+                    { text: '**Invoices and billing records:** 5 years from the end of the fiscal year (Polish Accounting Act).' },
+                    { text: '**Technical logs:** up to 90 days.' },
+                    { text: '**Marketing consent records:** until consent is withdrawn plus 3 years for compliance evidence.' },
+                    { text: '**Waitlist emails:** until you register for an account or request deletion, or 24 months from submission if you do not register — whichever comes first.' },
+                    { text: '**In-app feedback:** up to 24 months from submission.' },
+                ],
+            },
+            { kind: 'p', text: 'Data processed solely on the basis of consent (marketing, analytics cookies, waitlist) is deleted within 30 days of consent withdrawal. Data processed for contractual performance is retained for the duration of the contract plus the applicable limitation period under Polish law (generally 3 years for commercial claims under Art. 118 of the Civil Code, or 6 years for documented claims). Data retained for legal obligation compliance follows the statutory schedule above.' },
+        ],
+    },
+    {
+        id: 's6',
+        title: '6. Sharing of Personal Data',
+        blocks: [
+            { kind: 'p', text: 'We do not sell your personal data. We may share it with:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: '**Other platform users:** when you actively participate in a collaboration, your professional profile (name, social handles, media kit) is visible to the brands/agencies you are matched with, and vice versa.' },
+                    {
+                        text: '**Service providers (data processors)** — engaged under contractual terms that include data protection obligations; we are in the process of formalising written Data Processing Agreements under Art. 28 GDPR with all sub-processors where not yet in place:',
+                        sub: [
+                            { text: '**Zernio (ARBICHAT, S.L.)** — social media API aggregation: we pass OAuth tokens, post content, media files, and inbox data to Zernio solely to execute publishing and inbox operations on your behalf. Zernio is incorporated in Spain (EEA); however, data is processed on infrastructure with residency in North America (United States). This constitutes an international data transfer covered by Standard Contractual Clauses (Commission Decision 2021/914).' },
+                            { text: '**Stripe** — payment processing: billing address, email, and payment reference are shared with Stripe to process subscription payments. Stripe is located in the United States and operates under the EU–US Data Privacy Framework.' },
+                            { text: '**Google Analytics 4** — product analytics: pseudonymised usage event data (feature interactions, session data, device/browser info) is sent to Google only after you have given explicit analytics consent. Google is located in the United States and participates in the EU–US Data Privacy Framework.' },
+                            { text: '**Vercel Inc.** — backend API hosting and compute: server-side application code, API requests, and associated request logs are processed on Vercel\'s infrastructure. Vercel is located in the United States and transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914).' },
+                            { text: '**Neon Inc.** — PostgreSQL database hosting: all structured platform data (accounts, campaigns, collaborations, social account metadata) is stored in a Neon-hosted PostgreSQL database. Neon is located in the United States and transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914).' },
+                            { text: '**Google Firebase (Firebase Authentication)** — authentication token verification: authentication tokens issued to users may be verified against Firebase Authentication to validate active sessions. Firebase is a Google service located in the United States and operates under the EU–US Data Privacy Framework.' },
+                            { text: 'A current list of sub-processors (including names, countries of processing, and applicable transfer safeguards) is available on request at kontakt@ad2.app.' },
+                        ],
+                    },
+                    { text: '**Legal authorities:** where required by law, court order, or to protect the rights and safety of ad2app or third parties.' },
+                    { text: '**Business transfers:** in the event of a merger, acquisition, or sale of assets, personal data may be transferred under Art. 6(1)(f) — you will be notified before it becomes subject to a different privacy policy.' },
+                ],
+            },
+        ],
+    },
+    {
+        id: 's7',
+        title: '7. International Data Transfers',
+        blocks: [
+            { kind: 'p', text: 'Your data is primarily processed within the European Economic Area (EEA). We use certain processors located outside the EEA, including processors based in the United States (currently: Vercel, Neon, Google Firebase, Stripe, Google Analytics 4, and Zernio). For all such transfers we ensure adequate safeguards through one or more of the following mechanisms:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'the EU–US Data Privacy Framework (Commission Implementing Decision 2023/1795) where the recipient is certified;' },
+                    { text: 'EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914) supplemented by Transfer Impact Assessments confirming equivalent protection in the destination country; or' },
+                    { text: 'an adequacy decision by the European Commission covering the recipient country.' },
+                ],
+            },
+            { kind: 'p', text: 'You may request copies of applicable SCCs or a summary of our Transfer Impact Assessment findings at kontakt@ad2.app.' },
+        ],
+    },
+    {
+        id: 's8',
+        title: '8. Your Rights Under GDPR',
+        blocks: [
+            { kind: 'p', text: 'As a data subject, you have the following rights under the GDPR (Articles 15–22 and Art. 77). To exercise any of these rights, contact us at kontakt@ad2.app. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). Where we decline to act on a request, we will inform you of the reasons within the same period, along with your right to lodge a complaint with UODO (see Section 12) and your right to seek a judicial remedy.' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: '**Right of access (Art. 15):** obtain a copy of the personal data we hold about you and information about how it is processed.' },
+                    { text: '**Right to rectification (Art. 16):** request correction of inaccurate or incomplete personal data.' },
+                    { text: '**Right to erasure (Art. 17):** request deletion of your personal data where there is no overriding legal basis for continued processing. Following account deletion, your data is retained in a deactivated state for 30 days to allow account recovery. You may request immediate permanent deletion (waiving the recovery window) by explicitly stating this in your request.' },
+                    { text: '**Right to restriction (Art. 18):** request that we limit the processing of your data in certain circumstances.' },
+                    { text: '**Right to data portability (Art. 20):** receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible.' },
+                    { text: '**Right to object (Art. 21):** object to processing based on legitimate interests or to profiling. We will cease unless we demonstrate compelling legitimate grounds. You may object to direct marketing at any time.' },
+                    { text: '**Right to withdraw consent (Art. 7(3)):** where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.' },
+                    { text: '**Rights related to automated decision-making and profiling (Art. 22):** our platform uses automated algorithms to match Influencers with relevant campaigns — this constitutes profiling within the meaning of Art. 4(4) GDPR. No final decision that produces legal or similarly significant effects is made solely by automated means; all campaign offers require affirmative acceptance by both parties. You may request human review of any automated match by contacting us. You may object to profiling under Art. 21(2).' },
+                    { text: '**Right to lodge a complaint (Art. 77):** you have the right to lodge a complaint with the Polish supervisory authority — Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl — if you believe we are processing your personal data in violation of the GDPR.' },
+                ],
+            },
+            { kind: 'note', label: 'Mandatory vs. optional data', text: 'Providing certain personal data (email address, name, account credentials) is a contractual requirement for accessing the Service — without it, we cannot create or maintain your account. Other fields (phone number, media kit files, audience metrics) are voluntary; their absence affects only platform functionality, not account access. Connecting social media accounts via OAuth is optional but required to access campaign matching, publishing, and inbox features.' },
+        ],
+    },
+    {
+        id: 's9',
+        title: '9. Cookies, Local Storage, and Tracking Technologies',
+        blocks: [
+            { kind: 'p', text: 'We use cookies, browser local storage, and similar technologies to operate the Service and improve your experience.' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: '**Strictly necessary cookies:** required for authentication sessions and core platform functionality. Cannot be disabled without breaking the Service. Legal basis: Art. 6(1)(b) — contract performance; no consent required. Duration: session cookies expire when you close your browser; authentication cookies expire after 30 days of inactivity.' },
+                    { text: '**Functional cookies:** set only in direct response to an action you take (e.g. selecting a language or theme preference), and strictly necessary to deliver that specific function you have requested. They do not track you across sessions beyond preserving your chosen setting. Legal basis: strictly necessary to fulfil your explicit request under Art. 173 of the Polish Telecommunications Act (ePrivacy); no separate consent required. Duration: up to 12 months, or cleared when you clear your browser data.' },
+                    { text: '**Analytics cookies (Google Analytics 4):** collect pseudonymised usage event data to help us understand how the Service is used. Legal basis: Art. 6(1)(a) — consent. No analytics cookies are set prior to your affirmative consent via the cookie consent banner shown on first visit. The `_ga` cookie set by Google Analytics expires after 2 years; `_ga_*` expires after 2 years. Data is sent to Google LLC (United States) under the EU–US Data Privacy Framework.' },
+                ],
+            },
+            { kind: 'p', text: 'You may withdraw or update your cookie consent at any time through the consent management panel accessible via the cookie settings link in the footer. Withdrawing analytics consent does not affect platform functionality.' },
+            { kind: 'subheading', text: 'Browser local storage' },
+            { kind: 'p', text: 'In addition to cookies, we use browser local storage to preserve application state between sessions. This includes: your language and theme preferences; a cached copy of your subscription tier and status (retained for up to 30 days then invalidated); and draft campaign deadline data. Local storage data is stored on your device only and is not transmitted to our servers independently of your normal usage. It is cleared when you clear your browser data or log out.' },
+        ],
+    },
+    {
+        id: 's10',
+        title: '10. Data Security',
+        blocks: [
+            { kind: 'p', text: 'We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'Encryption in transit (TLS 1.2+) and at rest for stored personal data.' },
+                    { text: 'Hashed storage of passwords using bcrypt with appropriate cost factors; OAuth tokens encrypted at rest.' },
+                    { text: 'Role-based access controls with least-privilege principles; access logs retained for audit purposes.' },
+                    { text: 'Pseudonymisation of analytics and usage data where technically feasible.' },
+                    { text: 'Regular vulnerability assessments and periodic penetration testing.' },
+                    { text: 'Incident detection, response, and escalation procedures — including UODO notification within 72 hours of a qualifying breach under Art. 33 GDPR, and notification to affected data subjects where required under Art. 34 GDPR.' },
+                    { text: 'Business continuity and data recovery procedures tested at least annually.' },
+                ],
+            },
+        ],
+    },
+    {
+        id: 's11',
+        title: '11. Third-Party Links, Social Platforms, and Inbox Data',
+        blocks: [
+            { kind: 'p', text: 'The Service allows you to connect social media accounts (TikTok, Instagram, Facebook, or YouTube) to enable platform features. When you authorise an OAuth connection, ad2app receives data from that platform\'s API as permitted by your OAuth consent screen. The source of all such data is the respective social media platform\'s API.' },
+            { kind: 'p', text: '**Inbox data and third-party communications:** when you use the inbox features, direct message conversations and post comments from your connected social media accounts are fetched and stored. This includes messages and comments sent by your followers and other third parties on those platforms. Those individuals have not directly provided their data to ad2app. We process this data under Art. 6(1)(b) (to provide the inbox feature you have contracted for) and rely on the exemption in Art. 14(5)(b) GDPR — providing individual notice to each such person would require disproportionate effort given the volume and platform-derived nature of the data. Inbox data is not used for profiling, advertising, or any purpose beyond displaying your social media communications within the platform.' },
+            { kind: 'p', text: '**Audience data (Art. 14 GDPR):** when you connect a social media account, the connected platform may provide aggregate audience data (e.g. demographic statistics about your followers). This data originates from the social platform and relates to individuals who are not in a direct relationship with ad2app. We rely on Art. 14(5)(b) GDPR — individual notification is impossible given the aggregate and platform-derived nature of this data. It is processed solely in aggregated form for influencer–brand matching and campaign analytics, and is not used for any other purpose.' },
+            { kind: 'p', text: 'We are not responsible for the privacy practices of third-party social platforms. Please review their privacy policies before connecting your accounts.' },
+        ],
+    },
+    {
+        id: 's12',
+        title: '12. Supervisory Authority',
+        blocks: [
+            { kind: 'p', text: 'You have the right to lodge a complaint with the Polish data protection supervisory authority (Art. 77 GDPR) if you believe we have violated your rights:' },
+            { kind: 'address', lines: ['Urząd Ochrony Danych Osobowych (UODO)', 'ul. Stawki 2, 00-193 Warszawa, Poland', 'https://uodo.gov.pl'] },
+        ],
+    },
+    {
+        id: 's13',
+        title: '13. Changes to This Policy',
+        blocks: [
+            { kind: 'p', text: 'We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.' },
+            { kind: 'p', text: 'Previous versions of this Privacy Policy are available on request at kontakt@ad2.app. A changelog summarising material amendments is maintained internally and available to supervisory authorities on request.' },
+        ],
+    },
+    {
+        id: 's14',
+        title: '14. Contact',
+        blocks: [
+            { kind: 'p', text: 'For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us at:' },
+            { kind: 'address', lines: ['**Ad2app sp. z o.o.**', 'ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland', 'NIP: 5253042936', 'KRS: 0001168159', 'Email: kontakt@ad2.app'] },
+        ],
+    },
+];

package/dist/legal/terms.d.ts

@@ -0,0 +1,2 @@
+import type { LegalSection } from './types';
+export declare const TERMS_SECTIONS: LegalSection[];

package/dist/legal/terms.js

@@ -0,0 +1,254 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TERMS_SECTIONS = void 0;
+exports.TERMS_SECTIONS = [
+    {
+        id: 's1',
+        title: '1. Parties and Agreement',
+        blocks: [
+            { kind: 'p', text: 'These Terms of Service ("Terms") constitute a legally binding agreement between **Ad2app sp. z o.o.**, with its registered office at ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland, NIP: 5253042936, KRS: 0001168159 ("ad2app", "we", "us"), and the individual or legal entity accessing or using the ad2app platform ("you", "User").' },
+            { kind: 'p', text: 'By creating an account or using the Service, you confirm that you have read, understood, and agree to be bound by these Terms and our {PRIVACY}, which is incorporated by reference.' },
+        ],
+    },
+    {
+        id: 's2',
+        title: '2. Service Description',
+        blocks: [
+            { kind: 'p', text: 'ad2app is a B2B influencer marketing platform that enables brands and agencies ("Advertisers") to discover, manage, and collaborate with content creators and influencers ("Influencers") on marketing campaigns. The Service includes:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'Campaign creation, management, and tracking tools.' },
+                    { text: 'Influencer discovery and profile management.' },
+                    { text: 'Collaboration and offer management workflows.' },
+                    { text: 'Messaging between Advertisers and Influencers.' },
+                    { text: 'Social media inbox management (DMs and comments from connected platforms).' },
+                    { text: 'Analytics and reporting features.' },
+                    { text: 'Media and content file management.' },
+                ],
+            },
+            { kind: 'p', text: 'We reserve the right to modify, suspend, or discontinue any part of the Service at any time, with reasonable prior notice where technically or commercially practicable.' },
+        ],
+    },
+    {
+        id: 's3',
+        title: '3. Eligibility and Account Registration',
+        blocks: [
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'You must be at least 18 years old and have full legal capacity to enter into binding contracts to use the Service.' },
+                    { text: 'If you register on behalf of a legal entity, you represent and warrant that you have authority to bind that entity to these Terms.' },
+                    { text: 'You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.' },
+                    { text: 'You must provide accurate, current, and complete registration information and keep it updated.' },
+                    { text: 'You may not create more than one account per legal entity without our prior written consent.' },
+                ],
+            },
+        ],
+    },
+    {
+        id: 's4',
+        title: '4. Acceptable Use',
+        blocks: [
+            { kind: 'p', text: 'You agree not to use the Service to:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'Violate any applicable law or regulation, including EU and Polish data protection, advertising, and consumer protection laws.' },
+                    { text: 'Upload, transmit, or distribute content that is unlawful, harmful, defamatory, obscene, or that infringes third-party intellectual property rights.' },
+                    { text: 'Impersonate any person or entity or misrepresent your affiliation with any person or entity.' },
+                    { text: 'Attempt to gain unauthorised access to any part of the Service or its related systems.' },
+                    { text: 'Use automated means (bots, scrapers, crawlers) to access or collect data from the Service without our express prior written consent.' },
+                    { text: 'Send unsolicited communications (spam) to other platform users.' },
+                    { text: 'Engage in any activity that disrupts or interferes with the integrity or performance of the Service.' },
+                    { text: 'Circumvent or disable any security or access control features of the Service.' },
+                ],
+            },
+            { kind: 'p', text: 'We reserve the right to suspend or terminate accounts that violate this section without prior notice.' },
+        ],
+    },
+    {
+        id: 's5',
+        title: '5. User Content',
+        blocks: [
+            { kind: 'p', text: '"User Content" means any data, text, images, video, or other material you upload, post, or otherwise transmit through the Service.' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'You retain all intellectual property rights in your User Content. By submitting User Content, you grant ad2app a non-exclusive, worldwide, royalty-free licence to host, store, display, and reproduce it solely to the extent necessary to provide the Service.' },
+                    { text: 'You represent and warrant that you own or have the necessary rights to your User Content and that it does not infringe any third-party rights.' },
+                    { text: 'We may remove User Content that violates these Terms or applicable law.' },
+                ],
+            },
+            { kind: 'subheading', text: 'Platform non-liability for User Content' },
+            { kind: 'p', text: '**ad2app does not create, edit, endorse, or control User Content.** We act solely as a hosting intermediary within the meaning of Article 6 of the EU Digital Services Act (Regulation (EU) 2022/2065) and are not liable for User Content unless we have actual knowledge of its illegal nature and fail to act expeditiously to remove or disable access to it.' },
+            { kind: 'p', text: 'You are **solely and exclusively responsible** for any content you create, publish, share, or distribute through the Service, including — but not limited to — campaign materials, promotional posts, sponsored content, images, videos, captions, hashtags, and any other material posted on third-party platforms (such as TikTok, Instagram, Facebook, or YouTube) using ad2app as a tool or workflow. ad2app assumes no liability for such content regardless of whether it was planned, briefed, or tracked through the platform.' },
+            { kind: 'p', text: 'In particular, you are responsible for ensuring that all published content complies with: (a) applicable advertising and marketing laws; (b) platform-specific community guidelines and terms of service of any third-party social media platform; (c) intellectual property rights of third parties; and (d) all applicable laws of the jurisdiction(s) where the content is distributed or viewed.' },
+            { kind: 'subheading', text: 'Digital Services Act — Points of Contact (Art. 11 DSA)' },
+            { kind: 'p', text: 'In accordance with Art. 11 of Regulation (EU) 2022/2065 (Digital Services Act), ad2app designates the following single point of contact for direct communication with Member State authorities, the European Commission, and the European Board for Digital Services: kontakt@ad2.app. Communications may be conducted in Polish or English.' },
+            { kind: 'subheading', text: 'Notice-and-action procedure (Art. 16 DSA)' },
+            { kind: 'p', text: 'Any person or entity may submit a notice of alleged illegal content hosted on the ad2app platform to kontakt@ad2.app. To be effective under Art. 16(2) DSA, a notice should include:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'an explanation of why the content is considered illegal under EU or applicable national law;' },
+                    { text: 'the precise location (URL or sufficient description) of the content;' },
+                    { text: 'the name and contact details of the notifier, unless the notice concerns content constituting a criminal offence involving the notifier; and' },
+                    { text: 'a statement that the notifier believes in good faith that the information and allegations are accurate and complete.' },
+                ],
+            },
+            { kind: 'p', text: 'We will acknowledge receipt without undue delay and act expeditiously upon sufficiently substantiated notices. Notifiers will receive our decision and information about available redress mechanisms. Manifestly unfounded repeated notices may be deprioritised.' },
+        ],
+    },
+    {
+        id: 's6',
+        title: '6. Intellectual Property',
+        blocks: [
+            { kind: 'p', text: 'The Service, including its software, design, logos, trademarks, and documentation, is owned by or licensed to ad2app and is protected by intellectual property laws. You are granted a limited, non-exclusive, non-transferable, revocable licence to access and use the Service solely for your internal business purposes in accordance with these Terms. You must not:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'copy, modify, or create derivative works of the Service;' },
+                    { text: 'reverse engineer, decompile, or disassemble any part of the Service (except as permitted by applicable law);' },
+                    { text: 'use our trademarks or branding without our prior written consent.' },
+                ],
+            },
+        ],
+    },
+    {
+        id: 's7',
+        title: '7. Campaigns and Collaborations Between Users',
+        blocks: [
+            { kind: 'p', text: 'The Service facilitates agreements between Advertisers and Influencers. ad2app is not a party to any agreement reached between Users through the platform and has no control over the performance, quality, legality, or accuracy of campaigns or content produced. **ad2app is not responsible for any content that Users publish, broadcast, or distribute on any platform — including third-party social media platforms — whether or not that content was planned, briefed, approved, or tracked through the Service.**' },
+            { kind: 'p', text: 'Each User is solely responsible for:' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'ensuring that all published campaign content complies with applicable advertising laws and disclosure obligations, including the Polish Act on Combating Unfair Commercial Practices (including the obligation to clearly mark sponsored posts as "reklama" or "#ad"), the EU Digital Services Act, and any platform-specific rules of the social media platform on which the content is distributed;' },
+                    { text: 'obtaining all necessary licences, consents, and permissions for any creative materials (music, images, trademarks, likeness) used in published content;' },
+                    { text: 'fulfilling the obligations agreed upon with the counterparty;' },
+                    { text: 'any tax obligations arising from payments made or received through the platform.' },
+                ],
+            },
+            { kind: 'p', text: 'ad2app shall have no liability arising from claims by third parties — including other Users, consumers, regulators, or rights-holders — that relate to the content, accuracy, legality, or effects of any material posted by Users in connection with a campaign, regardless of whether ad2app was involved in the planning or delivery of that campaign.' },
+            { kind: 'p', text: '**DSA disclosure tools:** ad2app provides campaign management tools that include disclosure labelling features to assist Advertisers and Influencers in meeting their obligations under Regulation (EU) 2022/2065 and applicable national advertising law. ad2app is not an advertising intermediary within the meaning of DSA Art. 26 with respect to content published on third-party social media platforms; however, we cooperate with users to ensure our platform tools support compliant disclosure practices.' },
+        ],
+    },
+    {
+        id: 's8',
+        title: '8. Fees and Payment',
+        blocks: [
+            { kind: 'p', text: 'Certain features of the Service may require payment of fees as set out in the applicable subscription plan or order form ("Fees"). Fees are stated in EUR or PLN and are exclusive of VAT unless otherwise indicated.' },
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'Fees are non-refundable except where expressly stated or required by applicable law.' },
+                    { text: 'We reserve the right to change Fees with at least 30 days\' notice before the change takes effect.' },
+                    { text: 'Failure to pay Fees may result in suspension of your access to paid features.' },
+                ],
+            },
+            { kind: 'p', text: '**Consumer right of withdrawal:** if you are acting as a natural person outside your professional or business capacity (consumer), you have a right of withdrawal from a service contract within 14 days under the Polish Consumer Rights Act (Ustawa o prawach konsumenta) and EU Consumer Rights Directive 2011/83/EU. By expressly requesting immediate access to the Service at the point of purchase and acknowledging this notice, you agree that the right of withdrawal is lost upon full performance of a digital service, in accordance with Art. 38(1)(a) of the Directive.' },
+            { kind: 'p', text: 'If you wish to exercise the right of withdrawal before performance is complete, you may use the standard form below or any unambiguous statement:' },
+            {
+                kind: 'box',
+                label: 'Standard Withdrawal Form',
+                lines: [
+                    'To: Ad2app sp. z o.o., ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland, kontakt@ad2.app',
+                    'I/We (*) hereby give notice that I/We (*) withdraw from my/our (*) contract for the provision of the following service: ___________',
+                    'Ordered on (*) / service commenced on (*): ___________',
+                    'Name of consumer(s): ___________',
+                    'Address of consumer(s): ___________',
+                    'Signature of consumer(s) (only if this form is submitted on paper): ___________',
+                    'Date: ___________',
+                    '(*) Delete as appropriate.',
+                ],
+            },
+        ],
+    },
+    {
+        id: 's9',
+        title: '9. Disclaimer of Warranties',
+        blocks: [
+            { kind: 'p', text: 'The Service is provided "as is" and "as available" without any warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement, to the fullest extent permitted by applicable law.' },
+            { kind: 'p', text: 'We do not warrant that the Service will be uninterrupted, error-free, or free of viruses or other harmful components.' },
+        ],
+    },
+    {
+        id: 's10',
+        title: '10. Limitation of Liability',
+        blocks: [
+            { kind: 'p', text: 'To the maximum extent permitted by applicable law, ad2app shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, or goodwill, arising from your use of or inability to use the Service.' },
+            { kind: 'p', text: 'In any case, our total aggregate liability to you for any claim arising from these Terms shall not exceed the greater of: (a) the Fees paid by you to ad2app in the 12 months preceding the claim, or (b) EUR 100.' },
+            { kind: 'p', text: 'Nothing in these Terms limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by Polish or EU law.' },
+        ],
+    },
+    {
+        id: 's11',
+        title: '11. Indemnification',
+        blocks: [
+            { kind: 'p', text: 'You agree to indemnify, defend, and hold harmless ad2app and its officers, directors, employees, and agents from any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or relating to: (a) your use of the Service in violation of these Terms; (b) your User Content; or (c) your violation of any third-party rights.' },
+        ],
+    },
+    {
+        id: 's12',
+        title: '12. Termination',
+        blocks: [
+            {
+                kind: 'ul',
+                items: [
+                    { text: 'You may close your account at any time by contacting us at kontakt@ad2.app.' },
+                    { text: 'We may suspend or terminate your account immediately if you materially breach these Terms, or with 30 days\' notice for any other reason.' },
+                    { text: 'Upon termination, your licence to use the Service ceases. Sections 5, 6, 10, 11, 13, 14, and 15 survive termination.' },
+                ],
+            },
+        ],
+    },
+    {
+        id: 's13',
+        title: '13. Data Protection',
+        blocks: [
+            { kind: 'p', text: 'Our collection and use of personal data is governed by our {PRIVACY}, which forms part of these Terms. By accepting these Terms, you acknowledge that you have read and understood our Privacy Policy.' },
+            { kind: 'p', text: 'Where you, as an Advertiser, use the Service to access, communicate with, or manage Influencer personal data through the platform, ad2app acts as a **data processor** on your behalf under Article 28 GDPR, and you act as the **data controller** for that processing. Our Data Processing Agreement (available on request at kontakt@ad2.app) governs that relationship. You remain solely responsible for ensuring you have a valid legal basis for any personal data processing you direct through the platform and for your own compliance with GDPR in your capacity as controller.' },
+        ],
+    },
+    {
+        id: 's14',
+        title: '14. Governing Law and Dispute Resolution',
+        blocks: [
+            { kind: 'p', text: 'These Terms are governed by and construed in accordance with the laws of Poland, without regard to its conflict-of-law provisions. EU mandatory consumer protection laws apply where you are a consumer within the EU.' },
+            { kind: 'p', text: 'Any dispute arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts competent for the registered office of ad2app, unless mandatory law provides otherwise.' },
+            { kind: 'p', text: 'If you are a consumer resident in the EU, you may seek alternative dispute resolution through a certified ADR body. In Poland, the relevant body is the Inspekcja Handlowa (Trade Inspection Authority). ad2app is willing to participate in ADR proceedings where required by applicable law. Our contact address for dispute resolution purposes is kontakt@ad2.app.' },
+        ],
+    },
+    {
+        id: 's15',
+        title: '15. Changes to These Terms',
+        blocks: [
+            { kind: 'p', text: 'We may update these Terms at any time. Where changes are material, we will notify you by email or via a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after that date constitutes your acceptance of the revised Terms. If you do not agree to the revised Terms, you must stop using the Service and close your account.' },
+            { kind: 'p', text: 'For Users acting as consumers, material changes that affect your rights will require your explicit re-acceptance before they take effect — we will provide a clear accept/decline mechanism in such cases.' },
+        ],
+    },
+    {
+        id: 's16',
+        title: '16. General Provisions',
+        blocks: [
+            {
+                kind: 'ul',
+                items: [
+                    { text: '**Entire agreement:** These Terms and the Privacy Policy constitute the entire agreement between you and ad2app regarding the Service and supersede all prior agreements.' },
+                    { text: '**Severability:** If any provision of these Terms is found unenforceable, the remaining provisions shall continue in full force and effect.' },
+                    { text: '**No waiver:** Failure to enforce any provision of these Terms shall not constitute a waiver of our right to enforce it in the future.' },
+                    { text: '**Assignment:** You may not assign your rights or obligations under these Terms without our prior written consent. We may assign our rights without restriction.' },
+                ],
+            },
+        ],
+    },
+    {
+        id: 's17',
+        title: '17. Contact',
+        blocks: [
+            { kind: 'p', text: 'For questions about these Terms, please contact us at:' },
+            { kind: 'address', lines: ['**Ad2app sp. z o.o.**', 'ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland', 'NIP: 5253042936', 'KRS: 0001168159', 'Email: kontakt@ad2.app'] },
+        ],
+    },
+];

package/dist/legal/types.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Inline markup conventions used in all legal text strings:
+ *   **text**   → bold
+ *   `text`     → inline code
+ *   {EMAIL}    → contact email hyperlink
+ *   {UODO}     → UODO supervisory authority URL
+ *   {PRIVACY}  → link to the Privacy Policy page (used in TOS)
+ */
+export type InlineText = string;
+export interface ListItem {
+    text: InlineText;
+    sub?: ListItem[];
+}
+export type Block = {
+    kind: 'p';
+    text: InlineText;
+} | {
+    kind: 'ul';
+    items: ListItem[];
+} | {
+    kind: 'table';
+    headers: [string, string];
+    rows: [string, string][];
+} | {
+    kind: 'address';
+    lines: InlineText[];
+} | {
+    kind: 'subheading';
+    text: string;
+} | {
+    kind: 'box';
+    label: string;
+    lines: InlineText[];
+} | {
+    kind: 'note';
+    label: string;
+    text: InlineText;
+};
+export interface LegalSection {
+    id: string;
+    title: string;
+    blocks: Block[];
+}

package/dist/legal/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });