ad2app-lib 1.1.0 → 1.3.0
- package/dist/legal/index.d.ts +5 -0
- package/dist/legal/index.js +9 -0
- package/dist/legal/meta.d.ts +12 -0
- package/dist/legal/meta.js +14 -0
- package/dist/legal/privacy.d.ts +2 -0
- package/dist/legal/privacy.js +241 -0
- package/dist/legal/terms.d.ts +2 -0
- package/dist/legal/terms.js +254 -0
- package/dist/legal/types.d.ts +43 -0
- package/dist/legal/types.js +2 -0
- package/dist/types/I_User.d.ts +5 -3
- package/dist/types/I_User.js +6 -10
- package/dist/types/scheduling/I_SchedulingPost.d.ts +3 -0
- package/dist/types/scheduling/I_SchedulingPost.js +2 -0
- package/package.json +6 -2
- package/src/legal/index.ts +5 -0
- package/src/legal/meta.ts +13 -0
- package/src/legal/privacy.ts +240 -0
- package/src/legal/terms.ts +253 -0
- package/src/legal/types.ts +29 -0
- package/src/types/I_User.ts +8 -7
- package/src/types/scheduling/I_SchedulingPost.ts +5 -0
package/dist/types/I_User.d.ts
CHANGED
|
@@ -32,9 +32,11 @@ export declare class I_UserSignInDTO {
|
|
|
32
32
|
export declare class I_UserSignUpDTO {
|
|
33
33
|
email: string;
|
|
34
34
|
password: string;
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
35
|
+
termsAccepted: boolean;
|
|
36
|
+
privacyPolicyAccepted: boolean;
|
|
37
|
+
first_name?: string;
|
|
38
|
+
last_name?: string;
|
|
39
|
+
display_name?: string;
|
|
38
40
|
}
|
|
39
41
|
export declare class I_UserFindOneDTO {
|
|
40
42
|
email: string;
|
package/dist/types/I_User.js
CHANGED
|
@@ -69,17 +69,13 @@ __decorate([
|
|
|
69
69
|
__metadata("design:type", String)
|
|
70
70
|
], I_UserSignUpDTO.prototype, "password", void 0);
|
|
71
71
|
__decorate([
|
|
72
|
-
(0, class_validator_1.
|
|
73
|
-
__metadata("design:type",
|
|
74
|
-
], I_UserSignUpDTO.prototype, "
|
|
72
|
+
(0, class_validator_1.IsBoolean)(),
|
|
73
|
+
__metadata("design:type", Boolean)
|
|
74
|
+
], I_UserSignUpDTO.prototype, "termsAccepted", void 0);
|
|
75
75
|
__decorate([
|
|
76
|
-
(0, class_validator_1.
|
|
77
|
-
__metadata("design:type",
|
|
78
|
-
], I_UserSignUpDTO.prototype, "
|
|
79
|
-
__decorate([
|
|
80
|
-
(0, class_validator_1.IsNotEmpty)(),
|
|
81
|
-
__metadata("design:type", String)
|
|
82
|
-
], I_UserSignUpDTO.prototype, "display_name", void 0);
|
|
76
|
+
(0, class_validator_1.IsBoolean)(),
|
|
77
|
+
__metadata("design:type", Boolean)
|
|
78
|
+
], I_UserSignUpDTO.prototype, "privacyPolicyAccepted", void 0);
|
|
83
79
|
class I_UserFindOneDTO {
|
|
84
80
|
}
|
|
85
81
|
exports.I_UserFindOneDTO = I_UserFindOneDTO;
|
|
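Review bot: `IsBoolean()` on `termsAccepted` and `privacyPolicyAccepted` (new lines 72–78) checks only the type, so a sign-up body that sends `false` for either flag still passes DTO validation. If acceptance is meant to be a precondition for creating an account, constrain the value too, e.g. add `(0, class_validator_1.Equals)(true),` next to `IsBoolean()`; in the TypeScript source that is `@Equals(true)` on both properties. The same hunk removes the `IsNotEmpty` block for `display_name`, and no decorators for `first_name`, `last_name` or `display_name` appear on the new side, so those now-optional fields look unvalidated here. `@IsOptional() @IsString()` with a length bound would keep them checked, and under a whitelisting validation setup undecorated properties may be stripped. The `__decorate` run starts above the hunk and this file is compiler output, so the change belongs in the source DTO.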
@@ -30,6 +30,7 @@ export declare class SchedulingCreatePostDTO {
|
|
|
30
30
|
publishNow?: boolean;
|
|
31
31
|
mediaItems?: SchedulingMediaItemDTO[];
|
|
32
32
|
platformSpecificData?: Record<string, Record<string, unknown>>;
|
|
33
|
+
tiktokSettings?: Record<string, unknown>;
|
|
33
34
|
constructor(data?: Partial<SchedulingCreatePostDTO>);
|
|
34
35
|
}
|
|
35
36
|
/** Input DTO for updating an existing post's content or scheduled time. */
|
|
@@ -46,6 +47,8 @@ export declare class SchedulingPostDTO {
|
|
|
46
47
|
platformStatuses: SchedulingPlatformStatusMap;
|
|
47
48
|
/** Per-platform URLs to the published post (e.g. { instagram: 'https://...' }). */
|
|
48
49
|
postUrls?: Record<string, string>;
|
|
50
|
+
/** Per-platform error messages for platforms that failed to publish. */
|
|
51
|
+
platformErrors?: Record<string, string>;
|
|
49
52
|
scheduledAt?: string;
|
|
50
53
|
publishedAt?: string;
|
|
51
54
|
status: SchedulingPostStatus;
|
|
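Review bot: The doc comment on `platformErrors` (new lines 50–51) does not say where the messages come from or who may read them. If they are copied verbatim from the publishing provider's responses, they can carry request identifiers or account details that should not reach every client able to read the post. I would state the contract in the comment, e.g. `/** Per-platform, user-safe error messages for platforms that failed to publish; raw provider responses stay in server logs. */`, and map provider errors to a fixed set of messages before filling the field. The class body continues outside the hunk.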
@@ -48,6 +48,7 @@ class SchedulingCreatePostDTO {
|
|
|
48
48
|
this.publishNow = data.publishNow;
|
|
49
49
|
this.mediaItems = data.mediaItems;
|
|
50
50
|
this.platformSpecificData = data.platformSpecificData;
|
|
51
|
+
this.tiktokSettings = data.tiktokSettings;
|
|
51
52
|
}
|
|
52
53
|
}
|
|
53
54
|
exports.SchedulingCreatePostDTO = SchedulingCreatePostDTO;
|
|
@@ -71,6 +72,7 @@ class SchedulingPostDTO {
|
|
|
71
72
|
this.platforms = data.platforms;
|
|
72
73
|
this.platformStatuses = data.platformStatuses;
|
|
73
74
|
this.postUrls = data.postUrls;
|
|
75
|
+
this.platformErrors = data.platformErrors;
|
|
74
76
|
this.scheduledAt = data.scheduledAt;
|
|
75
77
|
this.publishedAt = data.publishedAt;
|
|
76
78
|
this.status = data.status;
|
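Review bot: `this.tiktokSettings = data.tiktokSettings;` (new line 51) keeps the caller's object as-is, and the declaration types it as `Record<string, unknown>`, so any keys and nested values a client sends travel with the DTO unchanged. If the object is later forwarded to the publishing API, that is an unchecked pass-through of client input. A typed settings class listing the accepted fields (say `tiktokSettings?: TikTokSettingsDTO;`, name is only a suggestion), validated before use, would close that; at minimum the constructor should copy known keys rather than assign the whole object. The existing `platformSpecificData` assignment on the line above has the same shape. The constructor starts above the hunk.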
package/package.json
CHANGED
|
@@ -1,13 +1,14 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "ad2app-lib",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.3.0",
|
|
4
4
|
"main": "dist/index.js",
|
|
5
5
|
"types": "dist/index.d.ts",
|
|
6
6
|
"type": "commonjs",
|
|
7
7
|
"exports": {
|
|
8
8
|
"./utils": "./dist/utils/index.js",
|
|
9
9
|
"./types": "./dist/types/index.js",
|
|
10
|
-
"./api": "./dist/api/index.js"
|
|
10
|
+
"./api": "./dist/api/index.js",
|
|
11
|
+
"./legal": "./dist/legal/index.js"
|
|
11
12
|
},
|
|
12
13
|
"typesVersions": {
|
|
13
14
|
"*": {
|
|
@@ -20,6 +21,9 @@
|
|
|
20
21
|
"api": [
|
|
21
22
|
"dist/api/index.d.ts"
|
|
22
23
|
],
|
|
24
|
+
"legal": [
|
|
25
|
+
"dist/legal/index.d.ts"
|
|
26
|
+
],
|
|
23
27
|
"*": [
|
|
24
28
|
"dist/index.d.ts"
|
|
25
29
|
]
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
export const LEGAL_META = {
|
|
2
|
+
lastUpdated: '26 May 2025',
|
|
3
|
+
contactEmail: 'kontakt@ad2.app',
|
|
4
|
+
controllerName: 'Ad2app sp. z o.o.',
|
|
5
|
+
controllerAddress: 'ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland',
|
|
6
|
+
controllerNip: '5253042936',
|
|
7
|
+
controllerKrs: '0001168159',
|
|
8
|
+
uodoUrl: 'https://uodo.gov.pl',
|
|
9
|
+
uodoName: 'Urząd Ochrony Danych Osobowych (UODO)',
|
|
10
|
+
uodoAddress: 'ul. Stawki 2, 00-193 Warszawa, Poland',
|
|
11
|
+
} as const;
|
|
12
|
+
|
|
13
|
+
export type LegalMeta = typeof LEGAL_META;
|
|
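Review bot: `LEGAL_META` is not referenced by the privacy text shown on this page: `PRIVACY_SECTIONS` repeats the contact e-mail, controller address, NIP, KRS and the UODO name, address and URL as string literals (privacy.ts new lines 8–10, 163, 221 and 237). Two copies of the controller identity can drift apart on the next edit, and the published policy would then contradict itself. Building those strings from the constants, e.g. `text: 'You can contact us regarding any privacy matter at ' + LEGAL_META.contactEmail + '.'`, keeps one source of truth. A comment on `lastUpdated` such as `// bump whenever PRIVACY_SECTIONS or the terms text changes` would also help, since nothing ties the date to the content.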
@@ -0,0 +1,240 @@
|
|
|
1
|
+
import type { LegalSection } from './types';
|
|
2
|
+
|
|
3
|
+
export const PRIVACY_SECTIONS: LegalSection[] = [
|
|
4
|
+
{
|
|
5
|
+
id: 's1',
|
|
6
|
+
title: '1. Data Controller',
|
|
7
|
+
blocks: [
|
|
8
|
+
{ kind: 'p', text: 'The data controller of your personal data is **Ad2app sp. z o.o.**, with its registered office at ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland, NIP: 5253042936, KRS: 0001168159 ("ad2app", "we", "us", "our").' },
|
|
9
|
+
{ kind: 'p', text: 'You can contact us regarding any privacy matter at kontakt@ad2.app.' },
|
|
10
|
+
{ kind: 'p', text: '**Data Protection Officer:** We have assessed our processing activities against the criteria of Article 37 GDPR. Our current processing volume does not meet the mandatory threshold for DPO designation under Art. 37 GDPR. All privacy queries are handled by our designated privacy contact at kontakt@ad2.app. We will appoint a DPO if our processing activities reach the applicable threshold and will update this policy accordingly.' },
|
|
11
|
+
],
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
id: 's2',
|
|
15
|
+
title: '2. Scope of This Policy',
|
|
16
|
+
blocks: [
|
|
17
|
+
{ kind: 'p', text: 'This Privacy Policy explains how we collect, use, store, share, and protect personal data when you access or use the ad2app platform — including our website, web application, and any related services (collectively, the "Service"). It applies to all users: brands, agencies, and influencers who register accounts, as well as individuals who submit their email via our waitlist form.' },
|
|
18
|
+
{ kind: 'p', text: 'We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data.' },
|
|
19
|
+
{ kind: 'p', text: 'In fulfilling our accountability obligations under Art. 5(2) GDPR, ad2app maintains a Record of Processing Activities (ROPA) as required by Art. 30 GDPR, available to supervisory authorities on request.' },
|
|
20
|
+
],
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
id: 's3',
|
|
24
|
+
title: '3. Personal Data We Collect',
|
|
25
|
+
blocks: [
|
|
26
|
+
{ kind: 'p', text: 'We collect the following categories of personal data:' },
|
|
27
|
+
{
|
|
28
|
+
kind: 'ul',
|
|
29
|
+
items: [
|
|
30
|
+
{ text: '**Identity & contact data:** first name, last name, email address, business name, phone number (if provided).' },
|
|
31
|
+
{ text: '**Account credentials:** hashed password; OAuth access and refresh tokens when you connect social media accounts — we store tokens, not your passwords.' },
|
|
32
|
+
{
|
|
33
|
+
text: '**Social platform data via OAuth:** when you authorise a connection to a social media account, we receive data from that platform\'s API as permitted by your OAuth consent. The specific data received depends on the platform and the permissions you grant:',
|
|
34
|
+
sub: [
|
|
35
|
+
{ text: '**TikTok:** basic profile (user ID, display name, avatar, biography, profile URL), account statistics (follower count, following count, like count, video count), video list and metadata (titles, view counts, engagement metrics), and — where enabled for scheduling features — video upload and publish permissions. We request only the permissions required for the features you actively use.' },
|
|
36
|
+
{ text: '**Instagram:** Instagram Business account data including username, biography, profile picture, account type, and associated business metrics.' },
|
|
37
|
+
{ text: '**Facebook:** public profile information and, where you grant permission, your Facebook email address. Facebook is an independent OAuth provider separate from Instagram.' },
|
|
38
|
+
{ text: '**YouTube:** YouTube channel data (read-only: videos, statistics, channel metadata) and your Google Account profile (name, profile picture URL, Google Account ID) via the Google identity scope used for authentication.' },
|
|
39
|
+
],
|
|
40
|
+
},
|
|
41
|
+
{ text: '**Audience data (aggregate only):** demographic and engagement statistics about your social media audience, as provided by the connected platform\'s API. This data is processed exclusively in aggregate statistical form and is not linked to any identified individual within your audience. We have assessed whether this data could constitute special category data under Art. 9 GDPR and confirm that we do not process such special category data — audience data is processed solely as aggregate numeric metrics.' },
|
|
42
|
+
{ text: '**Inbox data:** when you use the platform\'s inbox features, direct message conversations and post comments from your connected social media accounts are fetched and displayed. This includes content sent to you by your followers or other third parties on those platforms. See Section 11 for further detail.' },
|
|
43
|
+
{ text: '**Professional data:** influencer category, social media handles, media kit content.' },
|
|
44
|
+
{ text: '**Campaign & collaboration data:** campaign briefs, offer terms, messages exchanged within the platform between brands and influencers.' },
|
|
45
|
+
{ text: '**Media & content:** files you upload (images, videos, documents) for campaigns or your profile.' },
|
|
46
|
+
{ text: '**Technical & usage data:** IP address, browser type and version, operating system, pages visited, referral URLs, timestamps, crash reports, and usage events (e.g. feature interactions tracked via Google Analytics 4).' },
|
|
47
|
+
{ text: '**Billing data:** billing address and payment reference. Payment card details are handled exclusively by Stripe and are never stored by ad2app.' },
|
|
48
|
+
{ text: '**Waitlist data:** if you submit your email address via our waitlist form before registering, we store that email address to notify you when access is available.' },
|
|
49
|
+
{ text: '**Feedback data:** free-text feedback submitted via the in-app feedback form. This may incidentally contain personal data you choose to include.' },
|
|
50
|
+
],
|
|
51
|
+
},
|
|
52
|
+
{ kind: 'p', text: 'We do not knowingly collect personal data from individuals under 18 years of age.' },
|
|
53
|
+
{ kind: 'p', text: 'For information on which data fields are mandatory versus optional, see Section 8.' },
|
|
54
|
+
],
|
|
55
|
+
},
|
|
56
|
+
{
|
|
57
|
+
id: 's4',
|
|
58
|
+
title: '4. Legal Bases and Purposes of Processing',
|
|
59
|
+
blocks: [
|
|
60
|
+
{
|
|
61
|
+
kind: 'table',
|
|
62
|
+
headers: ['Purpose', 'Legal basis (GDPR Art. 6)'],
|
|
63
|
+
rows: [
|
|
64
|
+
['Creating and managing your account', 'Art. 6(1)(b) — performance of contract'],
|
|
65
|
+
['Providing platform features (campaigns, collaborations, messaging, inbox)', 'Art. 6(1)(b) — performance of contract'],
|
|
66
|
+
['Processing social media data received via OAuth connections (audience metrics, engagement data, video metadata, inbox messages)', 'Art. 6(1)(b) — performance of contract: necessary to deliver influencer-brand matching, campaign analytics, and inbox features as contracted. Audience data is processed in aggregate and anonymised form only. No Art. 9 special category data is processed.'],
|
|
67
|
+
['Automated influencer–campaign matching and recommendations (profiling within the meaning of Art. 4(4) GDPR)', 'Art. 6(1)(b) — performance of contract. No binding automated decision with legal or similarly significant effect is made solely by automated means — all matches require affirmative acceptance by both parties. Human review is available on request.'],
|
|
68
|
+
['Temporary retention of account data for 30 days following account deletion (account recovery window)', 'Art. 6(1)(f) — legitimate interests: ad2app\'s and the user\'s shared interest in preventing irreversible accidental data loss, balanced against the minimal additional retention period.'],
|
|
69
|
+
['Processing payments and issuing invoices (via Stripe)', 'Art. 6(1)(b) & Art. 6(1)(c) — contract & legal obligation'],
|
|
70
|
+
['Complying with legal obligations (tax, accounting, record-keeping)', 'Art. 6(1)(c) — legal obligation: Polish Accounting Act (Ustawa o rachunkowości), Tax Ordinance (Ordynacja podatkowa), VAT Act (Ustawa o VAT).'],
|
|
71
|
+
['Waitlist email: notifying you when platform access is available', 'Art. 6(1)(a) — consent (given at the point of waitlist submission; withdrawable at any time).'],
|
|
72
|
+
['Processing in-app feedback', 'Art. 6(1)(f) — legitimate interests: ad2app\'s interest in improving the Service through user feedback.'],
|
|
73
|
+
['Improving and developing the Service (usage analytics via Google Analytics 4)', 'Art. 6(1)(f) — legitimate interests: ad2app\'s interest in understanding usage patterns to improve product quality, balanced against minimal privacy impact through pseudonymisation. Where analytics cookies are used, Art. 6(1)(a) consent applies.'],
|
|
74
|
+
['Security, fraud prevention, and abuse detection', 'Art. 6(1)(f) — legitimate interests: ad2app\'s interest in maintaining platform integrity and protecting users from harm, which overrides the minimal intrusiveness of security logging.'],
|
|
75
|
+
['Transfer of personal data in a merger, acquisition, or business asset sale', 'Art. 6(1)(f) — legitimate interests: ad2app\'s legitimate interest in completing lawful business restructuring, balanced against data subjects\' interests. Data subjects will be notified before their data is subject to a materially different privacy policy.'],
|
|
76
|
+
['Sending marketing communications', 'Art. 6(1)(a) — consent (withdrawable at any time without affecting prior processing).'],
|
|
77
|
+
],
|
|
78
|
+
},
|
|
79
|
+
{ kind: 'note', label: 'Data Protection Impact Assessment (Art. 35 GDPR)', text: 'ad2app has conducted a pre-screening assessment of its processing activities against the criteria of Art. 35(1) GDPR. The automated influencer–campaign matching function involves profiling of natural persons based on professional and behavioural data. We have assessed whether this constitutes "systematic and extensive evaluation… on which decisions are taken that produce legal or similarly significant effects" within the meaning of Art. 35(3)(b). Our assessment concluded that because no decision with legal or similarly significant effect is produced solely by automated means — all campaign offers require affirmative acceptance by both parties — a full DPIA is not mandated at this stage. This assessment is documented in accordance with our accountability obligations under Art. 5(2) GDPR and is reviewed annually. We will conduct a full DPIA if the nature or scope of our profiling activities changes materially.' },
|
|
80
|
+
],
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
id: 's5',
|
|
84
|
+
title: '5. Data Retention',
|
|
85
|
+
blocks: [
|
|
86
|
+
{ kind: 'p', text: 'We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law. Retention periods correspond to the processing purposes identified in Section 4:' },
|
|
87
|
+
{
|
|
88
|
+
kind: 'ul',
|
|
89
|
+
items: [
|
|
90
|
+
{ text: '**Account data:** for the duration of your account plus 30 days after deletion (account recovery window), then permanently deleted. You may request immediate permanent deletion — waiving the recovery window — by explicitly stating this in your request to kontakt@ad2.app.' },
|
|
91
|
+
{ text: '**Campaign & collaboration data:** for the duration of your account plus 12 months after account deletion to allow dispute resolution, after which it is permanently deleted. Anonymised aggregated analytics may be retained indefinitely.' },
|
|
92
|
+
{ text: '**OAuth access and refresh tokens:** revoked and deleted immediately upon disconnection or account deletion, with a maximum retention of 24 hours for revocation processing logs.' },
|
|
93
|
+
{ text: '**Inbox data (DMs and comments):** retained for the duration of your account; deleted with your account data.' },
|
|
94
|
+
{ text: '**Invoices and billing records:** 5 years from the end of the fiscal year (Polish Accounting Act).' },
|
|
95
|
+
{ text: '**Technical logs:** up to 90 days.' },
|
|
96
|
+
{ text: '**Marketing consent records:** until consent is withdrawn plus 3 years for compliance evidence.' },
|
|
97
|
+
{ text: '**Waitlist emails:** until you register for an account or request deletion, or 24 months from submission if you do not register — whichever comes first.' },
|
|
98
|
+
{ text: '**In-app feedback:** up to 24 months from submission.' },
|
|
99
|
+
],
|
|
100
|
+
},
|
|
101
|
+
{ kind: 'p', text: 'Data processed solely on the basis of consent (marketing, analytics cookies, waitlist) is deleted within 30 days of consent withdrawal. Data processed for contractual performance is retained for the duration of the contract plus the applicable limitation period under Polish law (generally 3 years for commercial claims under Art. 118 of the Civil Code, or 6 years for documented claims). Data retained for legal obligation compliance follows the statutory schedule above.' },
|
|
102
|
+
],
|
|
103
|
+
},
|
|
104
|
+
{
|
|
105
|
+
id: 's6',
|
|
106
|
+
title: '6. Sharing of Personal Data',
|
|
107
|
+
blocks: [
|
|
108
|
+
{ kind: 'p', text: 'We do not sell your personal data. We may share it with:' },
|
|
109
|
+
{
|
|
110
|
+
kind: 'ul',
|
|
111
|
+
items: [
|
|
112
|
+
{ text: '**Other platform users:** when you actively participate in a collaboration, your professional profile (name, social handles, media kit) is visible to the brands/agencies you are matched with, and vice versa.' },
|
|
113
|
+
{
|
|
114
|
+
text: '**Service providers (data processors)** — engaged under contractual terms that include data protection obligations; we are in the process of formalising written Data Processing Agreements under Art. 28 GDPR with all sub-processors where not yet in place:',
|
|
115
|
+
sub: [
|
|
116
|
+
{ text: '**Zernio (ARBICHAT, S.L.)** — social media API aggregation: we pass OAuth tokens, post content, media files, and inbox data to Zernio solely to execute publishing and inbox operations on your behalf. Zernio is incorporated in Spain (EEA); however, data is processed on infrastructure with residency in North America (United States). This constitutes an international data transfer covered by Standard Contractual Clauses (Commission Decision 2021/914).' },
|
|
117
|
+
{ text: '**Stripe** — payment processing: billing address, email, and payment reference are shared with Stripe to process subscription payments. Stripe is located in the United States and operates under the EU–US Data Privacy Framework.' },
|
|
118
|
+
{ text: '**Google Analytics 4** — product analytics: pseudonymised usage event data (feature interactions, session data, device/browser info) is sent to Google only after you have given explicit analytics consent. Google is located in the United States and participates in the EU–US Data Privacy Framework.' },
|
|
119
|
+
{ text: '**Vercel Inc.** — backend API hosting and compute: server-side application code, API requests, and associated request logs are processed on Vercel\'s infrastructure. Vercel is located in the United States and transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914).' },
|
|
120
|
+
{ text: '**Neon Inc.** — PostgreSQL database hosting: all structured platform data (accounts, campaigns, collaborations, social account metadata) is stored in a Neon-hosted PostgreSQL database. Neon is located in the United States and transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914).' },
|
|
121
|
+
{ text: '**Google Firebase (Firebase Authentication)** — authentication token verification: authentication tokens issued to users may be verified against Firebase Authentication to validate active sessions. Firebase is a Google service located in the United States and operates under the EU–US Data Privacy Framework.' },
|
|
122
|
+
{ text: 'A current list of sub-processors (including names, countries of processing, and applicable transfer safeguards) is available on request at kontakt@ad2.app.' },
|
|
123
|
+
],
|
|
124
|
+
},
|
|
125
|
+
{ text: '**Legal authorities:** where required by law, court order, or to protect the rights and safety of ad2app or third parties.' },
|
|
126
|
+
{ text: '**Business transfers:** in the event of a merger, acquisition, or sale of assets, personal data may be transferred under Art. 6(1)(f) — you will be notified before it becomes subject to a different privacy policy.' },
|
|
127
|
+
],
|
|
128
|
+
},
|
|
129
|
+
],
|
|
130
|
+
},
|
|
131
|
+
{
|
|
132
|
+
id: 's7',
|
|
133
|
+
title: '7. International Data Transfers',
|
|
134
|
+
blocks: [
|
|
135
|
+
{ kind: 'p', text: 'Your data is primarily processed within the European Economic Area (EEA). We use certain processors located outside the EEA, including processors based in the United States (currently: Vercel, Neon, Google Firebase, Stripe, Google Analytics 4, and Zernio). For all such transfers we ensure adequate safeguards through one or more of the following mechanisms:' },
|
|
136
|
+
{
|
|
137
|
+
kind: 'ul',
|
|
138
|
+
items: [
|
|
139
|
+
{ text: 'the EU–US Data Privacy Framework (Commission Implementing Decision 2023/1795) where the recipient is certified;' },
|
|
140
|
+
{ text: 'EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914) supplemented by Transfer Impact Assessments confirming equivalent protection in the destination country; or' },
|
|
141
|
+
{ text: 'an adequacy decision by the European Commission covering the recipient country.' },
|
|
142
|
+
],
|
|
143
|
+
},
|
|
144
|
+
{ kind: 'p', text: 'You may request copies of applicable SCCs or a summary of our Transfer Impact Assessment findings at kontakt@ad2.app.' },
|
|
145
|
+
],
|
|
146
|
+
},
|
|
147
|
+
{
|
|
148
|
+
id: 's8',
|
|
149
|
+
title: '8. Your Rights Under GDPR',
|
|
150
|
+
blocks: [
|
|
151
|
+
{ kind: 'p', text: 'As a data subject, you have the following rights under the GDPR (Articles 15–22 and Art. 77). To exercise any of these rights, contact us at kontakt@ad2.app. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). Where we decline to act on a request, we will inform you of the reasons within the same period, along with your right to lodge a complaint with UODO (see Section 12) and your right to seek a judicial remedy.' },
|
|
152
|
+
{
|
|
153
|
+
kind: 'ul',
|
|
154
|
+
items: [
|
|
155
|
+
{ text: '**Right of access (Art. 15):** obtain a copy of the personal data we hold about you and information about how it is processed.' },
|
|
156
|
+
{ text: '**Right to rectification (Art. 16):** request correction of inaccurate or incomplete personal data.' },
|
|
157
|
+
{ text: '**Right to erasure (Art. 17):** request deletion of your personal data where there is no overriding legal basis for continued processing. Following account deletion, your data is retained in a deactivated state for 30 days to allow account recovery. You may request immediate permanent deletion (waiving the recovery window) by explicitly stating this in your request.' },
|
|
158
|
+
{ text: '**Right to restriction (Art. 18):** request that we limit the processing of your data in certain circumstances.' },
|
|
159
|
+
{ text: '**Right to data portability (Art. 20):** receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible.' },
|
|
160
|
+
{ text: '**Right to object (Art. 21):** object to processing based on legitimate interests or to profiling. We will cease unless we demonstrate compelling legitimate grounds. You may object to direct marketing at any time.' },
|
|
161
|
+
{ text: '**Right to withdraw consent (Art. 7(3)):** where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.' },
|
|
162
|
+
{ text: '**Rights related to automated decision-making and profiling (Art. 22):** our platform uses automated algorithms to match Influencers with relevant campaigns — this constitutes profiling within the meaning of Art. 4(4) GDPR. No final decision that produces legal or similarly significant effects is made solely by automated means; all campaign offers require affirmative acceptance by both parties. You may request human review of any automated match by contacting us. You may object to profiling under Art. 21(2).' },
|
|
163
|
+
{ text: '**Right to lodge a complaint (Art. 77):** you have the right to lodge a complaint with the Polish supervisory authority — Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl — if you believe we are processing your personal data in violation of the GDPR.' },
|
|
164
|
+
],
|
|
165
|
+
},
|
|
166
|
+
{ kind: 'note', label: 'Mandatory vs. optional data', text: 'Providing certain personal data (email address, name, account credentials) is a contractual requirement for accessing the Service — without it, we cannot create or maintain your account. Other fields (phone number, media kit files, audience metrics) are voluntary; their absence affects only platform functionality, not account access. Connecting social media accounts via OAuth is optional but required to access campaign matching, publishing, and inbox features.' },
|
|
167
|
+
],
|
|
168
|
+
},
|
|
169
|
+
{
|
|
170
|
+
id: 's9',
|
|
171
|
+
title: '9. Cookies, Local Storage, and Tracking Technologies',
|
|
172
|
+
blocks: [
|
|
173
|
+
{ kind: 'p', text: 'We use cookies, browser local storage, and similar technologies to operate the Service and improve your experience.' },
|
|
174
|
+
{
|
|
175
|
+
kind: 'ul',
|
|
176
|
+
items: [
|
|
177
|
+
{ text: '**Strictly necessary cookies:** required for authentication sessions and core platform functionality. Cannot be disabled without breaking the Service. Legal basis: Art. 6(1)(b) — contract performance; no consent required. Duration: session cookies expire when you close your browser; authentication cookies expire after 30 days of inactivity.' },
|
|
178
|
+
{ text: '**Functional cookies:** set only in direct response to an action you take (e.g. selecting a language or theme preference), and strictly necessary to deliver that specific function you have requested. They do not track you across sessions beyond preserving your chosen setting. Legal basis: strictly necessary to fulfil your explicit request under Art. 173 of the Polish Telecommunications Act (ePrivacy); no separate consent required. Duration: up to 12 months, or cleared when you clear your browser data.' },
|
|
179
|
+
{ text: '**Analytics cookies (Google Analytics 4):** collect pseudonymised usage event data to help us understand how the Service is used. Legal basis: Art. 6(1)(a) — consent. No analytics cookies are set prior to your affirmative consent via the cookie consent banner shown on first visit. The `_ga` cookie set by Google Analytics expires after 2 years; `_ga_*` expires after 2 years. Data is sent to Google LLC (United States) under the EU–US Data Privacy Framework.' },
|
|
180
|
+
],
|
|
181
|
+
},
|
|
182
|
+
{ kind: 'p', text: 'You may withdraw or update your cookie consent at any time through the consent management panel accessible via the cookie settings link in the footer. Withdrawing analytics consent does not affect platform functionality.' },
|
|
183
|
+
{ kind: 'subheading', text: 'Browser local storage' },
|
|
184
|
+
{ kind: 'p', text: 'In addition to cookies, we use browser local storage to preserve application state between sessions. This includes: your language and theme preferences; a cached copy of your subscription tier and status (retained for up to 30 days then invalidated); and draft campaign deadline data. Local storage data is stored on your device only and is not transmitted to our servers independently of your normal usage. It is cleared when you clear your browser data or log out.' },
|
|
185
|
+
],
|
|
186
|
+
},
|
|
187
|
+
{
|
|
188
|
+
id: 's10',
|
|
189
|
+
title: '10. Data Security',
|
|
190
|
+
blocks: [
|
|
191
|
+
{ kind: 'p', text: 'We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR:' },
|
|
192
|
+
{
|
|
193
|
+
kind: 'ul',
|
|
194
|
+
items: [
|
|
195
|
+
{ text: 'Encryption in transit (TLS 1.2+) and at rest for stored personal data.' },
|
|
196
|
+
{ text: 'Hashed storage of passwords using bcrypt with appropriate cost factors; OAuth tokens encrypted at rest.' },
|
|
197
|
+
{ text: 'Role-based access controls with least-privilege principles; access logs retained for audit purposes.' },
|
|
198
|
+
{ text: 'Pseudonymisation of analytics and usage data where technically feasible.' },
|
|
199
|
+
{ text: 'Regular vulnerability assessments and periodic penetration testing.' },
|
|
200
|
+
{ text: 'Incident detection, response, and escalation procedures — including UODO notification within 72 hours of a qualifying breach under Art. 33 GDPR, and notification to affected data subjects where required under Art. 34 GDPR.' },
|
|
201
|
+
{ text: 'Business continuity and data recovery procedures tested at least annually.' },
|
|
202
|
+
],
|
|
203
|
+
},
|
|
204
|
+
],
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
id: 's11',
|
|
208
|
+
title: '11. Third-Party Links, Social Platforms, and Inbox Data',
|
|
209
|
+
blocks: [
|
|
210
|
+
{ kind: 'p', text: 'The Service allows you to connect social media accounts (TikTok, Instagram, Facebook, or YouTube) to enable platform features. When you authorise an OAuth connection, ad2app receives data from that platform\'s API as permitted by your OAuth consent screen. The source of all such data is the respective social media platform\'s API.' },
|
|
211
|
+
{ kind: 'p', text: '**Inbox data and third-party communications:** when you use the inbox features, direct message conversations and post comments from your connected social media accounts are fetched and stored. This includes messages and comments sent by your followers and other third parties on those platforms. Those individuals have not directly provided their data to ad2app. We process this data under Art. 6(1)(b) (to provide the inbox feature you have contracted for) and rely on the exemption in Art. 14(5)(b) GDPR — providing individual notice to each such person would require disproportionate effort given the volume and platform-derived nature of the data. Inbox data is not used for profiling, advertising, or any purpose beyond displaying your social media communications within the platform.' },
|
|
212
|
+
{ kind: 'p', text: '**Audience data (Art. 14 GDPR):** when you connect a social media account, the connected platform may provide aggregate audience data (e.g. demographic statistics about your followers). This data originates from the social platform and relates to individuals who are not in a direct relationship with ad2app. We rely on Art. 14(5)(b) GDPR — individual notification is impossible given the aggregate and platform-derived nature of this data. It is processed solely in aggregated form for influencer–brand matching and campaign analytics, and is not used for any other purpose.' },
|
|
213
|
+
{ kind: 'p', text: 'We are not responsible for the privacy practices of third-party social platforms. Please review their privacy policies before connecting your accounts.' },
|
|
214
|
+
],
|
|
215
|
+
},
|
|
216
|
+
{
|
|
217
|
+
id: 's12',
|
|
218
|
+
title: '12. Supervisory Authority',
|
|
219
|
+
blocks: [
|
|
220
|
+
{ kind: 'p', text: 'You have the right to lodge a complaint with the Polish data protection supervisory authority (Art. 77 GDPR) if you believe we have violated your rights:' },
|
|
221
|
+
{ kind: 'address', lines: ['Urząd Ochrony Danych Osobowych (UODO)', 'ul. Stawki 2, 00-193 Warszawa, Poland', 'https://uodo.gov.pl'] },
|
|
222
|
+
],
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
id: 's13',
|
|
226
|
+
title: '13. Changes to This Policy',
|
|
227
|
+
blocks: [
|
|
228
|
+
{ kind: 'p', text: 'We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.' },
|
|
229
|
+
{ kind: 'p', text: 'Previous versions of this Privacy Policy are available on request at kontakt@ad2.app. A changelog summarising material amendments is maintained internally and available to supervisory authorities on request.' },
|
|
230
|
+
],
|
|
231
|
+
},
|
|
232
|
+
{
|
|
233
|
+
id: 's14',
|
|
234
|
+
title: '14. Contact',
|
|
235
|
+
blocks: [
|
|
236
|
+
{ kind: 'p', text: 'For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us at:' },
|
|
237
|
+
{ kind: 'address', lines: ['**Ad2app sp. z o.o.**', 'ul. Juliana Smulikowskiego 4A/21, 00-389 Warszawa, Poland', 'NIP: 5253042936', 'KRS: 0001168159', 'Email: kontakt@ad2.app'] },
|
|
238
|
+
],
|
|
239
|
+
},
|
|
240
|
+
];
|
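Review bot: Two statements in `PRIVACY_SECTIONS` disagree about how inbox data is handled: the s3 item (new line 42) says direct messages and comments are "fetched and displayed", while s11 (new line 211) says they are "fetched and stored" and s5 (new line 93) gives them a retention period. The wording should match in all three places, because it decides what users are told about third-party messages held by the service. In the same way, s7 (new line 135) says data is "primarily processed within the European Economic Area", but s6 (new lines 119–120) places API hosting and the PostgreSQL database holding all structured platform data with US-located processors. Section s10 also states concrete controls (TLS 1.2+, bcrypt, OAuth tokens encrypted at rest, annual recovery tests), so a header comment such as `// s10 lists security commitments: confirm with the backend owners before editing.` would flag that these strings must track the real configuration.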