Version 2026-07-14 · Last updated: July 14, 2026

Privacy Policy

This Privacy Policy explains how the operator of MAD and mad-ads.com collects, uses, discloses, stores, and protects personal information. It covers public editorial pages, accounts and profiles, community applications, merch pre-orders, editor tools, analytics, and the internal content workflow.

1. Controller and scope

The operator of MAD and mad-ads.com determines why and how personal information is processed and is responsible for that processing (or, in Ukrainian terminology, acts as the personal data owner). MAD is the public-facing service name used in this notice.

For privacy questions, rights requests, or complaints, contact the MAD operator at maximusik2@gmail.com.

2. Data map: accounts and profiles

  • Data: first and last name, email address, password handled by Supabase Auth, optional phone, job title and company, username, profile text, avatar, account role, subscription tier, language, authentication/session records, and policy-acceptance version and timestamp.
  • Purpose and ground: create and secure the account, provide the profile and editor/member features, send service messages, and perform the user agreement; protect MAD and users; meet legal obligations.
  • Recipients: authorized MAD team members, Supabase for authentication/database/storage, Railway for application hosting and runtime logs, and Resend for transactional email.
  • Retention: while the account is active, then for the period needed to complete a verified deletion request, protect security and legal claims, and clear normal backups. Public avatars remain visible until replaced or removed.

3. Data map: community applications and merch pre-orders

  • Data: community applications include full name, email, country, phone, company and position, LinkedIn URL, Telegram username, application answers, referral source, locale, timestamps, and delivery records. Merch pre-orders include the selected design, name, email, Telegram username, locale, privacy-policy version, and timestamps.
  • Purpose and ground: evaluate and administer a requested community relationship or record merch interest and contact the person about that pre-order; protect participants, prevent abuse, and take steps requested before a possible agreement. Neither form subscribes a person to marketing.
  • Recipients: authorized MAD team members, Supabase, and Railway; Resend also receives community-application data for transactional delivery. These submissions are not intended to be published.
  • Retention: community applications follow the membership/decision periods described by MAD and are generally kept no longer than 12 months after the relationship or decision. Merch pre-orders are kept until the related drop is completed or cancelled and for up to 12 months afterward, unless law, safety, fraud prevention, or a dispute requires longer retention.

4. Data map: usage, device, and attribution

  • Data may include requested pages, locale, timestamps, browser and device characteristics, IP address in provider or security logs, referring host, campaign parameters, whether an advertising click identifier was present, clicks, navigation, scrolling, errors, and security events.
  • Purpose and ground: operate and secure the service, diagnose failures, measure content and campaign performance, understand product use, and improve the experience. MAD relies on legitimate interests or another applicable lawful ground where available; default-on analytics is not described as consent.
  • Recipients: Railway and Supabase for operations; Meta for advertising measurement; Amplitude for product analytics and, when configured, sampled session replay.
  • Retention: analytics and provider records follow the applicable provider/project settings and are reviewed against business need; security and runtime logs are targeted for no more than 12 months unless an incident or legal obligation requires longer retention.

5. Data map: editorial and AI-assisted workflows

  • Data may include source URLs and snapshots, submitted editorial material, titles and article bodies, prompts, translation dictionaries, model and prompt versions, generated drafts, confidence or relevance values, review notes, and editor identifiers.
  • Purpose and ground: operate the CMS, prepare drafts and translations, maintain source and audit history, and improve editorial operations.
  • Recipients: authorized MAD editors, Supabase, Railway, and OpenAI when an authorized AI-assisted workflow is configured and invoked.
  • Retention: for the life of the related editorial record and a reasonable audit period. Published material and source records may be retained longer for integrity, attribution, rights, and historical purposes.

6. Authentication, sessions, and public profile elements

Supabase Auth handles registration, email confirmation, login, password processing, and sessions. MAD does not store plaintext passwords in application code or public profile tables. Authentication cookies and related session information are used to keep users signed in and enforce access controls.

Avatar files are publicly readable so they can appear in the interface. Do not upload an image you do not want publicly accessible. Other profile details are limited by database access controls but may be displayed when a feature expressly presents them.

7. Essential storage and marketing analytics

MAD uses essential cookies or similar storage for authentication, security, sessions, language routing, and service operation. These functions cannot be disabled through the marketing control.

Meta Pixel and Amplitude are enabled by default when configured. They help measure page views, confirmed registrations, campaigns, product use, and interaction quality. This default is a product setting, not a statement that a user gave legal consent. Where applicable law permits an opt-out model, MAD relies on legitimate interests or another available ground. Any mandatory rule requiring prior consent still controls.

The persistent Privacy choices control lets you disable or re-enable marketing analytics on the current browser. MAD stores that preference locally. Disabling stops new app-triggered Meta and Amplitude events after the choice takes effect and opts the running Amplitude client out; it does not retroactively delete events already sent. A verified rights request can address historical data where applicable.

8. Session replay safeguards

If the configured Amplitude replay sample rate is above zero, Amplitude may create a video-like reconstruction from sampled DOM changes, navigation, clicks, scrolling, and visible page interactions. Replay uses browser storage such as IndexedDB and follows the Amplitude opt-out setting.

MAD configures replay with medium masking and blocks all forms and containers marked as sensitive, including account registration/login, profile, admin, community application, and merch pre-order interfaces. Form fields, passwords, private profile content, and submission answers are not intended to be captured. Remote Amplitude privacy settings can apply stricter controls and must not be configured to weaken these protections.

9. Purposes and lawful grounds

  • Contract or steps requested before a contract: accounts, requested community review, merch pre-orders, service delivery, and transactional communications.
  • Legitimate interests: site security, fraud prevention, debugging, service improvement, audience measurement, attribution, and defensible editorial operations, balanced against user rights.
  • Legal obligation and legal claims: compliance, accounting if paid services launch, responding to lawful requests, and establishing or defending rights.
  • Consent: used only where MAD asks for a separate affirmative choice and the law makes consent appropriate. A default-on analytics setting or privacy-policy acknowledgment is not consent.

10. Current processors and recipients

  • Railway: application hosting, deployment runtime, networking, and operational logs.
  • Supabase: authentication, Postgres database, row-level access controls, and file storage.
  • Resend: transactional email delivery and delivery records.
  • Meta: Pixel-based advertising measurement and related event processing when configured.
  • Amplitude: product analytics and sampled session replay when configured.
  • OpenAI: internal source analysis, relevance scoring, drafting, translation, or review when an authorized editor or automation run invokes that configured workflow.

11. Planned or inactive services

The codebase contains a protected Listmonk webhook and references possible newsletter infrastructure, but Listmonk is not described as an active marketing sender unless separately deployed and configured. The contact-only merch pre-order form is active, but MAD+ subscriptions, merch checkout, and a payment provider are not active paid services in the current product.

If MAD activates a new processor or materially different purpose, this notice and any required collection notice will be updated before or when that processing begins.

12. Disclosure, sale, and targeted advertising

MAD does not sell personal information for money. Information may be disclosed to the processors above, authorized team members and contractors, professional advisers, a successor in a business transaction, or authorities when disclosure is lawfully required or needed to protect rights and safety.

Meta Pixel can be treated as a sale, sharing, or processing for targeted or cross-context behavioral advertising under some U.S. state laws even when no money changes hands. MAD therefore provides the Privacy choices opt-out and will apply any additional rights required where such a law applies.

13. Manual publishing and AI

Automated ingestion, localization, scoring, and AI tools may create or update internal drafts. They do not independently schedule or auto-publish public content. Public release requires an intentional publish instruction by an authorized editor or through authorized MCP publishing tooling.

Manual-only publishing means unattended ingestion or drafting jobs do not transition a draft to public status. MAD may retain prompts, sources, generated material, and editor activity to operate and audit that workflow.

14. International transfers

Processors may handle data outside the country where a person lives, depending on the region and settings selected for Railway, Supabase, Resend, Meta, Amplitude, and OpenAI. Exact production regions and signed data-processing terms should be maintained in MAD's internal processor register.

Where required, MAD will use a lawful transfer mechanism, such as an adequacy basis, a data-processing agreement with appropriate contractual safeguards, standard contractual clauses, or another mechanism permitted by law. Transfers of Ukrainian personal data must also satisfy Article 29 of the Law of Ukraine On Personal Data Protection.

15. Retention and deletion

MAD keeps data only for the category-specific periods above or while it remains reasonably necessary for the stated purpose. Transactional email delivery records are targeted for no more than 24 months; verified privacy-request and dispute records may be kept for up to five years; security incidents and legal holds may require longer retention.

Deletion may be performed manually. Data removed from active systems may remain in restricted backups until the normal backup cycle expires. MAD may retain de-identified information, records required by law, and limited evidence needed to prevent fraud, resolve disputes, or prove compliance.

16. Security

MAD uses measures designed to reduce risk, including server-side authorization, Supabase row-level security, restricted service-role use, scoped editor/admin access, input and upload validation, and replay blocking for sensitive interfaces.

No system is completely secure. Users must protect their credentials and email account. Please report suspected unauthorized access through the privacy contact without including passwords or unnecessary sensitive data.

17. Your rights and request procedure

Depending on applicable law, you may ask to know whether MAD processes your data; access, correct, update, delete, or obtain a copy; restrict or object to processing; withdraw consent where processing actually relies on consent; opt out of targeted advertising or sharing; appeal a denied request; and complain to a regulator or court.

Email maximusik2@gmail.com with the right you want to exercise, the account, application, or merch pre-order email involved, and enough detail to find the record. Do not send a password. MAD may verify identity proportionately, may ask an authorized agent for proof of authority, and will respond within the period required by applicable law. If a request is denied, reply with 'Appeal' and the reason you disagree. MAD will not discriminate against a person for exercising a legally protected privacy right.

18. Notice for people in Ukraine

For Article 12 collection notice purposes, the data categories, purposes, recipients, rights, MAD service identity, and monitored operator contact are stated in this Policy and beside account, community, and merch pre-order forms. Under Article 11, MAD maps processing to contract or requested steps, legal obligation, legitimate interests where available, or separately obtained consent; default-on analytics is not labeled as consent.

Article 8 rights include obtaining information about the owner and processing, access, reasoned objection, correction or deletion of inaccurate or unlawfully processed data, protection from unlawful processing and accidental loss, complaint to the Ukrainian Parliament Commissioner for Human Rights or a court, and withdrawal of consent where consent is the ground. Cross-border transfers are handled subject to Article 29 and other applicable Ukrainian requirements.

19. California and other U.S. notices

California's CalOPPA requires disclosure of online collection practices. MAD does not currently respond to the browser Do Not Track header because there is no uniform technical standard for that signal. MAD does honor a browser Global Privacy Control signal as an analytics opt-out when the browser exposes it, and everyone can use the persistent Privacy choices control.

Meta and other third-party analytics services may collect information about activity over time and across different websites or online services under their own policies. If a comprehensive U.S. state privacy law applies to MAD, eligible residents may receive the access, correction, deletion, portability, appeal, and opt-out rights required by that law. This notice does not claim that MAD currently meets a particular law's business-size or processing-volume threshold.

20. Sources of information

MAD obtains information directly from users, automatically from browsers and devices, from authentication/email/hosting providers, from authorized editors, and from public editorial sources. MAD does not intentionally buy profile, community-application, or merch pre-order data from data brokers.

21. Age eligibility

Public editorial pages are intended for a general audience, but MAD accounts and community applications are only for people who are at least 18 years old. MAD does not knowingly create accounts for or accept community applications from anyone under 18. Contact the privacy address if you believe an ineligible minor submitted personal data.

22. Changes and contact

MAD may update this Policy as the product, processors, or law changes. The page will show a new version and date. Material changes will receive additional notice, such as an account email or prominent on-site message, where appropriate or required; renewed acknowledgment will be requested when required.

Privacy requests, complaints, and Terms questions: maximusik2@gmail.com. This channel is operationally monitored; an email address in this notice is not a substitute for a working request process.