1. Introduction
This privacy policy explains how Wawade AB ("Company", "we", "us", "our") collects, uses, discloses, and protects personal data when you use the Spinaker LinkedIn Ads Manager application.
We are committed to protecting your personal data and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the UK GDPR.
Contact: [email protected]
2. Our role
Depending on the context, we act as:
A. Data controller
We act as a controller when we determine the purposes and means of processing personal data, including:
- Account registration and management
- Application performance monitoring and error tracking
- Security and fraud prevention
B. Data processor
We act as a processor when we process personal data on behalf of our business customers in connection with LinkedIn Ads operations and integrations established by users.
In such cases, processing is governed by our Data Processing Agreement (DPA) with the customer.
3. Personal data we collect
We collect and process the following personal data:
- Account information: name, email address, and profile image from your Google account (provided during sign-in)
- LinkedIn connection data: OAuth tokens linking your LinkedIn account to the service (encrypted at rest)
- LinkedIn Ads data: ad account information, campaigns, ads, and related metadata fetched via the LinkedIn Marketing API
- Usage data: actions performed within the application (recorded in audit logs)
- Technical data: IP address, user agent, browser type and version, and device information (captured for security and audit purposes)
We do not intentionally collect sensitive personal data (special category data under GDPR).
4. How we collect personal data
We collect personal data:
- Directly from you when you register an account or contact us
- Automatically through cookies and similar technologies during your use of the platform
- From third-party platforms when you connect your LinkedIn account via OAuth
5. Purposes and legal bases for processing
Under GDPR, we rely on the following legal bases:
A. Performance of a contract (Art. 6(1)(b))
- Providing access to the platform and managing your account
- Authenticating access via Google OAuth
- LinkedIn Ads operations: syncing, editing, and publishing changes to your LinkedIn ad accounts on your behalf
- Delivering customer support
B. Legitimate interests (Art. 6(1)(f))
- Security monitoring and fraud prevention — our interest in protecting the platform, user data, and LinkedIn OAuth tokens from unauthorized access
- Maintaining audit logs of actions and detecting unauthorized access — our interest in accountability and incident investigation
- Monitoring application performance and identifying errors — our interest in delivering a stable, reliable service
- Limited B2B marketing communications to existing customers — our interest in retaining customers and communicating product updates
We conduct balancing assessments for each legitimate interest, documented in our internal records. You have the right to object to processing based on legitimate interest (see Section 12).
C. Consent (Art. 6(1)(a))
- Analytics cookies (Google Analytics) — only set after you give consent via the cookie banner
You may withdraw consent at any time by updating your preferences via the Cookie Settings link in the site footer.
D. Legal obligation
- Compliance with tax, accounting, and regulatory requirements
6. Whether providing personal data is required
Providing your account information (name and email via Google OAuth) is necessary to use the service. Without it, we cannot create your account or grant access to the platform.
Connecting your LinkedIn account via OAuth is necessary to use LinkedIn Ads management features. You may use the platform without connecting a LinkedIn account, but ad account operations will not be available.
7. Cookies and tracking technologies
We use strictly necessary cookies for authentication and core platform functionality. We do not use marketing or advertising cookies.
We use Google Analytics 4 with Google Consent Mode v2 to understand how visitors interact with this website. Analytics cookies are only set after you give consent via the cookie banner. Without consent, Google Analytics sends cookieless measurement pings that do not store any data on your device. Google Analytics operates under consent (see Section 5C).
We use PostHog for application performance monitoring and error tracking. PostHog operates under our legitimate interest in maintaining a reliable service (see Section 5B) and uses browser localStorage, not cookies. PostHog session recording is used for error diagnosis and service improvement; all input masking is enabled to prevent capture of typed content.
For full details on cookies and similar technologies, see our cookie policy. You can manage your cookie preferences at any time via the Cookie Settings link in the site footer or through your browser settings.
8. Subprocessors
We use the following third-party services to process your data:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Application hosting, database (Firestore), serverless functions, encryption key management (Cloud KMS) | US (us-east1) |
| Firebase | User authentication (Google OAuth) | US |
| | API integration for ad account management | US |
| Anthropic | AI-powered platform features | US |
| PostHog | Application performance monitoring and error tracking | EU |
| Google Analytics | Website analytics | US |
Planned: Stripe (payment processing, US) — not yet active.
Where we act as a processor, these providers act as subprocessors under appropriate contractual safeguards. A current list of subprocessors is maintained on our subprocessors page.
9. International data transfers
Your data is hosted in the United States (us-east1). For users located in the European Economic Area (EEA) or the United Kingdom, this means your personal data is transferred to the United States for processing.
Where required, we implement appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- UK International Data Transfer Addendum (where applicable)
- Supplementary technical and organizational measures
- Transfer risk assessments
You may request further information about these safeguards by contacting us.
10. Data retention
- Audit logs: retained for 90 days, then automatically deleted via Firestore TTL policy
- Account data: retained until you delete your account. Upon deletion, your profile, subscription memberships, and associated data are permanently removed
- LinkedIn tokens: retained while your LinkedIn connection is active. Removed when you disconnect your LinkedIn account or delete your user account
- Application performance monitoring data (PostHog): retained for 12 months
- Website analytics data (Google Analytics): retained for 14 months
- Legal and accounting data: retained as required by law
11. Data security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of OAuth tokens at rest using envelope encryption (AES-256-GCM with Cloud KMS)
- Encryption in transit (TLS)
- Role-based access control with subscription-level tenant isolation
- Automatic redaction of sensitive fields in application logs
- CSRF protection on all state-changing requests
- Audit logging with 90-day retention
- Monitoring and alerting
- Least-privilege access controls
Access to production systems is limited to authorized personnel.
12. Your data protection rights (EU/UK)
If you are located in the EU or UK, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (you can also delete your account directly from your profile page)
- Restrict processing
- Object to processing based on legitimate interest
- Data portability — request your data in a structured, commonly used format
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority:
  - EU: Swedish Authority for Privacy Protection (IMY) — Box 8114, 104 20 Stockholm, Sweden; phone: +46 8 657 61 00; email: [email protected]; web: www.imy.se
  - UK: Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; phone: +44 303 123 1113; web: ico.org.uk
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
13. Marketing communications
You may opt out of marketing communications at any time by:
- Clicking the unsubscribe link in emails
- Contacting us directly
Service-related communications are not marketing and cannot be opted out of while you maintain an account.
14. AI processing
We may use third-party AI service providers to deliver certain platform features. Personal data processed by AI providers is handled strictly in accordance with contractual safeguards and is not used for model training or unrelated purposes.
15. Third-party links
Our website and platform may contain links to third-party websites and services (such as LinkedIn, Google, and PostHog). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with personal data.
16. Automated decision-making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects concerning you.
17. Children
Our services are intended for business use only and are not directed to individuals under 18.
18. Changes to this policy
We may update this privacy policy from time to time. Changes will be reflected by the "Last updated" date at the top of this page. For material changes, we will notify you via email or an in-app notification before the changes take effect. Where changes affect processing based on consent, we will seek fresh consent where required by law.
19. Contact information
If you have questions about this privacy policy or our data practices, please contact:
Wawade AB
Medevigatan 8, 113 61 Stockholm, Sweden
Email: [email protected]
We are established in the EU and are not required to appoint a UK representative under Article 27 of the UK GDPR. If this changes, we will update this policy.