Privacy Policy

Last updated: 2026-05-08

This Privacy Policy describes what personal data AdHunter collects from customers of the Service available at https://adhunter.org, why we collect it, how we store it and with whom we share it. By using the Service, you agree to the practices described below.

1. Data we collect

1.1. Account data

• Account login (chosen by you);
• password (stored only as a salted bcrypt hash);
• contact identifier (Telegram username and/or Jabber ID);
• creation timestamp, role, active/blocked flag.

1.2. Operational data submitted for tasks

To execute a task, you submit details of the third-party resources you want us to operate on. This may include:

• Google Ads account email address, password, recovery email, TOTP secret;
• destination URL, copy and creative assets;
• proxy connection details (host, port, credentials);
• payment card details when a card needs to be bound to the ad account;
• verification documents that the third-party platform may request from the advertiser.

All sensitive fields above (account passwords, TOTP secrets, payment card numbers and CVV, proxy passwords) are stored encrypted at rest using the Fernet symmetric scheme with a per-instance key. Plaintext is decrypted only at the moment an operator is authorised to view the credentials of a specific task assigned to them; every such view is recorded in an audit log.

1.3. Wallet and transaction data

For each top-up and payment we keep: the amount, currency, timestamp, status, payment provider order identifier and (for crypto) the blockchain transaction hash. We do not store any payment card details when payments are made via the Cryptomus payment gateway — those are handled by the gateway directly.

1.4. Telemetry

We log basic technical telemetry on every API request — IP address, User-Agent, endpoint, status code — to investigate abuse and to enforce rate limits. Log retention is up to 90 days for general access logs and longer for security-relevant events.

2. Why we use this data

• To deliver the requested service (run a campaign launch on your behalf);
• to operate the wallet, accept top-ups and process refunds;
• to authenticate customers and detect unauthorised access;
• to investigate and prevent fraud and AML risk;
• to respond to legal requests we are required to comply with;
• to communicate with the customer about their account and tasks (transactional notifications only — we do not send marketing emails by default).

3. Sharing

We share data with third parties only in the following cases:

• Cryptomus — to issue and verify payment invoices when you initiate a top-up. Cryptomus receives the order identifier, amount, currency and a callback URL. Customer login or other personal identifiers are not passed.
• Card-issuing partners (MyBrocard, FlexCard, Multicards.io) — only when you explicitly request synchronisation of your virtual cards with our platform via your own API key.
• Hosting and infrastructure providers that process data on our behalf under written contracts.
• Law enforcement and regulators when we are legally required to disclose data in response to a valid request.

We never sell or rent personal data to advertisers, brokers or any other third party.

4. Storage location and retention

Personal data is stored on servers operated by AdHunter or its infrastructure provider. We retain account and wallet data for as long as the account is active and for a reasonable period afterwards (no longer than 24 months) for accounting, legal and anti-fraud purposes, after which the data is irreversibly deleted or anonymised. Encrypted credentials are deleted as soon as they are no longer required to execute the corresponding task.

5. Your rights

Subject to applicable law, you have the right to access, rectify, export and delete the personal data we hold about you. To exercise any of these rights, write to privacy@adhunter.org from the email address on record. We will respond within 30 days. Note that some data must be retained to comply with our AML, accounting and security obligations and cannot be deleted before that retention period expires.

6. Cookies and similar technologies

The customer dashboard uses a small number of cookies that are strictly necessary for the Service to operate (authentication session, language preference). We do not use third-party analytics or advertising cookies on the public website.

7. Children

The Service is not intended for and may not be used by anyone under the age of 18. If we learn that we have collected personal data of a person under 18, we will delete it promptly.

8. Security

We apply industry-standard technical and organisational measures to protect customer data: TLS 1.2+ in transit, encryption at rest for sensitive fields, strict authentication and audit logs, rate limiting and SSRF protection on outbound calls, isolated environments per service, regular database backups with WAL archiving and database-level guards against destructive operations. No system is completely immune from compromise; please notify us at security@adhunter.org if you discover a vulnerability.

9. Changes

We may update this Privacy Policy from time to time. The "Last updated" date above indicates the current version. Material changes will be announced via the dashboard and/or by email at least 14 days before they take effect.

10. Contact

For privacy questions, email privacy@adhunter.org.