Privacy Notice

Effective date: February 17, 2026
Operator: APEX LAB SOLUTIONS LLC

1. Scope and Acceptance

This Privacy Notice applies to personal data we collect when you use the MB Suite platform ("the Service"), represent a Client, or visit our websites. By accessing our services you agree to this Privacy Notice. If you do not agree, please discontinue use of the Service.

2. Information We Collect

  • Account Data: Name, email address, phone number, billing information, organization name, and role within the platform.
  • Technical Data: Cookies, browser type, device information, IP address, and user preferences. For detailed information about cookies and how to manage your preferences, see our Cookie Policy.
  • Contact Management Data: When users of our platform (marketing agencies) manage their client contacts within MB Suite, we process the following data as a Data Processor on their behalf: first name, last name, email address, phone number, mobile number, job title, notes, and organizational associations. The agency (Data Controller) is responsible for ensuring a lawful basis exists for processing this data. Contact data may also be: (a) included in AI conversation context when the "contacts" data source is enabled for an AI agent, in which case contact names are transmitted but email addresses are omitted from context summaries; (b) used as recipients of email marketing campaigns and automated flows; (c) created through AI-assisted actions with explicit user confirmation. All processing of Contact Management Data is performed at the direction of the organization (Data Controller).
  • Integration Data (OAuth): When you connect advertising and analytics platforms, we access the following data through OAuth authorization:
    • Google Ads: Campaign performance metrics (impressions, clicks, cost, conversions), account structure, and budget settings. We may read AND write budget values if you enable the AutoBudget feature.
    • Google Analytics (GA4): Property data, page views, sessions, user metrics, and traffic source data. Read-only access.
    • Google Search Console: Search performance data, keyword rankings, clicks, and impressions. Read-only access.
    • Google Business Profile: Business listing data, reviews, and location information. Read and manage access.
    • Meta (Facebook & Instagram) Ads: Ad account data, campaign performance, audience insights, Page engagement metrics, and Instagram business profile data. Read access for reporting; write access for ad management.
    • TikTok Ads: Advertiser account data, campaign performance metrics, and reporting data. Read-only access.
    • LinkedIn Ads: Ad account data, campaign performance, reporting metrics, and organization page data. Read access for reporting; write access for ad management.
  • Imported Data: Campaign metrics, performance data, and reporting information fetched from connected platforms.

3. How We Store Integration Credentials

OAuth access tokens are stored securely in Google Cloud Secret Manager (encrypted at rest with AES-256) and are never stored in our application database. You can revoke access at any time by disconnecting the integration from your MB Suite settings, which immediately revokes the token at the platform provider and deletes it from our systems.

4. How We Use Data

We use data to operate the platform, authenticate users, display performance reports and dashboards, send transactional and marketing emails, process payments, and power our AI-assisted features as described in Section 4a below. We do not sell your personal data to third parties.

4a. Artificial Intelligence Features

4a.1 AI Features Overview

MB Suite includes AI-powered features including conversational assistants, content generation, data analysis, action proposals (creating tasks, social posts, campaigns, contacts), and automated insights. These features are powered by third-party AI providers.

4a.2 Data Transmitted to AI Providers

When you use AI features, the following data may be transmitted to the selected AI provider for processing:

  • Organization information (name, category, industry, type)
  • Task titles, statuses, priorities, and due dates
  • Social media post content, platforms, and statuses
  • Media plan names, budgets, campaign details, and expenditure data
  • Contact names (email addresses are not transmitted in context summaries)
  • SEO item titles and statuses
  • Integration connection statuses
  • Knowledge documents uploaded to agents (file text is extracted and transmitted)
  • Your conversation history with the AI assistant
  • Current view context (the page or section you are viewing)
  • Custom agent instructions configured by your organization

4a.3 AI Providers

The AI provider used for each request depends on the agent configuration selected by your organization:

  • Google Gemini (via Vertex AI) — Google Cloud, United States; EU-US Data Privacy Framework certified
  • OpenAI — OpenAI, L.L.C., United States; Data Processing Addendum available
  • Anthropic — Anthropic, PBC, United States; Data Processing Agreement available

4a.4 No Training Commitment

All AI providers process your data exclusively to generate responses to your queries. None of our AI providers use your data to train, improve, or develop their models. This is governed by each provider's Data Processing Agreement.

4a.5 AI Actions Require Confirmation

When AI proposes actions that modify data (creating tasks, posts, campaigns, or contacts), these actions are presented as proposals ("action cards") that require your explicit confirmation before execution. No data is modified without your consent.

4a.6 User and Admin Controls

Organization administrators control which data sources are available to each AI agent through the agent configuration panel. Users can select which agent processes their requests. Knowledge files can be added or removed by authorized users.

4a.7 Conversation Storage

AI conversations are stored in our database to provide session continuity and enable conversation history. Knowledge files are stored in Firebase Storage; their extracted text is transmitted to the selected AI provider when the agent is used.

4a.8 In-Product Disclosure

The AI chat interface indicates which provider is processing each request.

5. Legal Bases

We process data based on Performance of Contract (to provide the service you subscribed to), Legitimate Interest (security, fraud detection, and service improvement), and Consent (for cookies and marketing communications).

6. Data Controller and Processor Roles

Controller: APEX LAB SOLUTIONS LLC is the Data Controller for Account Data (your name, email, billing information).
Processor: APEX acts as Data Processor for Service Data (campaign metrics, advertising data). The Client (organization owner) is the Data Controller for Service Data. A Data Processing Agreement (DPA) governing our processing of Service Data on your behalf is available at /dpa. The DPA includes Standard Contractual Clauses for international data transfers and details our technical and organizational security measures.

Parent-Child Organization Relationships: In the context of Parent-Child Organization relationships, the Parent Organization acts as a Data Controller (or joint controller, depending on the arrangement) for data within its Child Organizations that it accesses. The Parent Organization is responsible for establishing the appropriate legal basis for such access and for informing users within Child Organizations.

7. Subprocessors

We share data with the following trusted service providers solely to operate the Service:

  • Google Cloud Platform (Firebase) — Database, authentication, and file storage (United States; EU-US Data Privacy Framework certified)
  • Google Cloud Secret Manager — Secure credential storage for OAuth tokens (United States; EU-US Data Privacy Framework certified)
  • Vercel — Application hosting and edge network (United States; EU-US Data Privacy Framework certified)
  • Stripe — Payment processing and subscription management (United States; EU-US Data Privacy Framework certified)
  • Resend — Transactional and marketing email delivery (United States)
  • Google Gemini (Vertex AI) — AI-powered conversational assistants, content generation, and data analysis (United States; EU-US Data Privacy Framework certified)
  • OpenAI — AI-powered conversational assistants, content generation, and data analysis. Data Processing Addendum executed. (United States; EU-US Data Privacy Framework certified)
  • Anthropic — AI-powered conversational assistants, content generation, and data analysis. Data Processing Agreement executed. (United States; EU-US Data Privacy Framework certified)
  • Sentry — Error tracking and performance monitoring (United States; EU-US Data Privacy Framework certified)

We will notify you of changes to our subprocessor list at least 30 days in advance. You may subscribe to subprocessor change notifications by contacting privacy@mb-suite.com.

8. International Transfers

Your personal data is processed in the United States. We ensure that all international data transfers are protected by appropriate safeguards as required by applicable law:

  • EU-US Data Privacy Framework (DPF): Our primary subprocessors (Google Cloud Platform, Vercel, and Stripe) are certified under the EU-US Data Privacy Framework, providing an adequacy basis for transfers from the European Economic Area (EEA) to the United States.
  • Standard Contractual Clauses (SCCs): For subprocessors not covered by the DPF, we have executed the European Commission Standard Contractual Clauses (Implementing Decision 2021/914, Module 2: Controller to Processor) to ensure an adequate level of protection.
  • Supplementary Measures: In addition to contractual safeguards, we implement technical supplementary measures including: AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, comprehensive audit logging, and pseudonymization of data where technically feasible.
  • Transfer Impact Assessments: We conduct and maintain Transfer Impact Assessments (TIAs) for data transfers to jurisdictions that have not received an adequacy decision, documenting the legal framework of the destination country and the effectiveness of supplementary measures.

You may request a copy of the applicable transfer safeguards by contacting privacy@mb-suite.com.

For Latin American users: International transfers from Argentina are conducted under the exceptions of Ley 25.326 Art. 12; from Brazil under LGPD Art. 33 (standard contractual clauses and specific consent); from Mexico under LFPDPPP Art. 36; and from Colombia under Ley 1581/2012 Art. 26. In all cases, we ensure that the receiving entities maintain appropriate levels of data protection.

9. Retention

9.1 General Principle

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Notice, comply with legal obligations, resolve disputes, and enforce our agreements.

9.2 Specific Retention Periods

Data Category: Retention Period

  • Account Data (name, email, billing): Duration of account + 30 days post-termination
  • AI Conversations: 12 months from last activity in conversation
  • AI Call Logs: 12 months
  • AI Usage Records: 24 months
  • AI Credit Transactions: 36 months (financial records)
  • Contact Data: Duration of account + 30 days
  • Email Campaign Data: 24 months from send date
  • Flow Enrollment Data: 12 months after completion/cancellation
  • Email Logs: 12 months
  • Knowledge Files: Duration of agent configuration
  • Context Documents: Duration of account
  • Audit Logs: 24 months
  • Media Library Files: Duration of account + 30 days
  • Integration Credentials: Immediately deleted upon disconnection
  • Aggregated/Anonymized Data: Indefinitely (cannot identify individuals)

9.3 Deletion

Upon account termination, you have a 30-day export window. After this period, personal data is permanently deleted from active systems. Backup copies may persist in encrypted form for up to 90 days as part of disaster recovery procedures.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Restriction: Request that we limit how we process your data in certain circumstances.
  • Portability: Receive your personal data in a structured, commonly used format.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Object: Where we process your data based on legitimate interest, you have the right to object at any time on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You may also object at any time to the processing of your personal data for direct marketing purposes.

To exercise any of these rights, contact us at privacy@mb-suite.com. We will respond within 30 days (or within the shorter timeline required by your local law).

Right to Lodge a Complaint: You also have the right to lodge a complaint with a data protection supervisory authority. In the European Union, you can contact the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at the European Data Protection Board website. In Latin America, you may contact: AAIP (Argentina), ANPD (Brazil), INAI (Mexico), or SIC (Colombia).

11. Data Deletion

You may request deletion of your personal data at any time by contacting privacy@mb-suite.com. For data obtained through Meta (Facebook/Instagram) integrations, you can also initiate a data deletion request through your Facebook app settings. We process all deletion requests within 30 days.

When you disconnect an advertising platform integration:

  1. The OAuth access token is immediately revoked at the platform provider
  2. The encrypted credentials are deleted from our secure storage
  3. All cached platform data (metrics, account structure) is deleted
  4. Historical dashboard reports that referenced this data will show the data as unavailable

12. California & US State Privacy Rights

12.1 California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

  • Right to know what personal information we collect and how we use it
  • Right to request deletion of your personal information
  • Right to correct inaccurate personal information
  • Right to opt-out of the sale or sharing of your personal information
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination for exercising your privacy rights

12.2 Do Not Sell or Share

MB Suite does not sell personal information as defined by the CCPA. MB Suite does not share personal information for cross-context behavioral advertising as defined by the CPRA. We do not use personal information for profiling in furtherance of decisions that produce legal or similarly significant effects.

12.3 US State Privacy Rights

Residents of the following states have similar rights to those described above under their respective state privacy laws:

  • Virginia (VCDPA): Rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling.
  • Colorado (CPA): Rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling.
  • Connecticut (CTDPA): Rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling.
  • Texas (TDPSA): Rights of access, correction, deletion, portability, and opt-out of targeted advertising and sale of personal data.

To exercise any of these rights, contact privacy@mb-suite.com. We will respond within the timeframe required by the applicable state law (generally 45 days).

13. Children's Privacy

MB Suite is not directed to individuals under the age of 16 (or 13 in the United States under COPPA). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at privacy@mb-suite.com.

14. Latin America Privacy Rights

If you are located in Latin America, the following jurisdiction-specific rights and information apply to you in addition to the general rights described above:

Brazil (LGPD — Lei 13.709/2018)

In accordance with Brazil's General Data Protection Law (LGPD), you have the right to: confirmation of processing, access to your data, correction of incomplete or inaccurate data, anonymization/blocking/elimination of unnecessary data, data portability, information about public and private entities with which your data has been shared, information about the possibility of denying consent and its consequences, and revocation of consent. The supervisory authority is the ANPD (Autoridade Nacional de Proteção de Dados). We will respond to data subject requests within 15 business days as required by LGPD Art. 19.

Argentina (Ley 25.326 — PDPA)

Under Argentina's Personal Data Protection Act (Ley 25.326), you have ARCO rights: Access (Acceso), Rectification (Rectificación), Cancellation (Cancelación/Supresión), and Opposition (Oposición) under Articles 14-16. We will respond to data subject requests within 10 calendar days as required by law. The supervisory authority is the AAIP (Agencia de Acceso a la Información Pública). You may contact the AAIP at www.argentina.gob.ar/aaip.

Mexico (LFPDPPP)

Under Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), you have ARCO rights: Access, Rectification, Cancellation, and Opposition. We will respond to data subject requests within 20 business days as required by law. If you are not satisfied with our response, you may contact the INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) at www.inai.org.mx. By using the Service, you consent to the processing of your personal data as described in this Privacy Notice; you may revoke such consent at any time.

Colombia (Ley 1581/2012)

Under Colombia's data protection law (Ley 1581/2012 and Decreto 1377/2013), you have the right to: know, update, rectify, and request deletion of your personal data, revoke authorization, and file complaints with the SIC (Superintendencia de Industria y Comercio). We will respond within 10 business days (extendable by 5 additional days). The SIC can be contacted at www.sic.gov.co.

Chile (Ley 19.628 + Reforma)

Under Chile's data protection framework, you have ARCO rights: Access, Rectification, Cancellation, and Opposition. We will respond to access requests within 2 business days and other requests within 10 business days. The supervisory authority will be established under the pending reform legislation.

Peru (Ley 29733)

Under Peru's Personal Data Protection Law (Ley 29733), you have rights of access, rectification, cancellation, and opposition. The supervisory authority is the ANPDP (Autoridad Nacional de Protección de Datos Personales). We will respond within 8 business days.

Uruguay (Ley 18.331)

Uruguay has received an EU adequacy decision. Under Uruguay's data protection law (Ley 18.331), you have rights of access, rectification, inclusion, and suppression. The supervisory authority is the URCDP (Unidad Reguladora y de Control de Datos Personales). We will respond within 5 business days.

Ecuador (LOPDP 2021)

Under Ecuador's Organic Law on Personal Data Protection (LOPDP), you have rights of access, rectification, cancellation, opposition, and portability. We will respond within 15 calendar days.

Costa Rica (Ley 8968)

Under Costa Rica's data protection law (Ley 8968), you have rights of access, rectification, cancellation, and opposition. The supervisory authority is PRODHAB (Agencia de Protección de Datos de los Habitantes). We will respond within 5 business days.

15. Data Breach Notification

APEX maintains documented incident response procedures. In the event of a personal data breach that is likely to result in a risk to data subjects, we will notify affected individuals and applicable regulatory authorities as required by law: within 72 hours to supervisory authorities under GDPR, within a reasonable period under LGPD, and without unreasonable delay under CCPA and other applicable laws.

Notifications will include: the nature of the breach, categories and approximate number of records affected, likely consequences, measures taken or proposed to address the breach, and contact point for further information.

16. Security

We implement industry-standard technical and organizational measures to protect your data, including HTTPS encryption in transit, AES-256 encryption at rest for OAuth credentials, role-based access controls (RBAC), and comprehensive audit logging. No system is 100% secure, but we are committed to protecting your information.

17. Changes to This Notice

We may update this Privacy Notice from time to time. We will notify you of significant changes by posting the new notice on this page and updating the effective date.

18. Contact

APEX LAB SOLUTIONS LLC

8 THE GREEN STE A, DOVER, DELAWARE, UNITED STATES

General inquiries: support@mb-suite.com

Privacy & data protection: privacy@mb-suite.com
