Privacy Policy
Last updated: June 2026
Effective date: June 2026
1. Introduction and Controller Identity
Mr. Robot ("we", "our", "us") operates the services offered at mrrobot.co.il and its associated platforms. This policy explains what personal data we collect, how we use it, who we share it with, and the rights available to you. For any privacy-related inquiry, please contact us at contact@mrrobot.co.il.
2. Information We Collect
We collect the following categories of personal data:
- Account and contact data: name, email address, phone number, company name, and billing address.
- Payment data: handled by our payment provider. We do not store card details on our servers.
- Content you provide: files, text, branding, messages, and other information you upload or create.
- Technical data: IP address, browser type, operating system, device information, and approximate location.
- Communications: emails, support tickets, and chat messages you send to us.
- WhatsApp data: applies only when you contact us via WhatsApp (see section 8).
- Google account information: when a customer connects a Google account to enable the meeting-booking feature on a landing page, we receive an OAuth access token, refresh token, token expiry, granted scope string, and the connected Google account email address. See section 9.
- Google Ads account data: when a customer connects a Google Ads account to use the advertising feature, we receive OAuth tokens and the Google Ads customer ID(s) of the authorized account(s), and we access the campaigns, ad groups, keywords, ads, and performance metrics (impressions, clicks, cost, conversions) for campaigns the system creates and manages. See the Google Ads Account Connections section.
- Meta advertising account data: when a customer connects a Meta ad account to use the advertising feature, we receive a Meta access token and the ad account, Facebook Page, and Pixel identifiers you select, and we access the campaigns, ad sets, ads, and ads insights for campaigns the system creates and manages. See the Meta Advertising Account Connections section.
- Cookies and similar technologies: see section 6.
3. Legal Basis for Processing
We process personal data on one or more of the following bases: (a) performance of a contract with you; (b) your consent, which you may withdraw at any time; (c) our legitimate interests (such as securing the Service, preventing fraud, and improving the product), balanced against your rights; (d) compliance with a legal obligation to which we are subject.
4. How We Use Your Information
- To provide, operate, and maintain the Service.
- To manage accounts, billing, subscriptions, and invoicing.
- To communicate with you about the Service, updates, and support.
- To improve the Service and its quality, including the quality of models and automated outputs.
- To prevent fraud, abuse, and security incidents.
- To comply with legal obligations and enforce our agreements.
5. Automated Processing and AI
The Service uses artificial intelligence to generate content and to automate interactions on your behalf. AI output may contain errors and should be reviewed before use. We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you. Google user data received via Google APIs (including data from the Google Calendar API) is excluded from any model training, fine-tuning, or quality-improvement process, and is never sent to any AI provider. See section 9.
For the advertising feature, AI is used to generate campaign assets - for example ad copy (headlines and descriptions), ad images, and suggested keywords or audience signals - from the business brief and inputs you type into the campaign wizard. Only that user-provided text and those prompts are sent to our AI and keyword-research providers; we do not send any data read from your connected Google Ads or Meta advertising account (such as existing campaigns, search terms, or historical performance) to any AI provider. Accordingly, the commitment above that Google user data received via Google APIs is never sent to any AI provider continues to hold for the advertising feature: the only inputs sent to AI providers originate from your own typed brief, not from data retrieved through the Google Ads API. See the Google Ads and Meta advertising sections.
6. Cookies and Similar Technologies
We use cookies in the following categories: essential (authentication and session state), preferences (language, theme, and similar), analytics (usage measurement and improvement), and affiliate attribution. You can manage consent through the cookie banner on the site and through your browser settings. Blocking certain cookies may affect how the Service works.
7. Sharing with Third Parties
We do not sell your personal data. We share information only with the following categories of service providers acting on our behalf and under our instructions:
- Payment processors (for billing and fraud prevention).
- Cloud infrastructure and storage providers.
- Communication providers (email, SMS, messaging).
- AI providers (for features that rely on generative AI).
- Google (Google Identity Services for "Sign in with Google", and the Google Calendar API for the meeting-booking feature) - see section 9 for the specific data, scopes, and limited-use commitments.
- Google (the Google Ads API for creating, editing, and reporting on campaigns in a customer's connected Google Ads account) - see the Google Ads Account Connections section for the specific data, scopes, and limited-use commitments.
- Meta (the Meta Marketing API for creating, editing, and reporting on campaigns in a customer's connected Meta ad account) - see the Meta Advertising Account Connections section.
- AI and keyword-research providers used to generate advertising assets from your typed brief: OpenAI (ad copy, ad images, and audience suggestions) and DataForSEO (keyword research - search volume, competition, difficulty, and intent). These providers receive only the inputs you type into the wizard and never data pulled from your connected Google Ads or Meta account.
- Analytics and security providers.
- Professional advisors, public authorities, and law-enforcement authorities - where legally required or to protect our rights.
A current list of our sub-processors is available on written request.
8. Meta WhatsApp Business Platform
When you contact us via WhatsApp, we receive from Meta your WhatsApp phone number, WhatsApp ID, public display name, and message content (text, images, audio, documents). This information is used to respond to your inquiries, provide support, and power our chatbot services. To request deletion, email contact@mrrobot.co.il with the subject "DELETE MY DATA" and your phone number. WhatsApp conversations are retained until you request deletion or the conversation is considered inactive, subject to applicable law and Meta's policies.
9. Google Account Connections (Google Calendar Integration)
Customers who run a landing page may choose to connect their Google account so that visitors can book meetings directly into their Google Calendar. When the customer authorizes the connection, we receive and store the following from Google: an OAuth access token, an OAuth refresh token, the access-token expiry, the granted scope string, and the email address of the connected Google account. We request the scope https://www.googleapis.com/auth/calendar.events (to read free/busy times and to create events on calendars the user owns) together with the basic profile email scope (to display which Google account is connected).
We use Google user data only to power the meeting-booking feature the customer enabled: (a) reading free/busy intervals on the calendar selected by the customer to compute available slots for visitors; (b) listing the customer's writable calendars in the settings UI so they can pick which calendar to book into; (c) creating events on that calendar, with the visitor's name and email as the event attendee, when a visitor submits the booking form.
Limited Use. Mr. Robot's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Google user data to serve advertising or for any advertising purpose.
- We do not sell Google user data and we do not transfer it to data brokers or information resellers.
- We do not use Google user data to train, fine-tune, or improve any generalized or third-party AI/ML model, and we do not send Google user data to any AI provider.
- We do not allow humans to read Google user data except (i) with the customer's explicit consent, (ii) for security purposes (such as investigating abuse), (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized.
Storage and security. OAuth tokens and the connected account email are stored on the same cloud infrastructure as the rest of the customer's account, protected by access controls and encryption in transit. No part of this data is sent to any third party other than Google itself, in order to call the Google Calendar API on the customer's behalf.
Retention and deletion. OAuth tokens and connected-account metadata are retained for as long as the customer keeps the integration enabled on their landing page. The customer can disconnect at any time from /platform/landing-pages → Meetings → Disconnect Google, which immediately revokes the refresh token at Google's /oauth2/revoke endpoint and erases the stored OAuth blob. The customer can also independently revoke our access at any time from https://myaccount.google.com/permissions. Events already created on the customer's Google Calendar before disconnection remain on Google's calendar and are governed by Google's own terms; we do not retain a copy of the event body.
Visitor data. When a visitor books a meeting on a customer's landing page, the visitor's name, email address, the chosen time slot, and the form submission are sent to Google to be inserted as an event (with the visitor as the attendee) on the customer's calendar. In that flow the customer is the data controller for the visitor's data and Mr. Robot acts as a data processor on the customer's behalf (see section 18). Visitors who want their data removed should contact the customer who owns the landing page; we will assist customers in honoring such requests.
10. Google Ads Account Connections (Advertising)
Customers who use our advertising feature may choose to connect their own Google Ads account so that Mr. Robot can create, edit, launch, pause, and report on Search campaigns in that account on the customer's behalf. The connection is established through Google OAuth using the Google Ads API. We request the restricted scope https://www.googleapis.com/auth/adwords (to manage Google Ads campaigns on the connected account), together with the basic openid and email scopes where used to identify the connected account. The system manages only campaigns that it created itself within the connected account; it does not import or take over campaigns created elsewhere.
Through this connection we access and process the following from the connected Google Ads account: the Google Ads customer ID(s) of the account(s) you authorize (and any manager-account ID, currency, and time zone used to operate them); the campaigns, ad groups, keywords, responsive search ads, and creatives that the system creates and the remote resource IDs Google returns for them; and performance metrics that the system reads back for reporting and optimization, such as impressions, clicks, click-through rate, average cost-per-click, cost, conversions, and conversion value at the campaign and keyword level. The keyword data, ad copy, budgets, bids, and destination URLs sent to Google to build campaigns are derived from the inputs you provide in the campaign wizard.
We use this Google user data only to operate the campaign-management and reporting feature you enabled - building and editing your campaigns, and showing you their performance. We do not use it for any other purpose.
Limited Use. Mr. Robot's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Google user data to serve advertising or for any advertising purpose other than operating the campaigns you ask us to manage in your own account.
- We do not sell Google user data and we do not transfer it to data brokers or information resellers.
- We do not use Google user data to train, fine-tune, or improve any generalized or third-party AI/ML model. Performance and account data read from your Google Ads account is never sent to any AI provider; our optimization suggestions are generated by our own server-side logic over the metrics cached for your account.
- We do not allow humans to read Google user data except (i) with your explicit consent, (ii) for security purposes (such as investigating abuse), (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized.
Storage and security. The OAuth access and refresh tokens and the connected-account identifiers (customer ID, manager-account ID, account name, currency, time zone) are stored on the same cloud infrastructure as the rest of your account, protected by access controls and encryption in transit. Tokens are deliberately kept out of our API audit logs. Campaign structure and the performance metrics read back from your account are cached on our infrastructure so we can display reporting without re-querying Google on every view.
Retention and deletion. OAuth tokens and connected-account identifiers are retained for as long as you keep the Google Ads integration connected. When you disconnect, we delete the stored connection record, including the access and refresh tokens, from our database. Disconnecting in-app removes our local copy of the tokens but does not by itself revoke the grant at Google; to fully revoke our access you should also remove it from your Google Account (see below). Campaign drafts, the campaign structure we created, our internal API audit logs, and the performance metrics we cached from your account are not automatically deleted when you disconnect - disconnecting only removes the stored OAuth tokens and connection record. This data is retained on our infrastructure until you request its deletion. To request deletion of campaign data, cached metrics, or audit logs associated with your account, email contact@mrrobot.co.il.
Revocation. You can disconnect the integration at any time in-app from /platform/google-ads. You can also independently revoke our access at any time from https://myaccount.google.com/permissions.
11. Meta Advertising Account Connections
Customers who use our advertising feature may choose to connect their own Meta (Facebook/Instagram) ad account through Facebook Login so that Mr. Robot can create, edit, launch, pause, and report on advertising campaigns in that account on the customer's behalf. We use the Meta Marketing API and request the ads_management and ads_read permissions. The system manages only campaigns that it created itself within the connected account.
Through this connection we access the following from your Meta account: the ad account(s) you authorize (including account ID, name, currency, account status, and time zone); the Facebook Page(s) and Meta Pixel(s) you select for use in your campaigns; the campaigns, ad sets, ads, and ad creatives that the system creates and the remote IDs Meta returns for them; and ads insights - performance metrics that the system reads back for reporting, such as impressions, reach, clicks, link clicks, click-through rate, cost-per-click, cost-per-thousand-impressions, spend, conversions, and conversion value.
We use this data only to operate the campaign-management and reporting feature you enabled - building and editing your campaigns, and showing you their performance.
AI-assisted asset generation. When you ask the wizard to generate ad copy, an ad image, or suggested audience signals, the business brief and prompts you type are sent to OpenAI to produce that content. Only that user-provided text and those prompts are sent to OpenAI; we do not send any data read from your connected Meta ad account (such as your campaigns, Pages, Pixels, or performance metrics) to OpenAI or any other AI provider. Generated images are stored on our cloud storage and uploaded to your Meta ad account when you launch. See the third-party providers section for details.
Meta Platform Terms. When we access Meta Platform Data through this integration we comply with the Meta Platform Terms and the Meta Developer Policies. In particular, advertising data obtained through this connection is used only to manage and measure your own advertising campaigns:
- We do not sell your Meta advertising data and we do not transfer it to data brokers.
- We do not use it to retarget users on or off Meta.
- We do not combine it with, or use it to manage, campaigns on other advertising platforms.
- We do not use it to build, augment, or enrich user profiles.
Storage and security. The long-lived Meta access token and the connected-account identifiers (ad account ID, Page ID, Pixel ID, currency, account name) are stored on the same cloud infrastructure as the rest of your account, protected by access controls and encryption in transit. The access token is deliberately kept out of our API audit logs. Campaign structure and the performance metrics read back from your account are cached on our infrastructure to display reporting.
Retention and deletion. The access token and connected-account identifiers are retained for as long as you keep the Meta integration connected. When you disconnect, we delete the stored connection record, including the access token, from our database. Campaign drafts, generated ad assets, and the performance metrics cached while the integration was connected may be retained after disconnection unless you ask us to delete them. Regardless of whether you have an active connection, you may request unconditional deletion of all data we hold about you: email contact@mrrobot.co.il with the subject "DELETE MY DATA" and the relevant account details, and we will delete your stored connection, campaign data, cached metrics, and generated ad assets.
Revocation. You can disconnect the integration at any time in-app from /platform/meta-ads. You can also independently remove our access at any time from your Facebook Settings → Business Integrations. Disconnecting in-app removes our local copy of the access token but does not by itself revoke the connection on Meta's side, where the access token remains valid until its natural expiry (up to about 60 days). To revoke access immediately, remove the integration from your Facebook Settings → Business Integrations.
12. International Data Transfers
Your data may be transferred to and processed outside of your country of residence (including outside the European Economic Area). Where legally required, we rely on appropriate safeguards, such as adequacy decisions or standard contractual clauses.
13. Data Retention
We retain personal data for as long as necessary to provide the Service, to comply with legal, accounting, and tax obligations, to resolve disputes, and to enforce our agreements. When data is no longer needed, we delete or anonymize it. Retention periods vary by data category and applicable law. OAuth tokens and connected-Google-account metadata associated with the Calendar integration are retained while the integration is enabled and erased immediately on disconnect - see section 9.
14. Your Rights
Subject to applicable law, you have the following rights: access to your personal data; rectification of inaccurate data; erasure; restriction of processing; data portability; objection to processing; withdrawal of consent at any time without affecting processing carried out beforehand; and the right to lodge a complaint with the competent supervisory authority. To exercise these rights, contact us at contact@mrrobot.co.il.
15. Region-Specific Rights
Israel: processing is conducted in accordance with the Protection of Privacy Law, 5741-1981, and regulations issued under it.
European Union / United Kingdom: EEA and UK residents are entitled to the rights provided by the GDPR (and UK GDPR), including the right to lodge a complaint with a national supervisory authority.
California (USA): California residents have rights under the CCPA/CPRA, including the right to know, the right to delete, and the right not to have their personal information "sold" or "shared." We do not sell personal information.
16. Children's Privacy
The Service is not directed to children under the age of 16 (European Union) or under the age of 13 (United States). We do not knowingly collect personal data from minors. If we become aware that such data has been collected, we will delete it. A parent or guardian may contact us to request deletion.
17. Security
We implement reasonable technical and organizational measures to protect your data, including encryption in transit and access controls. However, no method is completely secure. In the event of a material security incident, we will act in accordance with applicable notification requirements.
18. Customer Sites - Processor Relationship
When you use the Service to build a site or application that collects data from your own visitors, you act as the data controller and we act as the data processor on your behalf. You are responsible for publishing your own privacy policy, obtaining required consents, and complying with the laws applicable to your activity.
19. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the content or privacy practices of external sites or of sites built by you and hosted elsewhere.
20. Changes to This Policy
We may update this policy from time to time. Material changes take effect no earlier than 30 days after reasonable notice (by email or in-platform message), and the "Last updated" date at the top of this document will reflect the change.
21. Contact
For questions, requests, or exercise of rights under this policy, contact us at contact@mrrobot.co.il or through our contact page.