Privacy Policy

Effective Date: 05.02.2025
Previous Version: 05.02.2025

1. General Provisions

This Privacy Policy (hereinafter referred to as the “Policy”) describes how the advertising agency “FMAds” (hereinafter referred to as the “Agency”, “Company”, “we”, “us”, “our”) collects, uses, stores, and protects the personal data of users of the website fmads.agency (hereinafter referred to as the “Website”), clients who request digital marketing services, job candidates, and other individuals interacting with the Company through digital channels.

Data Controller Details:

• Full Name / Legal Form: Sole Proprietorship (FOP) Sheremenko Artem Kostiantynovych
• EDRPOU Code / RNOKPP: 3414410410
• Legal Address: Apt. 49, Bldg. 10, Valeria Gudzia St., Boryspil, Kyiv Region, 08302
• Mailing Address: Remote work format
• Email: admin@fmads.agency
• Phone: +380 (93) 022-78-35
• Website: https://fmads.agency

Data Protection Officer:

• Full Name: Sheremenko Artem Kostiantynovych
• Email for personal data inquiries: admin@fmads.agency

By using the Website, filling out consultation forms, submitting a resume, placing an order for services, or interacting with the Company via messengers, you confirm that you have read this Policy and agree to its terms. If you do not agree with any provision of the Policy, please refrain from using the Website and providing us with your data.

2. Definition of Terms

Personal Data — any information or set of information about an individual who is identified or can be specifically identified.

Processing of Personal Data — any operation or set of operations performed on personal data (collection, recording, accumulation, storage, adaptation, alteration, renewal, use, disclosure, anonymization, destruction).

Data Controller — the Company, which determines the purposes and means of the processing of personal data.

Data Processor — a natural or legal person who processes personal data on behalf of the Controller (the Company’s contractors: advertising platforms, CRM systems, email services, etc.).

Data Subject — a natural person whose personal data is processed (a Website visitor, potential or current client, job candidate).

Client — a natural or legal person who has entered into a digital marketing services agreement with the Agency or is conducting negotiations to enter into such an agreement.

Cookies — small text files stored in the user’s browser and used to ensure the proper functioning of the Website, analytics, and marketing.

3. What Data We Collect

We collect the following categories of personal data, depending on the nature of your interaction with the Company:

3.1. Contact and Identification Data

• First name, last name
• Phone number
• Email address
• Company name, job title, industry (for B2B clients)
• Company website, social media account (if available)

3.2. Service Request Data

• Selected service (Google Ads, Meta Ads, TikTok Ads, LinkedIn Ads, SEO, SMM, web development, etc.)
• Description of the client’s business, target audience, geography, advertising budget
• Goals and KPIs of the advertising campaign
• Comments and additional requests
• Communication history (emails, messengers, phone calls)

3.3. Client Data in the Process of Service Delivery

Within the scope of executing the digital marketing services agreement, the Company may obtain access to data provided by the Client for setting up and managing advertising campaigns. The list and procedure for processing such data are regulated by a separate Agreement and a Data Processing Agreement (DPA) concluded between the Company and the Client.

Categories of data to which the Company may have access as a processor on behalf of the Client:

• Access to the Client’s advertising accounts (Google Ads, Meta Ads Manager, TikTok Ads, LinkedIn Campaign Manager) — with administrator, editor, or analyst permissions
• Access to the Client’s analytics services (Google Analytics, Search Console, Google Tag Manager)
• Access to the Client’s CRM, ESP, and other marketing services (subject to the principle of least privilege)
• Data about the Customer’s clients used to form remarketing audiences, lookalike audiences, and email newsletters
• Creatives, ad texts, video materials provided by the Client

Important: regarding personal data to which the Company receives access within the scope of executing the agreement with the Client, the Company acts as a Data Processor, and the Client acts as a Data Controller. The Company processes such data exclusively in accordance with the documented instructions of the Client and in compliance with the requirements of Art. 28 of the GDPR and the Law of Ukraine “On Personal Data Protection”.

3.4. Job Candidate Data

• Full name, contact details (phone, email)
• Resume, portfolio, links to profiles on social networks and professional platforms
• Education, work experience, skills, references
• Photograph (if included in the resume)
• Other data voluntarily provided by the candidate during interviews and test assignments

3.5. Technical Data and Website Usage Data

• IP address (anonymized for analytics)
• Browser type and version, operating system, device type
• Browser language, time zone, screen resolution
• Pages of the Website you visited, duration of stay, sequence of navigation
• Referrer URL, traffic source, UTM tags
• Cookies and similar technologies (browser local storage, pixels)

3.6. Data for Marketing Communications

• Email address for newsletters containing case studies, blog articles, and service updates
• Date and time of subscription, IP address at the moment of subscription (to confirm consent)
• History of interaction with emails (opens, link clicks)
• User identifiers in messengers (Telegram, WhatsApp, Facebook Messenger, Instagram) when initiating a dialogue with the Company

Age Restriction. The Website and the Company’s services are intended for adults and legal entities. We do not knowingly collect personal data from individuals under the age of 16. If you become aware that a child has provided us with their data without parental or legal guardian consent, please notify us using the contact details in Section 12, and we will immediately delete such data.

4. Purpose and Legal Basis for Data Processing

We process personal data for the following purposes and on the following legal bases:

• Performance of a contract for services (preparation of commercial proposals, management of ad campaigns, reporting, billing) — basis: performance of a contract to which the data subject is a party (Art. 11 of the Law of Ukraine “On Personal Data Protection”; Art. 6(1)(b) of the GDPR).
• Communication with you regarding inquiries and consultations (responding to requests from Website forms, partnership negotiations, sending commercial proposals) — basis: taking steps at the request of the data subject prior to entering into a contract.
• Recruitment (processing resumes, conducting interviews, evaluating candidates, forming a talent pool) — basis: taking steps at the request of the data subject prior to entering into an employment contract; candidate’s consent to be included in the talent pool.
• Compliance with legal obligations (accounting and tax records, responding to requests from government authorities) — basis: compliance with a legal obligation to which the Company is subject (Art. 6(1)(c) of the GDPR).
• Analytics and Website improvement (visit statistics, user behavior, A/B testing) — basis: your consent provided via the cookie banner.
• Marketing and advertising of the Company’s services (displaying personalized Agency ads, remarketing, audience building, email newsletters with case studies and articles) — basis: your consent provided via the cookie banner and/or a separate subscription checkbox.
• Protection of the Website and Company interests (protection against bots via reCAPTCHA, fraud prevention, establishing evidence of service delivery) — basis: legitimate interest of the Company (Art. 6(1)(f) of the GDPR).

5. Data Transfer to Third Parties (Processors)

We do not sell your personal data. We transfer it to a limited circle of third parties exclusively for the purposes specified in Section 4, and on the basis of concluded Data Processing Agreements (DPAs).

5.1. Advertising Platforms (as Clients’ Contractors)

Within the framework of executing services agreements, the Company works with Clients’ advertising accounts on the following platforms. Data transfer is carried out in accordance with the Client’s instructions:

• Google Ireland Limited / Google LLC (Google Ads, Google Analytics, Google Tag Manager, Google Merchant Center, YouTube Ads)
• Meta Platforms Ireland Limited / Meta Platforms, Inc. (Facebook Ads, Instagram Ads, Meta Business Suite, Meta Pixel, Conversions API)
• TikTok Information Technologies UK Limited / TikTok Pte. Ltd. (TikTok Ads, TikTok Pixel)
• LinkedIn Ireland Unlimited Company / LinkedIn Corporation (LinkedIn Ads, Insight Tag)

5.2. Analytics and Marketing Services of the Company

The list of third-party services used on the Agency’s own Website and the procedure for data processing are described in detail in Section 7 of this Policy.

5.3. Hosting and Technical Infrastructure

• Website Hosting Provider: Hostinger
• CDN and DDoS Protection: Cloudflare

5.4. CRM and Communication Management Systems

• Proprietary CRM system
• Email services: Google Workspace

5.5. Messengers

• Telegram (Telegram FZ-LLC, UAE) — for communication with clients and candidates. Privacy Policy: https://telegram.org/privacy
• WhatsApp (Meta Platforms Ireland Limited) — for communication with clients
• Instagram Direct, Facebook Messenger (Meta Platforms Ireland Limited)

5.6. Company’s Contractors

In the event of engaging freelancers, specialists under civil law contracts, or subcontractors (designers, copywriters, videomakers, developers) to perform specific tasks under agreements with Clients, such persons receive access to a limited amount of data exclusively on confidentiality terms and in compliance with the data minimization principle.

5.7. Government Authorities

Data may be transferred to government authorities (law enforcement agencies, tax authorities, courts) exclusively on the basis of an official request in accordance with the current legislation of Ukraine.

6. Cross-Border Data Transfer

Most of our processors (Google, Meta, TikTok, LinkedIn, and others) have server infrastructure outside of Ukraine, including in the USA, the United Kingdom, Singapore, and European Union countries. The transfer of personal data to these jurisdictions is carried out on the basis of:

• Standard Contractual Clauses (SCC) approved by the European Commission;
• EU-U.S. Data Privacy Framework — for processors certified under this program (Google, Meta);
• Your explicit consent — for cases not covered by other mechanisms.

The specific legal grounds for each processor are outlined in Section 7.

7. Analytics, Advertising, and Marketing Services

To analyze the performance of its own Website, optimize the Agency’s advertising campaigns, and communicate with potential clients, the Company uses the third-party services listed below. All these services set cookies and/or use other tracking technologies (pixels, SDKs, browser local storage) and may transfer personal data outside of Ukraine.

Legal Basis for Processing: your consent (Art. 11 of the Law of Ukraine “On Personal Data Protection”, Art. 6(1)(a) of the GDPR), which you provide via the cookie consent banner before the respective services are loaded. Consent can be withdrawn at any time through the cookie settings on the Website or by contacting the email specified in Section 12.

7.1. Google Analytics 4

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for users from the EEA and Ukraine) / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

• Purpose: analyzing user behavior, measuring traffic, traffic sources, conversions (consultation requests), and the performance of the blog and landing pages.
• Data Categories: IP address (anonymized), Client ID, session ID, pages viewed, events (form_submit, consultation_request).
• Retention Period: up to 14 months on Google servers.
• Data Transfer: Google LLC, USA. Basis — SCC and EU-U.S. Data Privacy Framework.
• DPA: https://business.safety.google/adsprocessorterms/
• Privacy Policy: https://policies.google.com/privacy
• How to Opt-Out: cookie consent banner on the Website; Google Analytics Opt-out Browser Add-on — https://tools.google.com/dlpage/gaoptout

7.2. Google Ads (including remarketing, Conversion Tracking)

Provider: Google Ireland Limited / Google LLC.

• Purpose: displaying personalized Company ads within the Google networks (Search, Display, YouTube, Discover), measuring conversions, and building remarketing audiences to promote the Agency’s services.
• Data Categories: cookie identifiers (NID, IDE, _gcl_au), Google User ID, IP address, actions on the Website, referrer URL.
• Consent Mode v2: Google Consent Mode v2 is implemented on the Website. Until consent is granted, no personal data is transferred — only aggregated signals without identifiers are sent.
• Retention Period: up to 540 days for remarketing audiences.
• Data Transfer: Google LLC, USA. Basis — SCC and EU-U.S. Data Privacy Framework.
• DPA: https://business.safety.google/adsprocessorterms/
• How to Opt-Out: cookie consent banner; https://adssettings.google.com; https://www.youronlinechoices.com

7.3. Google Tag Manager

Provider: Google Ireland Limited / Google LLC.

• Container ID: GTM-M79NHNTW.
• Purpose: managing third-party service tags on the Website without altering the source code.
• Data Categories: GTM itself does not collect personal data — it is a technical tool that loads other tags.
• Basis: legitimate interest for GTM as a tool; consent for the tags managed by it.
• Terms of Service: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/

7.4. Google Search Console / Site Kit

Provider: Google Ireland Limited / Google LLC.

• Purpose: monitoring Website visibility in Google search results, technical optimization, and detecting indexing errors.
• Data Categories: aggregated search query and click statistics (without personal identification).
• Basis: legitimate interest of the Company.

7.5. Google reCAPTCHA

Provider: Google Ireland Limited / Google LLC.

• Purpose: protecting Website forms (consultation requests, feedback forms, candidate forms) from automated bots and spam.
• Data Categories: IP address, behavioral metrics (mouse movements, time spent filling out the form), referrer, Google cookies.
• Basis: legitimate interest of the Company — protecting the Website from abuse.
• Terms: https://policies.google.com/terms

7.6. Meta Pixel

Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland / Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

• Purpose: measuring the effectiveness of the Company’s advertising on Meta platforms (Facebook, Instagram, Messenger), forming Custom Audiences and Lookalike Audiences to promote the Agency’s services.
• Data Categories: Meta cookie identifiers (_fbp, _fbc), Facebook Click ID (fbclid), IP address, user-agent, pages viewed, events (PageView, Lead, InitiateCheckout).
• Retention Period: up to 180 days for website audiences.
• Data Transfer: Meta Platforms, Inc., USA. Basis — SCC and EU-U.S. Data Privacy Framework.
• Business Tools Terms: https://www.facebook.com/legal/terms/businesstools
• Meta Privacy Policy: https://www.facebook.com/privacy/policy
• How to Opt-Out: cookie consent banner; https://www.facebook.com/adpreferences/ad_settings; https://www.youronlinechoices.com

7.7. Meta Conversions API (CAPI)

Provider: Meta Platforms Ireland Limited / Meta Platforms, Inc.

• Purpose: server-side transfer of conversion events directly from the Company’s server to Meta to improve attribution accuracy under browser tracking limitations.
• Data Categories: Lead and InitiateCheckout events with parameters; hashed (SHA-256) email, phone number, and name.
• Basis: user consent via the cookie banner; server-side events are transmitted only if consent is granted.

7.8. TikTok Pixel

Provider: TikTok Information Technologies UK Limited (for users from the EEA, United Kingdom, and Switzerland) / TikTok Pte. Ltd. (Singapore, for all other users).

• Purpose: measuring the effectiveness of the Agency’s ad campaigns in TikTok Ads, forming remarketing audiences.
• Data Categories: TikTok cookie identifiers, TikTok Click ID (ttclid), IP address, user-agent, pages viewed, events.
• Data Transfer: TikTok servers, including those outside the EEA and Ukraine.
• Business Products Terms: https://ads.tiktok.com/i18n/official/policy/business-products
• TikTok Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/uk

7.9. LinkedIn Insight Tag

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland / LinkedIn Corporation, USA.

• Purpose: measuring the effectiveness of the Agency’s ad campaigns in LinkedIn Ads, forming B2B remarketing audiences.
• Data Categories: LinkedIn cookie identifiers, IP address, pages viewed, conversion events, professional characteristics (industry, job title) for aggregated analytics.
• Data Transfer: LinkedIn Corporation, USA. Basis — SCC and EU-U.S. Data Privacy Framework.
• LinkedIn Cookie Policy: https://www.linkedin.com/legal/cookie-policy

7.10. Social Media Integrations

The Website contains links to the official pages of the Company on social networks and messengers: Instagram, Facebook, Telegram, WhatsApp. Following these links initiates a separate data exchange between your browser/device and the respective platform in accordance with its privacy policy.

8. Cookies and Similar Technologies

The Website uses cookies and similar technologies (browser local storage, pixels) to ensure functionality, analytics, and marketing. Upon your first visit to the Website, a consent banner is displayed where you can choose which categories of cookies to allow.

Categories of Cookies:

• Strictly Necessary. Provide basic functionality of the Website: session security, form submission. They do not require consent (legitimate interest). Examples: session_id, csrf_token.
• Functional. Remember user settings (language, region). Require consent. Examples: language.
• Analytics. Collect statistics on traffic and user behavior. Require consent. Examples: _ga, _ga_*, _gid (Google Analytics).
• Marketing. Used to display personalized Agency ads and form remarketing audiences. Require consent. Examples: _gcl_au, NID, IDE (Google Ads); _fbp, _fbc (Meta Pixel); ttclid (TikTok); LinkedIn Insight cookies.

You can grant or withdraw consent for each category separately via the cookie banner on the Website or through the cookie management widget available in the Website’s footer. You can also block or delete cookies through your browser settings.

9. Data Storage and Security

We implement technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction:

• encryption of the data transmission channel (HTTPS/TLS);
• role-based access restrictions to data (authorized personnel only);
• two-factor authentication for accessing Clients’ advertising accounts;
• regular data backups;
• security monitoring and incident response;
• concluding Data Processing Agreements (DPAs) with all processors and contractors;
• signing Non-Disclosure Agreements (NDAs) with all employees and freelancers who have access to client data.

Personal Data Retention Periods:

• Consultation and feedback requests — 12 months from the date of submission.
• Client data under completed agreements — 3 years after the termination of cooperation in accordance with accounting requirements (Art. 44 of the Tax Code of Ukraine).
• Resumes and job candidate data — 12 months from the moment of the last interaction or until the candidate withdraws consent.
• Email newsletter data — until unsubscription or 36 months of no interaction.
• Technical data (logs, IPs) — up to 90 days.
• Remarketing audience data — according to the settings of advertising platforms (up to 540 days for Google Ads, up to 180 days for Meta).

Upon expiration of the retention period, data is deleted or anonymized.

10. Personal Data Breach Notification

In the event of detecting a personal data breach that may pose a significant risk to the rights and freedoms of data subjects, the Company:

• notifies the Ukrainian Parliament Commissioner for Human Rights without undue delay;
• in cases provided by the GDPR (for data of EEA residents), notifies the competent supervisory authority within 72 hours;
• notifies the affected data subjects in the event of a high risk to their rights;
• in the event of a breach concerning Client data (which the Company processes as a processor), notifies the respective Client without undue delay in accordance with the terms of the concluded DPA.

11. Your Rights as a Data Subject

In accordance with the Law of Ukraine “On Personal Data Protection” and the GDPR, you have the right:

• To be informed about processing — to obtain information about what data of yours we process, for what purpose, on what basis, and to whom it is transferred.
• Of access — to obtain a copy of your personal data processed by the Company.
• To rectification — to request the correction of inaccurate or incomplete data.
• To erasure (“right to be forgotten”) — to request the deletion of your data if it is no longer necessary for the processing purposes or if you have withdrawn consent.
• To restriction of processing — to request a temporary suspension of data processing.
• To data portability — to receive your data in a structured, commonly used, machine-readable format and transfer it to another controller.
• To object — to object to data processing based on legitimate interest or used for direct marketing.
• To withdraw consent — to withdraw consent to data processing at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Not to be subject to automated decision-making — to demand human intervention in decision-making that has legal consequences. The Company does not use automated decision-making with legal consequences for users.
• To lodge a complaint — to file a complaint with the Ukrainian Parliament Commissioner for Human Rights (https://ombudsman.gov.ua) or with the supervisory authority of your place of residence (for EEA residents).

Procedure for Exercising Your Rights:

• Send your requests to email: admin@fmads.agency.
• In your request, specify: your full name, contact details, the essence of the request, and the right you wish to exercise.
• To identify the applicant, we may request additional data confirming your identity.
• The response period is no later than 30 calendar days from the date of receipt of the request. In complex cases, this period may be extended by an additional 60 days, with notification sent to the applicant.
• The exercise of rights is free of charge, except in cases of manifestly unfounded or repetitive requests.

12. Privacy Contacts

For questions regarding the processing of personal data, the exercise of your rights, or to report a breach, please contact:

• Name: FMAds Advertising Agency (Sole Proprietor Sheremenko Artem Kostiantynovych)
• Email: admin@fmads.agency
• Phone: +380 (93) 022-78-35
• Address for written inquiries: Apt. 49, Bldg. 10, Valeria Gudzia St., Boryspil, Kyiv Region, 08302
• Responsible Person: Sheremenko Artem Kostiantynovych
• Working Hours: Mon–Fri, 09:00–18:00

13. Changes to the Policy

We reserve the right to update this Policy in accordance with changes in legislation, data processing technologies, or the Company’s services. We notify about significant changes:

• by publishing the new version on this page, indicating the new effective date;
• via email newsletter to current subscribers — 7 (seven) calendar days prior to the changes taking effect.

Continued use of the Website after the changes take effect signifies your agreement to the updated version of the Policy. Previous versions of the Policy are provided upon request via the contacts in Section 12.

 

Last Updated: 05.02.2026