Legal

These Terms of Service (the "Terms") govern your access to and use of Bluegrass, a business software-as-a-service platform provided by Marcode Ltd. Bluegrass is provided for business use only. Please read these Terms carefully.

1. Definitions

"Company", "Marcode", "we", "us" or "our" means Marcode Ltd, a company registered in England and Wales with company number 15046325, whose place of business is at Unit 420, 30 Great Guildford Street, London, SE1 0HS, England.

"Customer", "you" or "your" means the business, company or other organisation that registers for, accesses or uses the Services, together with its Authorised Users.

"Authorised Users" means the employees, contractors and other individuals whom the Customer permits to access and use the Services on its behalf through the Customer's account.

"Services" means the Bluegrass software-as-a-service platform for planning, analysing and managing advertising on OpenAI Ads (ChatGPT Ads) — including its analytics, day-parting and bid-scheduling, and audience and targeting features — together with the Company's website, application programming interfaces, and related documentation and support.

"Software" means any software, code, scripts, models, documentation or data forming part of or made available through the Services.

"Ads Account" means the OpenAI Ads (ChatGPT Ads) advertising account, or other third-party advertising or analytics account, that the Customer connects to the Services.

"Customer Data" means all data and content that the Customer or its Authorised Users submit to the Services, and all data that the Services retrieve, import or derive from the Customer's connected Ads Account, in each case on the Customer's behalf.

"Usage Data" means data generated by or collected through the Customer's and its Authorised Users' access to and use of the Services, including log, device, configuration, performance and analytics data.

"Aggregated Data" means data and information derived from Customer Data and/or Usage Data that has been aggregated and/or de-identified such that it does not identify, and could not reasonably be used to identify, the Customer, any Authorised User, any individual, or any specific Ads Account, campaign or advertisement.

"Agreement" means these Terms together with any order, subscription plan or policy referenced herein.

2. The Agreement and Eligibility

2.1 By registering for, accessing or using the Services, the Customer agrees to be bound by this Agreement. If the Customer does not agree, it must not access or use the Services.

2.2 The Services are provided solely for business and professional use. The Services are not offered to, and may not be used by, consumers, and consumer-protection rights and remedies do not apply to the Customer's use of the Services.

2.3 The individual accepting this Agreement represents and warrants that they are at least 18 years of age and have full authority to bind the Customer to this Agreement. If they do not have such authority, they must not access or use the Services.

2.4 This Agreement constitutes a legally binding agreement between the Customer and Marcode Ltd.

2.5 Subject to the Customer's continued compliance with this Agreement and payment of all applicable Fees, Marcode grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable and revocable right, during the Term, to access and use the Services for the Customer's own internal business purposes. All rights not expressly granted are reserved by Marcode.

2.6 Marcode reserves the right to refuse, suspend or withdraw access to the Services to any person or organisation at any time, acting reasonably.

3. Accounts and Authorised Users

3.1 To use the Services the Customer must register an account and provide accurate, current and complete information, and keep that information up to date.

3.2 The Customer is responsible for configuring and managing its Authorised Users, for maintaining the confidentiality and security of all account credentials, and for all activity that occurs under its account or those credentials, whether or not authorised by the Customer.

3.3 The Customer is responsible for its Authorised Users' compliance with this Agreement and is liable for any act or omission of an Authorised User as if it were the Customer's own.

3.4 The Customer must notify Marcode promptly of any actual or suspected unauthorised access to or use of the Services or its account.

4. The Services

4.1 Bluegrass enables the Customer to connect its Ads Account and to view analytics, schedule bids by time of day and day of week, manage audiences and targeting, and otherwise plan and manage its advertising. To provide the Services, the Customer authorises Marcode to access and read data from, and, where the Customer so directs, make changes to, the connected Ads Account.

4.2 Marcode shall provide the Services with reasonable skill and care and shall use commercially reasonable efforts to make the Services available, subject to clauses 10 and 12. The Services may be temporarily unavailable for scheduled or emergency maintenance, or for causes beyond Marcode's reasonable control.

4.3 The Customer is responsible for obtaining and maintaining the Ads Account, all credentials and API access required to connect it, and all equipment, software and connectivity needed to access the Services.

5. Fees and Payment

5.1 The Customer shall pay the fees for the Services at the rates and on the billing cycle set out in the plan or order the Customer selects ("Fees"). Except as expressly stated in this Agreement, Fees are non-refundable and payment obligations are non-cancellable.

5.2 Unless stated otherwise, all Fees are exclusive of value added tax and any other applicable taxes or duties, which the Customer shall pay in addition.

5.3 Marcode may suspend the Services, or terminate this Agreement, if any undisputed Fees remain unpaid after their due date.

5.4 Marcode may change its Fees on reasonable prior notice, with effect from the start of the next billing cycle.

5.5 Where Marcode offers a free trial, the Services are provided during the trial period "as is" and may be modified, limited or withdrawn at any time.

6. Customer Responsibilities and Acceptable Use

6.1 The Customer shall use the Services only in accordance with this Agreement, all applicable laws and regulations, and the terms, policies and acceptable-use requirements of OpenAI and any other platform underlying a connected Ads Account.

6.2 The Customer represents and warrants that it has, and shall maintain, all rights, consents and authority necessary to connect its Ads Account, to provide the Customer Data to the Services, and to grant the rights set out in clause 7.

6.3 The Customer shall not, and shall not permit any Authorised User or third party to:

• reverse engineer, decompile, disassemble or otherwise attempt to derive the source code, object code, structure or underlying ideas, know-how or algorithms of the Services or Software, except to the extent this restriction is prohibited by law;
• modify, translate, or create derivative works of the Services or Software, except as expressly permitted;
• copy, sell, resell, rent, lease, sublicense, distribute or otherwise make the Services available to any third party, or use the Services to provide services to or for the benefit of any third party (other than the Customer's own internal use as permitted);
• access or use the Services to build a competing product or service, or to benchmark for the benefit of a competitor;
• introduce any virus, worm, malware or other harmful code, or interfere with or disrupt the integrity, security or performance of the Services;
• attempt to gain unauthorised access to the Services or their related systems or networks;
• use any automated means, including spiders, crawlers, robots or data-mining tools, to access the Services or extract data other than through functionality the Services expressly provide;
• remove or obscure any proprietary notices or labels; or
• use the Services for any unlawful, infringing, deceptive or fraudulent purpose.

6.4 Although Marcode has no obligation to monitor the Customer's use of the Services, it may do so and may suspend or prohibit any use it reasonably believes breaches this Agreement.

7. Customer Data and Data Rights

7.1 Ownership of Customer Data. As between the parties, the Customer owns and retains all right, title and interest in and to the Customer Data, including all data pulled, retrieved or imported from the Customer's connected Ads Account. Except for the rights expressly granted in this clause 7, no ownership of Customer Data passes to Marcode.

7.2 Licence to Marcode. The Customer hereby grants Marcode a worldwide, non-exclusive, royalty-free, fully paid-up licence to host, store, copy, transmit, process, analyse and otherwise use the Customer Data and the Usage Data in order to: (a) provide, maintain, secure and support the Services; and (b) develop, test, improve and enhance the Services and Marcode's other products, services and offerings. This licence continues for so long as is necessary for those purposes.

7.3 Restriction on disclosure. Marcode shall not sell the Customer Data, and shall not disclose the Customer Data, or any information specific to the Customer's Ads Account, campaigns or advertisements, to any third party, except: (a) to subprocessors and service providers engaged by Marcode to host or operate the Services on its behalf, each of whom is bound by written obligations of confidentiality and data protection no less protective than those in this Agreement; (b) to the extent required by law, regulation, court order or other lawful request by a competent authority; or (c) with the Customer's prior written consent.

7.4 Aggregated Data. Marcode may create Aggregated Data from the Customer Data and the Usage Data. Notwithstanding clause 7.1, Marcode owns all right, title and interest in and to the Aggregated Data, and may use, reproduce, disclose and otherwise exploit the Aggregated Data for any lawful business purpose — including operating, analysing, benchmarking, improving and marketing the Services — in each case provided that the Aggregated Data is and remains aggregated and/or de-identified so that it does not identify, and could not reasonably be used to identify, the Customer, any Authorised User, any individual, or any specific Ads Account, campaign or advertisement.

7.5 Customer warranties. The Customer represents and warrants that it has all rights, consents, permissions and lawful bases necessary to make the Customer Data available to Marcode and to grant the rights in this clause 7, and that Marcode's use of the Customer Data in accordance with this Agreement will not infringe or violate the rights of any third party or any applicable law.

7.6 Data protection. Where Marcode processes any personal data contained in the Customer Data on the Customer's behalf, it does so as a processor acting on the Customer's documented instructions, as further described in our Privacy Policy and in our Data Processing Addendum, which forms part of this Agreement. Each party shall comply with applicable data protection laws.

7.7 Transient processing of end-user identifiers. Where the Customer uses the audience-matching features, any end-user identifiers (such as email addresses or telephone numbers) contained in a list the Customer provides are processed only transiently, in memory, for the purpose of normalising and, where applicable, hashing them and transmitting the resulting audience to the Customer's connected Ads Account. Marcode does not retain such end-user identifiers (in raw or hashed form) after the relevant operation completes.

7.8 Security. Marcode shall implement and maintain appropriate technical and organisational measures designed to protect the Customer Data against unauthorised or unlawful processing and accidental loss, destruction or damage. Marcode Ltd holds SOC 2 certification, with Bluegrass in scope. No method of transmission or storage is completely secure, however, and Marcode does not guarantee absolute security.

8. Intellectual Property

8.1 Marcode and its licensors own and retain all right, title and interest in and to the Services, the Software, all improvements, enhancements and modifications thereto, all Aggregated Data, and all intellectual property rights in any of the foregoing. Except as expressly set out in this Agreement, no rights or licences are granted to the Customer in respect of the Services, the Software or any related intellectual property.

8.2 If the Customer or any Authorised User provides any feedback, comments or suggestions regarding the Services, Marcode may use them without restriction or any obligation to the Customer, and the Customer assigns to Marcode all rights in such feedback.

8.3 The Customer acknowledges and agrees that, as between the parties, Marcode exclusively owns the Services, the Software, all Confidential Information (as defined in clause 9) and all related intellectual property rights, and that nothing in this Agreement transfers any such ownership to the Customer. The Customer shall not take any action that is inconsistent with, or that challenges or assists any third party in challenging, Marcode's ownership of the foregoing. No licences are granted by implication, estoppel or otherwise beyond those expressly set out in this Agreement.

9. Confidentiality and Protection of Intellectual Property

9.1 Confidential Information. "Confidential Information" means all non-public information disclosed or made available by one party (the "Disclosing Party") to the other (the "Receiving Party"), whether orally, in writing, electronically or by access to or observation of the Services, and whether or not marked or identified as confidential, that the Receiving Party knows or ought reasonably to know is confidential. Marcode's Confidential Information includes, without limitation, the Services and the Software and their source and object code, architecture, structure, sequence and organisation, design, "look and feel", user interfaces, screens, workflows, features and functionality; the methods, processes, techniques, algorithms, models, data structures and know-how embodied in or used to provide them; security measures; performance, testing and benchmarking results; the Aggregated Data; pricing and other non-public commercial terms; and Marcode's product plans and roadmap. The Customer acknowledges that the Services and the Software embody valuable trade secrets of Marcode and its licensors.

9.2 Obligations. The Receiving Party shall: (a) use the Disclosing Party's Confidential Information only as necessary to exercise its rights and perform its obligations under this Agreement; (b) protect it using at least the degree of care it uses to protect its own confidential information of like importance, and in no event less than a reasonable degree of care; and (c) not disclose it to any third party except to those of its personnel and professional advisers who have a genuine need to know for the purposes of this Agreement and who are bound by written obligations of confidentiality no less protective than those set out here. The Receiving Party is responsible and liable for any act or omission of any person to whom it discloses Confidential Information as if it were its own.

9.3 Exclusions. The obligations in clause 9.2 do not apply to information that the Receiving Party can demonstrate by written records: is or becomes publicly available other than through breach of this Agreement; was lawfully in its possession, without obligation of confidence, before disclosure; is independently developed by it without use of or reference to the Disclosing Party's Confidential Information; or is lawfully obtained from a third party without restriction. If the Receiving Party is required by law, regulation or a competent authority to disclose Confidential Information, it shall, where lawful, give the Disclosing Party reasonable prior notice and reasonable assistance so the Disclosing Party may seek protective treatment, and shall disclose only what is legally required.

9.4 Trade secrets. With respect to any Confidential Information that constitutes a trade secret under applicable law, the obligations in this clause 9 continue for so long as such information remains a trade secret, notwithstanding any expiry of any general confidentiality period or the termination of this Agreement.

9.5 Protection of the Services and intellectual property. In addition to, and without limiting, the restrictions in clause 6, the Customer shall not, and shall not authorise, assist, encourage or enable any Authorised User or third party to:

• reverse engineer, decompile, disassemble or otherwise attempt to derive or reconstruct the source code, architecture, structure, ideas, know-how, algorithms or models of the Services or the Software, except to the extent (and only to the extent) this restriction cannot be excluded under applicable law;
• copy, reproduce, imitate, replicate, frame or mirror any part of the Services or the Software, or create any product, service or material that copies or is derived from the Services or the Software or their user interfaces, design, "look and feel", features, functionality or workflows;
• use the Services, the Software or any Confidential Information to design, develop, train, market, procure or operate any product or service that competes with, or is substantially similar to, the Services, or to assist any third party to do so;
• use the Services, or any data, results or output obtained from them, to train, fine-tune or develop any machine-learning or artificial-intelligence model, or to compile any dataset, for any purpose other than the Customer's permitted internal use;
• access or use the Services to monitor their availability, performance or functionality, or for any benchmarking, competitive-analysis or intelligence-gathering purpose; or
• apply for, register or attempt to register any patent, trade mark, copyright, design right or other intellectual property right that is based on, incorporates or is confusingly similar to any part of the Services, the Software or Marcode's Confidential Information.

9.6 Good-faith use. The Customer represents, warrants and undertakes that it is registering for and using the Services in good faith for its own internal business purposes; that it shall not use, and is not registering in order to obtain, access for the purpose of copying, replicating, reverse engineering, benchmarking or otherwise misappropriating the Services, the Software or any Confidential Information; and that it is not registering for, accessing or using the Services on behalf of, or for the benefit of, any competitor of Marcode.

9.7 Equitable remedies. The Customer acknowledges and agrees that any actual or threatened breach of clause 6, clause 8 or this clause 9 would cause Marcode irreparable harm for which monetary damages would not be an adequate remedy. Accordingly, Marcode shall be entitled to seek injunctive relief, specific performance and other equitable remedies to prevent or restrain any such breach, without the need to prove actual damage and without any requirement to post a bond, deposit or other security, in addition to and without prejudice to any other rights and remedies available to it at law or in equity, including the recovery of damages and an account of profits. The Customer shall reimburse Marcode for the reasonable costs and legal fees it incurs in investigating and enforcing clause 6, clause 8 or this clause 9.

9.8 Return or destruction. On expiry or termination of this Agreement, or at the Disclosing Party's earlier request, the Receiving Party shall cease all use of and, at the Disclosing Party's option, return or securely destroy the Disclosing Party's Confidential Information in its possession or control (subject, in respect of Customer Data, to clause 13.4 and to any retention required by law) and, if requested, shall certify such destruction in writing.

10. Warranties and Disclaimer

10.1 The Customer warrants that it will comply with this Agreement and that it has the authority, rights and consents described in clauses 2, 3, 6 and 7.

10.2 TO THE FULLEST EXTENT PERMITTED BY LAW, THE SERVICES, THE SOFTWARE AND ALL RELATED MATERIALS ARE PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTY OF ANY KIND. MARCODE EXPRESSLY DISCLAIMS ALL WARRANTIES, REPRESENTATIONS, CONDITIONS AND OTHER TERMS, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

10.3 WITHOUT LIMITING THE FOREGOING, MARCODE DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE SERVICES OR ANY DATA, RESULTS, ANALYTICS, RECOMMENDATIONS OR OUTPUTS (INCLUDING ANY DATA OBTAINED FROM A CONNECTED ADS ACCOUNT OR FROM OPENAI OR OTHER THIRD PARTIES) WILL BE ACCURATE, COMPLETE OR RELIABLE. THE CUSTOMER IS SOLELY RESPONSIBLE FOR ITS ADVERTISING DECISIONS, BIDS, BUDGETS AND CAMPAIGNS AND FOR ANY RESULTS OBTAINED FROM USE OF THE SERVICES.

10.4 Nothing in this Agreement excludes or limits any warranty or liability that cannot be excluded or limited under applicable law.

11. Indemnification

11.1 The Customer shall defend, indemnify and hold harmless Marcode and its affiliates, and their respective directors, officers, employees, agents and subprocessors (the "Indemnified Parties"), from and against any and all claims, demands, actions, proceedings, losses, liabilities, damages, fines, penalties, costs and expenses (including reasonable legal fees) arising out of or in connection with: (a) the Customer Data and the connected Ads Account, including their content, accuracy and legality; (b) the Customer's or any Authorised User's use of the Services; (c) the Customer's advertising, products, services or business; (d) any breach by the Customer of this Agreement or of any applicable law or third-party right; and (e) any claim that Marcode's authorised use of the Customer Data infringes the rights of, or has caused harm to, a third party.

11.2 Marcode shall have no obligation to defend, indemnify or hold harmless the Customer or any other person in respect of any claim of any kind.

12. Limitation of Liability

12.1 Nothing in this Agreement excludes or limits either party's liability for: (a) death or personal injury caused by its negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded or limited under applicable law.

12.2 Subject to clause 12.1, Marcode shall not be liable, whether in contract, tort (including negligence), breach of statutory duty or otherwise, for any: loss of profits, revenue, business, anticipated savings, goodwill or opportunity; loss or corruption of data; loss arising from advertising spend, bids or campaign performance; or any indirect, special, incidental, consequential or punitive loss or damage, in each case even if foreseeable or if the party was advised of the possibility.

12.3 Subject to clause 12.1, Marcode's total aggregate liability arising out of or in connection with this Agreement and the Services, whether in contract, tort (including negligence), breach of statutory duty or otherwise, shall not exceed the total Fees actually paid by the Customer to Marcode under this Agreement in the twelve (12) months immediately preceding the event giving rise to the liability.

12.4 The limitations and exclusions in this clause 12 apply even if any remedy fails of its essential purpose, and reflect the agreed allocation of risk between the parties.

13. Term, Suspension and Termination

13.1 This Agreement begins on the date the Customer first registers for or uses the Services and continues for the subscription term selected and any renewals, until terminated in accordance with this clause (the "Term").

13.2 Either party may terminate this Agreement on written notice if the other party commits a material breach and, where the breach is capable of remedy, fails to remedy it within thirty (30) days of written notice.

13.3 Marcode may suspend or restrict the Customer's access to the Services, in whole or in part, with or without notice, where required by law, where necessary to protect the security or integrity of the Services, where Fees are overdue, or where it reasonably believes the Customer is in breach of this Agreement.

13.4 On expiry or termination: (a) all licences and rights granted to the Customer cease and the Customer must stop using the Services; (b) the Customer remains liable for all Fees accrued up to the effective date of termination; and (c) the Customer may, for a period of thirty (30) days, request export of its Customer Data, after which Marcode may delete or de-identify the Customer Data in the ordinary course, save that Marcode may retain Aggregated Data and any data it is required to retain by law.

13.5 Any provision that by its nature should survive termination shall survive, including clauses 5, 6, 7, 8, 9, 10, 11, 12, 13.4, 17 and 18.

14. Changes to the Terms or the Services

14.1 Marcode may modify this Agreement from time to time. Material changes will be notified to the Customer (for example, by email or in-product notice) before they take effect. The Customer's continued use of the Services after the changes take effect constitutes acceptance of the modified Agreement.

14.2 Marcode may update, improve or change the Services, and may add, modify or remove features, provided that it will not materially degrade the core functionality of the Services during a paid subscription term.

15. Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations (other than payment obligations) to the extent caused by events beyond its reasonable control, including acts of God, natural disasters, epidemic or pandemic, war or terrorism, government action, and failure or degradation of utilities, telecommunications, the internet, or third-party platforms or APIs.

16. Third-Party Services

16.1 The Services interoperate with third-party platforms and services, including OpenAI / ChatGPT Ads. The Customer's use of any third-party platform or Ads Account is governed by that third party's own terms, and the Customer is responsible for complying with them.

16.2 Marcode does not control and is not responsible for any third-party platform, service or content, and shall have no liability for any change to, unavailability of, or discontinuation of any third-party platform or API on which the Services depend. Marcode does not endorse any third-party platform or content.

17. General

17.1 Severability. If any provision of this Agreement is held invalid, illegal or unenforceable, it shall be severed and the remaining provisions shall remain in full force and effect.

17.2 Assignment. The Customer may not assign or transfer this Agreement, in whole or in part, without Marcode's prior written consent. Marcode may assign or transfer this Agreement, in whole or in part, at its discretion, including in connection with a merger, acquisition or sale of assets.

17.3 No partnership or agency. Nothing in this Agreement creates any partnership, joint venture, agency or employment relationship between the parties.

17.4 Waiver. No failure or delay in exercising any right or remedy is a waiver of it, and any waiver must be in writing and signed by a duly authorised representative.

17.5 Entire agreement. This Agreement, together with the Privacy Policy and any order or policy referenced herein, constitutes the entire agreement between the parties regarding the Services and supersedes all prior agreements, representations and understandings. Each party agrees that it has not relied on, and shall have no remedy in respect of, any statement or representation not set out in this Agreement.

17.6 Notices. Notices to the Customer may be given through the Services or by email; notices to Marcode must be sent to the contact address in clause 19.

17.7 Third-party rights. A person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.

18. Governing Law and Jurisdiction

18.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it, its subject matter or its formation shall be governed by and construed in accordance with the laws of England and Wales.

18.2 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim.

19. Contact

If you have any questions about these Terms, please contact us at:

1. Introduction and Scope

We take privacy seriously. This privacy policy explains how Marcode Ltd collects, uses and shares personal data in connection with Bluegrass (the "Service"), our business software-as-a-service platform for managing advertising on OpenAI Ads (ChatGPT Ads), and our website. It also explains your rights and how to contact us.

This policy applies to personal data for which Marcode acts as a controller — for example, personal data about our customers' account administrators and Authorised Users, business contacts, prospective customers, and visitors to our website. Where we process personal data contained in Customer Data on a customer's behalf, we act as a processor on that customer's instructions; that processing is governed by our agreement with the customer (see section 7).

2. Controller

Marcode Ltd ("Marcode", "we", "us" or "our") is the controller of the personal data described in section 1. Marcode Ltd is registered in England and Wales (company number 15046325), with its place of business at Unit 420, 30 Great Guildford Street, London, SE1 0HS, England.

3. Contact Us and Complaints

If you have any questions about this policy or about how we handle personal data, please contact our data privacy manager at: [email protected]

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

We keep our privacy policy under regular review. It is important that the personal data we hold about you is accurate and current; please keep us informed if it changes.

4. Personal Data We Collect

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous or aggregated data). We may collect and process the following categories of personal data:

• Account and user data: name, business email address, telephone number, job title, employer or organisation, and authentication data. We use passwordless sign-in (single-use email links), so we do not store passwords; session tokens are stored only as hashes.
• Usage Data: information about how you and your Authorised Users access and use the Service, including features used, actions taken, and preferences.
• Technical Data: IP address, browser type and version, device type and identifiers, operating system and settings, approximate location derived from IP address, and log data such as dates, times and pages visited.
• Customer Data: data that the Service retrieves from a connected Ads Account, or that customers submit, on the customer's behalf. This is primarily advertising configuration and performance data and generally does not identify individuals. Where a customer uses the audience-matching features, any end-user identifiers (such as email addresses or telephone numbers) in a list the customer provides are processed only transiently, in memory, to normalise and, where applicable, hash them and transmit the resulting audience to the customer's connected Ads Account; we do not store those end-user identifiers, in raw or hashed form. To the extent Customer Data contains personal data, we process it as a processor (see section 7).
• Communications and marketing data: the content of, and metadata about, your communications with us, and your marketing preferences.

We do not knowingly collect special categories of personal data (such as data about health, race, religion or political opinions), and we ask that you do not submit such data to the Service.

5. How Your Personal Data Is Collected

• Directly from you: when you register, configure your account, contact us, or otherwise interact with the Service or our website.
• Automated technologies: as you use the Service and website, through cookies and similar technologies (see section 13) and server logs.
• From connected accounts and third parties: from your connected Ads Account and platforms such as OpenAI, and from our service providers and business partners.

6. How and Why We Use Your Personal Data

Under data protection law, we can only use your personal data where we have a lawful basis. We rely on the following: performance of a contract; our legitimate interests (where not overridden by your rights); your consent (where required); and compliance with legal obligations. The table below explains how and why we use your personal data:

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another, compatible purpose. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis for doing so.

7. Customer Data (Our Role as Processor)

When we process personal data contained in Customer Data on behalf of a customer, the customer is the controller and we are the processor. We process such personal data only on the customer's documented instructions and as needed to provide and improve the Service, in accordance with our customer agreement and our Data Processing Addendum (DPA), which governs that processing and forms part of the agreement with the customer.

Any end-user identifiers used for audience matching are processed only transiently, in memory, for the matching and synchronisation operation, and are not retained by us in raw or hashed form (see section 4).

If you are an individual whose personal data may be contained in a customer's Customer Data, please direct any requests to the relevant customer, who is the controller, and we will support that customer in responding.

8. Aggregated and De-identified Data

We may create aggregated and/or de-identified data from Customer Data and Usage Data. This data does not identify you, your organisation, or any specific account or advertisement, and is not treated as personal data. As described in our Terms of Service, Marcode owns such aggregated data and may use and disclose it for any lawful business purpose, including benchmarking, analytics, and improving and marketing the Service.

9. Who We Share Your Personal Data With

We do not sell your personal data, and we do not share Customer Data or information specific to a customer's account, campaigns or advertisements with third parties except as needed to provide the Service or as required by law. We may share personal data with:

• Heroku (a Salesforce company) — application hosting and managed database, in a UK/EEA region — and Amazon Web Services (AWS), the underlying cloud infrastructure (UK/EEA region), each acting as a subprocessor under written confidentiality and data-protection obligations;
• Slack (a Salesforce company) — used to receive and respond to sales and support enquiries submitted through our website;
• Cloudflare — sending transactional and service emails, such as sign-in links and service notices;
• Professional advisers, such as lawyers, auditors and accountants, under duties of confidentiality;
• Authorities, regulators, courts and law-enforcement bodies, where required to comply with a legal obligation or lawful request; and
• A successor or acquirer in connection with a merger, acquisition, financing, reorganisation or sale of assets, or in the event of our insolvency.

When you instruct the Service to publish an audience to, or apply changes to, your connected Ads Account, we transmit the relevant data to your own OpenAI Ads (ChatGPT Ads) account at your direction. OpenAI processes that data under your own agreement with OpenAI; it is not our subprocessor. A current list of our subprocessors is available on request.

10. Data Storage and Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls and tenant isolation. Marcode Ltd holds SOC 2 certification, and Bluegrass is within that scope. You understand and agree that no method of transmission over, or storage on, the internet is completely secure, and we cannot guarantee the absolute security of any information.

11. How Long We Keep Personal Data

We retain personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, including to provide the Service, comply with legal, tax, accounting and regulatory obligations, resolve disputes and enforce our agreements. We may retain personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation.

When personal data is no longer needed, we delete or de-identify it. We may retain aggregated and de-identified data indefinitely. Following termination, Customer Data is handled as set out in our Terms of Service. Please contact [email protected] for further information about our retention periods.

12. International Transfers

We store and process Customer Data and account data within the United Kingdom and the European Economic Area (EEA). Limited personal data — for example, an email address used to send you a sign-in link or service notice, or an enquiry submitted through our website — may be processed by communications providers located outside the UK/EEA. Where any personal data is transferred to, or accessed from, a country outside the UK or EEA, we put in place appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or the European Commission's Standard Contractual Clauses, together with any additional measures required by law.

13. Cookies and Similar Technologies

To keep you signed in, the Service stores a session token in your browser's local storage; this is strictly necessary for the Service to work. We, and our website, may also use cookies and similar technologies for functionality, security, remembering your preferences, and analytics and performance measurement (including, in future, first- or third-party analytics tools to understand and improve usage). We do not use cookies for third-party advertising.

You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies, and you can clear local storage. If you disable these, please note that some parts of our website or the Service may become inaccessible or not function properly. Where required by law, we will seek your consent before setting non-essential cookies.

14. Your Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Subject to applicable law, you have the right to:

• Request access to your personal data and to check that we are processing it lawfully;
• Request correction of personal data that is inaccurate or incomplete;
• Request erasure of your personal data where there is no good reason for us to continue processing it;
• Object to processing where we rely on a legitimate interest and there is something about your situation that makes you want to object;
• Request restriction of processing of your personal data in certain circumstances;
• Request the transfer of your personal data to you or a third party in a structured, commonly used, machine-readable format; and
• Withdraw consent at any time where we rely on consent (this will not affect the lawfulness of processing carried out before withdrawal).

To exercise any of these rights, please contact [email protected]. Where the personal data forms part of a customer's Customer Data, we will refer your request to that customer as the controller. You will not usually have to pay a fee, and we aim to respond to all legitimate requests within one month. We may need to verify your identity before acting on a request.

15. Children's Privacy

The Service is a business product intended for use by organisations and their Authorised Users. It is not directed to children, and we do not knowingly collect personal data from anyone under 18 years of age.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy with a revised "Last updated" date and, where the changes are material, provide additional notice. Your continued use of the Service after the changes take effect constitutes acceptance of the updated policy.

17. Contact

For privacy-related questions, please contact us at:

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Terms of Service between Marcode Ltd ("Marcode", "we", "us") and the customer ("Customer", "you") (together, the "Agreement"). It applies where, and to the extent that, Marcode processes Customer Personal Data on the Customer's behalf in connection with the Services. Capitalised terms not defined in this DPA have the meaning given in the Agreement. In the event of any conflict between this DPA and the rest of the Agreement in respect of the processing of Customer Personal Data, this DPA prevails.

1. Definitions

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of personal data under this DPA, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; where applicable, Regulation (EU) 2016/679 (EU GDPR); and the Privacy and Electronic Communications Regulations, in each case as amended or replaced.

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Process" / "Processing" and "Special Categories of Personal Data" have the meanings given in Applicable Data Protection Laws.

"Customer Personal Data" means any Personal Data contained in the Customer Data that Marcode Processes on behalf of the Customer under the Agreement, as further described in Annex 1.

"Subprocessor" means any third party engaged by Marcode to Process Customer Personal Data.

"Standard Contractual Clauses" means the UK International Data Transfer Agreement or Addendum (IDTA) and/or the European Commission's Standard Contractual Clauses, as applicable to a given transfer.

2. Roles and Scope

2.1 The parties acknowledge that, in respect of the Customer Personal Data, the Customer is the Controller and Marcode is the Processor. Where the Customer is itself a processor acting on behalf of a third-party controller, Marcode is a sub-processor, and the Customer warrants that it has the authority and instructions necessary to engage Marcode on the terms of this DPA.

2.2 Marcode shall Process Customer Personal Data only to provide and support the Services in accordance with the Agreement and this DPA. The subject matter, duration, nature and purpose of the Processing, the types of Customer Personal Data and the categories of Data Subjects are set out in Annex 1.

2.3 Each party shall comply with its respective obligations under Applicable Data Protection Laws.

3. Customer Obligations

3.1 The Customer, as Controller, is responsible for the lawfulness of the Customer Personal Data and of its instructions, including for establishing a valid lawful basis, providing all required notices to and obtaining all required consents from Data Subjects, and ensuring the accuracy of the Customer Personal Data it makes available to Marcode.

3.2 The Customer's documented instructions to Marcode are constituted by the Agreement, this DPA, the Customer's configuration and use of the Services, and any other written instructions the parties agree.

3.3 The Customer shall not provide to the Services any Special Categories of Personal Data, or personal data relating to criminal convictions and offences, except as expressly agreed in writing.

4. Marcode's Obligations as Processor

4.1 Instructions. Marcode shall Process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by law to which Marcode is subject; in that case, Marcode shall inform the Customer of that legal requirement before Processing, unless the law prohibits it on important grounds of public interest. Marcode shall inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.

4.2 Confidentiality. Marcode shall ensure that persons authorised to Process the Customer Personal Data are subject to appropriate obligations of confidentiality.

4.3 Security. Marcode shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2.

4.4 Subprocessing. Marcode may engage Subprocessors in accordance with clause 5.

4.5 Data Subject requests. Taking into account the nature of the Processing, Marcode shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Laws. If Marcode receives such a request directly, it shall not respond other than to direct the Data Subject to the Customer (unless instructed otherwise) and shall promptly forward the request to the Customer.

4.6 Assistance. Taking into account the nature of the Processing and the information available to it, Marcode shall assist the Customer in ensuring compliance with its obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.

4.7 Personal Data Breach. Marcode shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall provide the Customer with reasonable information and cooperation to enable the Customer to meet its own breach-notification obligations.

4.8 Deletion or return. On termination or expiry of the Services, Marcode shall, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless storage is required by law. The Customer acknowledges that audience end-user identifiers are processed transiently and are not stored by Marcode (see Annex 1 and Annex 2).

4.9 Records and audits. Marcode shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and with Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Such audits are subject to reasonable prior notice, reasonable frequency, confidentiality obligations, and conduct that does not compromise the security or privacy of Marcode's other customers; Marcode may satisfy an audit request by providing its then-current SOC 2 report or similar third-party certifications and summaries.

5. Subprocessors

5.1 The Customer grants Marcode general written authorisation to engage Subprocessors to Process Customer Personal Data. Marcode's current Subprocessors are listed in Annex 3.

5.2 Marcode shall impose on each Subprocessor, by written contract, data-protection obligations no less protective than those set out in this DPA, and shall remain fully liable to the Customer for the performance of each Subprocessor's obligations.

5.3 Marcode shall give the Customer reasonable prior notice of any intended addition or replacement of a Subprocessor (for example, by updating Annex 3 or by email or in-product notice). The Customer may object on reasonable, documented data-protection grounds within a reasonable period, and the parties shall work together in good faith to resolve the objection.

5.4 When the Customer instructs the Service to publish an audience to, or apply changes to, the Customer's connected Ads Account, Marcode transmits the relevant data to the Customer's own OpenAI Ads (ChatGPT Ads) account at the Customer's direction. OpenAI processes that data under the Customer's own agreement with OpenAI and is not a Subprocessor of Marcode.

6. International Transfers

6.1 Marcode hosts and Processes Customer Personal Data within the United Kingdom and the European Economic Area. Marcode shall not transfer Customer Personal Data to a country outside the UK/EEA unless it has taken appropriate safeguards in accordance with Applicable Data Protection Laws, such as entering into the applicable Standard Contractual Clauses, together with any additional measures required by law.

7. Liability

7.1 Each party's liability arising out of or in connection with this DPA is subject to, and counts towards, the exclusions and limitations of liability set out in the Agreement, including the limitation of liability clause.

8. Term

8.1 This DPA takes effect on the effective date of the Agreement and continues for as long as Marcode Processes Customer Personal Data on the Customer's behalf. Provisions which by their nature should survive termination (including those relating to confidentiality, deletion and return, and liability) shall survive.

9. General

9.1 Precedence. In the event of any conflict between this DPA and the rest of the Agreement or the Privacy Policy in respect of the Processing of Customer Personal Data, this DPA prevails.

9.2 Changes. Marcode may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, its Services or its Subprocessors, provided that no such change shall materially reduce the protections for Customer Personal Data.

9.3 Governing law. This DPA is governed by, and construed in accordance with, the laws of England and Wales, and is subject to the governing-law and jurisdiction provisions of the Agreement.

Annex 1 — Details of the Processing

• Subject matter: Marcode's provision of the Bluegrass Services to the Customer under the Agreement.
• Duration: the term of the Agreement, plus any period thereafter required to delete or return Customer Personal Data in accordance with clause 4.8.
• Nature and purpose: hosting, storing, analysing and displaying advertising data; day-parting and bid scheduling; creating audiences and synchronising them to the Customer's connected Ads Account; providing support; and developing and improving the Services as licensed under the Agreement.
• Types of Customer Personal Data: (a) end-user identifiers used for audience matching — email addresses and/or telephone numbers, in raw or hashed form — which are Processed only transiently, in memory, and are not stored by Marcode; and (b) any Personal Data contained in the advertising configuration and performance data retrieved from the Customer's connected Ads Account, which is typically limited and not directly identifying.
• Categories of Data Subjects: the Customer's customers, prospects and other contacts whose identifiers the Customer includes in an audience list; and individuals to whom the connected Ads Account data relates.
• Special Categories: none. The Customer must not submit Special Categories of Personal Data to the Services.

Annex 2 — Technical and Organisational Security Measures

Marcode maintains a security programme that includes, at a minimum, the following measures:

• Encryption of data in transit (HTTPS/TLS) and at rest.
• Per-account Ads Account API keys and credentials encrypted at rest using AES-256-GCM, with the key-encryption key held outside the database.
• Transient, in-memory-only processing of audience end-user identifiers, which are not persisted in raw or hashed form.
• Passwordless authentication via single-use, time-limited email sign-in links; no passwords are stored; session tokens are stored only as hashes, never in raw form.
• Role-based access control (RBAC) and least-privilege access, with logical isolation between customer organisations (multi-tenant separation).
• Audit logging of changes made through the Services.
• Vulnerability management, monitoring, and regular backups.
• Personnel bound by confidentiality obligations and given data-protection and security awareness training.
• SOC 2 certification held by Marcode Ltd, with Bluegrass within scope.

Annex 3 — Approved Subprocessors

A current list of Subprocessors is available on request. OpenAI is not a Subprocessor; data is transmitted to the Customer's own connected Ads Account at the Customer's direction, as described in clause 5.4.

Contact

Questions about this DPA or our data-processing practices can be sent to: