Last updated: 21 May 2026
Orion Technologies, established at Amsteldijk 729, 1074JH Amsterdam, is responsible for the processing of personal data as described in this Privacy Policy.
Contact:
- Website: https://www.buron.ai
- Address: Amsteldijk 729, 1074JH Amsterdam, Netherlands
- For privacy questions: privacy@buron.ai
Personal data we process
We process your personal data because you use our service and/or because you provide it to us. We may process:
- First and last name
- Email address
- Account credentials (stored hashed)
- Workspace and organization settings
- Phone number (only if you connect a messaging service such as WhatsApp to the service)
- Internet browser and device type
- IP address
- Information about your activity on our website
- Content you submit to the service (prompts, instructions, notes, brand information, audience and product information, source documents)
- Data we retrieve from third-party services you connect (see "Connected Services" below)
Children
The service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child without parental consent, contact privacy@buron.ai and we will delete it.
Purposes
We process personal data to:
- Provide and operate the service, including creating accounts, authentication, and executing actions you authorize in connected services
- Generate findings, analysis, drafts, and other outputs based on your inputs and connected service data
- Process payments and meet legal accounting and tax obligations
- Send service notices, support replies, and (where permitted) product updates
- Improve and secure the service, including debugging, evaluation, abuse detection, and security
- Comply with applicable law
We do not sell personal data, do not use connected service data for advertising or retargeting outside the service, and do not use it for eligibility decisions, surveillance, or profiling of natural persons.
Connected Services
When you connect a third-party service to Buron, we retrieve data from that service on your behalf. The data accessed depends on the service and on the scopes you grant. The categories below describe what we may access for two common services; the same pattern applies to others.
Google Ads — OAuth scope https://www.googleapis.com/auth/adwords. We may read: account structure (Manager and child accounts, identifiers, currency, time zone), campaigns, ad groups, ads, keywords, audiences, conversion actions, billing summaries, performance metrics (impressions, clicks, cost, conversions, revenue), recommendations, and change history. At your direction, we may also create and modify campaigns, ad groups, ads, keywords, audiences, budgets, bids, and other campaign settings in order to help you optimize the connected accounts. We do not access Gmail, Drive, Calendar, Contacts, or other Google account data.
Meta (Facebook and Instagram) — permissions ads_read, ads_management, business_management, and (where granted) read_insights. We may read: ad accounts, Business Manager assets you grant access to, campaigns, ad sets, ads, audiences, creatives, performance metrics, and basic profile information (name, email, user identifier) of the user authorizing the connection. We do not access private messages, friend lists, or content outside the assets you grant.
For each additional connected service, the scopes and data are described in the authorization flow at the point of connection.
Google API Services User Data Policy
Buron's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, with respect to data accessed through Google APIs (including the Google Ads API):
- We use this data only to provide and improve user-facing features that are prominent in the Buron interface, namely the analysis, recommendations, automation, and reporting features that the user has connected the account for.
- We do not transfer this data to others unless doing so is necessary to provide and improve these user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use this data to serve advertisements, including retargeted, personalized, or interest-based advertising.
- We do not allow humans to read this data, except (a) with the user's affirmative agreement for specific messages, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and is used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements.
AI features
The service uses AI models operated by third-party providers, which act as subprocessors under the agreement described in the "Sharing personal data with third parties" section.
We do not use your data, or data accessed from connected services, to train AI models.
Automated decision-making
The service uses automated processing, including AI-generated recommendations and automated execution of actions in connected services at the customer's direction. These processes do not produce legal effects on natural persons, and do not similarly significantly affect them, within the meaning of Article 22 GDPR.
Retention
We retain personal data no longer than necessary for the purposes for which it was collected:
- Account data: for the life of the account, plus a limited period after closure for legal and administrative purposes
- Data from connected services (such as Google Ads, Meta): up to 30 days after disconnection or account closure
- Inputs you submit and outputs generated by the service: up to 30 days after account closure
- Usage and security logs: up to 12 months
- Billing and administrative records: 7 years (Dutch statutory tax retention)
- Backups: residual copies are overwritten within 90 days of the primary deletion
Sharing personal data with third parties
We share personal data with third parties only where necessary to perform the agreement or to meet a legal obligation. We sign a processor agreement with third parties processing data on our behalf.
| Category | Name | Jurisdiction | Purpose | Data | Safeguard (outside EEA) |
|---|---|---|---|---|---|
| Processor | Vercel Inc. | United States (with EU regions) | Hosting, edge network, and related platform services | Account data, configuration, customer data in transit, AI inputs | EU Standard Contractual Clauses |
| Processor | Neon Inc. | United States (with EU region in Frankfurt) | Managed Postgres database | All customer data at rest | EU SCCs |
| Processor | Google LLC (Gemini) | United States | AI inference | AI inputs and context | EU SCCs |
| Processor | Anthropic PBC | United States | AI inference | AI inputs and context | EU SCCs |
| Processor | OpenAI OpCo LLC | United States | AI inference | AI inputs and context | EU SCCs |
| Processor | Stripe Payments Europe Ltd. | Ireland (with US transfers) | Payment processing | Billing contact, masked payment-card identifiers | EU SCCs |
| Processor | Resend Inc. | United States | Transactional email | Email addresses, message content | EU SCCs |
| Controller | Google Ads, Meta and other advertising platforms | Various | When the customer performs actions through Buron in their own advertising account; the customer is the platform's principal | As determined by the OAuth scopes the customer grants | N/A — the customer initiates the relationship |
International transfers
We transfer personal data to processors located outside the European Economic Area (see the table above). For these transfers we rely on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum.
Cookies and similar techniques
Our website uses functional, analytical, and tracking cookies. Functional cookies are required for the website to work and for features like authentication. Tracking cookies are used to measure conversions and build audiences for our own marketing.
We ask for your consent before placing tracking cookies, through a cookie banner on first visit. You can withdraw consent at any time by clearing your browser cookies or adjusting your browser settings.
Third-party cookies on this website:
| Cookie | Name | Purpose | Retention |
|---|---|---|---|
| Google Analytics | _ga | Analytical cookie that distinguishes unique visitors | 2 years |
| Google Analytics | _ga_<container-id> | Session state for GA4 | 2 years |
| Google Ads | _gcl_au | Conversion linker — links Google Ads clicks to conversions | 90 days |
| Meta Pixel | _fbp | Identifier for Facebook/Instagram conversion measurement and audiences | 90 days |
| Meta Pixel | _fbc | Stores the click ID from a Facebook ad for conversion measurement | 90 days |
li_sugr | Visitor identifier for LinkedIn conversion measurement | 90 days | |
bcookie | Browser identifier for LinkedIn | 1 year | |
| TikTok | _ttp | Identifier for TikTok conversion measurement | 13 months |
| Microsoft UET | _uetvid | Visitor identifier for Bing Ads conversion measurement | 13 months |
_rdt_uuid | Identifier for Reddit conversion measurement | 90 days | |
| X (Twitter) | muc_ads | Identifier for X conversion measurement | 13 months |
_pin_unauth | Identifier for Pinterest conversion measurement | 1 year |
Your rights
You have the right to access, correct, and delete your personal data. You also have the right to withdraw any consent you have given, object to processing, request data portability, and lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
You can exercise these rights by emailing privacy@buron.ai from the email address associated with your account, or by using in-product controls where available. We respond within four weeks. We may ask you to confirm your identity by sending the request from your account's email address or by signing in to your account.
Data deletion
You can request deletion of your account and data:
- In-product, via Account Settings → Privacy → Delete my account and data
- By emailing privacy@buron.ai
For data Buron holds about you as a result of a Meta connection, you can also remove Buron in Facebook Settings → Apps and Websites, and Meta-initiated deletion requests are handled through our Data Deletion Callback at https://buron.ai/api/meta/data-deletion.
We confirm deletion within 30 days unless retention is required by law, in which case we will tell you.
Security
We take the protection of your data seriously and apply appropriate technical and organizational measures, including:
- Encryption in transit (TLS 1.2 or higher) and at rest
- Role-based access control with multi-factor authentication for personnel with access to production systems
- Encrypted storage and rotation of OAuth tokens and other secrets
- Logging and monitoring of access to production systems
- Security review of subprocessors and contractual flow-down of obligations
- Incident response procedures, including notification of a confirmed personal data breach within 72 hours
If you believe your data is not properly secured or that there are signs of misuse, contact us at privacy@buron.ai.
Changes
We may update this Privacy Policy. Material changes will be announced by email or in-product notice before they take effect. The "Last updated" date reflects the current version.