Privacy Policy

Last updated: 26 May 2026

This Privacy Policy explains how TPMGE (“TPMGE”, “we”, “us”, “our”), operating the website https://tpmge.com, collects, uses, stores, protects, and shares information about visitors, prospects, clients, and the advertising accounts we manage on behalf of our clients.

TPMGE is a Paris-based digital agency that builds custom digital tools and manages online advertising campaigns (including Google Ads) on behalf of its clients under a signed service agreement.

1. Data Controller

TPMGE
Paris, France
Contact : contact@tpmge.com

2. What Data We Collect

2.1 Information you provide directly

Contact details: name, email address, phone number, company name, job title, when you fill in a contact form, request a quote, or sign a service agreement.
Account credentials: for employees and authorized users of our internal tools, your professional email address and authentication identifiers (we use Single Sign-On; we do not store passwords in clear text).
Communications: the content of emails, calls, and messages you send us in the context of our business relationship.

2.2 Information collected automatically

Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited, timestamps.
Cookies and similar technologies: strictly necessary cookies for the operation of the site, and — only with your prior consent — analytics cookies. You can manage your consent at any time through our cookie banner.

2.3 Advertising data we process on behalf of our clients

When a client engages us to manage their Google Ads (or other advertising) account, we access that client’s advertising data through official APIs, including the Google Ads API, under a Google Ads Manager Account (MCC) invitation accepted by the client. This data may include:

Campaign, ad group, ad, keyword, and audience configurations.
Performance metrics (impressions, clicks, cost, conversions, conversion value).
Conversion tracking configuration and aggregated conversion data.
Account structure metadata (customer IDs, currency, time zone, linked accounts).

In this context, the client is the data controller of their advertising account and TPMGE acts as a data processor under a written Data Processing Agreement (DPA). We process this data exclusively to deliver the contracted services (reporting, audits, campaign operations).

2.4 What we do NOT collect

We do not collect special categories of personal data (health, religion, political opinions, etc.).
We do not knowingly collect data from children under 16.
We do not collect or store end-user payment card data on our own servers; payments, when applicable, are processed by certified payment providers.

3. How We Use Your Data

To provide our services — managing Google Ads and other advertising campaigns for our clients, producing reports and audits, operating the internal tools used by our employees.
To communicate with you — replying to inquiries, sending contractual information, scheduling meetings.
To improve our services — aggregated, non-identifying analytics about how our website and internal tools are used.
To comply with legal obligations — accounting, tax, and regulatory requirements applicable to TPMGE in France and in the European Union.
To secure our systems — fraud prevention, abuse detection, audit logs.

4. Legal Bases (GDPR)

Performance of a contract \u2014 to deliver the services agreed with you or your employer.
Legitimate interest \u2014 to operate, secure, and improve our website and tools.
Consent \u2014 for non-essential cookies and any marketing communications.
Legal obligation \u2014 for accounting, tax, and regulatory requirements.

5. Data Sharing with Third Parties

We do not sell your personal data. We do not rent or trade it. We do not share advertising data we manage for clients with any unauthorized third party.

We share data only in the following limited circumstances:

With Google \u2014 when we operate a client’s Google Ads account, we necessarily exchange data with Google through the Google Ads API, in compliance with the Google Ads API Terms and Conditions and Google’s Privacy Policy.
With our sub-processors \u2014 limited to vendors strictly necessary to operate our services, under written data processing agreements. A current list of sub-processors is available on request at contact@tpmge.com.
With the client \u2014 we share the reports, audits, and recommendations we produce about their own account with that client.
With public authorities \u2014 when required by law, by a valid court order, or to protect the rights, property, or safety of TPMGE, our clients, or the public.

We do not share data we collect or process for one client with any other client. We do not use data accessed through the Google Ads API for any purpose other than delivering the contracted services to the client who owns the account.

6. International Data Transfers

Our primary infrastructure is hosted in the European Union. When a sub-processor is located outside the EU/EEA, transfers are governed by the European Commission’s Standard Contractual Clauses (SCC) and supplementary measures where required.

7. Data Retention

Contact form submissions: up to 3 years from the last interaction.
Contractual and accounting records: 10 years, as required by French law.
Client advertising data accessed through the Google Ads API: retained only for the duration of the engagement and deleted within 30 days of contract termination, or sooner upon written request from the client.
Server logs: up to 12 months.

8. How We Protect Your Data

Encryption in transit \u2014 all traffic to our website and internal tools is served over TLS 1.2 or higher.
Encryption at rest \u2014 sensitive credentials (including OAuth refresh tokens used to access client Google Ads accounts) are encrypted with AES-256 in a managed secrets vault.
Access controls \u2014 Single Sign-On with mandatory two-factor authentication for employees; role-based access control; principle of least privilege.
Audit logging \u2014 every action performed on a client’s advertising account through our tool is logged with the employee identifier and a timestamp.
Operational security \u2014 regular backups, vulnerability monitoring, incident response procedures.

9. Your Rights

Under the GDPR and applicable French data-protection law, you have the right to:

Access the personal data we hold about you.
Request correction of inaccurate or incomplete data.
Request deletion of your data (“right to be forgotten”), subject to legal retention requirements.
Restrict or object to certain processing.
Request data portability.
Withdraw consent at any time, where processing is based on consent.
Lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libert\u00e9s), the French data protection authority \u2014 www.cnil.fr.

To exercise any of these rights, contact us at contact@tpmge.com. We respond within 30 days.

Note for end-users of advertisers we manage: if you wish to exercise rights regarding personal data processed by one of our clients in their advertising campaigns, please contact that client directly. TPMGE will forward such requests to the relevant client when applicable.

10. Cookies

Our website uses strictly necessary cookies to function. With your consent, we may also use analytics cookies to understand aggregate site usage. You can change your cookie preferences at any time through the cookie banner or your browser settings.

11. Children

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page indicates the most recent revision. Material changes will be communicated through the website or, where appropriate, by email.

13. Contact

Questions about this Privacy Policy or about how we handle your data?

Email : contact@tpmge.com
Postal address : TPMGE, Paris, France