About Maynut Technologies
Maynut Technologies Inc. ("Maynut," "we," "us," or "our") is a Canadian corporation operating from Toronto, Ontario. We are an advertising agency that designs, launches, and manages advertising campaigns on Meta platforms — including Facebook, Instagram, Messenger, and Audience Network — on behalf of licensed real estate agents (our "Clients").
For the purposes of Canadian privacy law (PIPEDA), we are a private-sector organization that collects, uses, and discloses personal information in the course of commercial activity. For the purposes of the EU General Data Protection Regulation (GDPR), we act as a data controller for information about our Clients and visitors to maynut.co, and as a data processor for personal information of end users that we handle on a Client's behalf through their Meta ad accounts.
Scope of this policy
This policy applies to:
- Visitors to maynut.co and any subdomain we operate
- Real estate agents and brokerages who engage Maynut as their advertising agency
- Individuals whose information is processed by Maynut through Meta's advertising platforms when we act as our Clients' agency — for example, when we manage a Client's Meta ad account, run lead generation campaigns on their behalf, or access advertising performance data
- Anyone who contacts us by email, phone, or any web form we operate
It does not cover the privacy practices of Meta Platforms, Inc., the Clients themselves (each Client maintains its own privacy policy), or any third-party site we link to. When you interact with a Meta ad we have built, Meta's own Privacy Policy also applies to that interaction.
Whose data we handle
Because we sit between Meta and our Clients, we encounter several categories of people. We treat each differently:
| Category | Our role | Examples |
|---|---|---|
| Website visitors | Controller | People browsing maynut.co or filling in our contact form |
| Clients | Controller | Licensed real estate agents and brokerages who hire us |
| Client contacts | Controller | Team members, assistants, or partners at our Client's brokerage |
| Ad audiences & leads | Processor (acting for the Client) | People who see, click, or fill out a lead form on a Meta ad we manage on a Client's behalf |
Information we collect
From website visitors
- Contact information you submit voluntarily: name, email address, phone number, brokerage name, market area, and anything else you put in a message
- Technical information automatically logged when you visit: IP address, browser type and version, device type, operating system, referring URL, pages viewed, time on page, and approximate location derived from IP
- Cookies and similar technologies: described in the section on Meta data below
From Clients
- Business information: legal entity name, brokerage affiliation, real estate license number, billing address, billing contact
- Payment details processed by our payment provider (we do not store full card numbers on our own systems)
- Account credentials needed to operate your Meta Business Portfolio and ad accounts on your behalf — handled exclusively through Meta's official OAuth flow and System User mechanisms; we do not ask for and do not store your Facebook password
- Marketing assets you provide for use in ads: photographs, video, listing details, copy, branding
- Communications: emails, call notes, message exchanges, meeting recordings (only with consent)
From the Meta Marketing API
This is described in detail in the next section.
Data from Meta platforms
With your express authorization, Maynut connects to your Meta Business Portfolio and ad accounts through Meta's Marketing API, Graph API, and related developer interfaces (collectively, the "Meta Platform"). The connection is established through Meta's official authorization flow, in which you actively grant Maynut a defined set of permissions. You may revoke this access at any time from your Facebook account's Settings → Business Integrations page or from your Business Portfolio's Connected Apps settings.
Permissions we request
Maynut requests only the Meta permissions necessary to operate your advertising on your behalf. Depending on the services you have engaged us for, these may include:
- ads_management — to create, edit, pause, and delete campaigns, ad sets, and ads in your ad account
- ads_read — to read campaign performance, audience insights, and reporting data
- business_management — to manage assets in your Business Portfolio that are connected to advertising, such as ad accounts, pixels, and custom audiences
- pages_manage_ads and pages_read_engagement — to attach ads to your Facebook Page and read engagement metrics, since every Meta ad must be tied to a Page
- instagram_basic — to associate ads with your Instagram business account where applicable
- leads_retrieval — to retrieve leads generated by your lead-form ads so we can route them to your CRM
- public_profile — to retrieve your Facebook user ID and display name after you authenticate via Facebook Login, used to identify you within the platform and confirm the correct account is connected
- pages_show_list — to discover which Facebook Pages you manage, so you can select the Page to attribute your ads to
- pages_manage_metadata — to subscribe your connected Pages to leadgen webhook events for real-time lead delivery, and to assign system users to your Pages in the agency partner flow
Information accessed via the Meta Platform
Through these permissions, we may access and process:
- Public profile data: Facebook user ID and display name, used to identify the connected account within the platform
- Account metadata: ad account ID, name, currency, time zone, status, spending limit, billing information
- Campaign data: campaign, ad set, and ad names; targeting parameters; budgets; bidding settings; creative assets; placements; schedules
- Performance data: impressions, reach, clicks, click-through rate, cost-per-result, conversions, and other reporting metrics
- Page and Instagram data: Page ID, name, profile picture, follower count, engagement metrics on ads we manage
- Lead data from lead-form ads we run on your behalf — typically the name, email, phone number, and any custom fields you have configured in the lead form. This data belongs to you, our Client; we transmit it to your designated destination (CRM, email, webhook) and do not retain it for our own purposes
- Pixel and conversion data from the Meta Pixel installed on your website, used for measurement and audience optimization. We do not see the raw browsing behaviour of individual visitors to your site; we see aggregated and modeled conversion data from Meta
Meta Pixel on maynut.co
Our own website may use the Meta Pixel and Conversions API to measure the performance of advertising we run for our own marketing purposes. The Pixel sets cookies in your browser and transmits limited information — IP address, browser fingerprint, and pages viewed — to Meta. You can manage this through your browser's cookie controls or your Facebook ad preferences.
How we use information
We use the information described above to:
- Provide, operate, and improve our advertising services for our Clients
- Build, launch, and manage Meta ad campaigns on behalf of Clients who have authorized us to do so
- Measure campaign performance, generate reports, and recommend optimizations
- Route leads from Client lead-generation campaigns to the destination the Client has specified (such as a CRM, email address, or webhook)
- Communicate with Clients and prospects, including responding to inquiries, sending invoices, and providing service updates
- Comply with our legal, regulatory, and contractual obligations
- Detect, prevent, and respond to fraud, abuse, security incidents, and policy violations
- Operate, secure, and improve maynut.co
We do not use personal information accessed through Meta APIs for any purpose unrelated to operating that Client's advertising. We do not share Meta-derived data with our other Clients. We do not use a Client's audience or lead data to target advertising for any other party.
Legal basis for processing
For Canadian residents, our processing is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. We rely on consent, contractual necessity, and legitimate business interests as the basis for our processing.
For residents of the European Economic Area, the United Kingdom, and other jurisdictions where the GDPR or similar laws apply, we rely on the following legal bases:
- Consent — when you grant Meta permissions to our app, when you submit a contact form, when you opt in to marketing communications, and where consent is otherwise required
- Contractual necessity — to deliver the services agreed in our service contract with each Client
- Legitimate interests — to operate, secure, and improve our business, communicate with Clients, prevent fraud, and pursue commercial opportunities, in each case balanced against the privacy interests of the data subject
- Legal obligation — when processing is required to comply with applicable law, court order, or regulatory request
How we share information
We share personal information only in the limited circumstances set out below.
Service providers
We engage carefully selected third-party service providers to operate our business. Each is contractually bound to use the information only to provide services to Maynut and to protect it with reasonable security measures. These include:
- Meta Platforms, Inc. — the advertising platform on which we run our Clients' campaigns
- Cloud hosting and infrastructure providers — to host our application and store data securely
- Payment processors — to handle Client billing
- Email and communication providers — to send Client communications and operate our help desk
- Customer relationship management (CRM) and analytics tools — to manage our own pipeline and understand site usage
- Lead-routing tools — to deliver lead-form data to a Client's chosen destination, where the Client has set this up
With Clients
We share with each Client the data that pertains to their own advertising — campaign reports, ad performance, leads from their campaigns, and so on. We do not share one Client's data with another Client.
Legal and safety
We may disclose information if required by law, court order, subpoena, or regulatory request; to protect the rights, property, or safety of Maynut, our Clients, or others; or to detect or prevent fraud, security incidents, or violations of our Terms of Service.
Business transfers
If Maynut is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and the terms of this policy.
We do not sell your personal information.
Maynut does not sell personal information for monetary consideration, and does not engage in the categories of "sharing" of personal information for cross-context behavioural advertising as defined under U.S. state privacy laws such as the California Consumer Privacy Act, beyond the operation of the Meta Pixel on our own website (which you may disable as described above).
How long we keep it
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, to deliver our services, and to comply with legal, regulatory, accounting, or reporting obligations. Specific retention periods include:
| Type of data | Retention period |
|---|---|
| Website visitor logs | Up to 12 months |
| Contact form submissions | Up to 24 months from last contact |
| Client account & billing records | Duration of engagement plus 7 years (Canadian tax law requirement) |
| Meta access tokens and credentials | Duration of engagement; deleted within 30 days of disconnection |
| Cached campaign & reporting data from Meta | Up to 24 months for reporting continuity; deleted within 30 days of Client request or disconnection, whichever is earlier |
| Lead-form data routed on a Client's behalf | Held only transiently during routing; deleted from Maynut systems within 30 days of successful delivery |
| Email and Slack communications | Up to 5 years |
Where data is stored solely for legal or compliance reasons, we restrict access to it and use it only for those purposes.
Security
We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest, including all stored Meta access tokens
- Strict access controls based on the principle of least privilege; access logged and reviewed
- Multi-factor authentication on all internal systems handling personal information
- Regular security review of our infrastructure, dependencies, and access patterns
- Confidentiality and data protection obligations in contracts with all employees, contractors, and service providers
- Incident response procedures, including notification of affected individuals and regulators where required by law
No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.
Your rights
Depending on your location, you may have some or all of the following rights regarding personal information that Maynut holds about you:
- Access — to request a copy of the personal information we hold about you
- Correction — to request that we correct inaccurate or incomplete information
- Deletion — to request that we delete your personal information, subject to legal retention obligations
- Restriction — to request that we restrict processing in certain circumstances
- Portability — to request a copy of your personal information in a structured, commonly used, machine-readable format
- Objection — to object to processing based on legitimate interests or for direct marketing
- Withdrawal of consent — to withdraw any consent you previously provided, without affecting the lawfulness of prior processing
- Complaint — to lodge a complaint with a supervisory authority, including the Office of the Privacy Commissioner of Canada or your local data protection authority
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days, or as required by applicable law. We may need to verify your identity before processing your request. There is no fee for a reasonable request, but we may decline manifestly unfounded or excessive requests.
For data we hold as a processor on a Client's behalf — for example, leads generated by a Client's ad campaign — we will direct your request to the relevant Client, who is responsible for responding as the controller of that information.
Data deletion requests
If you would like Maynut to delete personal information we hold about you, including data we have accessed through the Meta Platform, you may submit a request in any of the following ways:
- Email [email protected] with the subject line "Data Deletion Request"
- Visit maynut.co/data-deletion for instructions and our deletion request form
- If you are a Client, disconnect Maynut from your Facebook account at Settings → Business Integrations on Facebook; we will automatically delete the associated tokens and cached Marketing API data within 30 days
We will confirm receipt within 7 days and complete the deletion within 30 days, unless we are required to retain certain information by law (for example, billing records required for tax purposes). Where we cannot delete information, we will tell you why and how long we are required to retain it.
International transfers
Maynut is headquartered in Canada. Personal information we collect may be processed in Canada, the United States, or any other country where our service providers operate. When we transfer personal information out of your country of residence, we rely on lawful transfer mechanisms — including standard contractual clauses, adequacy decisions, and your consent where applicable — to ensure that your information continues to receive an appropriate level of protection.
Children
Our services are intended for licensed real estate professionals and the adult audiences of their advertising. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child, contact [email protected] and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will provide a more prominent notice — for example, by email to active Clients or by a banner on maynut.co — before the changes take effect. Your continued use of our services after the effective date of an updated policy constitutes acceptance of the updated terms.
Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal information, please contact us:
Email: [email protected]
Phone: (416) 655-4850
111-10 Morrison Street, Toronto, Ontario, Canada M5V 2T8
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the data protection authority in your jurisdiction.