Effective Date: March 3, 2026

At a Glance

This summary is provided for convenience. It does not replace the full Privacy Policy below.

Who we are: Demsly, operated by ForwardFocus Group LLC, a US limited liability company.

What we do: We produce AI-generated user-generated-content (UGC) advertising creative for direct-to-consumer brands. We also operate the website demsly.com.

What we collect: Information you provide via our application form, information automatically collected when you visit our website (cookies, IP address, device data), and, for clients, advertising performance data from platforms you grant us access to.

What we do not collect: Your customers' personal data, your customers' payment information, your billing details, or any non-advertising data.

Who we share with: Our service providers (sub-processors listed in Section 7), advertising platforms (Meta), and authorities when legally required. We do not sell or rent your personal information.

Your rights: Depending on where you live, you may access, correct, delete, port, or restrict use of your personal information, and opt out of marketing.

Contact: [email protected]

1. Introduction and Scope

This Privacy Policy describes how ForwardFocus Group LLC, a Wyoming limited liability company doing business as Demsly ("Demsly," "we," "us," or "our"), collects, uses, discloses, and safeguards personal information when you:

visit demsly.com or any subdomain (the "Website");

submit an application or contact us through any form;

engage Demsly as a client; or otherwise interact with our services or business communications.

This Policy applies globally. If you are located in the European Economic Area (EEA), United Kingdom, Switzerland, California, or another jurisdiction with specific data protection laws, additional rights are described in Section 11.

By using the Website or engaging our services, you confirm you have read this Policy. If you do not agree, please do not use the Website or engage us.

2. Definitions

Personal Information means information that identifies, relates to, or could reasonably be linked with an identified or identifiable natural person. In the EEA and UK this is referred to as "Personal Data."

Processing means any operation performed on Personal Information, including collection, storage, use, disclosure, and deletion.

Data Controller means the entity that determines the purposes and means of processing Personal Information.

Data Processor means an entity that processes Personal Information on behalf of a Controller.

Sub-processor means a third party engaged by a Processor to assist in processing on the Controller's behalf.

Sensitive Personal Information has the meaning given by applicable law (for example, CCPA Section 1798.140(ae) or GDPR Article 9).

3. Our Role: Controller and Processor

Our role under data protection law depends on the context.

We act as a Data Controller when you visit our Website, submit an application, or communicate with us before becoming a client. We determine the purposes and means of processing your personal information in those contexts.

We act as a Data Processor when, as part of our services to a client, we process personal information on the client's behalf, including ad performance metrics, audience-level data accessible through the client's Meta Ads Manager, and other data the client provides us access to. The client is the Data Controller of that information. Our processing is governed by our service agreement with the client, which may include a Data Processing Addendum (DPA) on request.

If you are an end user of one of our clients (for example, a customer of a brand we work with) and have questions about how your data is processed, please contact that brand directly. We do not have a direct relationship with you in that context.

4. Information We Collect

4.1 Information You Provide to Us

When you submit our application form, contact us, or otherwise interact with our business, we may collect:

Full name

Email address

Brand or company name

Website URL

Estimated monthly advertising spend

Current cost per acquisition or other advertising performance metrics

Any other information you voluntarily provide in correspondence

4.2 Information Collected When You Engage Our Services

If you engage Demsly as a client, we may receive or access (through read-only permissions you grant us):

Meta (Facebook and Instagram) Ads Manager performance data, including ad spend, impressions, click-through rates, conversion rates, cost per purchase, and return on ad spend

Ad creative performance metrics

Aggregated and anonymized campaign data

Brand assets, briefs, product information, and creative direction you share with us

We do not collect, access, store, or process: your customers' personal information, your customers' payment information, your billing or banking details, your CRM data, your email subscriber lists, or any data unrelated to advertising creative production and performance.

4.3 Information Collected Automatically

When you visit our Website, we and our service providers automatically collect:

IP address and approximate location (city or region level) derived from it.

Browser type, version, and language settings. Operating system and device type (desktop, mobile, tablet)

Pages visited, time spent on pages, and click paths

Referring website or campaign source

Date and time of access

Cookie and tracking-pixel identifiers

We collect this information using cookies, pixels (including the Meta Pixel), tags, and similar technologies. See Section 12 for details.

4.4 Information from Third Parties

We may receive information about you from:

Our advertising platforms (Meta) regarding your interaction with our advertisements

Analytics providers (Google Analytics) regarding your use of our Website

Public sources or business directories when verifying a prospective client's brand

4.5 Sensitive Personal Information

We do not knowingly collect Sensitive Personal Information as defined under CCPA, GDPR Article 9, or equivalent laws.

5. How We Use Your Information

We use the personal information we collect for the following purposes. Where we operate under GDPR or UK GDPR, we have identified the legal basis for each purpose.

Purpose Legal Basis (GDPR / UK GDPR) Respond to inquiries and application submissions Legitimate interests; pre-contract steps Evaluate whether your brand qualifies for our services Legitimate interests Deliver, optimize, and report on advertising creative for clients Performance of contract; legitimate interests Calculate fees owed under service agreements Performance of contract Communicate with you about our services, including operational and transactional emails Performance of contract; legitimate interests Send marketing communications to prospects and past contacts Consent (where required); legitimate interests Improve our Website, services, and user experience Legitimate interests Detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity Legitimate interests; legal obligation Comply with applicable legal, tax, and regulatory obligations Legal obligation Establish, exercise, or defend legal claims Legitimate interests; legal claims

You may withdraw consent at any time where we rely on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. AI and Automated Processing

Demsly is an AI-native creative agency. The following disclosures describe how we use artificial intelligence and automated tools.

Creative production. We use generative AI tools (including image, video, and voice models) to produce advertising creative for clients. These tools process brand inputs (product images, briefs, scripts) provided by the client. We do not provide your personal information or your customers' personal information to these tools.

No model training on your data. We do not use your personal information, your business performance data, or your brand assets to train, fine-tune, or otherwise improve generalized AI models. Where we use third-party AI tools, we configure them to opt out of provider-level training on customer inputs to the extent the provider supports such opt-out.

No automated decisions with legal or significant effects. We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, within the meaning of GDPR Article 22.

Analytics and ad optimization. We use automated analytics tools to evaluate creative performance and optimize ad delivery on a client's behalf. These tools operate on aggregated and anonymized data and do not target individuals.

7. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties for their independent marketing purposes. We share personal information only as described below.

7.1 Sub-processors and Service Providers

We share personal information with the following categories of service providers, who are contractually required to protect your information and use it only for the purposes we specify:

Sub-processor Purpose Location Webflow / Framer (whichever hosts demsly.com) Website hosting and content management United States Cloudflare Content delivery, DDoS protection, email obfuscation United States Google LLC (Google Analytics) Website analytics United States Meta Platforms, Inc. (Meta Pixel) Advertising attribution and audience building United States Google Workspace (Gmail) Business email and document storage United States Slack Technologies Internal communications United States Notion Labs Internal documentation United States

This list is updated when we engage new sub-processors. The current list is available on request to [email protected].

7.2 Advertising Platforms

We use the Meta Pixel on our Website. Data collected by Meta Pixel may be processed by Meta in accordance with the Meta Privacy Policy at https://www.facebook.com/policy.php. You can manage interest-based advertising through your Facebook Ad Settings.

7.3 Legal Obligations and Protection of Rights

We may disclose personal information when required by law, regulation, court order, subpoena, governmental request, or to enforce our rights, protect our property, prevent fraud, or address security or technical issues.

7.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the successor entity. We will notify you of any change in ownership or use of your personal information and provide you with choices regarding the transfer where required by law.

7.5 With Your Consent

We may share your personal information with other parties when you direct us to do so or otherwise consent.

8. International Data Transfers

ForwardFocus Group LLC is registered in the United States. Our principal operator is based in Ethiopia. Many of our sub-processors are located in the United States.

If you are located in the EEA, UK, or Switzerland, your personal information will be transferred to and processed in countries outside your jurisdiction, including the United States and Ethiopia, which may not provide the same level of data protection as your home country.

When we transfer personal information internationally, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other lawful transfer mechanisms. Copies of relevant transfer mechanisms are available on request.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Category Retention Period Application data from non-clients 12 months from submission Client engagement data (briefs, performance reports) Duration of engagement plus 24 months Billing and tax records 7 years (US tax record retention requirement) Marketing email lists Until you unsubscribe or after 24 months of inactivity Website analytics data 26 months (Google Analytics default) General correspondence 24 months from last contact. When personal information is no longer needed, we delete it or de-identify it.

10. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, and destruction. These safeguards include:

Encrypted data transmission (TLS) and storage where supported by our infrastructure

Access controls limiting personal information to personnel who need it for a specified purpose

Multi-factor authentication on business accounts

Regular review of vendor security practices

Documented response procedures for suspected security incidents

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators as required by law.

11. Your Rights

11.1 Rights for All Users

You may contact us at [email protected] to:

Request access to the personal information we hold about you.

Request correction of inaccurate or incomplete personal information.

Request deletion of your personal information

Opt out of marketing communications (you may also use the unsubscribe link in any marketing email)

Ask questions about how we process your personal information

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

11.2 EEA, UK, and Swiss Residents (GDPR / UK GDPR)

In addition to the rights above, you have the right to:

Object to processing based on legitimate interests

Restrict processing in certain circumstances

Data portability: receive your personal information in a structured, machine-readable format

Withdraw consent at any time where processing is based on consent

Lodge a complaint with your local data protection supervisory authority

If you are in the EEA or UK, you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

11.3 California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights:

Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it

Right to know specific pieces of personal information we have collected about you

Right to delete personal information we have collected from you, subject to exceptions

Right to correct inaccurate personal information

Right to opt out of the sale or sharing of personal information (we do not sell or share personal information as those terms are defined in CCPA)

Right to limit use and disclosure of Sensitive Personal Information (we do not collect Sensitive Personal Information)

Right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact [email protected]. You may designate an authorized agent to act on your behalf, subject to verification.

11.4 Other US State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Florida, Delaware, New Hampshire, New Jersey, Indiana, Maryland, Minnesota, Nebraska, Rhode Island, and Kentucky may have rights similar to those described above under their respective state privacy laws. Contact [email protected] to exercise these rights.

11.5 Other Jurisdictions

If you are located in another jurisdiction with applicable data protection laws (including Canada under PIPEDA, Australia under the Privacy Act, Brazil under LGPD, and others), you may have additional rights. Contact us to inquire.

12. Cookies and Tracking Technologies

We use cookies, pixels, and similar tracking technologies on our Website.

Strictly Necessary Cookies: Required for the Website to function. Cannot be disabled.

Analytics Cookies: Help us understand how visitors interact with the Website. We use Google Analytics, which sets cookies including ga, gid, and _gat. See https://policies.google.com/privacy.

Advertising Cookies: Used to measure advertising effectiveness and build audiences. We use the Meta Pixel, which may set cookies including _fbp. See https://www.facebook.com/policy.php.

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, or notify you when new cookies are set. Disabling cookies may affect Website functionality.

We do not respond to "Do Not Track" signals at this time, as no consistent industry standard for honoring such signals has been adopted.

13. Children's Privacy

Our Website and services are intended for businesses and adults. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA, where stricter standards apply under GDPR). If we become aware that we have collected personal information from a child below the applicable age threshold without verifiable parental consent, we will delete that information promptly. If you believe a child has provided personal information to us, contact [email protected].

14. Third-Party Links and Services

Our Website may contain links to third-party websites, services, or platforms. We are not responsible for the privacy practices, content, or security of those third parties. This Policy does not apply to information collected by third parties. We encourage you to review the privacy policies of any third-party site you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, applicable law, or for other operational reasons. The updated version will be indicated by the "Last Updated" date at the top of this page and will become effective immediately upon posting unless otherwise stated. For material changes, we will provide additional notice (such as by email or a prominent notice on the Website) where required by law. We encourage you to review this Policy periodically.

16. Complaints

If you have a concern about how we have handled your personal information, please contact us first at [email protected] so we can address it. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

17. Contact Us

For any questions about this Privacy Policy or our data practices:

ForwardFocus Group LLC (doing business as Demsly) Attn: Sam Gebrekidan Email: [email protected] Website: demsly.com

For data protection requests in the EEA or UK, you may direct correspondence to the same address with the subject line "GDPR Request" or "UK GDPR Request."

This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to conflict of law principles, except where applicable data protection law requires otherwise.