Privacy Policy

1. Introduction

AdsXFlow ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our AI-powered marketing platform at adsxflow.com ("the Service").

This policy complies with applicable data protection laws including the Information Technology Act, 2000 (India), the General Data Protection Regulation (GDPR) where applicable, and the California Consumer Privacy Act (CCPA) where applicable. It also satisfies the privacy policy requirements of the Meta Platform Terms, Google API Services User Data Policy, and Firebase Privacy Guidelines.

2. Data We Collect

2.1 Account Data

• Email address (from registration or Google Sign-In)
• Display name (optional, from Google profile or manually set)
• Firebase Authentication UID and authentication provider metadata
• No passwords are stored by AdsXFlow — authentication is handled entirely by Firebase Authentication

2.2 Project Data (User-Provided)

• Website URLs you submit for brand analysis
• Uploaded files (images, videos, PDFs) for brand profiling
• Campaign goals, target personas, and messaging preferences
• Product catalogs and product feed data (if you use Dynamic Product Ads)
• Custom audience CSV uploads (email, phone, name data — hashed before any transmission)

2.3 Third-Party Platform Data

When you connect Meta (Facebook/Instagram) accounts, we access:

• Facebook Pages: Page name, ID, access tokens, category, profile picture
• Instagram Accounts: Username, account type, profile picture, follower count
• Ad Accounts: Account ID, name, currency, balance, spend status
• Campaign Metrics: Impressions, reach, clicks, CTR, spend, conversions, frequency, CPM, CPC
• Lead Data: Form submissions from Meta Lead Ads (name, email, phone, custom fields as configured by you)
• OAuth Tokens: Long-lived access tokens (encrypted at rest — see Section 5)

We access only the data necessary to provide the Service. We do not access your personal Facebook/Instagram posts, messages, friend lists, or private profile information.

2.4 Analytics Data (Automatic)

• Page views and navigation patterns (via Firebase Analytics — anonymized, no PII)
• Device type, browser, and operating system (anonymized)
• Firebase Analytics measurement ID: G-7YM853XSJ4
• We do NOT use cookies for tracking. Firebase Analytics uses first-party measurement only.

2.5 AI Processing Data

• Website content crawled by Firecrawl (for brand profiling) — text only, no login-protected content unless you provide captures
• Prompts sent to Google Vertex AI (Gemini, Imagen, Veo) for content generation
• AI-generated outputs (text, images, videos) stored in your project
• Google Vertex AI does NOT use your data to train its models (per Vertex AI data governance)

3. How We Use Your Data

• Service delivery: Generate brand profiles, create ad campaigns, publish content, fetch metrics, deliver leads
• AI content generation: Send brand context + campaign briefs to Vertex AI to generate captions, images, and videos
• Meta API operations: Publish posts, launch ad campaigns, fetch insights, receive webhooks
• Security: Verify webhook signatures, encrypt tokens, detect unauthorized access
• Product improvement: Anonymous usage analytics to improve features (no PII)
• Notifications: Email and webhook alerts for campaign status changes and lead captures (only when you configure them)

4. Data Sharing

We share data only with these categories of recipients, and only as necessary to provide the Service:

We do NOT sell your data. We do not share your data with data brokers, advertising networks, or any other third parties for their own marketing purposes.

5. Data Security

• Encryption in transit: All data is transmitted over HTTPS/TLS 1.3
• Encryption at rest: Meta and Instagram OAuth tokens are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256)
• Webhook verification: All Meta webhook payloads are verified using HMAC-SHA256 signatures with the app secret proof
• API authentication: Backend APIs are protected by Firebase ID token verification
• PII hashing: All personally identifiable information in custom audience uploads and Conversions API events is SHA-256 hashed before transmission to Meta
• Infrastructure: Hosted on Google Cloud Platform (Cloud Run) with data stored in Google Cloud Storage. GCP maintains SOC 2, ISO 27001, and GDPR compliance certifications
• Access control: Role-based access (owner, editor, viewer) per project with invite-only membership

6. Data Retention

• Active accounts: Data is retained for the lifetime of your account
• Deleted accounts: Personal data, project data (brand profiles, campaigns, generated media), and all uploaded references are deleted immediately when you delete your account. Cloud backups roll over within 30 days, after which no copy of your data exists in any tier. A minimal audit row (email + deletion timestamp) is retained indefinitely so we can prove to regulators that we honored your request. See /privacy/data-deletion for the full procedure.
• OAuth tokens: Revoked immediately when you disconnect Meta/Instagram or delete your account — we call DELETE /me/permissions against Meta's and Instagram's Graph API the moment the deletion flow runs.
• Lead data: Retained in your project until you delete the project or the leads individually
• Analytics data: Anonymized Firebase Analytics data is retained per Google's standard retention policy (14 months for user-level, 2 months for event-level)
• AI cost logs: Retained for 12 months for billing transparency, then automatically purged

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate personal data
• Erasure: Delete your account and all associated data. Step-by-step instructions: adsxflow.com/privacy/data-deletion.
• Portability: Export your project data (brand profiles, campaigns, leads) in JSON format
• Restriction: Request that we limit processing of your data
• Objection: Object to processing based on legitimate interests
• Withdrawal of consent: Revoke OAuth connections at any time via the Integrations page; disconnect removes our access to your Meta/Instagram accounts immediately

To exercise any of these rights, email us at privacy@adsxflow.com. We will respond within 30 days.

8. Meta Platform Data Handling

In compliance with the Meta Developer Policies, we disclose:

• We do not sell, license, or purchase Meta Platform Data
• We do not use Meta Platform Data to build or augment user profiles for advertising outside of Meta's platforms
• We do not use Meta Platform Data to perform surveillance or provide data to surveillance entities
• We do not transfer Meta Platform Data (including anonymous, aggregated, or derived data) to any ad network, data broker, or other advertising or monetization service
• Meta Platform Data is stored in a secure, encrypted environment on Google Cloud Platform
• If we detect a data security incident involving Meta Platform Data, we will notify Meta within the required timeframe and begin immediate remediation
• Upon deletion of a user's account or disconnection of their Meta account, all cached Meta Platform Data is purged immediately (synchronous cascade); cloud backups roll over within 30 days. We also accept Meta's data-deletion callback at /api/webhooks/meta/data-deletion — when a user removes AdsXFlow from their Facebook account, Meta notifies us and we run the same cascade on our end.

9. Google User Data Handling

In compliance with the Google API Services User Data Policy:

• We access Google user data only through Firebase Authentication (email, display name, profile photo URL) and Google Cloud Vertex AI (for AI content generation)
• We do not access Gmail, Google Drive, Google Calendar, YouTube user data, or any Google Workspace data
• We do not use Google user data for purposes other than providing and improving the Service
• We do not transfer Google user data to third parties except as described in this Privacy Policy (i.e., only to service providers necessary for operating the Service)
• We do not use Google user data for serving advertisements
• Google Sign-In data is used solely for authentication purposes

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided personal data, we will delete it promptly.

11. International Data Transfers

Your data is processed and stored on Google Cloud Platform servers in the United States (us-central1 region). By using the Service, you consent to the transfer of your data to the United States. Google Cloud Platform maintains appropriate safeguards including Standard Contractual Clauses for international data transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after changes are posted constitutes acceptance.

13. Contact Us

For privacy-related questions, data access requests, or concerns: