Data Security Policy

This policy applies to all data we handle, including:

• User-provided personal information (e.g., name, email address)
• Meta Platform Data received through the Meta Marketing API (e.g., ad account IDs, campaign and ad performance metrics, audience insights)

• In Transit: All data is encrypted using TLS 1.2 or higher when transmitted.
• At Rest: All stored data is encrypted using AES-256 or equivalent standards.
• Hosting Security: Stored on secure, access-controlled servers with SOC 2 / ISO 27001 certifications.

• Restricted to authorized personnel only, following least privilege.
• Strong credentials & MFA used for authentication.
• Access permissions reviewed at least quarterly.

• Meta Platform Data retained only as long as necessary.
• Deleted within 30 days of account deletion or revocation.
• No unnecessary backups of personal or Meta data are stored.

• Never sell personal data or Meta Platform Data.
• Shared only with approved providers:
  • Supabase – hosting & database services
  • OpenAI – analytics on aggregated, non-identifiable data
• All processors are bound by data protection agreements.

• Users may request access, correction, or deletion anytime.
• Meta users can revoke access via Meta settings.
• Revoked data deleted within 30 days.

• Request only minimum Meta permissions needed.
• Data used solely as described in our Privacy Policy.
• No automated decision-making without explicit consent.

• Users can view/manage granted permissions anytime.
• Revoked permissions trigger immediate data deletion within 30 days.
• For ads_management, actions only performed if explicitly initiated.

• Update policies when new Meta permissions are required.
• Request user consent before enabling new permissions.
• Notify users in advance of impactful changes.