Privacy Policy
Last updated June 11, 2026
What changed on June 10, 2026: section 5 now permits — and strictly bounds — anonymous, aggregated category benchmarks computed across the customer base, with matching updates to sections 4 and 9. For customers active before June 10, 2026, the benchmark provisions take effect June 24, 2026 (14 days after our email notice); nothing benchmark-related is enabled before then.
Ad-Aura helps small businesses run and optimize advertising campaigns on Google, Microsoft, Meta, TikTok, and Reddit. We collect the minimum information needed to do that, we do not sell your data, and we do not track you with marketing pixels. The only analytics we use is Google Analytics, and only if you opt in via the cookie banner. This page explains exactly what we collect, why, who we share it with, and the rights you have under GDPR, the UK GDPR, and CCPA.
1. Who we are
Ad-Aura is operated as a sole proprietorship out of Washington State, USA. We are the controller of the personal data described in this policy, except where we act as a processor on your behalf (see “How we handle ad-account data” below). You can reach us any time at hello@ad-aura.com.
2. What we collect
When you create an account and use Ad-Aura, we collect:
- Account data: your email address, your name, and the profile picture returned by your identity provider (Google or Facebook). We do not store passwords — authentication is delegated to your OAuth provider.
- Company profile: business name, industry, product or service description, location, optional website and phone number, optional logo (uploaded as a small image), target audience, and advertising goals. You choose what to provide; the more detail you give, the better our agents can optimize your campaigns.
- Connected ad-account metadata: when you link a Google Ads, Microsoft Ads, Meta Ads, TikTok Ads, or Reddit Ads account, we store the account ID and display name so we can call the right API on your behalf.
- Campaign data: the campaigns, creatives, budgets, and ad copy you create through Ad-Aura, plus the performance metrics returned by the ad platforms (impressions, clicks, spend, conversions).
- Billing reference: a Stripe customer ID linking your account to your Stripe subscription. We never see or store your full payment-card number — Stripe handles that directly.
- Session data: a signed JSON Web Token (JWT) issued after you log in, used to authenticate your subsequent API calls.
- Operational logs: server logs containing IP address, request path, and timestamp, retained for security and debugging.
3. Analytics and cookies
We use Google Analytics 4 to understand how visitors use our website — but only with your consent. The analytics script does not load, and no analytics cookie is set, unless you click “Allow analytics” in the cookie banner; declining (or ignoring the banner) means zero third-party analytics JavaScript runs. You can clear your browser's site data to be asked again. We do not embed any marketing or advertising pixels, we do not run any other analytics (no Segment, no Mixpanel), and your session is held in a JWT — not a cross-site tracking cookie. We do not buy, rent, or enrich your data with third-party data brokers.
Separately from analytics, if you arrive from a link that identifies where you came from (for example an ad click or a referring site), we keep that origin — campaign tags, the ad platform's click identifier, and the referring page — in a first-party cookie (aa_attr) for up to 90 days. It contains nothing about you, only how the visit reached us. If you create an account, we store that origin with your account once so we know which channels bring customers, and the cookie is deleted; if you never sign up, it simply expires. No third party reads it.
4. Why we collect it (legal basis under GDPR)
- To perform our contract with you — running your campaigns, billing your subscription, and providing customer support.
- Our legitimate interests — preventing fraud and abuse, securing the service, and improving the product, including computing the anonymous, aggregated category benchmarks described in section 5 so our recommendations get better for every customer.
- Your consent — where required, for example before sending optional product-update emails. You can withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
5. How we handle ad-account data (processor disclosure)
When you connect your Google, Microsoft, Meta, TikTok, or Reddit ad accounts to Ad-Aura, those platforms return data about your end customers — for example, the count of users who saw or clicked your ads, what audience segments responded, and how many conversions occurred. This data is generally aggregated and pseudonymous and never includes the names, emails, or addresses of your end customers.
For this data, Ad-Aura acts as a data processor on your behalf — you are the controller. We use it to render your dashboards, to let our AI agents recommend or apply optimizations to your campaigns, and — in irreversibly anonymized, aggregated form only — to compute the category benchmarks described below. We do not contact your end customers, do not build a profile of any identifiable customer or business, and do not remarket to anyone on your behalf.
Anonymous category benchmarks (effective June 24, 2026). To give our AI agents category context — for example, the median cost-per-click for restaurants on Google Search, or the typical channel mix for a brand-new account in your industry — we compute aggregated, anonymous statistics across the Ad-Aura customer base. These are census-style category figures, never a window into another business, and they are bounded by hard rules:
- A benchmark is computed only when at least 10 distinct businesses contribute to it. Cohorts below that threshold are discarded at computation time — never stored, never shown.
- Benchmarks are never sliced by city or any geography finer than nationwide, so a benchmark can never be narrowed to “the other business like yours in your town.”
- Benchmarks contain only aggregate statistics (medians and quartiles of metrics such as CPC, CTR, and CPA) — never keywords, ad copy, creatives, audiences, or any content you created, and never any identifier of a contributing business.
- No customer's individual numbers are ever shown to, sent to, or recoverable by another customer — including in prompts to our AI sub-processors, which only ever receive your own data plus these de-identified aggregates.
If you prefer that your data not contribute to benchmark computation at all, email hello@ad-aura.com and we will exclude your account; you keep full access to the product either way.
6. Sub-processors
We rely on a small set of trusted vendors to operate the service. Each is a processor acting under our written instructions. The current list:
| Vendor | Purpose | Region |
|---|---|---|
| OAuth sign-in, Google Ads API, Gemini AI (campaign optimization) | Global | |
| Meta Platforms | Facebook OAuth sign-in, Meta Ads API | Global |
| TikTok | TikTok Ads API | Global |
| OAuth sign-in for ad accounts, Reddit Ads API | Global | |
| Microsoft | Sign-in with Microsoft (identity platform), Microsoft Advertising API | Global |
| Stripe | Subscription billing and payment processing | United States |
| Neon | Managed Postgres database | United States — Azure East US 2 (Virginia) |
| Cloudflare R2 | Storage for your uploaded ad creatives and media assets | Global edge |
| Sentry | Error monitoring and performance diagnostics | United States |
We will update this list and notify active customers by email before adding a new sub-processor that materially changes how we handle your data.
7. AI processing of your content
Ad-Aura uses Google's Gemini model (gemini-2.5-flash) to generate campaign optimizations, ad copy suggestions, and audience recommendations. We send the relevant campaign context — for example, your product description, audience description, recent performance metrics, and the ad copy you are iterating on — to Gemini for inference. We do not send your customer-list data or personally identifiable end-customer data.
Google's API terms state that prompts sent to the Gemini API are not used to train Google's models. You can review Google's data-handling commitments at ai.google.dev/gemini-api/terms.
8. Where your data is stored
Your account data and campaign data are stored in our Neon Postgres database in the United States (Azure East US 2, Virginia). Creative-asset uploads are stored in Cloudflare R2's global object store. Backups are kept in the same region as the primary database.
If you access Ad-Aura from outside the United States — including from the European Economic Area, the United Kingdom, or Canada — your data will be transferred to and processed in the United States. Where required, we rely on the Standard Contractual Clauses (SCCs) and equivalent transfer mechanisms with our sub-processors.
9. How long we keep your data
We keep your account data for as long as your Ad-Aura account is active. If you request deletion, we will remove your personal data from our active systems within 30 days and from our backups within the following backup-rotation cycle (typically up to a further 30 days). If you cancel your subscription and do not return, we automatically anonymize your account 90 days after the subscription ends — campaigns, platform connections, and profile details are erased, and we email you a heads-up two weeks beforehand. We may retain a minimal record of the transaction history for tax and accounting purposes for the period required by law (typically 7 years).
Server logs are retained for up to 90 days. Aggregated, fully anonymized metrics may be kept indefinitely for product analysis and for the anonymous category benchmarks described in section 5, which we use to improve strategy and optimization recommendations across the customer base. Those aggregates contain no customer identifiers and are subject to section 5's minimum-cohort and geography rules, so they persist unchanged through account deletion and anonymization.
10. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
California residents (CCPA/CPRA): we do not sell your personal information, and we do not share it for cross-context behavioral advertising — and we have not done either in the preceding 12 months, so there is nothing to opt out of. You additionally have the rights to know, correct, and delete described below, and the right not to be discriminated against for exercising them.
- The right to access a copy of the personal data we hold about you.
- The right to correct inaccurate or incomplete data.
- The right to delete your data (the “right to be forgotten”).
- The right to export your data in a portable, machine-readable format.
- The right to restrict or object to certain kinds of processing.
- The right to withdraw consent where processing is based on consent.
- The right to lodge a complaint with your local data-protection supervisory authority.
Access, export, and deletion are self-serve from inside the product. Sign in and go to Settings → Danger Zone: “Download my data (JSON)” produces the same JSON bundle a manual request would return, and “Delete my account” runs the full cascade (cancelling your Stripe subscription, removing your rows, and clearing your uploaded media) once you confirm by typing your account email.
If you can't log in, email hello@ad-aura.com from the address associated with your account. We will verify your identity (by confirming you control the account email) and respond within 30 days. There is no fee for the first request in any 12-month period.
Stripe invoice history is retained for tax purposes and is available directly from your Stripe customer billing portal — Ad-Aura does not duplicate that data in its own export bundle.
11. Children
Ad-Aura is a business-to-business product and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Security
All traffic to Ad-Aura is encrypted in transit using TLS. Authentication is delegated to Google or Meta — we never see your password. Database backups are encrypted at rest by our hosting provider. Payment information is handled entirely by Stripe, which is PCI-DSS Level 1 certified. We follow the principle of least privilege internally and review access regularly.
No service can guarantee perfect security. If we ever experience a personal-data breach that is likely to result in a risk to your rights, we will notify affected users and the appropriate supervisory authority within 72 hours, as required by GDPR.
13. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the page reflects the most recent change. If we make a material change — for example, adding a new category of data we collect or a new sub-processor that handles personal data — we will notify active customers by email at least 14 days before the change takes effect.
14. Contact
Questions, concerns, or requests about your data: email hello@ad-aura.com. We aim to respond within 5 business days for general questions and within 30 days for formal data-subject requests.