Privacy Policy — Ads Direction
Effective: 12 May 2026 | Last updated: 12 May 2026 | Operated by: Omar Rashid (sole proprietor; entity registration in progress)
Drafted to comply with India's DPDP Act 2023 and the EU GDPR.
1. Who we are
Ads Direction is a weekly performance-marketing audit subscription for Indian D2C founders. We connect to your Google Ads, Shopify, Merchant Center, and Meta Ads via OAuth, analyze your paid-acquisition performance daily, and deliver a fresh audit every Monday morning.
Contact: privacy@adsdirection.com | Founder: Omar Rashid
2. What data we collect
When you sign up and connect your accounts, we receive:
Account metadata
- Your email address
- Your Shopify store URL
- Self-reported monthly Google Ads + Meta Ads spend bands
- The 5-question founder questionnaire answers (stated competitors, differentiator, recent failed campaign, etc.)
Connected platform data (read-only OAuth scopes)
- Google Ads: campaign performance, asset groups, search terms, auction insights, conversion data. Up to 24 months of history on the first audit so we can detect seasonality and quarterly trends (clamped to 12 months for accounts under the heaviest-spend tier). Subsequent weekly runs read the last 30 days plus daily snapshots we've collected since.
- Shopify: orders, products, customers, inventory, abandoned carts. Same lookback policy.
- Merchant Center: product feed health, disapprovals, product metadata.
- Meta Ads: campaigns, ad sets, ad performance, primary text. Required since v0 onboarding.
- Optional connectors (Klaviyo / Mailchimp / GA4 / Search Console): if you connect them, read-only analogous scopes.
Brand-asset uploads (optional onboarding step)
If you provide them during onboarding or via Settings → Brand Assets, we store:
- Your logo (PNG/SVG)
- Brand guidelines PDF (parsed by Vision LLM to extract colors, typography, voice rules, banned phrases)
- Up to 5 product photos
- Brand color hex codes
- Brand voice notes + tone descriptors
- Banned phrases list
All assets are stored in Cloudflare R2 (India edge). The brand guidelines PDF is sent to the Anthropic Vision LLM once for parsing; the extracted structured fields are stored, and the PDF stays in R2 for re-parsing if you update it.
Daily metric snapshots
Once subscribed, we pull a small daily snapshot from your connected platforms (campaign-level spend, conversions, CPA, ROAS, key Shopify metrics). This is what powers the day-of-week anomaly detection and the "what shifted this week" surface in the Monday audit. Snapshots are retained for 24 months.
Operational data
- IP address and user agent at sign-up (fraud prevention)
- Timestamps of connections, weekly runs, deliveries, downloads, dashboard sessions
What we do NOT collect
- We do not store credit-card information. Razorpay handles all payment data.
- We do not access write/edit scopes on your platforms.
- We do not collect end-customer PII beyond what's necessary for aggregate analysis (e.g., AOV bands, repeat-purchase rates, cohort retention curves).
3. Why we collect it
Primary purpose: to deliver YOUR weekly audit. We pull your data, run analyzers, generate your weekly to-do list, and deliver it Monday morning.
Secondary purpose (the data layer — fully disclosed): to improve Ads Direction by aggregating anonymized, cohort-level signals across customers. Specifically:
- We may combine anonymized findings across many brands ("Indian D2C skincare brands spending ₹1–5L/month most commonly have Merchant Center disapprovals on Y") to publish industry insights, license category playbooks to agencies, or train vertical-specific recommendation systems.
- Your brand is never named, identifiable, or attributable in any aggregated output.
What we will never do:
- Sell your raw account data to anyone.
- Reveal your specific brand's performance to any third party without your explicit written permission.
- Share your specific recommendations with agencies, acquirers, or competitors.
- Use your private data to advantage another named customer.
This stance is a hard architectural rule, not a marketing claim. We treat it as binding policy across the product.
4. How we share data
We use the following sub-processors, each governed by their own privacy policies:
| Vendor | Purpose | Data shared |
|---|---|---|
| Supabase (Singapore region) | Database + authentication | All structured data |
| Cloudflare R2 (India edge) | File storage | Brand-asset uploads, generated audit Word docs, raw API extracts |
| Anthropic | LLM inference for audit synthesis + Vision LLM for brand-guideline PDF parsing | Anonymized + structured account data within prompts; PDF bytes for the Vision pass. Per Anthropic's API terms, this data is not used to train Anthropic's models. |
| Resend | Transactional email | Email address + audit-ready notification |
| Razorpay (Subscriptions API) | Recurring payments | Email + payment metadata (no card details touch our servers) |
| Vercel | Web hosting | Web traffic + server logs |
| Railway | Audit-engine hosting | Same data as Supabase, transient during audit runs |
| Inngest | Background job queue | Job IDs + event payloads (audit metadata, not raw account data) |
| Sentry | Error tracking | Non-PII error stack traces |
We do not sell or rent your data to advertisers.
5. Data residency
Per your DPDP Act 2023 expectations:
- Primary database: Supabase Singapore region (closest to India outside India until Supabase ships an India region)
- File storage: Cloudflare R2 with India edge
- LLM inference: Anthropic API (US-based; your data is sent in API calls but not retained per Anthropic's API terms; PDFs are processed and the response stored, the source PDF stays in R2 India edge)
- Audit-engine compute: Railway Southeast Asia region
If India-residency is a hard requirement for your compliance, contact us before subscribing — we can discuss in-country data routing for enterprise plans.
6. How long we keep it
- Account data: until you delete your account, then 30 days for backup hygiene, then permanently deleted.
- Weekly run history: 24 months by default. Deletable on request.
- Raw API extracts: 30 days, then deleted.
- Daily metric snapshots: 24 months (to power year-over-year baselines).
- Brand-asset uploads: until you delete them or your account, whichever comes first.
- Aggregated/anonymized cohort signals: retained indefinitely (no PII, no brand-identifying data).
- OAuth tokens: revoked immediately on account deletion, subscription cancellation, or scope revocation from your platform's settings.
7. Your rights (DPDP + GDPR aligned)
You have the right to:
- Access all data we hold about you (export from Settings → Privacy, or email)
- Correct inaccurate data (the brand-profile confirm step at onboarding is the primary correction surface; email for other fields)
- Delete your account and all associated data (Settings → Account → Delete, or email privacy@adsdirection.com)
- Withdraw consent to OAuth connections at any time (revokes our access; weekly runs pause)
- Portability — request your data in JSON
- Object to processing for the data layer (your weekly audit will still run, but your brand's data is excluded from aggregated cohort analysis)
- Pause processing — cancel your subscription to stop weekly runs without deleting history; resume any time
To exercise any of these, email privacy@adsdirection.com. We respond within 7 days.
8. Cookies + tracking
The Ads Direction website uses minimal cookies:
- Authentication session (essential, first-party)
- No analytics cookies on the marketing site as of v1.
We do not use Google Analytics, Meta Pixel, or any retargeting cookies on our own site. We are an audit tool, not an ad platform.
9. Security
- All OAuth tokens encrypted at rest with AES-256 (key in Supabase Vault, rotated quarterly).
- HTTPS everywhere; HSTS preload on adsdirection.com.
- No PII in error logs (Sentry receives stack traces only, not request bodies).
- Service-role database access only from the audit-engine and the Next.js server; no client-side service role.
- 2FA available on customer accounts.
If you discover a security issue, email security@adsdirection.com. Public bounty program TBD.
10. Children
Ads Direction is a B2B tool for business operators. We do not knowingly collect data from anyone under 18.
11. Changes to this policy
If we change this policy in a material way (data-use stance, vendor changes, scope expansions), we email you at least 14 days before the change takes effect. Non-material changes (typos, vendor name updates) post here without notice.
12. Data deletion
You can delete your Ads Direction account and all data we hold for you at any time.
From the app (immediate): sign in to https://adsdirection.com → Account / Settings → Delete account. This:
- Permanently removes your user row, brand profile, audits, insights, recommendations, and uploaded brand assets
- Revokes OAuth tokens with Google Ads, Shopify, and Meta (your data on those platforms is untouched)
- Cancels any active Razorpay subscription
- Stops weekly audit emails on the next delivery cycle
By email (if you cannot sign in): email privacy@adsdirection.com with subject "Account deletion request" from the email associated with your account. We confirm within 2 business days and complete the deletion within 7 business days.
Meta-specific: when you disconnect Meta Ads from /onboarding/connect (or delete your account), we immediately call Meta's token-revocation endpoint and purge all cached campaign, ad set, audience, insight, and Pixel data from our database within 1 hour. We retain only a deletion-confirmation record (your user_id + timestamp) for 90 days for compliance audit, then purge that too.
Google-specific and Shopify-specific: same flow — token revocation against the platform's revoke endpoint, plus immediate purge of all extracted data within 1 hour of disconnection.
If you have questions about your deletion request or want confirmation that it completed, email privacy@adsdirection.com.
13. Contact
- General privacy questions: privacy@adsdirection.com
- Security disclosures: security@adsdirection.com
- Operating entity: Omar Rashid, sole proprietor (entity registration in progress; this section updates when registered)
Reviewed against the current product mechanics on 12 May 2026. Drafted to comply with India's DPDP Act 2023 and the EU GDPR. The data-use stance in §3 is locked architecturally — we treat it as a binding rule, not a marketing claim.