# Privacy Policy — Ads Direction
**Effective:** [TO BE FILLED ON LAUNCH DATE]
**Last updated:** 2 May 2026 (v0 draft, not yet lawyer-reviewed)
**Operated by:** Ads Direction (operating name of Raasa Oils India / [TO BE CONFIRMED — likely a separate legal entity by audit #50])
This is the v0 draft. It bakes in DECISIONS.md D-014 (data-use stance) and is written to be DPDP Act 2023 (India) and GDPR-aligned for EU traffic. Replace bracketed placeholders before going live.
---
## 1. Who we are
Ads Direction is a marketing audit tool for Indian D2C Shopify brands. We connect to your Google Ads, Shopify, and (optionally) Merchant Center accounts via OAuth, analyze your paid-acquisition performance, and deliver an audit report.
Contact: **privacy@adsdirection.com** | Founder: Omar Rashid
## 2. What data we collect
When you sign up and connect your accounts, we receive:
**Account metadata**
- Your email address
- Your Shopify store URL
- Self-reported monthly Google Ads spend band
- The 5-question founder questionnaire answers (your stated competitors, differentiator, recent failed campaign, etc.)
**Connected platform data (read-only OAuth scopes)**
- **Google Ads:** campaign performance, asset groups, search terms, auction insights, conversion data — last 90 days
- **Shopify:** orders, products, customers, inventory, abandoned carts — last 90 days
- **Merchant Center:** product feed health, disapprovals, product metadata
- **Meta Ads, Search Console, Clarity (v1+):** read-only analogous scopes
**Operational data**
- IP address and user agent at sign-up (for fraud prevention)
- Timestamps of connections, audit runs, downloads
**What we do NOT collect**
- We do not collect or store credit-card information directly. Razorpay handles payments.
- We do not access write/edit scopes on your platforms in v0.
- We do not collect customer-of-customer data (your end customers' PII) beyond what's necessary for aggregate analysis (e.g., AOV bands, repeat-purchase rates).
## 3. Why we collect it
**Primary purpose:** to deliver YOUR audit. We pull your data, analyze it, generate your report, and deliver it to you.
**Secondary purpose (the data layer — be transparent about this):** to improve Ads Direction's product by aggregating anonymized, cohort-level signals across audits. Specifically:
- We may combine anonymized findings across many brands ("In Indian D2C skincare brands at ₹1–5L monthly spend, the most common Merchant Center issue is X") to publish industry insights, license category playbooks to agencies, or train vertical-specific recommendation systems.
- Your brand is never named, identifiable, or attributable in any aggregated output.
**What we will never do:**
- Sell your raw account data to anyone.
- Reveal your specific brand's performance to any third party without your explicit written permission.
- Share your specific recommendations with agencies, acquirers, or competitors.
- Use your private data to advantage another named customer.
This stance is a hard rule, not a marketing claim. See DECISIONS.md D-014 in our public planning docs for the architectural commitment.
## 4. How we share data
We use the following sub-processors, each governed by its own privacy policy:
| Vendor | Purpose | Data shared |
|---|---|---|
| Supabase (Singapore region) | Database + authentication | All structured data |
| Cloudflare R2 | File storage | Generated audit Word docs, raw API extracts |
| Anthropic | LLM inference for audit synthesis | Anonymized + structured account data within prompts; not used to train Anthropic's models per Anthropic's API terms |
| Resend | Transactional email | Email address + audit-ready notification |
| Razorpay | Payments | Email + payment metadata (no card details touch our servers) |
| Vercel | Hosting | Web traffic + logs |
| Sentry | Error tracking | Non-PII error stack traces |
We do not sell or rent your data to advertisers.
## 5. Data residency
To meet your expectations under the DPDP Act 2023:
- Primary database: Supabase Singapore region (the closest available region to India until Supabase ships an India region)
- File storage: Cloudflare R2 with India edge
- LLM inference: Anthropic API (US-based; your data is sent in API calls but not retained per Anthropic's API terms)
If India residency is a hard requirement for you, contact us; we can discuss an in-country data plan for customers on tiers of ₹15,000/quarter and above.
## 6. How long we keep it
- Account data: until you delete your account, then 30 days for backup hygiene, then permanently deleted.
- Audit reports + raw extracts: 12 months by default. Deletable on request.
- Aggregated/anonymized cohort signals: retained indefinitely (no PII, no brand-identifying data).
- OAuth tokens: revoked immediately on account deletion or scope revocation.
## 7. Your rights (DPDP + GDPR aligned)
You have the right to:
- **Access** all data we hold about you (export endpoint coming in v1; by email until then)
- **Correct** inaccurate data
- **Delete** your account and all associated data (`Account → Delete` in dashboard, or email privacy@adsdirection.com)
- **Withdraw consent** to OAuth connections at any time (revokes our access)
- **Portability** — request your data in JSON
- **Object** to processing for the data layer (your audit will still run, but your brand's data is excluded from aggregated cohort analysis)
To exercise any of these, email **privacy@adsdirection.com**. We respond within 7 days.
## 8. Cookies + tracking
The Ads Direction website uses minimal cookies:
- Authentication session (essential)
- Anonymized analytics via [Plausible/Fathom — TBD; both are privacy-respecting, no third-party cookies, no IP storage]
We do not use Google Analytics, Meta Pixel, or any retargeting cookies on our own site. We are an audit tool, not an ad platform.
## 9. Security
- All OAuth tokens encrypted at rest with AES-256 (key in Supabase Vault, rotated quarterly)
- HTTPS everywhere
- No PII in error logs (Sentry receives stack traces only, not request bodies)
- 2FA available on customer accounts
- Annual penetration test starting [TBD — likely v1, before quarterly recurring tier launch]
If you discover a security issue, email **security@adsdirection.com**. Bounty program TBD.
## 10. Children
Ads Direction is a B2B tool for business operators. We do not knowingly collect data from anyone under 18. If you're 18 and somehow operating a Shopify store spending ₹50k+/month on ads, congratulations, but please get parental consent first.
## 11. Changes to this policy
If we change this policy in a material way, we will email you at least 14 days before the change takes effect. Non-material changes (typos, vendor name updates) are posted here without notice.
## 12. Contact
- General privacy questions: **privacy@adsdirection.com**
- Security disclosures: **security@adsdirection.com**
- Postal: [TO BE FILLED — Raasa Oils India address until separate legal entity exists]
---
*Drafted to comply with India's DPDP Act 2023 and EU GDPR. Not yet reviewed by counsel. v1 draft will be reviewed before audit #11 (paid-tier launch).*