Legal
Data Handling & Security
How we handle the data you trust us with — scopes, routing, retention, and the controls around it.
Last updated: July 13, 2026
This page explains, in practical terms, how Ad Spend Technologies, Inc. handles data across the Service. It supplements our Privacy Policy and Terms & Conditions.
1. Our role
For Connected Platform Data and other content customers route through the Service, we act as a processor / service provider: we process it on the customer's behalf and documented instructions to deliver the Service. We do not use it for our own independent purposes, do not use it to train generalized AI models, and do not build cross-customer benchmarks or datasets from it. Customers remain controllers of that data and are responsible for the rights, notices, and consents their own use requires.
2. Connected Platforms: what we access and why
We access each platform only through its official API, with the customer's OAuth authorization, requesting the minimum scopes needed. Data is used solely to provide the Service to the customer that connected it.
| Platform | Access | Data elements | Purpose |
|---|---|---|---|
| Google Ads | Read; write only for customer-approved actions | Campaign/ad group/ad settings, change history, performance metrics, conversions | Change tracking, analysis, reporting; approved optimizations |
| Meta (Facebook/Instagram) Ads | Read; write only for customer-approved actions | Campaign/ad set/ad settings, change history, performance metrics, conversions, creative metadata | Change tracking, analysis, reporting; approved optimizations |
| LinkedIn Ads | Read; write only for customer-approved actions | Campaign settings, performance metrics, conversions | Change tracking, analysis, reporting; approved optimizations |
| TikTok Ads | Read; write only for customer-approved actions | Campaign settings, performance metrics, conversions, creative metadata | Change tracking, analysis, reporting; approved optimizations |
| Reddit Ads | Read | Campaign settings, performance metrics, conversions | Change tracking, analysis, reporting |
| OpenAI Ads (ChatGPT advertising) | Read (as support launches) | Campaign settings, aggregate performance metrics | Analysis and reporting. We never access or receive ChatGPT conversation data |
3. AI processing, platform by platform
The Service uses automated systems and contracted AI Service Providers to help generate analysis and recommendations. Our AI Service Providers are contractually prohibited from training their models on customer data. Connected Platform Data reaches an AI Service Provider only where the applicable platform's terms permit it and only as necessary for a customer-facing feature the customer uses:
| Platform | Processed by AI Service Providers? |
|---|---|
| Google Ads | Only as permitted by Google's API policies (including Limited Use) and necessary for the customer's enabled analysis features |
| Meta Ads | Only as permitted by Meta's Platform Terms and necessary for the customer's enabled analysis features |
| LinkedIn Ads | Only as permitted under our approved Marketing API use case |
| TikTok Ads | Only as permitted under our approved scopes and review description |
| Reddit Ads | Only as permitted by Reddit's Ads API terms and necessary for the customer's enabled analysis features |
| OpenAI Ads | Aggregate campaign metrics only, as permitted by OpenAI's advertiser terms |
4. Service providers
We use a limited set of vetted providers to run the Service, each bound by contract to protect data and process it only to provide its service to us:
| Purpose | Role | Receives Connected Platform Data? |
|---|---|---|
| Cloud hosting, application delivery, and data storage | Processor | Yes (to host the Service) |
| AI / model processing | Processor (no training on customer data) | Only per the platform-by-platform table above |
| Payment processing (Stripe) | Independent controller for payment processing and fraud prevention | No |
| CRM, support, and customer communications | Processor | No |
| Meeting notes and recordings (with participant consent) | Processor | No |
| Team messaging delivery (Slack / Microsoft Teams) | Processor for delivery; workspace providers operate under their own terms with the customer | Only the analysis the customer routes to their own workspace |
5. Disconnecting and deletion
- Disconnect a platform: Settings → Integrations → Disconnect, or email privacy@theadspend.com. Disconnection stops ingestion and results in revocation and deletion of the stored OAuth tokens.
- Deletion: raw Connected Platform Data is deleted from production systems promptly following disconnection or account closure — and in any event within the timeframes the applicable platform's terms require — with backup copies removed in the ordinary course of our standard backup cycles.
- Account deletion: closing an account triggers the retention schedule published in our Privacy Policy — platform data on the timeline above; audit, billing, and acceptance records retained only as narrow legal evidence.
- Platform-initiated revocation: revoking our app's access from the platform's side has the same effect as disconnecting in-product.
6. Security measures
We use technical and organizational measures designed to protect data, including: encryption in transit and at rest; encrypted storage of OAuth tokens with access restricted to the systems that need them, and revocation on disconnect; role-based access controls and least-privilege access for personnel; tenant isolation between customer workspaces; logging and monitoring across the Service; and an incident-response process that includes notification of affected customers as required by applicable law.
We describe our practices accurately and do not claim certifications we do not hold; where we obtain formal attestations, we will make them available to eligible customers. Suspected vulnerabilities can be reported to security@theadspend.com and will be acknowledged promptly; we ask reporters to practice responsible disclosure.
7. Data location
Production data is processed and stored in the United States. Where personal data is transferred from the EU/UK, we use appropriate safeguards, such as the EU Standard Contractual Clauses, where required.
8. No cross-customer data products
We do not use Connected Platform Data or customer content to create cross-customer benchmarks, train generalized models, or develop datasets or offerings for anyone other than the customer that connected the data, unless that customer separately opts in in writing and the applicable platform permits it. We may use operational data — usage counts, performance and security telemetry, feedback, and fully de-identified statistics that do not contain or derive from platform data — to operate and improve the Service. We do not sell personal information.
9. Data processing terms
For Customer Data that is personal data, we act as the customer's service provider / processor under our Terms and Privacy Policy. Customers that require separate data-processing terms may contact privacy@theadspend.com.
10. Contact
Data-handling questions: privacy@theadspend.com · Security reports: security@theadspend.com · Mail: Ad Spend Technologies, Inc., 1460 Broadway, New York, NY 10036, USA.