Privacy Policy

OVS ("we," "us," or "our") operates AdControlCenter (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information: When you sign up, we collect your name, email address, and authentication credentials through our authentication provider (Clerk).

Business Information: You may provide your business name, website URL, industry, and advertising goals to help us tailor campaign recommendations.

Ad Platform Data: When you connect advertising accounts (Google Ads, Meta, TikTok, LinkedIn, X, Reddit), we access campaign data, performance metrics, and account information through official platform APIs using OAuth authorization. We store encrypted access tokens to maintain these connections.

Usage Data: We collect information about how you interact with the Service, including pages visited, features used, and session duration.

2. How We Use Your Information

• To provide, operate, and maintain the Service
• To manage your ad campaigns across connected platforms
• To generate AI-powered campaign recommendations and optimizations
• To send you notifications about your campaigns, account status, and important alerts
• To process transactions and manage your subscription
• To improve and develop the Service
• To comply with legal obligations

3. How We Protect Your Information

We take security seriously:

• All ad platform tokens are encrypted at rest using AES-256 encryption
• Data is transmitted over HTTPS with strict transport security
• We use rate limiting and audit logging to detect and prevent unauthorized access
• Database access is restricted and monitored

4. Third-Party Services

We use the following third-party services to operate the Service:

• Clerk — Authentication and user management
• Supabase — Database hosting and file storage
• Vercel — Application hosting
• Resend — Transactional email delivery
• LemonSqueezy / Stripe — Payment processing
• Google Analytics — Usage analytics
• AI Providers (Anthropic, OpenAI, Google) — Campaign analysis and recommendations

Each of these services has their own privacy policy governing how they handle data.

5. Google User Data

When you connect a Google Ads account, we access Google user data through the Google Ads API using OAuth 2.0. We request only the minimum scope required to provide the Service:

• https://www.googleapis.com/auth/adwords — read and manage Google Ads campaigns, ad groups, ads, keywords, and performance metrics on your behalf

Data Accessed:

• Google Ads account information (customer ID, account name, currency, time zone)
• Campaign, ad group, ad, and keyword data (names, statuses, budgets, bids, match types, final URLs, headlines, descriptions)
• Performance metrics (impressions, clicks, cost, conversions, conversion value, search terms)
• Keyword Planner data (search volume, competition, suggested CPC) — used only when you explicitly run keyword research in our Service

How We Use Google User Data: We use Google user data solely to display, manage, and optimize your advertising campaigns inside the Service. Specifically:

• Show your campaigns, ad groups, ads, keywords, and metrics in our dashboard
• Generate AI-assisted recommendations and campaign drafts that you review and approve before any change is published
• Execute campaign changes (pause, budget update, keyword changes, ad creation) only after your explicit approval in the Service UI

What We Do Not Do With Google User Data:

• We do not sell, rent, or trade Google user data
• We do not use Google user data to serve, target, or personalize advertisements
• We do not use Google user data to train, fine-tune, or improve generalized or third-party AI/ML models. Campaign data and metrics may be sent to AI providers (Anthropic, OpenAI, Google) at inference time to generate recommendations for your account; these providers operate under zero-retention or no-training contractual terms and the data is not retained for model training
• We do not use Google user data for credit-worthiness, lending, or any purpose unrelated to operating the Service for you
• We do not transfer Google user data to third parties except: (a) the infrastructure providers listed in Section 4 strictly to operate the Service, (b) when required by law, or (c) as part of a merger or acquisition with notice to you

Storage & Protection: Google OAuth refresh tokens are encrypted at rest using AES-256-GCM with a key held outside the database. Tokens are transmitted only over TLS. Access to the production database is restricted to authorized personnel and audit-logged.

Retention & Deletion: You can disconnect your Google Ads account at any time from Settings. On disconnection or account deletion request: (1) we immediately revoke the OAuth refresh token via Google's token revocation endpoint, (2) we delete the encrypted token from our database, and (3) we delete cached campaign, ad group, ad, keyword, and metrics data associated with that account within 30 days. You can also revoke our access directly at myaccount.google.com/permissions.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6. Facebook / Meta Data

When you connect a Meta (Facebook/Instagram) advertising account, we access the following data through the Meta Marketing API:

• Ad account information (name, ID, currency, status)
• Campaign, ad set, and ad data (names, statuses, budgets, targeting)
• Performance metrics (impressions, clicks, spend, conversions)
• Facebook Page information (name, ID) for ad creation

We use this data solely to display, manage, and optimize your advertising campaigns within our Service. We do not sell Meta data, do not use it to target ads outside your own connected Meta accounts, and do not use it to train generalized or third-party AI/ML models. We do not use Meta data for any purpose unrelated to providing the Service to you.

Data Deletion: You can request deletion of all data obtained from Meta by disconnecting your Meta account in Settings, or by contacting us. Upon disconnection or deletion request, we revoke all Meta access tokens and delete associated campaign data within 30 days. Meta can also initiate data deletion via our callback endpoint, and we will process such requests immediately.

7. WordPress Plugin

We offer a free WordPress plugin ("AdControlCenter for WooCommerce") that connects a merchant's WordPress / WooCommerce site to the Service to generate ad creatives from their product images. This section discloses exactly what data the plugin sends to our servers and how it is used.

Data sent by the plugin:

• Site URL — the merchant's WordPress site origin. Used to scope the free weekly credit allowance, validate ownership of the plugin install via a public verify file at /wp-content/plugins/creative-studio-ai-ad-image-generator/verify.txt, and bind paid credit packs to a single site.
• Product image URLs — public URLs of WooCommerce product images the merchant selects in the plugin. We fetch them at generation time and pass them as a reference to the AI model that produces the enhanced creative.
• Product metadata — product name, product ID, description, categories, and tags for the product the merchant chose to generate from. Used as styling context for the AI model; never rendered as text in the output image.
• License key — only when the merchant has redeemed a paid credit pack. Used to authenticate the credit balance and confirm the calling site matches the key's bound site.
• Plugin telemetry — plugin version, WordPress version, PHP version, and an optional client-supplied request id used to deduplicate retries. Used to debug compatibility issues and prevent double-billing on network retries.

What the plugin does NOT send:

• WordPress administrator names, emails, or user accounts
• WooCommerce customer data — no names, addresses, emails, phone numbers, or order history
• Order, transaction, or payment data
• Visitor analytics, page-view, or tracking data
• Any other content from the WordPress site beyond the product images and product metadata listed above

Storage & retention (plugin data): Generated images are stored in Supabase Storage and remain available for 30 days. Per-request metadata (site URL, product id, credits consumed, generation outcome) is retained for audit and billing reconciliation. Per-site credit balances and redeemed license keys are retained indefinitely while the merchant maintains an active relationship with the Service. Merchants can request deletion of all plugin-related data by emailing support@adcontrolcenter.com.

Third-party processors (plugin path): Product images and metadata are sent to AI model providers at inference time — Google Gemini (via fal.ai) for image generation, Anthropic Claude for ad-message interpretation. Both providers operate under zero-retention / no-training contractual terms; data is not retained beyond the inference request and is not used to train generalized or third-party AI/ML models. Paid credit-pack purchases are processed by Lemon Squeezy. The infrastructure providers listed in Section 4 also apply to the plugin path.

8. Data Sharing

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

• With third-party service providers listed above, solely to operate the Service
• When required by law, regulation, or legal process
• To protect the rights, property, or safety of our users or the public

9. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account, we remove your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.

10. Your Rights

You have the right to:

• Access and review the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Disconnect any ad platform at any time, which revokes our access to that platform's data

11. Cookies

We use only essential cookies required for authentication and session management. We do not use third-party tracking cookies.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

14. Contact Us

If you have questions about this Privacy Policy, please contact us at support@adcontrolcenter.com.