Privacy Policy

AdAegis ("we," "us," or "our") operates an enterprise-grade AI-powered advertising operations platform available at adaegis.ai (the "Platform"). This Privacy Policy explains how we collect, use, store, and protect information when you use the Platform and any related services.

AdAegis operates on a Bring Your Own Keys (BYOK) model. You provide your own AI provider API keys (such as Anthropic, OpenAI, or Google Gemini) and your own advertising platform credentials (Google Ads, Microsoft Ads). We provide the orchestration infrastructure, user interface, guardrail engine, and automation framework. We do not resell AI inference or act as an intermediary for your ad spend.

By using the Platform, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Platform.

Account Information

When you create an account, we collect information necessary to establish and manage your identity on the Platform:

• Full name and email address used during registration
• Hashed password (we never store plaintext passwords)
• Organization name, billing address, and subscription details
• Role assignments within your organization (admin, operator, viewer)

Client Configuration Data

Within your organization, you create "clients" representing the advertisers you manage. For each client, we store:

• Client name, notes, and organizational metadata
• AI provider configuration (which providers are enabled, model routing preferences, and primary/fallback settings)
• Guardrail policies (budget limits, allowed action types, confidence thresholds, protected entities, execution time windows)
• Automation rules (trigger conditions and associated actions)
• Notification preferences (which events trigger alerts and through which channels)

Credentials You Provide

To connect to external services on your behalf, you provide credentials that we encrypt and store:

• AI provider API keys — keys for Anthropic, OpenAI, Google Gemini, or other supported AI providers
• Ad platform OAuth tokens — authorization tokens obtained through standard OAuth flows with Google Ads and Microsoft Ads
• Notification webhook URLs — Slack or Microsoft Teams webhook endpoints for alert delivery

Usage & Technical Data

We automatically collect certain technical information when you use the Platform:

• Browser type, operating system, IP address, and device information
• Pages viewed, features used, and actions taken within the Platform
• Timestamps for login events, session duration, and feature interactions
• Error reports and performance diagnostics

We use the information we collect to:

• Operate the Platform — authenticate your identity, enforce role-based access control, manage your organization and client configurations
• Orchestrate AI analysis — route your ad account data to AI providers using your API keys, assemble prompts, parse structured outputs, and generate typed recommendations
• Execute approved changes — submit approved recommendations to your connected ad platforms via their APIs, respecting your guardrail policies and circuit breaker limits
• Maintain audit trails — log every recommendation, approval, execution, and rollback action for your review and compliance needs
• Track AI usage — record token consumption and estimated costs per provider, per model, and per client so you can monitor your own AI inference spending
• Deliver notifications — send in-app alerts, emails, or webhook messages based on your configured notification preferences
• Improve the Platform — analyze aggregate usage patterns to identify bugs, improve performance, and develop new features
• Provide support — respond to your inquiries, troubleshoot issues, and assist with onboarding

A core principle of AdAegis is that you own and control your external service credentials. This has important privacy implications:

• Your AI API keys are yours. When AdAegis sends data to an AI provider for analysis, it does so using your API key. The inference costs are billed directly to your account with that provider. AdAegis does not mark up, resell, or subsidize AI inference.
• Your ad platform credentials are yours. AdAegis connects to Google Ads and Microsoft Ads using OAuth tokens you authorize. We never access ad accounts beyond the scope you grant. We do not control your ad spend — we are a control plane, not a billing intermediary.
• Key storage. All API keys and OAuth tokens are encrypted at rest using AES-256 encryption. They are decrypted only at the moment of use (when making an API call to the respective service) and are never logged in plaintext.
• Key revocation. You can revoke or rotate your API keys and OAuth connections at any time through the Platform. Revoking a key immediately stops all associated AI inference or ad platform operations for that client.

When you connect an ad platform account, AdAegis syncs and stores a normalized copy of your advertising data. This includes:

• Account structure: campaigns, ad groups, keywords, ads, and assets
• Performance metrics: impressions, clicks, conversions, cost, conversion values, and derived ratios (CTR, CPA, ROAS)
• Search term reports showing actual queries triggering your ads
• Targeting settings: geographic, device, audience, and schedule configurations
• Budget and bidding strategy configurations
• Historical snapshots of account state used for before/after comparison and rollback capability

This data is stored in our database, scoped to your organization. It is never shared with other tenants, used to train AI models, or exposed to any party beyond your authorized organization members.

Monetary values are stored with their original currency code (ISO 4217). Cross-account reporting uses a base currency you configure per client.

When AdAegis performs AI analysis on your ad account data, the following occurs:

• Prompt assembly: We construct prompts containing your ad performance data, account structure, and relevant context. Prompts are assembled from versioned templates scoped to specific task types (analysis, recommendation generation, ad copy writing, keyword research, budget strategy, targeting analysis).
• Data sent to AI providers: The assembled prompt — which includes your ad account data — is sent to the AI provider using your API key. AdAegis acts as a conduit; the data relationship is between you and the AI provider.
• AI provider privacy policies apply: Each AI provider has its own data handling and retention policies. We encourage you to review the privacy policies of Anthropic, OpenAI, and Google for their respective AI services. AdAegis has no control over how these providers handle data once it reaches their APIs.
• Response capture: We store the structured output returned by the AI provider (the recommendation objects) as part of your audit trail. Raw model responses may be stored temporarily for debugging and are purged according to our data retention schedule.
• Token and cost logging: We log the number of input and output tokens consumed and the estimated cost for each AI call, broken down by provider, model, client, and task type.

We implement multiple layers of security to protect your data:

• Encryption at rest: All sensitive credentials (API keys, OAuth tokens) are encrypted using AES-256 before storage. Database connections use TLS encryption.
• Encryption in transit: All communication between your browser and our servers, and between our servers and external APIs, is encrypted using TLS 1.2 or higher.
• Tenant isolation:Every database query is scoped by organization ID. There is no mechanism by which one tenant can access another tenant's data. This isolation is enforced at the data access layer, not just the application layer.
• Role-based access control: Access within an organization is governed by roles (admin, operator, viewer) enforced at the API level. Member-to-client assignments control which team members can see which advertiser data.
• Input validation: All API endpoints validate and sanitize input to prevent injection attacks (SQL injection, XSS, CSRF).
• Rate limiting: API endpoints are rate-limited to prevent abuse and protect platform stability.
• Audit logging: Every significant action — logins, configuration changes, approvals, executions, rollbacks — is recorded in an immutable audit log.
• Infrastructure security: Our infrastructure runs on Fly.io with production secrets managed through their secure secrets management system. Database services run on Neon (serverless PostgreSQL) with built-in encryption and access controls.

We retain your data according to the following schedule:

• Account information: Retained for the duration of your account. Upon account deletion, personal data is purged within 30 days, except where retention is required by law.
• Ad platform data (metrics, snapshots): Hot storage for the most recent 90 days (fast queries). Warm storage from 90 days to 1 year (queryable but slower). Data older than 1 year is archived to cold storage or purged based on your configured retention preferences.
• Recommendations and executions: Never hard-deleted. These records use soft-deletion with archival to preserve audit trail integrity. Archived records older than 1 year are moved to cold storage.
• Audit logs: Retained for a minimum of 2 years for compliance purposes. Exportable in CSV and JSON formats.
• AI inference logs: Token usage and cost data retained for 1 year. Raw model response references retained for 90 days, then purged.
• Encrypted credentials: Retained only while the associated connection is active. When you disconnect a provider or delete a client, the encrypted keys are permanently deleted.

AdAegis relies on the following third-party services to operate. Each has its own privacy practices:

• Neon (neon.tech) — Serverless PostgreSQL database hosting and user authentication infrastructure
• Fly.io (fly.io) — Application hosting and deployment infrastructure
• Upstash (upstash.com) — Managed Redis for job queuing, caching, and real-time event delivery
• Cloudflare (cloudflare.com) — DNS, CDN, and DDoS protection
• GitHub (github.com) — Source code hosting and CI/CD pipeline execution (does not process user data)

Additionally, through your BYOK configuration, data is sent to the AI providers and ad platforms you choose to connect. These are not our sub-processors — they are services you engage directly through your own credentials:

• Anthropic (anthropic.com) — Claude AI models
• OpenAI (openai.com) — GPT models
• Google (google.com) — Gemini AI models and Google Ads API
• Microsoft (microsoft.com) — Microsoft Advertising API

We do not sell, rent, or trade your personal information or advertising data. We may share information only in the following circumstances:

• With your AI providers and ad platforms — as directed by your configuration, using your own credentials. This is the core function of the Platform.
• With infrastructure providers — our hosting, database, and caching providers process data as necessary to operate the Platform. They act as data processors under our direction and are bound by their own security and privacy commitments.
• To comply with law — if required by a valid legal process (court order, subpoena, or regulatory request), we may disclose information to the extent legally required. We will notify you of such requests where legally permitted.
• To protect rights and safety — if necessary to enforce our Terms of Service, protect the security of the Platform, or protect the rights and safety of our users or the public.
• In a business transfer — if AdAegis is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements and audit trail preservation obligations.
• Data portability: Request your data in a structured, machine-readable format. Audit logs and recommendation history are exportable in CSV and JSON formats directly from the Platform.
• Objection: Object to processing of your personal data for certain purposes.
• Withdrawal of consent: Where processing is based on consent, withdraw your consent at any time.

To exercise any of these rights, contact us at the address listed below. We will respond to verified requests within 30 days.

AdAegis uses a minimal set of cookies necessary for platform operation:

• Session cookies: Required for authentication and maintaining your logged-in state. These are essential cookies and cannot be disabled while using the Platform.
• Theme preference: A local storage entry recording your dark/light mode preference. This does not leave your browser.

We do not use third-party advertising trackers, social media pixels, or cross-site tracking cookies. We do not serve advertisements on the Platform.

AdAegis is a business-to-business platform designed for advertising professionals and agencies. The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

Your data may be processed and stored in data centers located in the United States and other regions where our infrastructure providers operate. By using the Platform, you consent to the transfer of your data to these locations. We ensure that all data transfers comply with applicable data protection regulations and that appropriate safeguards are in place.

For users subject to the General Data Protection Regulation (GDPR) or similar regulations, we rely on Standard Contractual Clauses and other approved transfer mechanisms where required.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Effective date" at the top of this page
• Notify you via email or in-app notification at least 14 days before material changes take effect
• Maintain a change log of policy revisions upon request

Your continued use of the Platform after changes become effective constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a security concern, please contact us:

• Email: [email protected]
• Security issues: [email protected]
• Mailing address: AdAegis, Attn: Privacy, contact us via email for our current mailing address

We aim to respond to all inquiries within 5 business days.