Privacy Policy
Last Updated: February 2026
Effective Date: February 2026
Operator: Darren Morgan ("we", "us", "our")
Contact: privacy@adrocketx.ai
Meta App ID: 2022818185151020
1. Overview
AdRocketX is a web application that helps business owners create and manage Facebook and Instagram advertising campaigns through an AI-assisted wizard interface. This privacy policy explains what data we collect, why we collect it, how we store it, and your rights regarding that data.
We take your privacy seriously. We do not sell your data. We do not share your data with third parties beyond what is strictly necessary to operate the service.
2. Data We Collect
2.1 Account Data (Provided by You)
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account creation, login via magic link, communications | Until account deletion |
| Subscription/plan selection | Billing and feature access | Until account deletion |
2.2 Meta Platform Data (Accessed via OAuth)
When you connect your Meta (Facebook) account, we request access to the following data through Meta's OAuth flow. You explicitly grant each permission during the connection process.
| Data Category | Meta Permission | What We Access | Purpose |
|---|---|---|---|
| Ad account list | ads_read | Account IDs, names, currency, status | Display your ad accounts for campaign creation |
| Campaign data | ads_read | Campaign names, objectives, budgets, status, performance metrics | Show campaign status and performance in the dashboard |
| Campaign management | ads_management | Create campaigns, ad sets, and ads; modify budgets and status | Execute campaigns you configure through the wizard |
| Facebook Pages list | pages_show_list | Page names and IDs you manage | Let you select which Page to run ads from |
| Page access tokens | pages_read_engagement | Page-level access tokens | Required by Meta's API to publish ads on your selected Page |
We only access data necessary to perform the actions you initiate. We do not access your personal Facebook profile, friends list, posts, messages, photos, or any data unrelated to advertising.
2.3 Website Analysis Data (Provided by You)
When you enter a website URL in the campaign wizard, we analyse the publicly accessible content of that URL to extract brand colours, logos, business descriptions, value propositions, and competitor suggestions. This data is used solely to generate relevant ad copy and creative for your campaigns.
2.4 AI-Generated Content
During campaign creation, our AI agents generate ad copy variations, ad creative images, and targeting recommendations. This generated content is stored in association with your account and campaigns.
2.5 Payment Data
Payments are processed by Stripe (stripe.com). We do not store credit card numbers, CVVs, or full card details. Stripe provides us with subscription status, payment history, and a truncated card identifier (last 4 digits). See Stripe's privacy policy.
2.6 Technical Data
- IP address (for rate limiting and security)
- Browser user agent (for compatibility)
- Session tokens (authentication)
- API request logs (debugging, retained 30 days)
3. How We Use Your Data
- Campaign Management — Creating, modifying, monitoring, and pausing Meta ad campaigns as directed by you.
- AI Content Generation — Generating ad copy, images, and targeting suggestions based on your business information.
- Account Management — Authenticating your identity, managing your subscription, enforcing usage limits.
- Service Improvement — Aggregated, anonymised usage patterns. We do not use your Meta ad data for this.
- Communication — Transactional emails only (login links, payment receipts). No marketing emails without opt-in.
4. Data Storage and Security
| Component | Provider | Purpose |
|---|---|---|
| Application database | Supabase (PostgreSQL) | User accounts, OAuth tokens, campaign configurations |
| Payment processing | Stripe | Subscription billing |
| Application hosting | Vercel / Coolify | Next.js application |
| MCP Server | Coolify (self-hosted) | Meta API orchestration |
Security Measures
- OAuth tokens stored encrypted, transmitted only over HTTPS
- Row Level Security (RLS) on all Supabase tables
- Service role keys used only server-side, never exposed to browser
- PKCE used in Meta OAuth flow
- Rate limiting on all API endpoints
- All Meta API communication uses HTTPS with OAuth 2.0 bearer tokens
Token Management
- Meta access tokens exchanged for long-lived tokens (60-day expiry)
- Expired tokens detected; users prompted to re-authenticate
- Token revocation supported via /api/auth/revoke
5. Data Sharing
| Recipient | What | Why |
|---|---|---|
| Meta Platforms, Inc. | Campaign configurations, ad content, targeting parameters | To create and manage your ad campaigns via Meta's Marketing API |
| Stripe, Inc. | Email, subscription plan | To process your payments |
| AI Model Providers (Anthropic, Google) | Website content you provide, campaign preferences | To generate ad copy and images. We do NOT send Meta account data or OAuth tokens to AI providers. |
We do NOT: sell your data, share ad performance data with other users, use your data for our own advertising, or provide data to data brokers.
Legal obligations: We may disclose data if required by Australian law, court order, or regulatory requirement.
6. Data Retention
| Data | Retention Period |
|---|---|
| Account data (email, preferences) | Until you delete your account |
| Meta OAuth tokens | Until you disconnect Meta or tokens expire |
| Campaign configurations and generated content | Until you delete your account |
| Meta ad performance data | Fetched on-demand; cached for session duration only |
| Payment records | 7 years (Australian tax law) |
| API request logs | 30 days |
| Website analysis results | 90 days of inactivity |
7. Your Rights
All Users
- Access your data via account dashboard or privacy@adrocketx.ai
- Export your data in machine-readable format
- Delete your data — we will also revoke your Meta OAuth token
- Disconnect Meta — revoke access any time via the app or Facebook app settings
- Withdraw consent — stop using the service at any time
EU/EEA Residents (GDPR)
Rights to rectification, restriction, portability, and objection, and the right to lodge a complaint with your local DPA. Legal basis: contract performance, legitimate interest, consent.
California Residents (CCPA)
Right to know, delete, and opt-out of sale (we do not sell personal information).
8. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| bearer_token | Session authentication | Session |
| user_email | Identify logged-in user | Session |
We do not use advertising cookies, tracking pixels, or cross-site analytics.
9. Children's Privacy
AdRocketX is not intended for anyone under 18. We do not knowingly collect data from minors.
10. Data Deletion
You may request deletion of all your data at any time by:
- Disconnecting your Meta account from AdRocketX settings
- Emailing privacy@adrocketx.ai
- Using Meta's data deletion callback (we respond automatically)
Upon deletion, we will delete OAuth tokens immediately, delete cached API responses, and delete your account within 30 days.
11. Meta Platform Terms
Our use of data received from Meta APIs complies with the Meta Platform Terms and Developer Policies. We only request permissions necessary for core functionality, do not use Meta data for unrelated purposes, delete Meta data upon request, and do not transfer Meta data to data brokers or advertising networks.
12. Data Breach Notification
In the event of a breach, we will notify affected users within 72 hours, notify relevant authorities as required, and take immediate remediation steps.
13. Changes to This Policy
Material changes will be communicated via email at least 14 days before taking effect. Continued use constitutes acceptance.
14. Contact
Email: privacy@adrocketx.ai
Address: South Australia, Australia