1. Information We Collect
When you sign in with Google, we collect your name, email address, and profile picture. We also collect data you provide when setting up your business profile (URLs, descriptions, preferences).
2. How We Use Your Information
We use your information to provide the Service: generating content, sending emails, posting to social media, and managing ad campaigns on your behalf. We also use your email to send daily digest summaries of your business activity.
3. Third-Party Services
We integrate with the following services to operate:
- Anthropic (Claude AI) — content generation and review
- Supabase — database and authentication
- Stripe — payment processing
- SendGrid — email delivery
- X API — social media posting
- Google Ads — advertising management
- Meta Marketing API — Facebook/Instagram ad management
- Google Search Console — search performance data
- Vercel — hosting and deployment
4. Connected Advertising and Search Console Accounts
When you connect a Google Ads, Meta Ads, or Google Search Console account to Let It Run, you grant us OAuth-scoped access to perform specific actions on your behalf. We disclose exactly what we read, write, and store for each provider below.
4.1 Google Ads API
Scope requested: https://www.googleapis.com/auth/adwords.
- What we read:account hierarchy (manager & client account IDs), campaign / ad-group / ad / keyword configuration, performance metrics (impressions, clicks, cost, conversions), and search-term reports. We never access account billing details beyond what GAQL exposes.
- What we write: only the resources you explicitly authorize from the dashboard — creating campaigns, updating bids, pausing ads, applying recommendations. Every write is logged to your audit trail.
- What we store: your refresh token (encrypted at rest), customer IDs, and a 90-day cache of performance reports. We do not store individual click-level data.
- How we share it: we do not sell, transfer, or use this data for advertising. It is processed solely to operate the features you enabled. Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4.2 Meta Marketing API (Facebook & Instagram Ads)
Permissions requested: ads_management, ads_read, business_management, pages_show_list.
- What we read: ad-account list, campaign / ad-set / ad configuration and creatives, audience definitions, insights metrics (reach, impressions, conversions, spend), and the Facebook Pages you grant us access to.
- What we write: campaign / ad-set / ad create-update-pause operations and creative uploads, only when triggered from the dashboard. We never post organic content without your explicit per-post approval.
- What we store: your long-lived access token and ad-account / page IDs (encrypted at rest), and a 90-day cache of insights for charting.
- How we share it: we do not sell, license, or re-purpose Meta Platform data. Disconnecting our app from your Facebook account triggers an immediate data-deletion request via our Data Deletion endpoint.
4.3 Google Search Console
Scope requested: https://www.googleapis.com/auth/webmasters.readonly.
- What we read: the list of properties you own, search-analytics reports (queries, clicks, impressions, CTR, position), and the URL inspection index status.
- What we write: nothing — the scope is read-only.
- What we store: a 90-day cache of search-analytics rows that drives the SEO content planner; raw query logs are not persisted.
- How we share it: Search Console data is used only to inform AI-generated content suggestions inside your project. It is not aggregated, anonymized, or shared with any third party.
You can revoke any of these connections at any time from your dashboard's Connect Accounts panel; revocation triggers immediate token deletion and a backfill purge of cached metrics.
5. Data Storage
Your data is stored in Supabase (PostgreSQL) hosted in the United States with row-level security enabled. OAuth refresh tokens, API keys, and other credentials are encrypted at rest using AES-256 envelope encryption.
6. Data Retention
We retain account-level data as long as your account is active. Audit logs are retained for 7-90 days depending on your plan. Cached advertising and Search Console performance data is retained for up to 90 days. After account deletion all associated data is purged within 30 days, except where applicable law (e.g. tax records held by Stripe) requires longer retention.
7. Your Rights
You can export your data at any time from the dashboard, delete individual projects (which archives all associated data), revoke any connected third-party account, or submit a full deletion request at /data-deletion. Disconnecting our app from Meta directly via Facebook Settings also triggers a deletion request automatically.