Legal

Privacy Policy

This policy explains what data AdGenz.ai collects, how we use it, who we share it with, and the choices you have. It also covers our obligations under the Meta Platform Terms and how we handle data from Facebook and Instagram.

Last updated: 10 June 2026Effective: 10 June 2026Version: 1.0

The short version

We use your data to run the AdGenz.ai service — generating ads, managing brands, and (if you connect your account) publishing to Meta.
We never sell your personal information. We never sell or share Meta Platform Data.
We process content with AI providers (Anthropic, Google, Fal AI). They act as processors on our instructions and do not train their public models on your inputs.
You can export or delete your data at any time. Email privacy@adgenz.ai or use the in-app deletion tools in Settings.

1. Overview

AdGenz.ai ("AdGenz," "we," "us," or "our") operates an AI-powered Meta advertising platform that helps marketing teams research, generate, edit, and publish ad creative. This Privacy Policy describes the personal information we collect, how we use it, the third-party services that help us deliver the product, and the rights you have over your data.

This policy applies to adgenz.ai, the AdGenz dashboard, our APIs, marketing pages, and any other product we describe as covered by this policy (together, the "Service").

Where AdGenz processes information about your end-customers (for example, contacts in your knowledge-base files), AdGenz acts as a data processor and you (or your employer) are the data controller. Where AdGenz processes information about you as an account holder, AdGenz acts as the data controller.

2. Who we are

AdGenz.ai is operated by the entity that has entered into the AdGenz Terms of Service with you. For privacy-related contact, write to:

Role	Contact
Data controller / privacy contact	privacy@adgenz.ai
Security disclosures	security@adgenz.ai
General support	support@adgenz.ai

3. Information we collect

3.1 Account information

When you create an account, we collect your email address, display name, and (if you use single sign-on) the profile photo URL returned by your identity provider. Authentication is handled by Supabase Auth. If you sign in with Google, Google returns your basic profile information (name, email, avatar) to us.

3.2 Workspace & team information

We store the workspaces you create, the members you invite (email, role, capabilities, and an audit log of activity), and the invitations you send. Workspace owners and admins can see activity logs of who took which action — generation, approval, publishing, etc. — under their workspace.

3.3 Brand & content data

When you build a brand, we store everything you provide: brand name, product description, landing-page URL, brand assets (logos, images), knowledge-base documents (PDFs, text, scraped URLs), ICPs (ideal customer profiles), voice profiles, angles, generated ads, edit history, and any creative briefs. Files you upload are stored in Supabase Storage.

3.4 Source ads & competitor research

When you point AdGenz at a competitor ad URL or upload a reference image, we fetch and process that public content to generate similar or contrasting creative. We do not use your competitor research to train models for other customers.

3.5 Meta Platform Data (after you connect Meta)

If you connect a Facebook or Instagram account, we receive and store the information described in section 7. Meta Platform Data below. We request only the scopes needed to deliver the product and explain each one there.

3.6 Billing & usage data

Paid plans are billed through Polar.sh. Polar collects payment card and billing-address details directly — AdGenz never sees or stores your full card number. We receive and store: your plan, subscription status, customer ID, invoice metadata, and credit balances/transactions. We also log per-feature credit usage to enforce plan limits and show you transparent usage reports.

3.7 Telemetry & logs

We log the following to operate, secure, and improve the Service:

API request metadata — endpoint, status, timing, IP address, user-agent.
Background job records (Inngest run IDs, status, duration, errors).
Per-call AI provider usage — model name, token counts, latency, cost estimates — used for admin metering and billing reconciliation. We do not log prompt or completion content for telemetry purposes.
Application errors and stack traces, with personal identifiers minimized.

3.8 Cookies & local storage

See section 13 below. We use a small set of strictly necessary cookies and use sessionStorage for short-lived state such as the Meta OAuth nonce used to prevent CSRF.

4. How we use your information

We use information for the following purposes and legal bases (where the GDPR or comparable law applies):

Purpose	Categories used	Legal basis
Provide the Service — sign-in, workspaces, brands, ad generation, publishing.	Account, workspace, brand, content, Meta Platform Data.	Performance of a contract.
Process AI workflows: vision analysis, copy generation, image generation, image editing, semantic retrieval, quality assurance.	Brand content, knowledge base, source ads, prompts, generated outputs.	Performance of a contract.
Send transactional emails (workspace invites, job-complete notifications, billing receipts).	Account email, workspace data, job metadata.	Performance of a contract.
Bill and meter usage; prevent abuse and fraud.	Billing data, credit ledger, request telemetry.	Performance of a contract; legitimate interest in preventing abuse.
Secure the Service: rate-limit, detect malicious activity, investigate incidents.	Telemetry, IP, user-agent, request logs.	Legitimate interest in security; legal obligation.
Maintain admin dashboards (job monitoring, API usage, costs).	Aggregated and per-record telemetry.	Legitimate interest in operating the Service.
Comply with law, respond to lawful requests, defend our rights.	Any of the above as needed.	Legal obligation; legitimate interest.

We do not use your account, brand, knowledge base, generated content, or Meta Platform Data to train our own foundation models or sell access to third parties. We do not perform automated decision-making that produces legal or similarly significant effects about you.

5. AI & machine-learning processing

AdGenz is an AI-first product. To generate ads, copy, images, and analyses, we send your inputs (prompts, brand data, knowledge-base excerpts, source images) to third-party AI providers acting as our processors. We have configured each provider to act on our instructions only.

Providers and what they receive

Provider	Use	Data sent
Anthropic (Claude)	Text generation, vision analysis, copy frameworks, creative briefs.	Prompts, brand profile, knowledge-base excerpts, ICPs, source-ad images for vision analysis.
Google (Gemini)	Vision QA on generated images; brand intelligence extraction.	Generated images, reference imagery, structured prompts.
Fal AI	Image generation, editing, upscaling, background removal, aspect-ratio adaptation.	Prompts, brand assets, source images, generated images.
Supermemory	Semantic memory layer for retrieving prior brand context, winners, and avoid-lists.	Knowledge-base text, brand profile, ICPs, angles, generated copy, approval signals.
Firecrawl	Optional: scrape landing-page URLs you submit for knowledge-base building.	URLs you submit; the public page content fetched.

What does not happen

We do not authorize providers to use your inputs or outputs to train their public foundation models. Anthropic, Google, and Fal AI offer enterprise/API terms that exclude API content from model training by default; we rely on those terms.
Generated outputs are linked to your workspace only. They are not surfaced to other AdGenz customers.
Semantic memory containers in Supermemory are scoped per workspace and per brand. Retrieval cannot cross workspace boundaries.

Generative AI can produce inaccurate or misleading output. Review all generated copy and images before publishing. Do not include sensitive personal data, regulated information, or third-party confidential material in prompts or knowledge bases.

6. Sub-processors & service providers

We rely on the sub-processors listed below to operate the Service. Each is bound by a written agreement that limits their use of data to providing services on our instructions.

Service provider	Purpose	Location
Supabase Inc.	Authentication, Postgres database, file storage, realtime updates.	United States / EU regions.
Anthropic, PBC	Claude LLM and vision models for copy and analysis.	United States.
Google LLC	Gemini models for vision QA and brand intelligence; OAuth for sign-in.	United States / Global.
Fal.ai, Inc.	Image generation and editing models.	United States.
Supermemory, Inc.	Semantic memory layer for retrieval-augmented generation.	United States.
Inngest, Inc.	Background job orchestration and retries.	United States.
Resend, Inc.	Transactional email delivery (invitations, notifications).	United States.
Polar Software Inc.	Subscription billing, checkout, invoices, payment processing.	United States; payments via Stripe.
Upstash, Inc.	Redis-based rate limiting (optional, when configured).	United States / Global edge.
Firecrawl (Mendable Labs, Inc.)	Optional: enhanced URL scraping for knowledge bases.	United States.
Meta Platforms, Inc.	Graph API and Marketing API for ad publishing and insights (only after you connect).	United States / Global.
Vercel Inc.	Hosting, CDN, edge runtime for the AdGenz web application.	United States / Global edge.

We update this list as our processing changes. Material additions will be announced in this document and, where required, by email to workspace owners.

7. Meta Platform Data (Facebook, Instagram, Business Manager)

When you connect a Meta account, AdGenz integrates with Facebook Login for Business and the Meta Graph & Marketing APIs (currently v24.0). This section is provided to comply with the Meta Platform Terms and Developer Policies.

7.1 Permissions we request and why

Permission	Why we request it
`ads_management`	Create and update paused ads, ad sets, and creatives in the ad accounts you select. We never launch ads as active without your action.
`pages_show_list`	List Pages you administer so you can pick the one that should appear as the ad’s page identity.
`pages_read_engagement`	Read minimal Page metadata (name, category) required to associate the Page with creatives.
`pages_manage_ads`	Associate ad creatives with the Page identity you select.
`business_management`	Enumerate Business Manager assets so we can show the right ad accounts and Pages.

7.2 Data we receive from Meta

Your Meta user ID and display name (to identify which account is connected).
The ad accounts you administer, with account ID, name, status, and currency.
The Pages you administer, with Page ID, name, and category.
Campaigns, ad sets, and ads in the selected ad account, plus their insights (spend, impressions, clicks, CTR, CPC, CPM, reach, frequency, purchase and link-click actions, revenue, ROAS).
A short-lived access token, which we exchange for a long-lived token and store encrypted at rest.

7.3 What we do not do with Meta Platform Data

We do not sell, license, or transfer Meta Platform Data to data brokers or advertisers.
We do not use Meta Platform Data to build profiles of individuals or for surveillance.
We do not use Meta Platform Data to determine eligibility for housing, employment, insurance, education, credit, or government benefits.
We do not use Meta Platform Data to discriminate or to encourage discrimination.
We do not attempt to re-identify de-identified data or decode anonymized data.
We do not request, store, or use Meta user passwords.

7.4 Token storage and security

Long-lived Meta access tokens are stored in our Supabase Postgres database with row-level security and access scoped to the workspace that connected the token. Tokens are transmitted only over TLS, and only to the Meta Graph API. You can revoke our access at any time from Facebook → Settings → Business Integrations or by disconnecting Meta from the brand’s settings page.

7.5 Deleting Meta Platform Data

You can ask us to delete Meta Platform Data we hold for you at any time by:

Disconnecting Meta from the brand settings page (clears the token);
Deleting the brand or workspace from Settings (cascades all related Meta data);
Emailing privacy@adgenz.ai from the address tied to your account.

We will action verified deletion requests within 30 days. If you remove the AdGenz app from your Meta account, Meta will notify us; we treat that signal as a deletion request for the affected user’s Platform Data.

7.6 Compliance commitments

We maintain administrative, technical, and physical safeguards designed to meet or exceed industry standards. We will report qualifying incidents to Meta as required by the Platform Terms. We do not change the functionality of the app materially without resubmission through Meta App Review when required.

9. Data retention

Data	Retention
Account profile (email, name, avatar URL).	For the life of the account; 30 days after account deletion for backups.
Brand data, KB documents, generated ads, edit history.	Until you delete the brand or workspace, or close the account.
Meta Platform Data (tokens, ad account IDs, insights).	Until you disconnect Meta, delete the brand, or request deletion. Tokens are also invalidated when their natural expiry is reached.
Background job records, activity logs.	180 days from creation for diagnostic and audit purposes.
Billing records, invoices, credit-transaction ledger.	Up to 7 years, or longer where required by tax/accounting law.
Security and request logs.	Up to 12 months.
Backups.	Encrypted, rolling, retained up to 30 days.

When the retention period expires or you request deletion, we delete the data or irreversibly de-identify it, except where a longer period is required by law or for the establishment, exercise, or defence of legal claims.

10. Data security

Encryption in transit: TLS 1.2+ for all client-to-server and server-to-provider traffic.
Encryption at rest: Supabase Postgres and Storage encrypt data at rest using AES-256.
Access control: Postgres row-level security restricts row visibility to the owning workspace; admin APIs require an authenticated super admin and audit each request.
Authentication: Email/password and Google SSO via Supabase Auth. Sessions use short-lived JWTs with refresh rotation.
Application security: rate limiting, CSRF protection on OAuth flows, server-side validation of workspace and brand authorisation on every request, secret rotation for third-party API keys.
Vulnerability reporting: please report security issues to security@adgenz.ai. We acknowledge reports within 3 business days and will not pursue legal action against good-faith researchers who follow coordinated disclosure.

No method of transmission or storage is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security.

11. Your rights & choices

Depending on where you live, you may have the following rights over your personal information:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion of your data (see section 12).
Restriction — restrict processing in specific circumstances.
Portability — receive your data in a structured, machine-readable format.
Object — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent.
Lodge a complaint — with your local data protection authority. In the EU/UK, you can find your authority on the European Data Protection Board’s website.

U.S. residents (California, Colorado, Connecticut, Virginia, Utah, and other applicable states)

You have rights to know, access, correct, delete, and (where applicable) opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. AdGenz does not sell personal information and does not process sensitive information for purposes beyond providing the Service. You may exercise these rights using the contact details in section 17. We will not discriminate against you for exercising your rights.

We will verify your identity before responding to rights requests, typically by matching the request to the email on file and, where needed, asking you to confirm details only the account holder would know.

12. How to delete your data

Self-service deletion

You can delete your own data at any time:

Delete a brand from Brands → brand → Settings → Delete brand. Cascades knowledge base, ICPs, angles, ads, scripts, products, and Meta config.
Disconnect Meta from a brand’s settings to revoke and erase the token and connected account references.
Delete your account / workspace by emailing privacy@adgenz.ai from the address on the account.

Meta data deletion callback

For Meta's data-deletion request flow, please email privacy@adgenz.ai with the subject line "Meta data deletion request" and include your Meta user ID. We will respond with a confirmation code and complete deletion within 30 days.

We may retain limited information after deletion where required for legal, accounting, anti-fraud, or security purposes — described in section 9.

13. Cookies & local storage

We use a small number of strictly necessary cookies and browser storage items. We do not use advertising or cross-site tracking cookies.

Item	Purpose	Lifetime
Supabase auth cookies / local storage	Keep you signed in to your AdGenz workspace.	Session + refresh token rotation.
Workspace preference cookies / local storage	Remember the active workspace and UI preferences.	12 months.
meta_oauth_nonce (sessionStorage)	CSRF protection during the Meta OAuth flow.	Cleared on completion of the OAuth round-trip.
CDN / hosting cookies (Vercel)	Load-balancing and request integrity.	Session.

Most browsers let you block or delete cookies. Blocking strictly-necessary cookies will break sign-in and ad-publishing flows.

14. International data transfers

AdGenz is operated from, and stores data primarily in, the United States. Several of our sub-processors are located in the United States or operate globally distributed infrastructure. When data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by technical and organisational measures such as encryption in transit and at rest, and access-control reviews.

15. Children

AdGenz is a business tool intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child, we will delete it. If you believe a child has used the Service, please contact privacy@adgenz.ai.

16. Changes to this policy

We may update this policy when our product, technology, or legal obligations change. The "Last updated" date at the top of this page reflects the latest revision. For material changes, we will notify workspace owners by email at least 14 days before the change takes effect, or as required by law.

Continued use of the Service after a change becomes effective constitutes acceptance of the revised policy.

17. Contact

Questions, requests, or complaints about this policy or our handling of your data:

Topic	Email
Privacy, rights requests, deletion (incl. Meta)	privacy@adgenz.ai
Security vulnerability disclosure	security@adgenz.ai
General support	support@adgenz.ai

If we cannot resolve a concern, you can lodge a complaint with your local data protection authority.

Document version 1.0 · Effective 10 June 2026↑ Back to top