Last updated May 30, 2026

Privacy policy.

The short version: your data is yours. Encrypted at rest, never sold, never used to train external models. You can export or delete everything in two clicks.


TL;DR

We collect: your ad data, account info, and what you ask the bird. We use it: only to run Adsly for you. We share it: with Anthropic (Claude) for AI recommendations only — they don't train on it — and nobody else.

1. What we collect

Email, name, and hashed password when you create an account. Ad account metadata (account IDs, account names, linked pages) pulled via Meta and Google OAuth. Campaign performance data — spend, impressions, clicks, conversions, ROAS, and CPA — synced hourly. Anything you type to the bird (your prompts and queries to the AI assistant). We do NOT collect payment card details (handled entirely by Stripe), any data from outside Adsly, or cross-site behavioral data.

2. Google API Limited Use

Adsly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data — including campaign performance metrics, keyword data, bid data, campaign settings, and account IDs — is used solely to provide the Adsly service to you. It is never used for advertising, re-targeting, profiling, re-sale, or to develop, improve, or train any AI or ML model. All data is transmitted over 128-bit SSL encryption. We will not sell, redistribute, sublicense, or disclose your Google Ads account-specific data (keywords, bids, campaign settings, or performance data) to any third party without your explicit written consent. Where campaign metrics are sent to our AI sub-processor (Anthropic Claude) to generate recommendations, this is governed by Section 5 and no end-user PII is included in those transmissions.

3. Meta Platform Data

Data obtained via the Meta Marketing API — including ad account IDs, campaign names, performance metrics (spend, ROAS, impressions, clicks, CPA), and ad creative metadata — is used exclusively to provide the Adsly service to you. Meta Platform Data is never used to: train or improve any AI or machine learning model (ours or any third party's, including our AI recommendation engine); build profiles of or target users outside your own ad account; track users across unrelated apps or services; or be sold, licensed, rented, or transferred to any third party for their own purposes. We request only the minimum OAuth scopes necessary — ads_read and ads_management — and do not request access to personal profile data, messages, or any data beyond campaign performance. Campaign metrics sent to our AI sub-processor (Anthropic) for recommendation generation contain no end-user PII from your ad audiences.

4. How we store it

All data is stored in a PostgreSQL database hosted on Neon (US-East-1). OAuth tokens are encrypted at rest using AES-256-CBC. All data in transit is protected by TLS. Database backups are encrypted at rest. SOC 2 Type II certification is in planning.

5. Who we share it with (sub-processors)

Anthropic — We use Claude's Messages API to generate campaign optimization recommendations. Data sent to Anthropic includes campaign performance metrics (spend, ROAS, CPA, campaign names) and anything you type directly into Adsly's chat. We do not send end-user PII, ad audience data, or demographic data from your campaigns. Under Anthropic's standard API terms, inputs and outputs are retained by Anthropic for up to 7 days for safety purposes, then permanently deleted. Anthropic does not use API data to train its models.

Neon — PostgreSQL database hosting, United States.

AWS — cloud infrastructure, United States.

Stripe — billing and subscription management; no ad performance data is shared.

Sentry — error monitoring; data is anonymized before transmission.

Upstash — job queues; data is transient and not persisted beyond task execution.

We do not share your data with ad networks, analytics resellers, data brokers, or any party not listed above. We do not sell or license your data.

6. GDPR legal basis

We process your data under the following legal bases: (a) Contract performance — processing your ad account data to deliver the Adsly service you requested. (b) Legitimate interests — error monitoring, security incident response, and abuse prevention. (c) Consent — marketing emails and product updates, which are opt-in only. You may withdraw consent for (c) at any time via the unsubscribe link or by emailing hello@flyadsly.com. Automated processing: AI recommendations are generated for your review only. No budget change or campaign action executes without your explicit approval, satisfying the Article 22 safeguard against solely automated decisions with legal effect. For EU/EEA users: data transferred to the United States is covered by the EU-US Data Privacy Framework adequacy decision. You may lodge a complaint with your local data protection authority at any time.

7. Your rights (GDPR + CCPA)

You have the right to access, correct, delete, export, restrict processing of, and object to processing of your personal data. California residents: the categories of personal information collected are described in section 1. We do not sell or share personal information as defined under the CPRA. To exercise any of these rights, email hello@flyadsly.com or use the Data Deletion form at /data-deletion. We respond within 30 days (GDPR) or 45 days (CCPA).

8. How long we keep it

We retain your data while your account is active. After account deletion: data is purged from primary systems within 30 days, after which encrypted backups are permanently destroyed. Billing records are retained for 7 years to satisfy legal and tax obligations. AI prompt and token usage logs are retained on a 12-month rolling basis.

9. Cookies

We use strictly necessary cookies only: session management and authentication tokens. We do not use marketing cookies, retargeting pixels, or third-party ad trackers. Error monitoring via Sentry does not enable session replay.

10. Data breach notification

In the event of a data breach that affects your personal data, we will notify you within 72 hours of discovery as required by GDPR Article 33, or within any shorter timeframe required by applicable law.

11. Changes to this policy

We will email you at least 30 days before any material change to this policy. Continued use of Adsly after the effective date constitutes your acceptance of the updated policy.

Questions?

hello@flyadsly.com · or use the Data deletion form for an immediate purge request.

Privacy Policy — Fly Adsly