Privacy Policy

AdStack (“AdStack,” “we,” “us”) provides an AI-powered platform that helps marketers plan, generate, and publish advertising content and organic posts across third-party platforms including Meta (Facebook and Instagram), TikTok, and X.

This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it. It applies to anyone who uses our website or service.

Questions about this policy? Email legal@adstack.studio.

We collect the following categories of information:

Account information

• Email address, name, and authentication identifiers, supplied through our auth provider (Clerk) when you create an account.
• Profile information you optionally provide, such as a display name or company name.

Connected platform data

• OAuth access and refresh tokens for the third-party platforms you connect (e.g. Meta, TikTok, Higgsfield). Stored encrypted at rest using AES-256-GCM.
• Metadata about your ad accounts, advertisers, campaigns, posts, audiences, and creative assets, retrieved from those platforms when you use AdStack features.

Content you create

• Briefs, prompts, and instructions you submit to the chat agent.
• Generated images and videos produced by our AI providers on your behalf, plus the metadata describing how they were generated.
• Images you upload as references when planning campaigns.

Usage and operational data

• Which features you use, which tools the agent invokes on your behalf, timestamps, credit consumption, and approval actions you take.
• Standard server logs: IP address, browser user agent, request paths, and error stack traces (the latter routed through Sentry for debugging).

Payment information

• Billing details, subscription status, and transaction history. Card numbers and payment instruments are processed and stored by Stripe; we never see or store full card data ourselves.

We use the information described above to:

• Operate, maintain, and improve the AdStack service.
• Execute the actions you instruct the agent to take on connected platforms (e.g. creating a campaign, publishing a post).
• Bill you and process payments, including tax and revenue reconciliation.
• Send service communications (account, security, billing) and, if you opt in, occasional product updates.
• Detect, prevent, and investigate abuse, fraud, and security incidents.
• Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.

We do not sell your personal information. We do not use the content you create or the data we retrieve from your connected platforms to train AI models.

AdStack relies on the following sub-processors to deliver the service. Each operates under a written data-processing agreement and handles only the data necessary to perform their function:

• Anthropic— powers the chat agent (Claude). Your prompts and conversation context are sent to Anthropic's API to generate responses.
• Higgsfield — generates images and videos on your behalf.
• Meta Platforms — Facebook and Instagram Graph APIs for campaign management and organic posting.
• TikTok — Marketing API and Content Posting API for campaign management and organic publishing.
• Clerk — authentication, session management, and user profile storage.
• Stripe — payment processing and subscription management.
• Vercel — application hosting and content delivery.
• Neon — managed PostgreSQL database.
• Sentry — error and exception monitoring.
• Resend (when enabled) — transactional email delivery.

We do not share your information with third parties for their own marketing purposes. Aggregated, anonymized statistics about feature usage may be shared publicly or with investors.

AdStack is operated from the United States. By using the service, you understand that your information may be transferred to, processed in, and stored in the United States and other countries where our sub-processors operate. We rely on Standard Contractual Clauses and other lawful transfer mechanisms where required.

• Account data: while your account is active, then 30 days after deletion to allow for recovery of accidental deletions, then permanently removed.
• OAuth tokens: only while the connection is active. Tokens are deleted within 24 hours of disconnect.
• Generated content: retained for the lifetime of your account; deleted on account deletion (subject to legal hold).
• Audit logs: 12 months, for security and compliance.
• Payment records: 7 years, as required by tax and accounting law.

Depending on where you live, you may have the following rights regarding your personal information:

• Access — request a copy of the information we hold about you.
• Correction — ask us to fix inaccurate or incomplete information.
• Deletion — request that we erase your account and associated data.
• Portability — receive your data in a structured, machine-readable format.
• Restriction and objection — limit or object to certain processing activities.
• Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email legal@adstack.studio or use the controls under Settings → Account in the app. We will respond within 30 days.

California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we have collected, sold, or disclosed, and the right to opt out of “sales” of personal information (which we do not engage in).

You also have the right to lodge a complaint with a supervisory authority in your country of residence.

We implement technical and organizational measures designed to protect your information, including:

• Encryption in transit (TLS 1.2 or higher).
• Encryption at rest for sensitive credentials (AES-256-GCM with per-application key separation).
• Principle-of-least-privilege access controls.
• Automated dependency vulnerability scanning and regular security reviews.
• Two-factor authentication available on all accounts.
• Audit logging of sensitive actions.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@adstack.studio.

AdStack is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

We use a small number of strictly necessary cookies for authentication and session management (set by Clerk) and, where applicable, analytics cookies to understand aggregate product usage. You can control cookies through your browser settings; disabling essential cookies will prevent you from signing in.

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top and, for material changes, notify you by email or by an in-app banner before the change takes effect.

AdStack
Email: legal@adstack.studio
Security: security@adstack.studio