Privacy Policy

Effective date: April 23, 2026 · SyncMetrics (syncmetrics.io)

SyncMetrics connects your advertising accounts — Meta Ads and Google Ads — to AI tools (Claude via MCP) and reporting tools (Looker Studio), so you can analyse performance data in plain language. This policy explains what data we access, how we protect it, and your rights.

1. Information We Collect

Account Information

When you create an account we collect your email address and a hashed password. We never store your password in plain text.

Ad Platform Tokens Meta & Google

When you connect an ad account, we store the OAuth access token issued by that platform. All tokens are encrypted at rest using AES-256 (Fernet). We never store your platform password.

Ad Performance Data Meta & Google

We fetch campaign performance data (spend, impressions, clicks, CTR, CPC, CPM, ROAS, etc.) on your behalf when you request it. We do not permanently store this data. It is fetched live from the platform API and returned directly to you or your connected tool (Claude, Looker Studio). Nothing is cached or retained after the response is delivered.

Usage & Technical Logs

Standard server access logs (IP address, endpoint called, HTTP status, timestamp) are retained for up to 30 days for security and debugging. These are not shared with third parties.

2. Permissions We Request

Meta Ads Meta

ads_read — read your ad account campaign performance data (spend, impressions, clicks, etc.)

We request only the minimum permissions needed. We do not request permission to create, edit, or delete ads, or to post on your behalf.

Google Ads Google

Google Ads read-only — read campaign, ad group, keyword, and performance data from your Google Ads account

Google API Services disclosure: SyncMetrics's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell, share, or transfer Google user data to third parties. Google user data is used solely to provide the SyncMetrics service to you and is never used for advertising, AI training, or any secondary purpose.

3. How We Use Your Data

To authenticate you and manage your account
To connect to Meta Ads and Google Ads on your behalf using the permissions you granted
To fetch and display your ad performance data in Claude (via MCP) and Looker Studio (via our connector)
To send transactional emails (account confirmation, password reset)
To investigate security incidents and maintain service reliability

We do not: sell your data, use your ad data for advertising or profiling, share it with other users, or use it to train AI models.

4. Data Sharing

We share data only with the following sub-processors, solely to deliver the service:

Supabase — database and authentication (data stored encrypted in their infrastructure)
Render — server hosting (processes data to serve API requests)
Meta (Facebook) — we call Meta's Marketing API on your behalf using your access token
Google — we call Google Ads API on your behalf using your access token

We do not share your data with any other third parties. We do not sell data. We do not disclose data unless required by law.

5. Data Retention

Account & tokens — retained until you delete your account or disconnect the platform
Ad performance data — not stored; fetched live on each request
Server logs — retained for up to 30 days, then automatically deleted
Looker Studio auth codes — single-use codes deleted immediately after exchange; expire after 5 minutes if unused

6. Data Deletion

You can delete your data at any time:

Disconnect a platform — click "Disconnect" on your dashboard. Your access token is deleted immediately from our systems.
Delete your account — email support@syncmetrics.io. All your data will be permanently deleted within 7 days.
Via Meta (deauthorize) — removing SyncMetrics from your Facebook App Settings automatically triggers our deauthorize callback (POST /deauthorize), which deletes your Meta access token from our systems immediately.
Via Meta (full data deletion) — submitting a data deletion request through Facebook triggers our data deletion callback (POST /data-deletion), which deletes your Meta token and all associated account settings. You can verify deletion status at syncmetrics.io/data-deletion.
Via Google — revoking access from your Google Account Permissions page. Email us to confirm full deletion.

7. Security

All access tokens encrypted at rest with AES-256 (Fernet)
All data transmitted over HTTPS/TLS
Database Row Level Security (RLS) prevents any cross-user data access
Ad performance data is never persisted — no risk of data breach for your campaign data
OAuth state parameters and auth codes verified to prevent CSRF attacks

8. Cookies

We use only essential session cookies required for authentication. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

9. Children's Privacy

SyncMetrics is not directed at children under 16. We do not knowingly collect personal data from children.

10. Your Rights

You have the right to:

Access — request a copy of the personal data we hold about you
Correction — request correction of inaccurate data
Deletion — request deletion of your data (see Section 6)
Portability — request your data in a machine-readable format
Withdraw consent — disconnect any platform at any time from your dashboard

To exercise these rights, email support@syncmetrics.io.

11. Changes to This Policy

We may update this policy. We will notify you by updating the "Effective date" above and, for material changes, by email. Continued use of the service after changes constitutes acceptance.

12. Contact

Questions or concerns about this policy:
📧 support@syncmetrics.io
🌐 syncmetrics.io