Privacy Policy
Last updated: February 13, 2026
1. Introduction
Welcome to aubado. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our website and services.
aubado is a SaaS platform that helps performance marketers manage their campaigns, budgets, and reporting. This policy applies to:
- Our marketing website at www.aubado.com
- Our application at app.aubado.com
- Any related services we provide
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Password (stored securely, never in plain text)
Connected Platform Data
When you connect advertising platforms through OAuth, we request read-only access to your account data. We only request the minimum permissions needed to display your performance metrics. We cannot modify your campaigns, change your settings, or spend your budget.
- Google Ads: Read-only access to campaign performance data, spend, and account structure
- Google Search Console: Read-only access to search performance data
- LinkedIn Ads: Read-only access to campaign metrics
Meta (Facebook) Ads Data
When you connect your Meta (Facebook) ad account, we request the ads_read and business_management permissions through Meta's OAuth flow. These are read-only permissions. We do not request ads_management or any permission that would allow us to create, edit, or delete your campaigns.
Data we access:
- Ad account name, ID, and currency
- Campaign names and IDs
- Performance metrics: spend, impressions, clicks, conversions (actions), cost per click, cost per thousand impressions, click-through rate, and cost per action
- Daily spend breakdowns for the date range you select
How we use this data:
- Displayed only to you, the authenticated account owner, within your aubado dashboard
- Used to calculate budget pacing, performance trends, and campaign summaries
- Never used for profiling, advertising, or any purpose beyond showing you your own data
How we store your credentials:
- Your Meta access token is encrypted at rest using AES-256-CBC before being stored in our database
- Tokens are decrypted only at the moment of an API request and are never exposed in client-side code or API responses
- All communication with Meta's API happens server-side over HTTPS
Caching and data retention:
- API responses are cached for up to 24 hours to reduce load on Meta's API and improve performance
- Cached data refreshes automatically each morning
- When you disconnect your Meta account, your cached data and stored tokens are deleted immediately
- If you delete your aubado account, all Meta data (tokens, cached responses, and account references) is permanently removed within 30 days
Third-party sharing:
We do not sell, share, or transfer your Meta Ads data to any third party. Your data is used solely to provide the aubado service to you.
Disconnecting your Meta account:
You can disconnect your Meta ad account at any time from your aubado settings. When you disconnect, we immediately delete your stored Meta access token and all cached Meta performance data from our systems. You can also revoke aubado's access directly from your Facebook Business Integrations settings.
Usage Data
We automatically collect:
- Pages you visit and features you use
- Time spent in the application
- Actions you take (creating reports, viewing dashboards)
Technical Data
We collect standard technical information:
- IP address
- Browser type and version
- Device type and operating system
- Referring website
3. How We Use Your Information
We use your information to:
- Provide our services: Display your marketing data, generate reports, and power dashboard features
- Improve the product: Understand how features are used so we can make them better
- Communicate with you: Send service updates, respond to support requests, and share product news (you can opt out)
- Ensure security: Detect and prevent fraud, abuse, and security issues
- Meet legal obligations: Comply with applicable laws and regulations
4. Legal Basis for Processing
Under GDPR, we process your data based on:
- Contract performance: Processing necessary to provide the services you signed up for
- Legitimate interests: Improving our services, ensuring security, and understanding usage patterns
- Consent: For marketing communications and optional analytics (you can withdraw consent at any time)
- Legal obligation: When required by law
5. Data Sharing
We do not sell your personal data. We share data only with:
Service Providers
- Supabase: Database hosting and authentication (EU-based)
- Vercel: Website and application hosting
- Google Analytics: Website analytics
- Sentry: Error tracking and performance monitoring
These providers process data on our behalf and are bound by data processing agreements.
Legal Requirements
We may disclose data if required by law, court order, or to protect our rights and safety.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
- Account data: Kept while your account is active
- Marketing performance data: Kept for the duration of your subscription
- Analytics data: Aggregated and anonymized after 26 months
- Deleted accounts: Personal data removed within 30 days of account deletion
Some data may be retained longer if required by law or for legitimate business purposes (like resolving disputes).
8. Your Rights
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restrict processing: Limit how we use your data
- Data portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent for processing based on consent
To exercise these rights, contact us at maxim@aubado.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
9. Data Security
We implement appropriate security measures to protect your data:
- Encryption in transit: All data transmitted using TLS 1.3
- Encryption at rest: Database encrypted using AES-256
- Row Level Security: Database policies ensure users can only access their own data
- Access controls: Strict access controls for internal systems
- Regular monitoring: Continuous monitoring for security threats
While we take security seriously, no system is completely secure. We encourage you to use strong passwords and keep your account credentials safe.
10. International Transfers
Your data is primarily processed within the European Union:
- Database: Hosted on Supabase in EU data centers
- Application hosting: Vercel with EU edge locations
Some service providers (like Google Analytics and Sentry) may process data outside the EU. These transfers are protected by appropriate safeguards including Standard Contractual Clauses.
11. Children's Privacy
aubado is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our website. The "Last updated" date at the top of this policy indicates when it was last revised.
13. Contact Us
If you have questions about this privacy policy or how we handle your data, contact us at:
- Email: maxim@aubado.com
- Website: www.aubado.com