Privacy Policy

Plain language.
No surprises.

We wrote this to be readable, not to be airtight. You should be able to understand exactly what data we collect, why we collect it, how long we keep it, and what rights you have — without a law degree.

Last updated: March 2025  ·  Effective immediately
01
Privacy at a Glance

Before anything else — the short version. This is what actually matters about how AdLeakIQ handles your data.

We collect only what we need to run your audit and deliver results.
We connect to your ad accounts with read-only API tokens. We cannot make changes without your explicit approval.
We never sell your data. Not to advertisers, not to data brokers, not to anyone.
We never use your account data to train AI models or benchmark other clients.
Account data is deleted when your engagement closes. Contact data is deleted within 30 days of close or on request.
You can request deletion of your data at any time by emailing privacy@adleakiq.com.
We do not run retargeting ads against visitors to this website.
We do not share audit findings or business performance data with any third party without your written consent.
The Core Commitment

Your data exists to serve your audit. The moment it stops serving that purpose, it gets deleted. We have no interest in accumulating data about your business beyond what's necessary to find and verify waste in your ad accounts.

02
What We Collect

We collect data in three contexts: when you submit an audit request, when you connect your ad accounts, and when you use this website. Here's exactly what that means.

1. Audit Request Information

When you submit a free audit request, we collect your first name, last name, work email address, company name, website URL, the platforms you run ads on, your monthly spend range, your role, and any optional context you provide in the free-text field. This information is used to deliver your Leak Map, send the API connection guide, and follow up during the engagement.

2. Ad Account Performance Data

When you connect your ad accounts, our audit engine reads campaign performance data from the platforms you authorize. This includes spend, ROAS, CPM, CTR, audience definitions, frequency metrics, keyword performance, organic rankings from Google Search Console, aggregated Shopify revenue and conversion data, and GA4 session aggregates. We access aggregated performance data only — we never read individual customer orders, customer names, email addresses, or any personally identifiable information about your end customers.

3. Website Usage Data

When you visit adleakiq.com, we collect standard server log data — IP address, browser type, referring URL, pages visited, and time on site. This data is used for basic analytics and security monitoring only. We do not build behavioral profiles of website visitors or use this data for advertising.

What We Do Not Collect

We do not collect payment information (handled by Stripe). We do not collect your customers' personal data. We do not collect social security numbers, government ID numbers, or financial account credentials. We do not access the billing sections of any connected ad platform.

03
How We Use It

We use your data for four purposes, and only these four purposes.

Delivering Your Audit
Ad account data is used exclusively to identify waste patterns, generate the Leak Map report, run geo-holdout measurement, and calculate the verified savings figure. This is the primary and predominant use of all data we collect from connected accounts.
Engagement Communication
Your name and email are used to send the Leak Map, the API connection guide, fix approval requests, implementation updates, Monthly Recovery Reports, and invoices. We do not add you to unrelated marketing lists or newsletters without your explicit opt-in.
Billing Verification
Monthly Recovery Reports retain the verified savings calculation — the geo-holdout delta, Revenue Health Multiplier applied, and Seasonal Index — for 12 months as a record supporting the invoice. This is required for accounting and dispute resolution purposes.
Security & Fraud Prevention
Website log data and access logs are used to detect unauthorized access, monitor API token usage, and ensure the Security Sentinel can flag any scope drift or anomalous behavior in connected accounts.
We Never Use Your Data For

Training AI models · Building advertising profiles · Benchmarking your account against other clients · Selling or licensing to third parties · Retargeting you on other platforms · Any purpose not listed above.

04
Who We Share With

We share data with a small number of infrastructure providers that are necessary to operate the service. We do not share with advertisers, data brokers, or analytics platforms that would use your data for their own purposes.

AWS (Amazon Web Services)
Our cloud infrastructure provider. API tokens are stored in AWS Secrets Manager. Monthly Recovery Reports are archived in encrypted S3 storage. AWS processes data under their BAA and DPA, with encryption at rest and in transit. AWS does not have access to the content of secrets stored in Secrets Manager.
Anthropic
Our AI model provider. Audit analysis and scoring is performed using Claude via the Anthropic API. Data passed to the model includes structured performance metrics — never raw credentials, customer PII, or identifiable company names in production. Anthropic's API usage policy prohibits using submitted data to train their models without consent.
Stripe
Payment processing for invoices. We pass your company name and email to Stripe to generate invoices. Stripe handles all payment card data directly — we never receive or store payment card numbers. Stripe is PCI DSS Level 1 certified.
DocuSign
Electronic signature for Recovery Engagement Letters and NDAs. Name and email are passed to DocuSign to generate and deliver signature requests. Signed documents are stored in your DocuSign account and ours.

We may also disclose data if required by law — for example, in response to a valid court order or subpoena. In those cases, we will notify you before disclosure if legally permitted to do so.

Business Transfers

If AdLeakIQ is acquired or merges with another company, your data may transfer to the new entity. We will provide at least 30 days' notice before any such transfer, and you will have the right to request deletion of your data before the transfer occurs.

05
How Long We Keep It

Every data type has a defined retention period. Nothing is kept indefinitely. Here's the full schedule.

Ad platform performance data
Processed in memory only during the audit cycle. Not written to persistent storage. Cleared on process completion. Retention: zero — not persisted.
Shopify revenue aggregates
Retained in encrypted storage for 30 days after the geo-holdout measurement period closes, to support any dispute about the verified savings figure. Automatically deleted at the 30-day mark. Retention: 30 days post-measurement.
Monthly Recovery Reports and invoices
Retained for 12 months as financial records supporting each invoice issued. Required for accounting compliance and dispute resolution. Securely deleted at 12 months unless you request earlier deletion. Retention: 12 months.
API tokens and credentials
Active only for the duration of the engagement. Revoked and deleted from AWS Secrets Manager within 24 hours of engagement close. Revocation confirmation sent by email. Retention: active engagement only.
Contact and company information
Retained for the duration of the engagement plus 30 days. Deleted on request at any time. Deleted automatically 30 days after engagement close if no deletion request has been received. Retention: engagement + 30 days.
Website log data
Standard server logs retained for 90 days for security monitoring purposes. Not used for any analytics beyond basic traffic measurement. Automatically rotated at 90 days. Retention: 90 days.
06
Your Rights

You have the following rights with respect to your personal data. These apply regardless of where you're located — we don't selectively honor privacy rights based on geography.

Right to Access
You can request a copy of all personal data we hold about you at any time. We'll respond within 30 days.
Right to Deletion
You can request deletion of your data at any time. We'll confirm deletion within 14 days, subject to legal retention requirements for invoices.
Right to Correction
If any information we hold about you is inaccurate, you can request a correction and we'll update it within 7 days.
Right to Restrict Processing
You can ask us to stop processing your data while keeping it on file — for example, during a dispute about its accuracy.
Right to Portability
You can request your data in a structured, machine-readable format (JSON or CSV) at any time.
Right to Object
You can object to any processing of your data that isn't strictly necessary to deliver the service you requested.

To exercise any of these rights, email privacy@adleakiq.com with your request. We do not require you to create an account or jump through verification hoops — a simple email from the address associated with your engagement is sufficient. We'll respond within 30 days.

California Residents (CCPA)

California residents have additional rights under CCPA, including the right to know what personal information is sold or disclosed (we don't sell or disclose it), and the right to opt out of the sale of personal information (there is nothing to opt out of). If you have CCPA-specific questions, email privacy@adleakiq.com.

EEA / UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have rights under GDPR including the right to lodge a complaint with your local supervisory authority. Our lawful basis for processing contact information is contractual necessity. Our lawful basis for processing ad account data is contractual necessity and legitimate interests (providing the service you requested). We do not transfer EEA/UK personal data to countries without adequate data protection unless standard contractual clauses are in place.

07
Cookies

We use cookies minimally and only for functional purposes. Here's the complete list.

Session cookie (functional)
Used to maintain your state on the audit request form across steps. Contains no personal data — only a session token. Expires when you close your browser. Cannot be disabled without breaking the form.
Security cookie (functional)
CSRF protection token used to prevent cross-site request forgery on form submissions. Contains no personal data. Required for security. Expires with session.
What We Don't Use

No advertising cookies. No third-party tracking pixels. No Google Analytics. No Meta Pixel. No retargeting cookies of any kind. We do not track you across other websites after you leave adleakiq.com.

08
Children's Privacy

AdLeakIQ is a B2B service intended for business operators and marketing professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us at privacy@adleakiq.com and we will delete it immediately.

09
Policy Changes

If we make material changes to this policy — changes that meaningfully affect how we collect, use, or share your data — we will notify active clients by email at least 30 days before the changes take effect. Non-material changes (typos, clarifications, formatting) will be updated without notice.

The "Last Updated" date at the top of this page reflects when the policy was last changed. You can always find the current version at adleakiq.com/privacy.

10
Contact Us

Privacy questions, data access requests, deletion requests, and anything else related to this policy should go to:

AdLeakIQ Privacy

Email: privacy@adleakiq.com
Response time: within 30 days for formal requests, within 2 business days for general questions.

For security-specific concerns, contact security@adleakiq.com.
For billing questions, contact billing@adleakiq.com.