Privacy Policy

1. Introduction

Orchestra ADS ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketing automation and advertising management platform.

By using Orchestra ADS, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Name and email address
• Password (encrypted)
• Profile information
• Billing information (processed securely via Stripe)

2.2 Social Media Account Data

When you connect your social media accounts for content publishing, we collect:

• Facebook Pages: Page ID, name, profile picture, and access tokens for publishing
• Instagram Business: Account ID, username, profile picture, follower count, and access tokens for publishing

We only request the minimum permissions necessary to provide our services. Access tokens are encrypted at rest using AES-256-GCM encryption.

2.3 Meta (Facebook) Advertising Data

When you connect your Meta Ads account, we request the following permissions and collect the associated data:

• ads_management: Allows us to create, edit, and manage ad campaigns, ad sets, and ads on your behalf within your Meta ad accounts
• ads_read: Allows us to read your ad campaign performance data, including impressions, clicks, spend, conversions, and other ad metrics
• business_management: Allows us to access the list of ad accounts available to you in your Meta Business Manager

Specifically, the Meta advertising data we collect and store includes:

• Ad account IDs, names, currencies, and timezone settings
• Campaign, ad set, and ad names, statuses, budgets, and configurations
• Ad performance metrics (impressions, clicks, spend, CTR, CPC, conversions, conversion values)
• Targeting configurations (geographic, demographic, interest-based)
• Access tokens and refresh tokens (encrypted at rest)

We do not collect or store personal data about the individuals who see or interact with your ads (ad viewers/clickers). We only access aggregate performance metrics.

2.4 Google Ads Data

When you connect your Google Ads account, we access and collect:

• Google Ads customer/account IDs, names, and currency settings
• Campaign, ad group, and ad configurations (names, statuses, budgets, bidding strategies)
• Keyword lists and match types
• Ad performance metrics (impressions, clicks, spend, conversions, conversion values, CTR, CPC)
• Geographic targeting settings
• OAuth access tokens and refresh tokens (encrypted at rest)

We do not collect or store personal data about individuals who see or click on your ads. We only access aggregate campaign performance data.

2.5 Content and Media

We store content you create or upload, including:

• Images and videos you upload
• Marketing copy, headlines, and ad descriptions
• Campaign configurations and creative assets
• Content generated using AI tools

2.6 Landing Page Data

When you provide a landing page URL for ad campaign planning, we may fetch and analyze publicly available content from that page (page title, headings, descriptions, calls-to-action) to generate relevant ad copy and targeting suggestions. This data is cached temporarily and not shared with third parties.

2.7 Usage Data

We automatically collect:

• Log data (IP address, browser type, pages visited)
• Device information
• Feature usage analytics

2.8 Mobile App Analytics and SDKs

Our iOS mobile application integrates the following third-party SDKs to provide core functionality and measure app performance:

• Meta (Facebook) SDK: We use the Meta SDK (FBSDKCoreKit) to measure app install attribution and in-app events (such as sign-ups) for advertising campaign optimization. This SDK may collect your device's advertising identifier (IDFA, subject to your App Tracking Transparency consent), app events, and anonymized usage data. This data is shared with Meta to measure the effectiveness of advertising campaigns. See Meta Privacy Policy.
• Google Firebase (Analytics): We use Firebase Analytics to collect anonymized app usage data including screen views, session duration, crash reports, and in-app events. This data helps us improve app stability and user experience. Firebase may collect your device's advertising identifier (IDFA, subject to your consent), app instance ID, and anonymized device information. See Firebase Privacy Information and Google Privacy Policy.

On iOS 14.5 and later, we request your consent via Apple's App Tracking Transparency (ATT) framework before any cross-app tracking occurs. You may decline this request, and the app will continue to function normally. You can change your tracking preference at any time in your device's Settings → Privacy & Security → Tracking.

3. How We Use Your Information

We use your information to:

• Provide and maintain our services
• Publish content to your connected social media accounts on your behalf
• Create, manage, and optimize advertising campaigns on Meta and Google Ads on your behalf
• Display your ad campaign performance metrics and analytics within the platform
• Generate AI-powered ad copy, headlines, descriptions, and targeting recommendations
• Provide campaign optimization suggestions based on your ad performance data
• Process payments and manage subscriptions
• Send service-related communications
• Improve our platform and develop new features
• Detect and prevent fraud or abuse
• Comply with legal obligations

3.1 How We Use Advertising Data

Your Meta Ads and Google Ads data is used exclusively to:

• Display your ad accounts and let you choose which accounts to manage
• Create and launch ad campaigns, ad sets/groups, and ads based on your instructions
• Monitor and display campaign performance metrics in your dashboard
• Generate optimization recommendations (e.g., budget adjustments, pausing underperforming ads)
• Apply approved optimizations to your campaigns via platform APIs

We do not use your advertising data to target ads to you, build advertising profiles, or for any purpose unrelated to providing the Orchestra ADS service.

4. Data Sharing and Disclosure

We do not sell your personal information or advertising data. We may share data with:

• Service Providers: Third parties that help us operate our platform (Stripe for payments, Clerk for authentication, cloud hosting providers)
• Meta Platforms: We send campaign creation and management requests to Meta's Marketing API on your behalf. This includes ad creative content, targeting parameters, and budget settings that you configure in Orchestra ADS.
• Google Ads: We send campaign creation and management requests to the Google Ads API on your behalf. This includes ad content, keywords, targeting settings, and budget configurations that you set up in Orchestra ADS.
• AI Service Providers: We may send anonymized landing page content and campaign context to AI providers (OpenAI) to generate ad copy suggestions. No personal data or ad account credentials are shared with AI providers.
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets

We do not share your Meta Ads or Google Ads account data, access tokens, or performance metrics with any other advertisers, data brokers, or third parties for their own purposes.

5. Data Security

We implement industry-standard security measures including:

• Encryption of data in transit (TLS/SSL) and at rest
• AES-256-GCM encryption for all social media and advertising platform access tokens
• Secure storage of OAuth refresh tokens with encryption
• Regular security audits and updates
• Access controls and authentication (via Clerk)
• Automatic token refresh and secure rotation
• Separation of advertising credentials from general application data

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

• Account data: Retained while your account is active and for 30 days after deletion request
• Access tokens: Retained while the platform connection is active. Immediately deleted upon disconnection.
• Ad performance metrics: Retained while your account is active to provide historical analytics. Deleted upon account deletion.
• Campaign configurations: Retained while your account is active. Deleted upon account deletion.
• Landing page cache: Temporarily cached for up to 30 minutes, then automatically purged
• Transaction records: Retained as required by tax and accounting regulations

When you disconnect a social media or advertising account, we immediately revoke and delete the associated access tokens and refresh tokens.

7. Your Rights

You have the right to:

• Access: Request a copy of your personal data, including advertising account data we store
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your data (see Section 8)
• Portability: Receive your data in a portable format
• Withdraw Consent: Disconnect social media and advertising accounts or close your account at any time
• Restrict Processing: Request that we limit how we use your data
• Object: Object to certain types of data processing

To exercise any of these rights, contact us at support@orchestra-ads.ai. We will respond within 30 days.

8. Data Deletion

To request deletion of your data:

1. Go to Account Settings → Data & Privacy
2. Click "Delete My Data" or "Delete Account"
3. Confirm your request

Alternatively, email us at support@orchestra-ads.ai with your deletion request.

When you delete your account, we will:

• Delete all stored access tokens and refresh tokens for connected advertising and social media platforms
• Delete all stored ad account data, campaign configurations, and performance metrics
• Delete all uploaded media, content, and AI-generated assets
• Delete your profile and account information
• Remove all data from active systems within 30 days

You can also delete specific platform data without deleting your entire account by disconnecting the platform from Account → Ads Connections. This immediately deletes all tokens and account data for that platform.

Some data may be retained for legal or legitimate business purposes (e.g., transaction records for tax compliance). Backup systems may take up to 90 days to fully purge deleted data.

9. Cookies, Tracking, and Mobile Identifiers

We use essential cookies for authentication and session management. We may also use analytics cookies to improve our service. You can manage cookie preferences in your browser settings.

In our iOS mobile application, the Meta SDK and Firebase Analytics SDK may access your device's advertising identifier (IDFA) to measure install attribution and app events. Access to the IDFA requires your explicit consent via Apple's App Tracking Transparency prompt. If you decline, these SDKs will still function using anonymized, non-cross-app data only.

10. Third-Party Services

Our platform integrates with the following third-party services:

• Meta (Facebook/Instagram) — Social Publishing: For publishing content to your Facebook Pages and Instagram Business accounts. See Meta Privacy Policy
• Meta (Facebook) — Advertising: For creating and managing ad campaigns via the Meta Marketing API, and reading ad performance data. Your use of Meta Ads through Orchestra ADS is also subject to Meta Terms of Service and Meta Advertising Policies
• Google Ads: For creating and managing search ad campaigns via the Google Ads API, and reading ad performance data. Your use of Google Ads through Orchestra ADS is also subject to Google Privacy Policy and Google Ads Terms
• Stripe: For payment processing. See Stripe Privacy Policy
• Clerk: For authentication. See Clerk Privacy Policy
• OpenAI: For AI-powered ad copy generation. No personal data or advertising credentials are shared with OpenAI. See OpenAI Privacy Policy
• Meta SDK (iOS App): For measuring app install attribution and in-app conversion events for advertising campaign optimization. See Meta Privacy Policy
• Google Firebase (iOS App): For app analytics, crash reporting, and performance monitoring. See Firebase Privacy and Google Privacy Policy

11. Google API Services — Limited Use Disclosure

Orchestra ADS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Orchestra ADS:

• Only uses Google Ads data to provide and improve the advertising management features you see in the Orchestra ADS platform
• Does not transfer Google Ads data to third parties unless necessary to provide the service, required by law, or with your explicit consent
• Does not use Google Ads data to serve advertisements
• Does not use Google Ads data to build user profiles for advertising or marketing purposes
• Does not sell Google Ads data to data brokers or any third party
• Allows you to revoke access at any time by disconnecting your Google Ads account from Orchestra ADS

Human access to Google Ads data is limited to debugging and support purposes, and only when you request assistance.

12. Meta Platform Terms Compliance

Orchestra ADS complies with the Meta Platform Terms and Developer Policies. With respect to data obtained via the Meta Marketing API:

• We only access Meta Ads data with your explicit authorization via the OAuth consent flow
• We request only the minimum permissions necessary to provide the advertising management service
• You can select which ad accounts to connect and manage
• We do not share your Meta Ads data with other advertisers or third parties for their own use
• We do not use Meta Ads data for purposes unrelated to providing the Orchestra ADS service
• We delete all Meta Ads data associated with your account upon your request or account deletion
• You can revoke access at any time by disconnecting your Meta Ads account or revoking access in your Facebook Settings under Apps and Websites

13. Advertising Data and Consent

By connecting your Meta Ads or Google Ads account to Orchestra ADS, you consent to:

• Orchestra ADS accessing your ad account data as described in Section 2
• Orchestra ADS creating and managing ad campaigns on your behalf based on your instructions
• Orchestra ADS reading and displaying your ad performance metrics
• Orchestra ADS storing your encrypted access tokens to maintain the connection

You can withdraw this consent at any time by:

• Disconnecting the advertising account from Orchestra ADS (Account → Ads Connections → Disconnect)
• Revoking app access in the respective platform settings (Facebook Settings → Apps and Websites, or Google Account → Security → Third-party apps)
• Requesting full data deletion by contacting us at support@orchestra-ads.ai

14. Children's Privacy

Orchestra ADS is not intended for users under 18 years of age. We do not knowingly collect information from children.

15. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses (SCCs) for transfers outside the EEA
• Data processing agreements with all sub-processors
• Encryption of data in transit and at rest

16. GDPR and EU User Rights

If you are a resident of the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis: We process your data based on your consent (connecting ad accounts), contractual necessity (providing the service), and legitimate interest (improving our platform)
• Data Controller: Orchestra ADS is the data controller for data collected through our platform
• DPA: You may request a Data Processing Agreement by contacting us
• Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the platform. Your continued use after changes constitutes acceptance. The "Last updated" date at the top of this page indicates when the policy was last revised.