Privacy Policy
Last updated: November 2, 2025 | Effective: November 2, 2025
The short version: We don't sell your data. We don't do anything sketchy with your data. We're building a tool for ourselves and people like us, not a surveillance capitalism machine.
🌍 GDPR/CCPA Summary
Your Rights: Access your data, export it, delete it, or opt-out anytime. We process data based on your consent and our contract with you. We're the data controller for your account, and the data processor for your advertising data.
1. Who We Are
Data Controller: Mixed Strategy LLC (DBA ROAS Reports)
ELI5: "Data controller" means we're responsible for your account info (email, name, etc.). "Data processor" means we only process your advertising data on your behalf—you're the boss of that data.
Contact for Privacy Questions: privacy@roasreports.com
2. What We Collect
Account Information
- What: Email address, full name, organization details
- Why: To create and manage your account, send important updates
- Legal Basis (GDPR): Contract with you (Article 6(1)(b))
Advertising Platform Data
- What: Performance metrics from Google Ads, Meta Ads, etc. (spend, ROAS, conversions)
- Why: To show you reporting and analytics—literally the whole point of the product
- Legal Basis (GDPR): Contract with you (Article 6(1)(b))
- ELI5: We fetch your ad data from platforms using OAuth (no passwords) and display it in dashboards
Usage Analytics (Marketing Site Only)
- What: Page views, button clicks, time on site via Google Analytics
- Where: Public marketing pages only (NOT inside the authenticated app)
- Why: To understand which features people care about and improve the product
- Legal Basis (GDPR): Legitimate interest (Article 6(1)(f)); the analytics cookies themselves are only set after you accept them in the cookie banner
- ELI5: We use Google Analytics on our marketing site to see if people like the "Features" page more than the "Pricing" page. We DON'T track what you do inside the app with your data—that's none of our business.
Technical & Security Logs
- What: IP addresses, browser info, request logs, security events
- Why: Security, debugging, preventing abuse, legal compliance
- Legal Basis (GDPR): Legitimate interest (Article 6(1)(f))
- Retention: 90 days for security logs, 30 days for API logs
3. What We DON'T Do
- ❌ Sell your data to third parties (ever)
- ❌ Share your advertising data with anyone except you and your team members
- ❌ Use your data to train AI models or sell to data brokers
- ❌ Track you across the internet with creepy retargeting pixels
- ❌ Send your information to "partners" without your explicit permission
- ❌ Use marketing cookies inside the authenticated app (only on public marketing site)
4. How We Protect Your Data
OAuth (No Passwords): All platform connections use OAuth 2.0. We receive a scoped access token from the platform, which means we never see your Google Ads or Meta passwords.
Encryption at Rest: OAuth tokens are encrypted with AES-256-GCM before being stored in the database. GCM is an authenticated encryption mode, so a stored token that has been altered fails to decrypt instead of silently returning garbage.
Encryption in Transit: All data transmitted between you and our servers uses HTTPS/TLS encryption.
Access Controls: Row-Level Security (RLS) policies in the database restrict every query to rows belonging to your own organization, so other customers can never see your data. Our team does not access your data without your permission.
Security Monitoring: We log security events, rate limit API requests, use bot protection (Cloudflare Turnstile), and reject passwords that appear in known breaches (checked against HaveIBeenPwned).
ELI5: We use industry-standard security because getting hacked would be embarrassing for everyone. See our Security page for nerdy details.
5. Who We Share Data With
Service Providers (Data Processors)
We use third-party services to run the product. They process data on our behalf under strict contracts:
- Supabase (Database & Auth): Stores your account data and advertising metrics (US-based)
- Vercel (Hosting): Hosts the application (US-based)
- Upstash (Redis): Rate limiting and caching (US-based)
- Resend (Email): Sends transactional emails (US-based)
- Google Analytics: Website analytics on marketing site only (US-based, covered by Google's DPA)
Data Processing Agreements: All vendors have GDPR-compliant DPAs and use Standard Contractual Clauses (SCCs) for international transfers.
Your Team Members
If you invite team members to your organization, they can see the data you explicitly share with them (based on their role: owner, admin, member).
Legal Requirements
We'll only share data if legally required (court order, subpoena, national security request). If possible, we'll notify you first unless prohibited by law.
6. International Data Transfers
Where Your Data Lives: Our servers are in the United States (Vercel, Supabase).
For EU/UK Users: We use Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR compliance when transferring data to the US.
ELI5: If you're in Europe, your data crosses the ocean to US servers, but we have legal contracts that require it to be protected on those servers to a standard equivalent to GDPR.
7. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account + 30 days |
| Advertising platform data | Until you disconnect the platform or delete your account |
| API logs | 30 days |
| Security audit logs | 90 days |
| Analytics cookies (GA) | Up to 26 months (Google's default) |
After Deletion: We may retain anonymized/aggregated data for analytics (e.g., "50 users connected Google Ads in October"), but this can never identify you.
8. Your Rights (GDPR & CCPA)
Rights for Everyone
- Access: Request a copy of all your data (coming soon: self-service export)
- Correction: Update your account info anytime in Settings
- Deletion: Delete your account and all associated data (coming soon: self-service deletion)
- Data Portability: Export your data in machine-readable format (JSON)
- Revoke Consent: Disconnect platforms, opt-out of cookies anytime
Additional Rights (GDPR - EU/UK/EEA)
- Right to Object: Object to processing based on legitimate interest
- Right to Restrict Processing: Limit how we use your data in certain circumstances
- Right to Lodge a Complaint: File a complaint with your local data protection authority
Additional Rights (CCPA - California Residents)
- Right to Know: What data we collect and why
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: We don't sell data, so this doesn't apply, but you have the right anyway
- Right to Non-Discrimination: We won't treat you differently for exercising your rights
How to Exercise Your Rights: Email privacy@roasreports.com with your request. We'll respond within 30 days (GDPR) or 45 days (CCPA).
9. Cookies & Tracking
We use cookies to keep you logged in and remember your preferences. On our public marketing site, we also use Google Analytics to understand how visitors use the site.
What We DON'T Use: No Facebook Pixel, no retargeting ads, no creepy cross-site tracking. The cookie consent banner gives you full control.
For Details: See our Cookie Policy.
10. Children's Privacy
ROAS Reports is not intended for anyone under 18. We don't knowingly collect data from children. If we discover we've collected data from a child, we'll delete it immediately.
11. Changes to This Policy
If we make changes to this privacy policy, we'll update the date at the top and notify you via email if it's something material (like changing how we use your data). We're not going to sneak in weird clauses hoping you won't notice.
Material Changes: 30 days' notice via email before the effective date.
12. Contact Us
Privacy Questions: privacy@roasreports.com
Security Issues: security@roasreports.com
General Support: support@roasreports.com
Mailing Address:
Mixed Strategy LLC
30 N Gould St Ste N
Sheridan, WY 82801
13. Data Protection Officer
We don't currently have a dedicated Data Protection Officer (DPO) as we're not required to under GDPR (small team, no large-scale processing of sensitive data). For privacy matters, contact privacy@roasreports.com.
⚖️ Legal Disclaimer: This privacy policy is designed to be GDPR and CCPA compliant, but we're a small team, not lawyers. Before public launch, we'll have this reviewed by an actual attorney who specializes in SaaS privacy law. The principles won't change though: your data is yours, and we're not going to be weird about it.