Privacy Policy

Last updated: January 2025

OfferArc ("we", "our", or "us") operates the OfferArc platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Organization information
  • Authentication credentials (managed securely by Clerk)
  • Profile information you choose to provide

Campaign and Ad Data

When you use our platform, we collect:

  • Campaign names, descriptions, and configurations
  • Ad copy, media files, and targeting information
  • Performance metrics and analytics data
  • AI-generated content and prompts

Facebook Ads Integration

If you connect your Facebook Ads account:

  • System User access tokens (encrypted and stored securely)
  • Ad account IDs and Business Manager information
  • Campaign performance metrics synced from Facebook

Usage Information

We automatically collect:

  • Device information (browser, operating system)
  • Log data (IP address, access times, pages viewed)
  • Usage analytics through Vercel Analytics
  • Performance and error monitoring data

How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our services
  • Create and manage your account
  • Generate AI-powered ad copy and campaign suggestions
  • Publish campaigns to your Facebook Ads account (when authorized)
  • Send transactional emails (account notifications, password resets)
  • Process background jobs for image generation and bulk operations
  • Analyze usage patterns and improve user experience
  • Comply with legal obligations and enforce our Terms of Service

Data Storage and Security

Storage Locations

  • Database: PostgreSQL (hosted on Neon or compatible provider)
  • Media Files: Vercel Blob Storage (or optional Cloudflare R2/AWS S3)
  • Authentication: Clerk (SOC 2 Type II compliant)

Security Measures

We implement industry-standard security practices:

  • All data transmitted over encrypted HTTPS/TLS connections
  • Facebook access tokens encrypted using AES-256-GCM
  • Role-based access controls for organization data
  • Regular security updates and monitoring
  • Secure password policies enforced by Clerk

Third-Party Services

We integrate with the following third-party services:

Authentication and User Management

  • Clerk: Authentication, user management, and organization features

AI and Content Generation

  • Vercel AI SDK: AI-powered ad copy generation and content improvement
  • Google Gemini: Image generation for campaigns

Advertising Platforms

  • Facebook Marketing API: Publishing campaigns to Facebook Ads (when you connect your account)

Infrastructure and Services

  • Vercel: Hosting, analytics, and blob storage
  • Trigger.dev: Background job processing
  • Resend: Transactional email delivery
  • Neon (or compatible): PostgreSQL database hosting

Each of these services has its own privacy policy and security practices. We recommend reviewing their policies if you have concerns about specific services.

Data Retention

We retain your information for as long as:

  • Your account remains active
  • Necessary to provide our services
  • Required to comply with legal obligations
  • Necessary to resolve disputes and enforce our agreements

You may delete your account at any time, which will remove your personal information from our active databases. Some information may be retained in backups for a limited period.

Your Rights and Choices

Access and Correction

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Update your profile and preferences
  • Export your campaign and ad data

Data Deletion

You can request deletion of:

  • Your account and associated data
  • Specific campaigns or ads
  • Connected Facebook Ads integration

Communication Preferences

You can control:

  • Email notification settings
  • Marketing communications (if applicable)

Children's Privacy

Our service is not intended for users under the age of 18. We do not knowingly collect information from children under 18. If you believe we have collected information from a child, please contact us immediately.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

Contact Us

If you have questions or concerns about this Privacy Policy, please contact us at:

GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights:

  • Right to access your data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

Our legal basis for processing your data includes:

  • Consent: When you authorize Facebook Ads integration
  • Contract: To provide our services to you
  • Legitimate interests: To improve our services and prevent fraud
  • Legal obligations: To comply with applicable laws

CCPA Compliance (California Users)

California residents have the right to:

  • Know what personal information is collected
  • Know whether personal information is sold or disclosed
  • Access their personal information
  • Request deletion of personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Not be discriminated against for exercising CCPA rights