← Back to Creative First

Privacy Policy

Last updated: March 2026

1. What we collect

When you connect your Meta ad account, Creative First accesses:

  • Ad performance data — impressions, clicks, CTR, CPC, spend, frequency, conversions, and video retention metrics for your ads.
  • Ad creative data — ad names, copy text, images, and video thumbnails for AI analysis.
  • Account structure — campaign names, ad set names, optimization goals, and targeting settings.
  • Basic profile info — your Meta user ID and name (from OAuth).

We access this data read-only. We never modify your ads, budgets, or account settings.

2. How we use your data

  • AI analysis — your ad images and copy are sent to Google Gemini for creative scoring and recommendations. This data is processed in real-time and not stored by the AI provider.
  • Performance metrics — stored in our database (Supabase) to enable dashboard features, reports, and historical tracking.
  • Session cookie — an encrypted httpOnly cookie stores your Meta access token for the session (expires after 60 days).

3. Data storage & security

  • Data is stored on Supabase (hosted on AWS) with row-level security enabled.
  • API access requires authentication on every request.
  • Meta access tokens are stored in httpOnly, secure, sameSite cookies — never in JavaScript-accessible storage.
  • All API routes are rate-limited to prevent abuse.
  • We use HTTPS for all connections.

4. Data sharing

We do not sell, rent, or share your ad data with third parties, except:

  • Google Gemini — ad images and copy are sent for AI analysis. Google's API data usage policy applies.
  • Shared reports — if you create a share link, anyone with that link can view the report data for 30 days.

5. Data retention

  • Analysis data is stored as long as your account is active.
  • Shared reports expire after 30 days.
  • Session cookies expire after 60 days.
  • You can request deletion of all your data by contacting us.

6. Your rights (GDPR)

If you're in the EU/EEA, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Delete your data
  • Export your data
  • Withdraw consent at any time

To exercise these rights, contact us at the email below.

7. Cookies

We use the following cookies:

  • meta_session — authentication cookie (httpOnly, secure, 60-day expiry)
  • meta_oauth_state — CSRF protection during login (httpOnly, deleted after use)

We do not use analytics cookies, advertising cookies, or third-party tracking.

8. Contact

For privacy questions or data requests, email: privacy@creativefirst.ai