Neo ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at neo-ads.app, our web application at web.neo-ads.app, and all related services (collectively, the "Service"). Please read this policy carefully. By using the Service, you consent to the practices described herein.
01 Information We Collect
1.1 Account Information
When you register for an account, we collect:
- Full name and email address.
- Password (stored in hashed form; we never store plaintext passwords).
- Organization name and role within your organization (owner, admin, or member).
- Billing and payment information (processed and stored by our payment processor; we do not store full credit card numbers).
1.2 Advertising Platform Data
When you connect your advertising accounts (currently Meta Ads), we access and store:
- Ad account identifiers and names.
- Campaign, ad set, and ad structures, configurations, and statuses.
- Performance metrics including impressions, clicks, conversions, spend, revenue, CPA, ROAS, CTR, and CPM.
- Audience targeting information associated with your campaigns.
- Creative assets linked to your ads (images, videos, copy text).
- Historical performance data for trend analysis and reporting.
1.3 User-Generated Content
We store content you create or upload through the Service, including:
- Creative assets uploaded for ad generation (images, videos, logos, brand materials).
- Business context information you provide (business description, target audience, value propositions).
- Threshold and rule configurations.
- Strategy plans and notes.
- Team invitations and communications initiated through the Service.
1.4 Usage and Technical Data
We automatically collect certain information when you use the Service:
- IP address and approximate geolocation.
- Browser type, version, and operating system.
- Pages visited, features used, and actions taken within the Service.
- Date, time, and duration of sessions.
- Referring URLs and search terms that led you to our site.
- Device identifiers and screen resolution.
1.5 AI Interaction Data
When the AI agent operates on your behalf, we log:
- Monitoring reports generated for your campaigns.
- Recommendations made and actions taken (e.g., pausing, scaling, budget adjustments).
- Decision audit trails including timestamps, reasoning, and outcomes.
- Prompts and parameters used in creative generation.
02 How We Use Your Information
We use the information we collect for the following purposes:
| Purpose |
Data Used |
| Provide the Service |
Account info, ad platform data, user content |
| AI monitoring & optimization |
Ad platform data, threshold rules, business context |
| Generate creative assets |
Uploaded assets, business context, template parameters |
| Send reports & notifications |
Email address, campaign performance data |
| Process payments |
Billing information, subscription tier |
| Improve the Service |
Usage data, aggregated performance metrics |
| Ensure security |
IP addresses, session data, authentication logs |
| Communicate with you |
Email address, account preferences |
| Comply with legal obligations |
As required by applicable law |
03 AI Processing of Your Data
A core component of Neo is the use of artificial intelligence to analyze and act on your advertising data. It is important that you understand how this works:
- Data Analysis: Your campaign performance data, business context, and configured thresholds are processed by AI models to generate insights, reports, and optimization recommendations.
- Third-Party AI Providers: We use OpenRouter to route AI requests to large language models. When processing your data, campaign metrics, business context, and relevant configuration are sent to these AI providers as part of structured prompts. These providers process the data according to their own privacy policies and data processing agreements.
- Automated Decision-Making: When AI auto-actions are enabled (Pro and Agency tiers), the AI agent may automatically modify your campaign settings based on your configured thresholds and rules. All automated actions are logged in the decision audit log for your review.
- Creative Generation: When generating ad creatives, your uploaded assets and provided parameters are processed through our rendering pipeline. AI may be used to suggest copy, layouts, or optimizations.
- Data Minimization: We transmit only the data necessary for each AI operation. We do not transmit your full account data for every AI interaction.
04 Third-Party Services
We share data with the following categories of third-party services to operate the platform:
| Service |
Purpose |
Data Shared |
| Meta (Facebook) |
Ad platform API integration |
API credentials, campaign management commands |
| OpenRouter |
AI model routing |
Campaign metrics, business context for AI analysis |
| UploadThing |
File storage and asset management |
Uploaded creative files, generated assets |
| Resend |
Transactional email delivery |
Email addresses, email content (invitations, reports) |
| Railway |
Infrastructure hosting |
All application data (hosted on their infrastructure) |
| Payment Processor |
Subscription billing |
Billing details, subscription status |
We require all third-party service providers to maintain appropriate security measures and to process data only as necessary to provide their services to us. We do not sell your personal information to third parties.
05 Data Retention
We retain your data as follows:
- Account Data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
- Campaign & Insights Data: Performance metrics and campaign data are retained for the duration of your account plus 90 days after deletion to allow for data export.
- AI Decision Logs: Audit logs of AI actions are retained for 12 months from the date of the action, or longer if required for dispute resolution.
- Creative Assets: Uploaded and generated creative files are retained for the duration of your account. Upon deletion, files are removed from storage within 30 days.
- Usage Logs: Technical and usage logs are retained for 12 months for security and analytical purposes.
- Billing Records: Payment and billing records are retained for 7 years as required by tax and financial regulations.
06 Cookies & Tracking Technologies
We use the following cookies and tracking technologies:
- Essential Cookies: Required for authentication (JWT tokens stored in localStorage) and core functionality. These cannot be disabled without affecting the Service.
- Analytical Cookies: Used to understand how you interact with the Service, including page views and feature usage. These help us improve the platform.
- Preference Cookies: Store your settings and preferences (such as theme and dashboard layout) for a better user experience.
We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings, though disabling essential cookies may impair functionality.
07 Your Rights
7.1 General Rights
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Export: Request your data in a portable, machine-readable format.
- Objection: Object to certain processing of your personal data.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
7.2 European Economic Area (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on: (a) your consent, (b) performance of our contract with you, (c) our legitimate interests (such as platform improvement and security), or (d) legal obligations.
- Data Portability: You may request transfer of your data to another service provider in a structured, commonly used format.
- Restriction: You may request restriction of processing while we verify accuracy or assess an objection.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.
- International Transfers: Your data may be transferred to and processed in the United States. We implement appropriate safeguards, including standard contractual clauses, to protect your data during international transfers.
7.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: You may request details about the categories and specific pieces of personal information we collect, the purposes of collection, and the categories of third parties with whom we share data.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt Out: We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Categories of Information: We collect identifiers, commercial information (subscription data), internet activity (usage data), and professional information (business context). We do not collect sensitive personal information as defined by the CPRA.
To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).
08 Security Measures
We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL. Database connections are encrypted in transit.
- Authentication: JWT-based authentication with secure token handling. Passwords are hashed using industry-standard algorithms before storage.
- Access Control: Role-based access controls ensure team members only access data appropriate to their role. All API endpoints are authenticated and authorized.
- Infrastructure: Our application is hosted on Railway with managed PostgreSQL and Redis instances that include automated backups and security patches.
- Data Isolation: Multi-tenant architecture with organization-level data scoping ensures your data is logically isolated from other customers' data.
- Monitoring: We monitor for security incidents and unauthorized access attempts.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users in the event of a data breach as required by applicable law.
09 Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].
10 International Data Transfers
Neo is based in the United States, and our primary data processing occurs in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers, including:
- Standard Contractual Clauses approved by the European Commission.
- Data processing agreements with all sub-processors.
- Regular assessment of the legal frameworks in recipient countries.
11 Do Not Track Signals
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. Since there is no accepted standard for how to respond to DNT signals, we do not currently respond to them. However, we do not engage in cross-site tracking of our users.
12 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Notify you by email or through a prominent notice in the Service at least 30 days before changes take effect.
- Where required by law, obtain your consent before implementing material changes.
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
13 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For data protection inquiries from the European Economic Area, you may also contact our designated representative at the email address above. We will respond to all privacy-related inquiries within 30 days.