TryAdCortex.com

Data Safety

We take the security and privacy of your data seriously. This page explains the technical and organizational measures we use to protect your information, how your advertising data is handled, and the controls you have over it.

Last updated: May 5, 2026 Contact: nicolas@mindfulconversion.com

1. Encryption & Data in Transit

All communication between your browser and AdCortex is encrypted using HTTPS/TLS. This applies to:

  • Every page load and API call within the app.
  • OAuth token exchanges with Google during account authorization.
  • Outbound requests from AdCortex servers to Google Ads APIs and other third-party services.

We do not serve any AdCortex page or endpoint over unencrypted HTTP in production.

2. Data at Rest

Your advertising data and account information are stored on Microsoft Azure infrastructure. Sensitive credentials — including OAuth tokens and service account keys — are stored using server-side protections and are never exposed in logs, API responses, or client-side code.

Report outputs and cached data are stored in Azure Blob Storage with access scoped to authorized application services only.

3. Authentication & Access Controls

Access to AdCortex is controlled at multiple levels:

  • Google OAuth 2.0 — Users sign in via Google. We never store your Google password.
  • Workspace isolation — Each workspace is siloed. Users in one workspace cannot access data from another.
  • Role-based access — Workspaces enforce user roles (admin, member, read-only), restricting which features and data each user can reach.
  • Domain allowlisting — Workspace admins can restrict access to specific email domains, preventing unauthorized sign-ups.
  • CSRF protection — All state-changing requests are protected against cross-site request forgery using per-session tokens.
  • Session security — Sessions are server-managed, cryptographically signed, and expire after inactivity.

4. Google API Data — Limited Use

AdCortex's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • Google Ads data is used only to generate reports, dashboards, and alerts within your AdCortex workspace.
  • We do not sell, transfer, or disclose Google user data to any third party for advertising, data brokering, or any purpose unrelated to delivering the service.
  • We do not use Google user data to train or improve AI or machine learning models.
  • Gmail send access is used exclusively to dispatch reports you configure — we never read the contents of your inbox.

5. AI Features & Third-Party Inference

Certain optional features (such as AI Copy and Negative Keyword suggestions) send a limited subset of your advertising data to OpenAI's API to generate a response. When this happens:

  • Only the data necessary to fulfill your specific request is sent.
  • Data is not retained by OpenAI beyond what is required to return a response, consistent with OpenAI's API data usage policies.
  • These features are opt-in and clearly labeled within the app.

No Google user data is sent to OpenAI without your direct action triggering an AI feature.

6. Infrastructure & Operational Security

Our infrastructure and operational practices include:

  • Cloud hosting on Microsoft Azure — benefiting from Azure's physical and network security controls, availability zones, and compliance certifications.
  • Least-privilege access — Application services access only the resources they need. No overly permissive service accounts.
  • Dependency management — We keep third-party libraries updated and monitor for known vulnerabilities.
  • Error logging and monitoring — Application errors are logged server-side for rapid diagnosis. Logs do not capture sensitive user data or OAuth tokens.
  • No shared credentials — Each workspace's OAuth tokens are stored and accessed separately. A compromise of one account does not expose another.

7. Data Minimization

We request only the Google API scopes required to deliver the service. We do not request access to your personal Google Drive, Gmail inbox, Contacts, Calendar, or any other Google service beyond Google Ads (read) and Gmail (send-only).

Within Google Ads, we access campaign performance data, keywords, search terms, geographies, conversions, and account structure — strictly for the purpose of generating the reports you use.

8. Incident Response

In the event of a security incident that may affect your data, we will notify affected users promptly and take immediate steps to contain and remediate the issue. We will provide clear information about what happened, what data was involved, and what actions you should take.

To report a suspected security vulnerability or incident, contact us directly at nicolas@mindfulconversion.com.

9. Your Controls

You have direct control over your data:

  • Revoke Google access — You can disconnect AdCortex from your Google account at any time via your Google Account permissions page. This immediately stops all data access.
  • Request deletion — Contact us to request deletion of your account and associated data.
  • Workspace admin controls — Admins can manage users, revoke access, and configure domain restrictions directly within the app.
  • Email report controls — Manage report recipients and scheduling from within the app without needing to contact us.

10. Contact

Questions about our data safety practices or to report a concern: nicolas@mindfulconversion.com

For more detail on how we collect and use data, see our Privacy Policy.