Privacy Policy
How SpendSignoff collects, uses, secures, and retains your data. Effective June 7, 2026.
01 Who we are & scope
SpendSignoff is an MCP server that connects AI assistants — such as Claude, ChatGPT, and Cursor — to ad platforms including Google Ads and Meta. You manage campaigns in plain English from inside your AI client. This policy covers the SpendSignoff dashboard, the MCP server at https://mcp.spendsignoff.com/mcp, the REST API, and the marketing site.
It does not cover the AI clients you connect from, or the ad platforms you link. Those services run under their own privacy policies. When you act through SpendSignoff, your organization is the controller of the ad-account data we process on your behalf; SpendSignoff is the processor.
02 Data we collect
We collect only what is needed to run the operator and bill the account:
- Account & identity. Your name, email, and organization membership, handled by Clerk. We do not store your password — Clerk does.
- Ad-platform OAuth tokens. When you link a Google Ads or Meta account, we store the OAuth access and refresh tokens. These are encrypted at rest in a KMS vault and are never returned to the AI model or to any AI client.
- Ad metrics & campaign structure. We read the accounts, campaigns, ad groups, budgets, bids, and performance metrics needed to draft and report on changes. We read this data; we do not change it without an approved action.
- Product usage & telemetry. Drafts you create, approvals you make, audit entries, API request logs, and error traces — used to operate the service and keep the audit ledger accurate.
- Billing data. Plan, subscription state, and payment metadata are held by Stripe. We never see or store full card numbers.
03 How we use data
We use the data above to:
- Read your ad accounts so the operator can draft budget reallocations, bid changes, and pacing fixes.
- Show you the before-and-after diff of a proposed change and run the two-step approve-and-push control.
- Write every read, draft, approval, push, and rollback to the KMS-signed append-only audit log.
- Send notifications for anomalies, token-health issues, and approval requests.
- Bill your plan, enforce free-tier limits, and provide support.
We do not sell your data, and we do not use your ad-account data to train models. Model inference (see section 6) processes only the specific context needed for a request and is not used by the provider to train on your data.
04 Ad-platform data & the read-first OAuth model
Every connection starts read-only. You link each ad account over the platform’s own OAuth, and SpendSignoff requests read access first. The MCP server is only ever issued two scopes — mcp.read and mcp.draft. There is no mcp.approve scope, so no AI client can push spend live.
Going live is a separate, server-enforced step that only a signed-in human can take. The platform write call happens inside our policy core, using a token that is decrypted only at the moment of an approved action. This is the guarantee the whole architecture keeps: your AI can read and draft — it can never spend without your approval. The full safety model is documented in the safety docs.
05 How tokens & secrets are secured
Ad-platform OAuth tokens are protected with envelope encryption: each token is sealed with a data key, and that data key is wrapped by a master key held in Google Cloud KMS. The plaintext token exists only transiently inside the policy core at the moment of an approved action, and is never logged, returned to a model, or exposed to an AI client.
Service credentials and API keys live in Google Cloud Secret Manager, with access scoped to the workloads that need them. The audit ledger is signed with a KMS key so entries are tamper-evident — they can be appended, never edited or deleted. More detail is on the security page.
06 Subprocessors
We use a small set of subprocessors to run the service. Each handles a specific function under its own data-protection terms:
When we add or change a subprocessor, we update this list before the change takes effect. Ad-account data is shared with a subprocessor only as needed for the function above — for example, the specific campaign context sent to a model provider for a single inference request.
07 Data retention
Retention is set per organization through a server-enforced retention policy. By default we keep ad-metric snapshots and product telemetry for the rolling window your plan defines, and the append-only audit log for the life of the account so the record of who approved what stays intact.
When you delete a linked ad account, its OAuth tokens are destroyed and the operator loses access. When you close your organization, we delete or irreversibly anonymize your data within 30 days, except records we must keep for legal, tax, or fraud-prevention reasons. Backups age out on a fixed rolling schedule.
08 Your rights
Depending on where you live, you have rights under the GDPR, the UK GDPR, and the CCPA/CPRA, including the right to:
- Access the personal data we hold about you and get a copy.
- Export your account and ad-account data in a portable format.
- Correct inaccurate data or request deletion.
- Object to or restrict certain processing, and withdraw consent.
You can manage your profile from the dashboard or write to privacy@spendsignoff.com. We do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out to exercise on that front. We will not discriminate against you for using any of these rights.
09 Cookies & analytics
The dashboard uses cookies that are strictly necessary to keep you signed in and to keep your session secure — these are set by Clerk and by SpendSignoff itself. We use first-party, privacy-respecting product analytics to understand which features are used and to fix problems; we do not run third-party advertising trackers, and we do not build advertising profiles of you.
10 International transfers
SpendSignoff is hosted on Google Cloud in the United States, and several subprocessors operate there too. If you access the service from outside the US, your data is transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses and equivalent safeguards to cover those transfers.
11 Children
SpendSignoff is a business tool and is not directed to children. The service is not intended for anyone under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has given us data, contact us and we will delete it.
12 Changes to this policy
We may update this policy as the product changes. When we make a material change, we update the effective date at the top and, for significant changes, give notice in the dashboard or by email before the change takes effect. Continued use after the effective date means you accept the updated policy.
13 Contact
Questions about this policy or your data? Write to privacy@spendsignoff.com. For how spend is kept safe end to end, see the security page and the safety docs.