Privacy Policy

1. Introduction

VibeFly ("we", "us", or "our") provides a software-as-a-service platform that enables users to connect their advertising accounts on Meta (Facebook) and Google (Google Ads) to AI tools via the Model Context Protocol (MCP). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services.

By creating an account or using our services, you agree to the practices described in this policy. If you do not agree, please do not use our services.

2. Information We Collect

2.1 Account Information

• Email address
• Display name
• Password (stored as a secure hash — we never store plain-text passwords)
• Profile avatar URL (optional)

2.2 Workspace & Organization Data

• Workspace name and slug
• Meta Business Manager ID and name
• Membership roles and invitations

2.3 Data Collected via Facebook Login & Meta API

When you connect your Meta (Facebook) account through Facebook Login, we collect the following:

• Public profile name and Facebook user ID (via the public_profile permission)
• Permissions you grant for access to Ads and Business Manager
• Meta access tokens (encrypted at rest — see Section 5)
• Token scopes, type, and expiration
• Campaign, ad set, ad, and creative data retrieved from the Meta Graph API on your behalf

2.4 Data Collected via Google OAuth & Google Ads API

When you connect your Google account through Sign in with Google to access the Google Ads (formerly AdWords) Marketing API, we collect the following:

• Basic profile information — email address, name, and Google account ID — via the openid, email, and profile scopes
• Google Ads access via the https://www.googleapis.com/auth/adwords scope (read and, when explicitly authorized by you, write operations on your Google Ads accounts)
• Google OAuth access tokens and refresh tokens (encrypted at rest — see Section 5)
• Token scopes, type, and expiration
• Google Ads customer IDs (CID), manager account (MCC) hierarchy, campaigns, ad groups, ads, keywords, audiences, conversions, budgets, bidding strategies, and reporting metrics retrieved from the Google Ads API on your behalf

2.4.1 Limited Use of Google User Data

VibeFly's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Userequirements. Specifically, data obtained from Google APIs is used only to provide and improve user-facing features that are prominent in the requesting application's user interface, and is not used for serving advertising, sold or transferred for unrelated purposes, used for credit-worthiness or lending purposes, or read by humans except (a) with your explicit consent, (b) for security or to comply with applicable law, or (c) on an aggregated and anonymized basis for internal operations.

2.5 API Keys

• API key hashes (we never store your full API key after initial generation)
• Key prefix, creation date, expiration, and last-used timestamp

2.6 Usage & Analytics Data

• API tool names invoked
• HTTP method, status codes, and response times
• Error types (if any)
• Timestamps of each request

2.7 Billing Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store only your Stripe customer ID and subscription ID — we do not store credit card numbers, bank account details, or other payment credentials.

3. How We Use Your Information

• To provide, operate, and maintain the platform
• To authenticate your identity and manage workspace access
• To connect to the Meta Graph API and the Google Ads Marketing API on your behalf and retrieve or modify your advertising data as instructed
• To enforce rate limits and prevent abuse
• To monitor service health and troubleshoot errors
• To process payments and manage subscriptions
• To communicate important service updates, security alerts, or changes to this policy

We do not sell, rent, or share your personal data, Meta advertising data, or Google advertising data with third parties for marketing, advertising, or any other commercial purpose unrelated to providing the Service.

4. Third-Party Service Providers

We use the following third-party services to operate our platform. Each provider processes data in accordance with their own privacy policies:

5. Data Security

We implement multiple layers of security to protect your data:

• Token encryption:Meta access tokens and Google OAuth access & refresh tokens are encrypted at rest using PGP symmetric encryption (pgcrypto). They are decrypted only at the moment of use and are never stored in plain text.
• API key hashing: API keys are stored as bcrypt hashes. The full key is shown only once at creation and cannot be retrieved afterward.
• Row-Level Security (RLS): Database access policies ensure users can only access data within their own workspaces.
• Workspace isolation: All data is scoped to individual workspaces. Members can only access workspaces they belong to.
• Short-lived caches: Cached token data in Cloudflare KV expires after 5 minutes; API key validations expire after 60 seconds.
• HTTPS: All data in transit is encrypted via TLS/HTTPS.

6. Data Retention

• Account data is retained for as long as your account is active. When you delete your account, all associated profile data is removed.
• Workspace data (including usage logs, API keys, and token records) is deleted when the workspace is deleted, through cascading database deletions.
• Meta and Google tokens are marked as invalid and the encrypted token records are deleted when you disconnect the corresponding integration. Historical token metadata (scope, prefix, last-used timestamp) may be retained for audit purposes but cannot be used to access your Meta or Google account.
• Usage logs are retained to provide you with analytics and to help us monitor service health. You may request deletion at any time.

6.1 Data Deletion & Revoking Access

You can revoke VibeFly's access to your Meta and Google data and request deletion at any time through the following methods:

• Disconnect Meta Account:Go to your workspace dashboard and click "Disconnect Meta Account". This immediately revokes our access to your Meta API tokens and deletes the encrypted tokens from our database.
• Revoke via Facebook Settings: Visit Facebook Settings > Business Integrations and remove VibeFly. This will invalidate all tokens issued to our application.
• Disconnect Google Account:Go to your workspace dashboard and click "Disconnect Google Account". This immediately revokes our access to your Google Ads API tokens and deletes the encrypted access and refresh tokens from our database.
• Revoke via Google Account Settings: Visit Google Account > Third-party apps with account access and remove VibeFly. This will invalidate all OAuth tokens issued to our application.
• Delete Account: Delete your VibeFly account entirely through your account settings. This triggers cascading deletion of all associated workspaces, tokens, API keys, and usage logs.
• Data Deletion Request: You may also request data deletion by contacting us at contato@vibefly.app or visiting our Data Deletion Instructions page.

7. Your Rights & LGPD Compliance

VibeFly is committed to complying with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law No. 13,709/2018), as well as the GDPR and CCPA where applicable. Below are your rights under these regulations:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate data.
• Deletion: Request deletion of your account and associated data.
• Portability: Request your data in a machine-readable format.
• Restriction: Request that we limit the processing of your data.
• Objection: Object to certain types of data processing.
• Revocation of consent: Withdraw consent at any time by disconnecting your Meta account or deleting your VibeFly account (see Section 6.1 for instructions).

7.1 Legal Basis for Data Processing (LGPD Art. 7)

We process your personal data based on the following legal grounds:

• Consent: When you authorize VibeFly via Facebook Login or Sign in with Google (OAuth), you provide explicit consent for us to access your Meta and/or Google Ads advertising data within the scope of the permissions granted. You may revoke this consent at any time as described in Section 6.1.
• Contract performance: Processing necessary to provide the VibeFly service as described in our Terms of Service.
• Legitimate interest: Service monitoring, security, and fraud prevention.

7.2 Data Protection Officer (DPO / Encarregado de Dados)

For questions regarding data protection or to exercise any of your rights under the LGPD, GDPR, or CCPA, please contact our Data Protection Officer:

Email: contato@vibefly.app

8. International Data Transfers

Our service providers (Supabase, Cloudflare, Vercel, Stripe) may process data in data centers located outside your country of residence, including in the United States. These providers maintain appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where applicable.

9. Cookies & Tracking

We use only essential cookies required for authentication and session management. We do not use third-party advertising trackers, analytics pixels, or social media tracking cookies.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on our platform. Your continued use of the service after any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: contato@vibefly.app