What we collect
Creative content you submit: TikTok URLs, uploaded video keyframes, uploaded images, scripts, planned captions.
Account info if you sign in: your email address and, optionally, a display name you set in your account.
Usage signals: your IP address (used only for rate limiting), the timestamps of your reports, and the share-link IDs you created.
Email opt-ins: if you give us your email via a signup form (cap modal, partner program), we save it to our Mailchimp audience tagged by source so we can email you product updates and relevant offers.
What we don't collect
- No advertising or retargeting pixels (no Facebook Pixel).
- No fingerprinting beyond IP-for-rate-limit.
- No Mixpanel and no cross-site ad trackers.
- No advertising cookies.
We do use Google Analytics 4 for first-party page analytics: IP-anonymized, consent-gated, and off when you opt out or send Global Privacy Control. Details are in the Cookies section.
Where your data goes
Video uploads: the original file never leaves your browser. Frames are extracted client-side; only the JPEG keyframes upload to Vercel Blob storage at unguessable URLs. Audio is extracted client-side, sent to OpenAI Whisper for transcription, then dropped.
Analysis content: sent to Anthropic's commercial API for the actual review. Anthropic's commercial API terms forbid training on submitted data.
Saved reports: stored in Vercel Marketplace Redis, keyed by your account email or by an unguessable share-link ID. Share-link payloads expire after 1 year.
Sub-processors: Vercel (hosting, edge, storage), Upstash (Redis via Vercel Marketplace), Anthropic (analysis), OpenAI (voiceover transcription), Resend (sign-in emails), Mailchimp (marketing email lists), Stripe (billing).
Cookies
Necessary: one cookie, tab_sess: set when you sign in, holds your signed JWT, httpOnly + Secure + SameSite=Lax, 30-day expiry. Strictly necessary under ePrivacy / GDPR (without it we can't tell who you are after a page reload).
Analytics: we use Google Analytics 4 (GA4) with IP anonymization, loaded in Google's consent mode. When analytics is allowed, GA4 sets first-party _ga / _ga_* cookies; when you opt out (Privacy choices in the footer, or a Global Privacy Control browser signal) analytics storage is denied and those cookies aren't set. We don't use Mixpanel, the Facebook Pixel, or any cross-site advertising cookies.
The admin-bypass cookie (tab_admin) is opt-in and only set if you visit ?admin=<your-token> with a token we issued.
How long we keep it
- Anonymous reports: uploaded keyframes auto-purge after 24 hours.
- Share links: 1 year from creation, then deleted.
- Account Value Score links + cached estimate: 90 days from creation, then deleted.
- Saved reports: kept until you delete them or your account.
- Account email: kept until you ask us to delete it.
- Rate-limit counters: auto-expire within 24 hours.
How to delete your data
Email legal@theadbench.ai with your account email or a specific share-link ID. We action deletions within 7 days and confirm by email when complete.
You can also remove your saved reports yourself from /account/reports if you're signed in.
Your data rights
You have the right to access, correct, delete, or export your data, and to object to or restrict processing. These rights apply globally (we don't gate them by jurisdiction) and align with GDPR Articles 15–22, the CCPA/CPRA, and similar regimes.
How to exercise them: email legal@theadbench.ai from the address on your account. We verify identity by replying to that same address before actioning. Response window: 7 days for deletion, up to 30 days for an export.
Authorized agents: if you're acting on someone's behalf, include a copy of the written authorization. We may still verify directly with the underlying user before responding.
No retaliation: exercising these rights doesn't affect your access to The Ad Bench or pricing plan.
Do not sell or share
We do not sell your personal information. We do not share it with third parties for cross-context behavioral advertising. The only third parties that touch your data are the sub-processors listed above, each acting on our behalf to deliver the service you asked for.
We honor the Global Privacy Control browser signal (see /.well-known/gpc.json). There's nothing to opt out of operationally, but if you'd like written confirmation, email legal@theadbench.ai.
Security
Sessions are signed JWTs (HS256) in httpOnly cookies with a 30-day expiry. Magic-link tokens are 32 bytes of randomness, single-use, expire in 15 minutes. We use HSTS preload, CSP, X-Frame-Options DENY, and the rest of the security-header set. Storage is encrypted at rest by our sub-processors; transport is TLS 1.2+.
Children
The Ad Bench is not directed at children under 13. If you believe we have data on a child under 13, email legal@theadbench.ai and we'll delete it.
Changes to this policy
We'll update the "last updated" date and, for any change that materially affects user rights, email everyone on our account / Mailchimp lists before the change takes effect.
Contact
Privacy / data deletion: legal@theadbench.ai
Security disclosures: security@theadbench.ai (see /.well-known/security.txt)
Operator: Bloody Finger Software (Oakland, CA).