What we collect
Creative content you submit — TikTok URLs, uploaded video keyframes, uploaded images, scripts, planned captions.
Account info if you sign in — your email address and, optionally, a display name you set in your account.
Usage signals — your IP address (used only for rate limiting), the timestamps of your reports, and the share-link IDs you created.
Email opt-ins — if you give us your email via a signup form (cap modal, partner program, DFY review request), we save it to our Mailchimp audience tagged by source so we can email you product updates and relevant offers.
What we don’t collect
- No tracking pixels and no third-party analytics for ads.
- No fingerprinting beyond IP-for-rate-limit.
- No third-party analytics or trackers (no GA, no Mixpanel, no FB Pixel).
- No advertising cookies.
Where your data goes
Video uploads: the original file never leaves your browser. Frames are extracted client-side; only the JPEG keyframes upload to Vercel Blob storage at unguessable URLs. Audio is extracted client-side, sent to OpenAI Whisper for transcription, then dropped.
Analysis content: sent to Anthropic's commercial API for the actual review. Anthropic's commercial API terms forbid training on submitted data.
Saved reports: stored in Vercel Marketplace Redis, keyed by your account email or by an unguessable share-link ID. Share-link payloads expire after 1 year.
Sub-processors: Vercel (hosting, edge, storage), Upstash (Redis via Vercel Marketplace), Anthropic (analysis), OpenAI (voiceover transcription), Resend (sign-in emails), Mailchimp (marketing email lists), Stripe (billing).
Cookies
We use exactly one cookie: tok_session — set when you sign in, holds your signed JWT, httpOnly + Secure + SameSite=Lax, 30-day expiry. It's a strictly-necessary cookie under ePrivacy / GDPR — without it we can't tell who you are after page reload.
We don't set advertising, analytics, or cross-site cookies. We don't use Google Analytics, Mixpanel, Facebook Pixel, or any third-party tag manager. The admin-bypass cookie (tab_admin) is opt-in and only set if you visit ?admin=<your-token> with a token we issued.
How long we keep it
- Anonymous reports: uploaded keyframes auto-purge after 24 hours.
- Share links: 1 year from creation, then deleted.
- Saved reports: kept until you delete them or your account.
- Account email: kept until you ask us to delete it.
- Rate-limit counters: auto-expire within 24 hours.
How to delete your data
Email legal@theadbench.ai with your account email or a specific share-link ID. We action deletions within 7 days and confirm by email when complete.
You can also remove your saved reports yourself from /account/reports if you're signed in.
Your data rights
You have the right to access, correct, delete, or export your data, and to object to or restrict processing. These rights apply globally (we don't gate them by jurisdiction) and align with GDPR Articles 15–22, the CCPA/CPRA, and similar regimes.
How to exercise them: email legal@theadbench.ai from the address on your account. We verify identity by replying to that same address before actioning. Response window: 7 days for deletion, up to 30 days for an export.
Authorized agents: if you're acting on someone's behalf, include a copy of the written authorization. We may still verify directly with the underlying user before responding.
No retaliation: exercising these rights doesn't affect your access to The Ad Bench or your pricing plan.
Do not sell or share
We do not sell your personal information. We do not share it with third parties for cross-context behavioral advertising. The only third parties that touch your data are the sub-processors listed above, each acting on our behalf to deliver the service you asked for.
We honor the Global Privacy Control browser signal — see /.well-known/gpc.json. There's nothing to opt out of operationally, but if you'd like written confirmation, email legal@theadbench.ai.
Security
Sessions are signed JWTs (HS256) in httpOnly cookies with a 30-day expiry. Magic-link tokens are 32 bytes of randomness, single-use, expire in 15 minutes. We use HSTS preload, CSP, X-Frame-Options DENY, and the rest of the security-header set. Storage is encrypted at rest by our sub-processors; transport is TLS 1.2+.
Children
The Ad Bench is not directed at children under 13. If you believe we have data on a child under 13, email legal@theadbench.ai and we'll delete it.
Changes to this policy
We'll update the "last updated" date and, for any change that materially affects user rights, email everyone on our account / Mailchimp lists before the change takes effect.
Contact
Privacy / data deletion: legal@theadbench.ai
Security disclosures: security@theadbench.ai (see /.well-known/security.txt)
Operator: Bloody Finger Software (Oakland, CA).