BoostadLast updated: May 25, 2025

Privacy Policy

This Privacy Policy explains how Boostad ("we", "our", "us") collects, uses, and protects information when you use our platform.

1. What Is Boostad

Boostad is a web-based tool designed for marketing teams. It allows users to bulk-upload ad creatives, manage Facebook advertising campaigns, and publish content to Facebook Pages — all from a single interface. Access to Boostad is invite-only and restricted to approved team members.

2. Information We Collect

2.1 Account Information

When you register or are invited to Boostad, we collect:

  • Full name
  • Email address
  • Password (stored as a bcrypt hash — we never store your plain-text password)
  • Team membership and role (e.g. Media Buyer, Team Admin)

2.2 Facebook Connection Data

When you connect your Facebook account via OAuth, we store:

  • Facebook User ID
  • Facebook display name and email (if provided by Meta)
  • Facebook access token — encrypted with AES-256-GCM before being written to our database
  • Token expiry timestamp

We use this token solely to make Marketing API calls on your behalf (create campaigns, upload creatives, manage Pages) when you initiate an action inside Boostad.

2.3 Google Connection Data

When you connect your Google account to use Google Drive or Sheets, we store:

  • Google User ID
  • Google display name and email
  • Short-lived access token and long-lived refresh token — both encrypted with AES-256-GCM
  • Token expiry timestamp

We use this solely to read files and spreadsheets from Google Drive that you explicitly select inside the app.

2.4 Uploaded Creatives

When you upload images or videos to Facebook ad accounts through Boostad, we store metadata about the upload:

  • File name and MIME type
  • Facebook image hash or video ID returned by the Facebook API
  • Image preview URL provided by Facebook
  • Associated ad account ID

We do not store the actual image or video files on our servers. Files are transferred directly to Facebook's infrastructure.

2.5 Campaign Activity Logs

Every time a campaign is launched through Boostad, we record a log entry containing:

  • Campaign name and Facebook Campaign ID
  • Facebook ad account ID and name
  • Launch mode (new campaign / add ad sets / add creatives)
  • Number of ad sets and ads created
  • Status (publishing / published / error) and error message if applicable
  • Timestamp
  • Which user and team triggered the action

This log is used to display campaign history in the dashboard.

2.6 Templates

Users may save ad templates (campaign/adset/ad structure) and Facebook Page design templates. These are stored in our database and associated with the user's account and team.

2.7 Technical Data

We may collect standard web server logs including:

  • IP address
  • Browser type and version
  • Pages visited and timestamps

This data is used for security monitoring and debugging only.

3. How We Use Your Information

We use the collected information exclusively to:

  • Authenticate and authorize you to access Boostad
  • Execute Facebook Marketing API actions you initiate (creating campaigns, uploading creatives, publishing posts)
  • Read Google Drive / Sheets files you select for use in ad creation
  • Display your team's campaign history and activity logs
  • Maintain saved templates and preferences
  • Detect and prevent unauthorized access or abuse

We do not use your data for advertising, profiling, or any purpose beyond operating the Boostad platform for your team.

4. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. Data is shared with third parties only as follows:

Meta (Facebook)

When you perform actions in Boostad (launch a campaign, upload a creative, publish a post), we transmit the necessary data to the Facebook Marketing API on your behalf. This is governed by Meta's Privacy Policy.

Google

When you connect Google Drive or Sheets, we communicate with Google APIs to read files you select. This is governed by Google's Privacy Policy.

Railway (Infrastructure)

Our application and database are hosted on Railway. Your data resides on Railway-managed PostgreSQL servers. Railway does not access your data for any purpose other than infrastructure operation.

5. Data Security

We implement the following security measures:

  • All OAuth access tokens (Facebook and Google) are encrypted with AES-256-GCM before being stored in the database
  • Passwords are hashed using bcrypt and never stored in plain text
  • All data in transit is protected by TLS (HTTPS)
  • Access to the platform requires authentication; access to team resources is role-gated
  • Database credentials and encryption keys are stored as environment variables, never in source code

While we take reasonable steps to secure your data, no system is completely immune to security risks. We recommend connecting only Facebook accounts that you control and have authorized for use with Boostad.

6. Data Retention

  • Account data is retained for as long as your account is active
  • OAuth tokens are retained until you disconnect the integration in Settings, after which they are deleted from our database
  • Campaign logs are retained indefinitely to provide historical records to your team
  • Uploaded creative metadata is retained to avoid re-uploading duplicate files
  • You may request deletion of your data at any time (see Section 8)

7. Cookies and Session Storage

Boostad uses a single session cookie to maintain your authenticated session (NextAuth.js JWT). We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and associated data
  • Disconnect your Facebook or Google integration at any time from the Settings page — this immediately removes the stored tokens from our database
  • Revoke Boostad's access to your Facebook account at any time via Facebook's App Settings
  • Revoke Boostad's access to your Google account at any time via Google Account Permissions

To exercise any of these rights, contact us at [email protected].

9. Children's Privacy

Boostad is intended for professional marketing teams and is not directed at anyone under the age of 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of Boostad after changes are posted constitutes your acceptance of the revised policy.

11. Contact

If you have any questions about this Privacy Policy or your data, please contact us:

Product
Boostad
Email
[email protected]