Privacy Policy

• Account registration: First name, last name, email address, phone number (E.164 format), country, and hashed password.
• Business profile: Company name, website URL, and industry sector provided during onboarding.
• Campaign brief: Monthly ad budget, business description, ideal customer profile, primary campaign objective (lead generation, purchases, or awareness), competitor information, historical performance data, creative asset URLs, geographic targeting preferences, and campaign launch deadline.
• Communications: Content of messages submitted via our contact form or sent directly by email, including any attachments.
• Support requests: Information you provide when contacting us for help or feedback.

All payments are processed by Stripe, Inc. We do not directly receive, store, or process full card numbers, CVV codes, or bank account details. We retain only Stripe-issued customer IDs, subscription IDs, and subscription status (active, past-due, cancelled).

• Attribution data: On first visit we capture UTM parameters (source, medium, campaign, term, content), HTTP referrer, landing page path, Google Click ID (gclid), and Facebook Click ID (fbclid), stored in a first-party cookie (er_attribution) for 12 months.
• Usage analytics: Via Google Tag Manager (GTM-M2TNQ4J9) we collect pages visited, session duration, click events, browser type, OS, screen resolution, and approximate location (country/city level derived from IP).
• Server logs: Vercel logs IP addresses, request timestamps, HTTP status codes, and user-agent strings for security and diagnostics. Retained up to 30 days.
• Session tokens: Supabase issues session tokens stored in secure, HttpOnly cookies to maintain authenticated state.

When you connect your Meta (Facebook/Instagram) Ads account, we receive OAuth access tokens and ad account identifiers solely to manage your campaigns. We do not access your personal Meta profile beyond what campaign management requires.

• Legal compliance: When required by law, court order, regulatory authority, or governmental request, or to protect ElevateRank's legal rights.
• Business transfers: In connection with a merger, acquisition, or asset sale, provided the acquiring entity honours this Policy's commitments.
• Protection of rights: When necessary to prevent harm, fraud, or illegal activity, or to enforce our Terms and Conditions.
• With your consent: For any other purpose with your explicit prior consent.

• Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion where no legitimate processing ground persists.
• Right to restriction (Art. 18): Request that we limit processing in certain circumstances.
• Right to portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
• Automated decision-making (Art. 22): We do not make solely automated decisions with legal or similarly significant effects.
• Right to complain: Lodge a complaint with your local supervisory authority (e.g., ICO in the UK).

Notice at Collection. At or before the point of collection, California residents are entitled to know what personal information will be collected and the purposes for which it will be used. Our collection, categories, sources, and purposes are described in full in Sections 2 and 4 above; a summary follows here for convenience.

Categories of personal information we collect: identifiers (name, email, phone, IP address), commercial information (plan selected, ad-spend budget), internet activity (attribution, UTMs, click IDs, referrer), professional or employment-related information (company name, role, website), geolocation (country from signup), and inferences drawn from the above for service delivery. We do not collect biometric data, precise geolocation, union membership, health data, racial or ethnic origin, or other sensitive categories beyond what is required to authenticate you (email + phone).

Purposes of use: to provide the Services, authenticate you, communicate with you about your account, process payments via Stripe, deliver the advertising services you have purchased on Meta and Google ad platforms, detect and prevent fraud or abuse, comply with legal obligations, and improve the Services.

Retention: as described in Section 8. Sale / share of personal information: ElevateRank does not sell personal information and does not share personal information for cross-context behavioural advertising in exchange for monetary consideration.

• Right to know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties.
• Right to delete: Request deletion of personal information, subject to certain exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: ElevateRank does not sell personal information. You may submit an opt-out request at any time.
• Right to limit sensitive data use: We do not use sensitive personal information beyond purposes disclosed in this Policy.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), Indiana (INCDPA), and Minnesota (MCDPA) have comparable rights to those described in the California section above, including the right to access, correct, delete, and obtain a portable copy of personal data; the right to opt out of targeted advertising, sale, or profiling for decisions that produce legal or similarly significant effects; and, where applicable, the right to appeal a refusal to act on a request.

To exercise any of these rights, use the same contact method described below. Where the law of the requesting resident's state provides for an appeals process, we will acknowledge appeals within the statutory window and explain our reasoning in writing.

We collect phone numbers during signup to let our account team reach clients for onboarding and service questions. We do not use your phone number for automated dialing, pre-recorded calls, ringless voicemails, or SMS marketing campaigns. When we contact you by phone, it is a live operator on a call you are expected to receive (onboarding handoffs, ops questions tied to your own request). You can ask us to stop calling at any time by replying to any email from us.