Data and security
How Hero Marketer handles the data you give it.
What we store
Roughly four categories:
Authentication
- Your Hero Marketer login. Email, name, hashed credentials. Managed through Supabase, our auth provider.
- OAuth tokens for Google Ads. Encrypted at rest. Used only to make API calls to Google Ads on your behalf. Refresh tokens are stored to keep the connection alive; access tokens are short-lived and refreshed transparently.
Product information
- Product descriptions you wrote during onboarding or product setup.
- Product analysis derived from those descriptions.
- Website URLs you've configured.
Campaign records
- Campaigns built through Hero Marketer. What was targeted, what keywords were chosen, what ad copy was generated, when it was created.
- Drafts of in-flight campaigns (the wizard saves your progress).
Hero AI conversation history
- The chat transcripts between you and Hero AI, plus metadata about which queries were run and what credits were consumed.
What we don't store
- Live campaign performance metrics. Pulled from Google Ads on demand and not cached beyond short-term performance optimization.
- Your Google Ads payment method or billing details. Held by Google.
- Your Hero Marketer card details. Held by Paddle (our billing provider). We see only what Paddle exposes (last four digits, expiration, billing address).
- Anything outside Google Ads. We don't have access to your CRM, email, calendar, or other tools.
Where data lives
- Application database. Supabase (Postgres). Hosted in US data centers.
- AI providers. Google (for the AI subagents in Hero AI) and a few specific AI providers for specific tasks like analysis. Hero AI inputs are sent to AI providers per query; their data handling is bound by our agreements with them.
- Billing. Paddle. Handles cards, invoices, tax, region-specific compliance.
- Auth. Supabase auth.
We pick providers with strong privacy and security practices. SOC 2 Type II reports from major providers (Google Cloud, Supabase, Paddle) are available on request through their normal channels.
Encryption
- In transit. All connections use HTTPS/TLS.
- At rest. OAuth tokens are encrypted before being stored. Database storage is encrypted at the disk level by our hosting provider.
Access controls
Internally:
- Engineering and customer support staff can access account-level data when investigating issues. Access is logged.
- No one else has access to your data without your explicit consent.
We do not sell, rent, or share your data with third parties for marketing purposes.
Google Ads scopes
Hero Marketer requests two OAuth scopes:
- adwords scope. Required to read account info, fetch keyword data, and create campaigns. This is the standard scope for Google Ads API access.
- openid and email. Used to identify which Google identity is connecting and match the connection to your Hero Marketer user.
We do not request access to Gmail, Drive, Calendar, or any other Google service.
You can revoke our access at any time at myaccount.google.com/permissions. See Disconnect Google Ads.
Compliance
- GDPR. We comply with GDPR for EU users. Right to access, right to deletion, and data portability are honored. Contact support to exercise these rights.
- CCPA. We comply with CCPA for California users. Same rights as GDPR plus the right to opt out of sale of personal information (we don't sell data anyway).
- SOC 2. Our hosting providers (Google Cloud, Supabase) are SOC 2 Type II certified. Hero Marketer itself isn't yet SOC 2 certified; that's on the roadmap.
Data retention
- Active subscription. Data retained for the life of your subscription.
- After cancellation. Retained for 90 days, after which accounts may be archived.
- After deletion request. Removed within 30 days, including from backups.
Exporting your data
You can request export of:
- Your product descriptions and analysis.
- Your campaign records and metadata.
- Your Hero AI conversation history.
Contact support with the request. We deliver as a JSON or CSV bundle within 5 business days.
Note: live performance metrics aren't part of the export because they're not stored. Pull those from Google Ads directly using their report export tools.
Deletion
To fully delete your account and data:
- Contact support with a deletion request.
- We confirm by email and remove access immediately.
- Data is purged from production systems within 7 days.
- Backups containing the data are aged out within 30 days.
After deletion, your data cannot be recovered. Reactivation requires starting fresh.
Reporting a security issue
If you believe you've found a security vulnerability in Hero Marketer:
Contact support and prefix the subject with "Security:". We treat security reports as the highest priority. Please don't post details publicly until we've had a chance to investigate and respond.
Data Processing Agreement (DPA)
For customers who require a signed DPA (under GDPR or other regulations):
Contact support and request the DPA template. We countersign and send back a signed copy.