Privacy Policy
How ROASt Labs handles your data
Last updated: 15 May 2026 · Effective: 15 May 2026
ROASt Labs (app.roast-labs.com) is a multi-platform paid-media portfolio management and budget optimisation tool covering Google Ads, Microsoft Advertising, and Meta Ads, operated by Tom Johnson (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect your data when you use the ROASt Labs service.
By connecting any advertising or analytics account to ROASt Labs, you consent to the data practices described in this policy. The service is available at roast-labs.com (marketing site) and app.roast-labs.com (application).
1. What Data We Collect
1a. Advertising Platform Data
When you connect a Google Ads, Microsoft Advertising, or Meta Ads account via OAuth 2.0, ROASt Labs accesses the following data through the relevant platform’s API:
- Campaign, ad-group, ad, keyword, and asset names, IDs, statuses, bid strategies, and daily budgets
- Performance metrics: spend, revenue (conversion value), conversions, impression share, lost impression share (budget and rank), click-through rate, and other aggregated platform metrics
- For Meta Ads specifically: ad-level creative metadata, video-completion buckets, quality and engagement ranking scores, and (where opted in) placement-level performance breakdowns
- For Google Ads specifically: RSA asset performance, Performance Max asset-group performance, Shopping product performance, and (where applicable) auction insights and search-term reports
- Portfolio budget names and amounts
- Account structure (manager-account hierarchy and sub-account names/IDs)
We do not collect personal information about your ad viewers, click-level data tied to identifiable individuals, or any personally identifiable information (PII) from your advertising accounts.
1b. Goal-Source Data (Optional Integrations)
If you choose to route a portfolio’s success metric to one of the following sources, ROASt Labs accesses the data required to compute that goal:
- Google Analytics 4 (GA4): Property name, measurement ID, and reported revenue/conversion data filtered by Google Ads campaign and date range. Read-only.
- Shopify: Order totals and UTM parameters used to attribute orders back to specific campaigns. We do not collect customer names, email addresses, shipping addresses, or product-level personal data.
- HubSpot: Deal stages, deal amounts, deal close dates, and UTM parameters used to attribute closed-won revenue back to specific campaigns. We do not collect contact-level personal data (names, emails, phone numbers).
Each integration is opt-in. You can revoke any goal-source connection at any time from the Accounts tab.
1c. Account and Authentication Data
- Your email address and chosen display name (used to identify your account and for transactional emails)
- OAuth 2.0 refresh tokens for each connected platform (used to maintain API access on your behalf). Encrypted at rest.
- Password hash (for email-and-password sign-in; passwords are never stored in plaintext)
1d. Billing Data
- Subscription tier, plan status, billing-period end date, and a Stripe customer/subscription identifier. Payment card details are handled exclusively by Stripe; ROASt Labs never sees or stores your card number.
- Invoice and billing-event history for finance and tax compliance.
1e. Locally Stored Data
- UI preferences (theme, navigation state, active tab, column visibility) stored in your browser’s localStorage
- Session cookies for authentication (see Section 6)
- Cookie consent decision (Analytics on/off) stored in localStorage
2. How We Use Your Data
Your advertising and goal-source data is used solely to:
- Display campaign and portfolio performance within the ROASt Labs interface
- Generate budget optimisation recommendations through our statistical engine
- Compute pacing analysis, performance trends, and account-health diagnostics
- Power the in-app AI agent (“Flume”) when you choose to use it (see Section 4b)
- Push budget, bid-target, keyword, negative-keyword, and creative-pause changes back to your connected advertising accounts — either through your explicit per-change approval, or through opt-in autonomous schedules that you configure and can pause at any time via a kill switch in Settings (see Section 2a).
We do not use your data for advertising, profiling, remarketing, creditworthiness assessment, or any purpose other than providing the ROASt Labs service to you.
2a. Autonomous Mode Disclosure
ROASt Labs offers an optional autonomous mode in which the optimisation engine runs nightly and applies recommended changes without per-change approval. This mode is disabled by default. When you enable it:
- You retain a global kill switch in Settings that halts all autonomous mutations instantly across your workspace
- Every autonomous change is logged with full audit trail (timestamp, before/after values, the reasoning behind the change)
- You can review and roll back any autonomous change from the Change History tab
- You can revert to per-change approval mode at any time
You remain responsible for the performance of your advertising campaigns. See our Terms of Service for the full responsibility allocation.
3. Platform API Compliance and OAuth Scopes
3a. OAuth Scopes Requested
ROASt Labs requests only the OAuth scopes needed to provide the service. By platform:
- Google Ads: https://www.googleapis.com/auth/adwords — read campaign data and push approved budget/target/keyword/asset changes
- Google Analytics 4: https://www.googleapis.com/auth/analytics.readonly — read-only access to GA4 properties and reports for goal-source routing
- Microsoft Advertising: https://ads.microsoft.com/msads.manage — read campaign data and push approved changes
- Meta Ads: ads_read and ads_management — read campaign/ad/creative data and push approved changes
- Shopify: read_orders — read-only order data for revenue attribution
- HubSpot: crm.objects.deals.read — read-only deal data for revenue attribution
You can revoke any platform’s OAuth grant at any time from the relevant platform’s account settings (e.g. Google permissions) or by disconnecting the account from the ROASt Labs Accounts tab.
3b. Google API Services User Data Policy — Limited Use Disclosure
ROASt Labs’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Limited to providing user-facing features: Google Ads data is used only to power the campaign dashboard, optimisation engine, pacing analysis, and budget recommendations visible within the ROASt Labs interface.
- No third-party transfers except as necessary to provide the service: We do not sell, rent, or share your Google Ads data with any third parties, except as described in Section 4 (AI Processing) where aggregated, non-PII campaign metrics may be sent to an AI sub-processor solely to generate optimisation insights displayed within ROASt Labs.
- No use for advertising: We do not use your Google Ads data to serve ads, including retargeting, personalised, or interest-based advertising.
- No use for AI/ML model training: Your Google Ads data is never used to train, improve, or fine-tune generalised or foundational AI/ML models. Any AI processing is limited to generating personalised, per-session insights for your account only.
- Restricted human access: We do not allow humans to read your Google Ads data unless (a) you have given affirmative consent (e.g. for technical support), (b) it is necessary for security purposes such as investigating a bug or abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymised for internal operations.
4. Data Sharing and Sub-Processors
4a. General Position
We do not sell, rent, or share your advertising or goal-source data with any third parties for their own marketing or commercial purposes. Your data is accessible only to:
- You, through the ROASt Labs interface
- Our server infrastructure, for storing your data and running the optimisation engine
- The sub-processors listed below, each of which provides a specific service necessary to operate ROASt Labs
4b. Sub-Processors
We use the following sub-processors. Each is bound by a written agreement that requires them to process your data only on our instructions and to apply appropriate security measures:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Render | Application hosting and managed Postgres database | EU (Frankfurt) |
| Stripe | Subscription billing and payment processing | USA / Ireland |
| Anthropic | AI agent (Flume) and report generation | USA |
| Cloudflare | Marketing site hosting (Pages), DNS, CDN, R2 encrypted backups | Global edge / EU |
We will provide reasonable advance notice via the ROASt Labs interface before adding any new sub-processor that materially changes how your data is processed.
4c. AI Processing (Anthropic)
ROASt Labs includes an in-app AI agent (Flume) and AI-generated reports. When you use these features, the following data may be sent to Anthropic’s API to generate the response or report:
- Aggregated campaign and portfolio performance metrics (spend, revenue, ROAS, impression share, conversion counts)
- Your business-context notes from the Context Hub (if you have provided them) — these are explicitly entered by you to inform AI-generated narratives
- The conversation or report request itself
These requests:
- Contain no payment-card details, OAuth tokens, or account passwords
- Are processed in real time by Anthropic under their commercial Privacy Policy — Anthropic does not retain commercial API inputs/outputs to train their generalised models
- Are used solely to generate the response or report displayed within ROASt Labs
If you do not wish to use AI features, simply do not invoke the Flume agent or AI-generated reports. The rest of the service operates independently.
4d. International Transfers
Some of our sub-processors (Stripe, Anthropic) are located in the United States. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards under UK GDPR Article 46, including the UK International Data Transfer Agreement (IDTA) and/or the European Commission’s Standard Contractual Clauses (SCCs), supplemented by the UK Addendum where applicable. Our sub-processors offer these mechanisms as standard. You can request copies of the relevant agreements by contacting us at the address in Section 11.
4e. Infrastructure Security
All data in transit is encrypted via HTTPS (TLS). The application database (Postgres on Render) is encrypted at rest. Encrypted backups are stored in Cloudflare R2 with AES-256-GCM application-side encryption (the encryption key is held only by us, not by the storage provider). See Section 7 for full security details.
5. Data Storage and Retention
- Campaign and portfolio data: Stored in our managed Postgres database (hosted on Render, Frankfurt). Retained for the duration of your account connection, subject to the tier-based limits below.
- OAuth refresh tokens: Stored server-side and encrypted at rest (never exposed to the browser). Deleted when you disconnect the relevant platform.
- Optimisation logs and historical data: Budget and target change records, daily campaign performance, audit history, and report data are retained according to your subscription tier: 90 days on Starter, 1 year on Agency, 3 years on Scale. Older data is automatically deleted by a nightly retention sweep. Records are also deleted on account deletion (subject to a 30-day grace period for reactivation).
- Billing records: Subscription, invoice, and payment events are retained indefinitely for finance and tax compliance, even after account deletion. This is a legal obligation under UK tax law and overrides the right to erasure to the extent strictly necessary.
- Encrypted backups: Daily encrypted database backups are stored in Cloudflare R2 (AES-256-GCM, application-side encrypted). Backups are retained for 30 days then rotated out.
- UI preferences and session data: Stored in your browser’s localStorage. You can clear these at any time through your browser settings.
Data deletion: You can disconnect any platform (Google Ads, Microsoft Advertising, Meta Ads, GA4, Shopify, HubSpot) at any time from the Accounts tab. Disconnecting a platform removes that platform’s OAuth tokens and the synced data scoped to that platform (campaigns, daily metrics, conversion actions, account configuration). Other connected platforms in the same workspace stay intact. Once you disconnect the last remaining platform on a workspace, all per-workspace synced data is wiped from our servers. To erase your entire account at once instead, use the self-service deletion flow described in Section 8.
6. Cookies and Tracking
6a. Inside the Application (app.roast-labs.com)
The application uses only strictly necessary browser storage:
- Session cookie: A single HttpOnly, SameSite=Strict cookie with 24-hour expiry, used for authentication.
- localStorage: UI preferences (theme, navigation state, column visibility). Contains no personal data or advertising data.
The application itself does not use third-party cookies, analytics scripts, advertising cookies, retargeting pixels, or browser fingerprinting.
6b. Marketing Site (roast-labs.com)
The marketing site may use Google Analytics 4 (measurement ID G-WQJHG1ZPSD) to understand visitor behaviour and measure marketing effectiveness. Analytics cookies are loaded only after you accept them via the consent banner shown on first visit. If you reject or have not yet decided, no analytics cookies are set.
- Accept all: Loads the GA4 tag, which sets _ga and _ga_* cookies for visitor and session identification. Data is processed by Google; see Google’s Privacy Policy.
- Reject all: No analytics scripts load. Only the strictly necessary cookies (e.g. consent preference itself) are stored.
- Change your mind later: The “Cookie settings” link in the marketing-site footer reopens the consent panel at any time. Withdrawing consent clears existing _ga* cookies.
7. Security
- All communication between your browser and our server uses HTTPS (TLS) encryption
- OAuth tokens are stored server-side and never exposed to the browser or client-side code
- Session cookies are HttpOnly, SameSite=Strict, with 24-hour expiry
- Sensitive operations (sync, push, execute) require authenticated sessions
- Google Ads API credentials (developer token, client ID, client secret) are stored as encrypted server-side environment variables and are never committed to source code
- The application codebase is version-controlled on GitHub with no secrets in the repository
7a. Incident Response
In the event of a data breach affecting your Google Ads data or account credentials, we will:
- Notify affected users within 72 hours of becoming aware of the breach
- Provide details of the data affected and the steps we are taking to remediate
- Report the breach to relevant authorities where required by applicable law (including the ICO under UK GDPR)
8. Your Rights
You can at any time:
- Revoke access: Disconnect your Google Ads account from the Accounts tab, or revoke ROASt Labs’s access directly from your Google Account permissions
- Delete data per platform: Disconnecting one platform removes that platform’s OAuth tokens and platform-scoped synced data. The full per-workspace data wipe runs only after the last connected platform is disconnected.
- Right to erasure (UK GDPR Article 17): Delete your entire account from Settings → Billing → Danger zone → Delete my account. Your subscription is cancelled immediately and your data is scheduled for permanent deletion. A 30-day grace period lets you reactivate by logging in before the deletion is final. Billing records are retained indefinitely for finance and tax compliance.
- Export data: Use the Export CSV features in the Portfolios, Campaigns, and Optimiser Logs tabs to download your data.
- Access your data: Contact us to request a copy of all data we hold about your account.
- Rectification: Contact us to request correction of any inaccurate data we hold.
- Object to processing: You may object to any processing of your data by disconnecting your account.
8a. Legal Basis for Processing (UK GDPR / EU GDPR)
We process your Google Ads data under the following legal bases:
- Performance of a contract: Processing is necessary to provide the ROASt Labs service you have signed up to use.
- Legitimate interest: Processing aggregated, anonymised usage data to improve the service, provided this does not override your rights and freedoms.
- Consent: You provide explicit consent when connecting your Google Ads account via OAuth. You may withdraw consent at any time by disconnecting your account.
9. Children’s Privacy
ROASt Labs is a business-to-business tool designed for professional advertisers and agencies. The service is not directed at children under the age of 16 (or 13 where applicable). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes to how we use your Google Ads data, we will notify you via the ROASt Labs interface and prompt you to consent to the updated policy before continuing to use your data in any new way.
We encourage you to review this page periodically. The “Last updated” date at the top indicates when the policy was most recently revised.
11. Contact
For privacy questions, data access requests, or concerns about how we handle your data, contact us at:
If you are located in the UK or EU and are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO).