← Back to ROASt Labs

Privacy Policy

How ROASt Labs handles your data

Last updated: 9 March 2026 · Effective: 9 March 2026

ROASt Labs (adportfolio-5loq.onrender.com) is a Google, Microsoft, and Meta Ads portfolio management and budget optimisation tool operated by Tom Johnson (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect your data when you use the ROASt Labs service.

By connecting your Google Ads account to ROASt Labs, you consent to the data practices described in this policy. The service is available at roast-labs.com.

1. What Data We Collect

1a. Google Ads Data

When you connect your Google Ads account via OAuth 2.0, ROASt Labs accesses the following data through the Google Ads API:

• Campaign names, IDs, statuses, bid strategies, and daily budgets
• Performance metrics: spend, revenue (conversion value), orders (conversions), impression share, and lost impression share (budget and rank)
• Portfolio budget names and amounts
• Account structure (MCC hierarchy and sub-account names/IDs)

We do not collect personal information about your ad viewers, click-level data, search queries, or any personally identifiable information (PII) from your Google Ads account.

1b. Account and Authentication Data

• Your Google account email address (used to identify your session)
• OAuth 2.0 refresh tokens (used to maintain your Google Ads API connection)

1c. Locally Stored Data

• UI preferences (theme, navigation state, active tab) stored in your browser’s localStorage
• Session cookies for authentication

2. How We Use Your Data

Your Google Ads data is used solely to:

• Display campaign and portfolio performance within the ROASt Labs interface
• Generate budget optimisation recommendations through our rule-based engine
• Compute pacing analysis and performance trends
• Push approved budget and bid target changes back to your Google Ads account — all write operations require your explicit approval before execution. Longer term, we will look to implement scheduled execution.

We do not use your data for advertising, profiling, remarketing, creditworthiness assessment, or any purpose other than providing the ROASt Labs service to you.

3. Google API Services Compliance

3a. OAuth Scope

ROASt Labs requests the following OAuth scope:

• https://www.googleapis.com/auth/adwords — required to read campaign data and push approved budget/target changes

3b. Limited Use Disclosure

ROASt Labs’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• Limited to providing user-facing features: Google Ads data is used only to power the campaign dashboard, optimisation engine, pacing analysis, and budget recommendations visible within the ROASt Labs interface.
• No third-party transfers except as necessary to provide the service: We do not sell, rent, or share your Google Ads data with any third parties, except as described in Section 4 (AI Processing) where aggregated, non-PII campaign metrics may be sent to an AI sub-processor solely to generate optimisation insights displayed within ROASt Labs.
• No use for advertising: We do not use your Google Ads data to serve ads, including retargeting, personalised, or interest-based advertising.
• No use for AI/ML model training: Your Google Ads data is never used to train, improve, or fine-tune generalised or foundational AI/ML models. Any AI processing is limited to generating personalised, per-session insights for your account only.
• Restricted human access: We do not allow humans to read your Google Ads data unless (a) you have given affirmative consent (e.g. for technical support), (b) it is necessary for security purposes such as investigating a bug or abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymised for internal operations.

4. Data Sharing and Sub-Processors

4a. General Position

We do not sell, rent, or share your Google Ads data with any third parties. Your data is only accessible to:

• You, through the ROASt Labs interface
• Our server, for processing optimisation calculations and syncing with Google Ads

4b. AI Processing

ROASt Labs includes an optional AI-powered chat feature. When you use this feature, aggregated campaign performance metrics (spend, revenue, ROAS, impression share) may be sent to Anthropic’s API to generate optimisation insights. These requests:

• Contain no personally identifiable information
• Contain no Google account credentials or OAuth tokens
• Are processed in real-time and not retained by the sub-processor for model training
• Are used solely to generate responses displayed within the ROASt Labs interface

4c. Infrastructure

ROASt Labs is hosted on Render.com (US-based cloud infrastructure). All data in transit is encrypted via HTTPS. See Section 7 (Security) for details.

5. Data Storage and Retention

• Campaign and portfolio data: Stored in a SQLite database on our server. Retained for the duration of your account connection.
• OAuth refresh tokens: Stored server-side (never exposed to the browser). Deleted when you disconnect your account.
• Optimisation logs and historical data: Budget and target change records, daily campaign performance, audit history, and report data are retained according to your subscription tier: 90 days on Starter, 1 year on Agency, 3 years on Scale. Older data is automatically deleted by a nightly retention sweep. Records are also deleted on account deletion (subject to a 30-day grace period for reactivation).
• Billing records: Subscription, invoice, and payment events are retained indefinitely for finance and tax compliance, even after account deletion.
• UI preferences and session data: Stored in your browser’s localStorage. You can clear these at any time through your browser settings.

Data deletion: You can disconnect any platform (Google Ads, Microsoft Advertising, Meta) at any time from the Accounts tab. Disconnecting a platform removes that platform’s OAuth tokens and the synced data scoped to that platform (campaigns, daily metrics, conversion actions, account configuration). Other connected platforms in the same workspace stay intact. Once you disconnect the last remaining platform on a workspace, all per-workspace synced data is wiped from our servers. To erase your entire account at once instead, use the self-service deletion flow described in Section 8.

6. Cookies and Tracking

ROASt Labs uses the following browser storage:

• Session cookie: A single HttpOnly, SameSite=Strict cookie with 24-hour expiry, used for authentication. This is a strictly necessary cookie.
• localStorage: Used to persist UI preferences (theme, navigation state, column visibility). Contains no personal data or Google Ads data.

ROASt Labs does not use:

• Third-party cookies
• Analytics or tracking scripts (e.g. Google Analytics, Facebook Pixel)
• Advertising cookies or retargeting pixels
• Browser fingerprinting

7. Security

• All communication between your browser and our server uses HTTPS (TLS) encryption
• OAuth tokens are stored server-side and never exposed to the browser or client-side code
• Session cookies are HttpOnly, SameSite=Strict, with 24-hour expiry
• Sensitive operations (sync, push, execute) require authenticated sessions
• Google Ads API credentials (developer token, client ID, client secret) are stored as encrypted server-side environment variables and are never committed to source code
• The application codebase is version-controlled on GitHub with no secrets in the repository

7a. Incident Response

In the event of a data breach affecting your Google Ads data or account credentials, we will:

• Notify affected users within 72 hours of becoming aware of the breach
• Provide details of the data affected and the steps we are taking to remediate
• Report the breach to relevant authorities where required by applicable law (including the ICO under UK GDPR)

8. Your Rights

You can at any time:

• Revoke access: Disconnect your Google Ads account from the Accounts tab, or revoke ROASt Labs’s access directly from your Google Account permissions
• Delete data per platform: Disconnecting one platform removes that platform’s OAuth tokens and platform-scoped synced data. The full per-workspace data wipe runs only after the last connected platform is disconnected.
• Right to erasure (UK GDPR Article 17): Delete your entire account from Settings → Billing → Danger zone → Delete my account. Your subscription is cancelled immediately and your data is scheduled for permanent deletion. A 30-day grace period lets you reactivate by logging in before the deletion is final. Billing records are retained indefinitely for finance and tax compliance.
• Export data: Use the Export CSV features in the Portfolios, Campaigns, and Optimiser Logs tabs to download your data.
• Access your data: Contact us to request a copy of all data we hold about your account.
• Rectification: Contact us to request correction of any inaccurate data we hold.
• Object to processing: You may object to any processing of your data by disconnecting your account.

8a. Legal Basis for Processing (UK GDPR / EU GDPR)

We process your Google Ads data under the following legal bases:

• Performance of a contract: Processing is necessary to provide the ROASt Labs service you have signed up to use.
• Legitimate interest: Processing aggregated, anonymised usage data to improve the service, provided this does not override your rights and freedoms.
• Consent: You provide explicit consent when connecting your Google Ads account via OAuth. You may withdraw consent at any time by disconnecting your account.

9. Children’s Privacy

ROASt Labs is a business-to-business tool designed for professional advertisers and agencies. The service is not directed at children under the age of 16 (or 13 where applicable). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes to how we use your Google Ads data, we will notify you via the ROASt Labs interface and prompt you to consent to the updated policy before continuing to use your data in any new way.

We encourage you to review this page periodically. The “Last updated” date at the top indicates when the policy was most recently revised.

11. Contact

For privacy questions, data access requests, or concerns about how we handle your data, contact us at:

• Email: tomjohnsonads91@gmail.com
• Operator: Tom Johnson
• Website: adportfolio-5loq.onrender.com

If you are located in the UK or EU and are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO).