
Legal

Privacy Policy

Plain English, not legalese. Here is what we collect, why we collect it, and what we do with it.

What this policy covers

This policy applies to two things: the COREPPC website (coreppc.com) and the COREPPC audit tool, our PPC audit and reporting platform available at app.coreppc.com.

The audit tool connects to your Google Ads, Google Sheets, and Meta Ads accounts to run automated audits and export reports. Because it handles OAuth tokens and reads ad account data, it is the part of our system where data handling matters most. This policy explains exactly what we access, what we store, and what we do not.

Data collected through the audit tool

Google Ads

When you connect Google Ads, we request access to your Google Ads account via OAuth. We use this access exclusively to retrieve data needed to generate audit reports: campaign structure, keyword lists, bidding settings, conversion tracking configuration, audience targeting, and budget information. We do not modify your campaigns. We do not access creative assets, customer match lists, or any data belonging to your end customers.

Your Google OAuth access and refresh tokens are stored server-side in an encrypted database (Turso, US East), associated with your COREPPC account, and used only to make Google Ads API calls on your behalf when you run an audit or refresh a report. Tokens are never exposed to client-side JavaScript and never shared with third parties. You can revoke our access at any time by visiting myaccount.google.com/permissions.

Google Sheets (via Drive)

If you choose to export an audit report to Google Sheets, we use the drive.file scope to create a new spreadsheet in your Google Drive and write the audit data into it. This scope limits our access to only files that our application creates or that you explicitly select - we cannot see, list, read, modify, or delete any other files in your Drive. We only create spreadsheets that you explicitly request through the Export button. The exported spreadsheet stays in your Drive after creation - we do not retain a copy.

Meta Ads

When you connect Meta Ads, we request read access to your ad accounts. We use this access to retrieve campaign names, ad sets, budget information, and basic performance metrics. We do not modify your campaigns, access creative assets, or read customer data. Your Meta OAuth tokens are stored server-side in the same encrypted database and used only to make Meta Graph API calls on your behalf.

Email address

If you sign in with email only (no Google account), we collect your email address to authenticate your session. Your email is stored in our database, which runs on Turso (a SQLite-based service hosted in US East). We use your email to send your audit report when it is ready, and to send team collaboration invitations if you choose to share access with colleagues.

Audit reports

When you run an audit, the results are stored in our database so you can access your report later and share it with others. Reports contain aggregated scores and findings derived from your ad account data. They do not contain raw campaign data, creatives, or customer information.

Data collected through the website

If you submit a contact form on coreppc.com, we receive your name, email address, and message. We use this information to respond to your inquiry. We do not add you to any mailing list without your consent.

What we do not do with your data

  • We do not sell your data to third parties.
  • We do not use your Google Ads, Google Drive, or Meta Ads data for any purpose other than providing the audit service you requested.
  • We do not use your data to train machine learning models.
  • We do not share your report with any third party unless you explicitly share it yourself.
  • OAuth tokens are encrypted at rest, used only to make API calls on your behalf, and never transmitted to third parties.

How we protect your data

We implement the following technical and organizational measures to protect sensitive data, including data received from Google APIs:

  • Encryption in transit: All communication between your browser and our servers uses TLS 1.2+ (HTTPS). API calls to Google, Meta, and Stripe are made exclusively over HTTPS.
  • Encryption at rest: OAuth tokens and authentication credentials are stored in an encrypted database (Turso, hosted in a US East data center with encryption at rest enabled). Passwords are hashed using PBKDF2 with unique salts before storage.
  • Minimal data storage: We do not store raw Google Ads or Meta Ads performance data on our servers. Data is fetched live from the platform APIs when you request a report, processed in memory, and returned to your browser. Only the final audit scores and report metadata are persisted.
  • Access controls: OAuth tokens are scoped per user and per platform. Staff accounts use role-based access (member, admin, owner). Session cookies are httpOnly and cannot be accessed by client-side scripts.
  • Token isolation: Each user's OAuth tokens are stored separately and cannot be accessed by other users. Tokens are used only to make API calls on behalf of the authenticated user.
  • No third-party sharing: We do not transmit your Google or Meta account data to any third party. Data flows only between your browser, our servers, and the respective platform APIs.
  • Secure infrastructure: Our application runs on Vercel (serverless, SOC 2 Type II compliant). Our database runs on Turso (SOC 2 compliant). Payment processing is handled by Stripe (PCI DSS Level 1 certified).

Google API Services disclosure

COREPPC's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We request the following Google OAuth scopes, each used exclusively for the purposes listed below:

  • Google Ads API (https://www.googleapis.com/auth/adwords) - to read your Google Ads account structure, campaigns, ad groups, keywords, conversion settings, and performance metrics so we can generate automated audit reports. We do not create, modify, or delete campaigns, ads, or keywords through this scope.
  • Google Drive (https://www.googleapis.com/auth/drive.file) - to create a new Google Sheets spreadsheet in your Google Drive and write audit report data into it, only when you click the Export button. This scope is limited to files created by our application or explicitly selected by you. We cannot access, list, or modify any other files in your Drive.
  • OpenID, email, profile - to identify you, display your name and profile picture in the COREPPC dashboard, and associate your audit reports with your account.

We use Google API data solely to provide the COREPPC audit service to the user who authorized access. We do not transfer Google user data to any third party except as necessary to provide this service, and only with your prior consent. We do not use Google user data for advertising, and we do not sell Google user data.

Cookies

We use httpOnly cookies to store your authentication session. These cookies are not accessible to JavaScript and cannot be read by third-party scripts. We do not use advertising cookies, tracking pixels, or third-party analytics on the audit tool.

The main website (coreppc.com) may load fonts from Google Fonts and analytics from standard web tools. No personally identifiable information is shared with these services.

Data retention

Session cookies expire automatically: 30 days for Google sessions, 60 days for Meta sessions, 24 hours for report viewer sessions.

Audit reports are retained in our database indefinitely so you can access them. If you want your reports deleted, contact us at the address below and we will remove them.

If you connected via Google OAuth and later revoke access through your Google account settings, your access token becomes invalid. We will no longer be able to fetch data from your account.

Your rights

You can revoke Google Ads access at any time by visiting myaccount.google.com/permissions and removing COREPPC from the list of connected apps.

You can revoke Meta Ads access by visiting facebook.com/settings/apps and removing the COREPPC app.

To request deletion of your account data, email us at [email protected]. We will confirm deletion within 10 business days.

Contact

For questions about this policy or to request data deletion, email [email protected].

This policy was last updated February 2026.