Pixel Theory← Back to site

Privacy Policy

Last updated: 2026-04-22

Introduction

Pixel Theory ("we", "us") is an advertising agency headquartered in the United States. The Creative Ops platform (the "App") is an internal tool we use to plan, produce, and deploy Meta ad campaigns on behalf of our clients. This policy explains what data the App collects, how we use it, and the choices available to the individuals whose data we handle.

The App is not a public consumer service. Access is limited to Pixel Theory staff and a small set of invited client contacts.

Data We Collect

Account information

Name, work email address, and the role assigned to you within the App (e.g., Growth Strategist, Creative Director, Client Reviewer).

Meta OAuth data

When a Pixel Theory team member connects a client's Meta Business Manager to the App, we receive and store:

  • OAuth access tokens granted by the connecting user
  • Meta Ad Account IDs the Business Manager has access to
  • Facebook Page IDs
  • Meta Pixel IDs
  • Instagram account IDs linked to those Pages

All OAuth access tokens are encrypted at rest using AES-256-GCM.

App usage data

Creative briefs you author, asset files you upload, ad drafts and campaigns you push to Meta, comments and approvals you leave, and audit-log records of privileged actions you take.

Performance metrics

Aggregate ad-performance data (impressions, clicks, spend, CTR, CPM, CPC, CPA) synced from the Meta Marketing API for campaigns we help manage on a client's behalf.

How We Use It

  • To plan, produce, and execute Meta ad campaigns on behalf of Pixel Theory clients under the terms of their service agreements.
  • To operate internal analytics that help us improve the App (e.g., how long briefs take to move from draft to publish).
  • To keep compliance and audit records of privileged actions taken within the App.

We do not sell personal data. We do not use Meta data for advertising targeting outside the client account it came from.

Where It's Stored

The App relies on the following third-party subprocessors, each bound by their own privacy and security commitments:

  • Supabase — primary Postgres database and authentication (US region)
  • Vercel — application hosting and serverless compute
  • Cloudflare R2 — object storage for uploaded creative assets
  • Mux — video transcoding and streaming for video creative
  • Meta Marketing API — we send only the fields required to create, update, read, or pause campaigns, ad sets, and ads in the connected ad account

Data Retention

  • Account and Meta-connection data: retained for as long as the account is active.
  • After account deactivation: up to 90 days before full deletion, during which the account can be reactivated on request.
  • Audit-log records: retained up to 2 years for compliance purposes. These records describe actions taken in the App and do not contain Meta-derived personal data.

Your Rights

You may request:

  • Access to the data we hold about you
  • An export of that data in a portable format
  • Correction of inaccurate information
  • Deletion of your account and associated data

For deletion specifically, see our Data Deletion Instructions.

Children's Privacy

The App is a business-to-business tool and is not directed at individuals under 18. We do not knowingly collect data from minors. If we learn we have, we will delete it.

International Transfers

Data is primarily stored and processed in the United States via the subprocessors listed above. Where data crosses jurisdictions to reach those providers, the transfer is governed by the provider's own contractual safeguards.

Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the latest revision. Material changes will be announced via email to account holders before they take effect.

Contact

Questions about this policy or about the data we hold can be directed to baraka@thepixeltheory.com.