Safe & trusted

You manage ad accounts. Here is how we treat them.

Adlio connects with Meta once and after that only touches the accounts you choose, and never without your go-ahead. Below you can read exactly how we protect your data and your connected account.

You stay in control

Adlio only ever puts ads in a paused state. Only you set an ad live in Meta Ads Manager. See also our terms.

Ads always paused

Every ad is created paused. We publish nothing, activate nothing and never spend budget.

You decide the launch

You review the batch in Ads Manager and set it live when you're ready.

Disconnect in one click

We delete your token and revoke it with Meta immediately, so access stops at once.

Encryption & storage

  • All traffic runs over HTTPS, enforced with HSTS.
  • Your Facebook token is stored encrypted with AES-256-GCM and only decrypted server-side to call the Meta Marketing API on your behalf.
  • We don't store payment details ourselves: they are securely processed by Stripe.

Access & isolation

  • Your data is fully isolated: thanks to Row Level Security no other user can reach your accounts, creatives or token at the database level.
  • Login goes through Supabase with Facebook login (OAuth); we store no passwords.
  • Admin keys and secrets run server-side only and never reach the browser.
  • We only request the Meta permissions we truly need to upload your ads.

Protection against abuse

  • Security headers including a Content Security Policy, HSTS and clickjacking protection.
  • Verified signatures on all incoming webhooks and Meta callbacks.
  • Per-user rate limiting on upload and launch actions, plus blocking of suspicious requests.
  • Limits on upload sizes and modern, maintained dependencies.

Disconnect & delete

  • Disconnect from Meta with one click: we delete your token and revoke it with Meta immediately.
  • Request deletion of all your data via your settings, account deletion or the Facebook app settings (see the Data deletion page).
  • We handle deletion requests within 30 days.

Infrastructure & processors

We only work with trusted providers and share only the data needed to deliver the service. Where data is processed outside the EEA, we rely on appropriate safeguards (such as standard contractual clauses / the Data Privacy Framework).

  • Supabase: database, authentication and media storage
  • Vercel: hosting
  • Stripe: payments
  • Meta: creating your ads via the Marketing API
  • OpenPanel & Microsoft Clarity: product analytics (only after your cookie consent)
  • Resend: transactional email

Privacy & GDPR

We comply with the GDPR. You can access or delete your data at any time, disconnect your Meta connection with one click, and change your cookie consent whenever you want. In the event of a data breach with risk to individuals, we report it within 72 hours. Read more in our privacy policy.

Report a vulnerability

Found a security issue? Email privacy@adlio.ai (see also our security.txt). We confirm receipt within 5 business days and ask you to give us reasonable time to fix it before you disclose it publicly.
