Privacy Policy
Last updated April 15, 2026
Who we are
SourceIQ ("we," "us," or "our") is a marketing performance dashboard operated by D. Wooster at sourceiq.app. This policy explains what information we collect when you use SourceIQ, how we use it, and your rights regarding that information. If you have questions, email us at privacy@sourceiq.app.
Information we collect
We collect the following categories of information:
- Account information — your email address and password (hashed, never stored in plain text) when you create a SourceIQ account.
- Organization information — your company name and any details you enter during onboarding.
- OAuth tokens — when you connect a third-party platform (Meta, GoHighLevel, etc.), we store an OAuth access token and refresh token so we can fetch data on your behalf. We also store your user ID on that platform ("provider user ID") for identity purposes and compliance.
- Ad performance data — when you connect a Meta Ads account, we retrieve ad spend, impressions, clicks, leads, and purchase revenue via the Meta Marketing API. This data is displayed in your dashboard and is not stored persistently beyond our short-lived server cache.
- CRM data — when you connect GoHighLevel, we retrieve contact counts, opportunity pipeline data, and calendar appointments for locations you authorize. This data is cached for up to 2 hours and stored as aggregate KPI snapshots in our database.
- Billing information — we use Stripe to process payments. We store your Stripe customer ID and subscription status. We never see or store your full card number.
- Usage data — standard server logs including IP addresses, browser type, and pages visited. These are used for debugging and security, not sold or shared.
How we use your information
- To authenticate you and secure your account.
- To fetch and display marketing performance data from connected third-party platforms in your SourceIQ dashboard.
- To generate shareable client reports on your behalf.
- To process subscription payments via Stripe.
- To send transactional emails (password reset, email confirmation). We do not send marketing emails without your explicit consent.
- To comply with legal obligations, including responding to verified data deletion requests.
How we share your information
We do not sell your personal information. We share data only as follows:
- Supabase — our database and authentication provider. Your account data and OAuth tokens are stored in Supabase (hosted on AWS). Data is encrypted at rest and in transit.
- Stripe — payment processor. We share your email address with Stripe when you subscribe. Stripe's privacy policy governs their use of your data.
- Vercel — our hosting provider. Vercel processes incoming requests and may log standard HTTP metadata.
- Meta (Facebook) — we make API calls to Meta on your behalf using your OAuth token. We do not share your SourceIQ data back to Meta.
- Legal requirements — we may disclose information if required by law, subpoena, or to protect our legal rights.
Cookies and session storage
We use cookies strictly for functionality — not for advertising or cross-site tracking. Specifically:
- Session cookies — Supabase sets a cookie to keep you logged in across page loads. This cookie is HttpOnly and is cleared when you log out.
- OAuth nonce cookie — when you initiate a third-party connection (e.g., Connect Facebook), we set a short-lived (10-minute) HttpOnly cookie containing a CSRF nonce. It is deleted after the OAuth callback completes.
We do not use third-party advertising cookies, tracking pixels, or analytics services that share your data externally.
Data retention
We retain your account data for as long as your account is active. OAuth tokens are stored until you disconnect the integration or delete your account. Aggregate KPI snapshots (from the cron sync) are retained indefinitely to support historical reporting — these contain no personal information. If you delete your account, all associated data is permanently removed within 30 days.
Your rights
Depending on your location, you may have rights to access, correct, export, or delete your personal data. To exercise any of these rights:
- Delete your account — from within SourceIQ under Settings → Account → Delete Account.
- Delete your Facebook data — see our Data Deletion page.
- Any other request — email privacy@sourceiq.app and we will respond within 30 days.
Security
We use industry-standard security measures: TLS encryption in transit, encryption at rest via Supabase, row-level security policies so users can only access their own organization's data, and HttpOnly cookies to prevent token theft via XSS. OAuth tokens are stored server-side and never exposed to the browser. Webhook signatures (e.g., from Meta and Stripe) are verified before processing.
Children's privacy
SourceIQ is a business tool intended for adults. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. Material changes will be communicated by email to active account holders.