Legal notice: This Privacy Policy constitutes a legally binding agreement. NaqlaHub recommends final review by qualified legal counsel, particularly if you operate in or serve users from the European Union, United Kingdom, or California. Specific provisions for those jurisdictions are included below.
1. Who We Are (Data Controller)
NaqlaHub ("we," "our," "us") is the data controller responsible for your personal information collected through our website at NaqlaHub.com and the NaqlaHub marketing analytics platform (collectively, the "Service").
NaqlaHub is a multi-platform marketing analytics dashboard that connects to your advertising accounts on Google Ads, Meta (Facebook/Instagram), TikTok, Snapchat, Salla, and Zid to aggregate and display campaign performance data.
For privacy inquiries: privacy@NaqlaHub.com
2. Data We Collect
We collect only what is necessary to provide and improve the Service. Below is an explicit list of every category of personal data we collect.
Account & Identity Data
- Email address (required to create an account)
- Full name and professional position/role (provided by you during registration)
- Password (stored as a cryptographic hash — we never store plain-text passwords)
- Authentication session tokens issued by Supabase Auth
Workspace & Configuration Data
- Workspace/store names you create within the Service
- User preferences and settings (chart type preferences stored in your browser's localStorage)
Ad Platform Credential Data
- OAuth access tokens and refresh tokens for Google Ads (obtained through Google's OAuth 2.0 flow)
- API access tokens for Meta (Facebook/Instagram Ads), TikTok for Business, Snapchat Marketing API, Salla, and Zid — provided manually by you
- Associated advertiser IDs and account identifiers from these platforms
Important: These credentials are stored encrypted in our database and are used solely to retrieve your advertising performance data on your behalf. We do not use these credentials for any other purpose. See Section 7 for more details.
Ad Performance Data
- Campaign names, statuses, and platform identifiers retrieved from your connected ad platforms
- Aggregated daily metrics: ad spend, revenue, impressions, clicks, conversions — as reported by your connected platforms
- Calculated metrics derived from the above (ROAS, CPA, CTR, CPC, CVR)
This data belongs to you. It is your advertising data, retrieved from platforms you own accounts on, and stored in your isolated workspace within our Service.
Usage & Technical Data
- IP address and approximate geographic location (country/city level) — collected via server logs
- Browser type, operating system, and device type
- Pages visited, features used, and click interactions within the Service
- Date and time of access, session duration
- Error logs and crash reports
Data We Do NOT Collect
- Payment card numbers or billing details [Note: Payment processing is not yet implemented. This section will be updated when payment features are added.]
- Health, biometric, or sensitive personal data
- Precise real-time geolocation
- Data from anyone under 18 years of age (our Service is restricted to adults — see Section 11)
3. How We Collect Your Data
Directly from you
- Registration form (email, name, position)
- Settings and configuration within the platform (workspace names, API tokens you paste)
- Google Ads OAuth authorization flow (we receive tokens from Google's servers)
Automatically when you use the Service
- Server-side logs capture IP address, browser, and device information with each request
- Client-side localStorage stores your display preferences (chart types, UI settings) — this data never leaves your browser
From third-party ad platforms (on your behalf)
- When you initiate a data sync, we call the APIs of your connected platforms (Google, Meta, TikTok, Snapchat, Salla, Zid) using credentials you have provided, and retrieve your advertising performance data
- We act as your agent for this retrieval — the data retrieved belongs to you
From Supabase (our infrastructure provider)
- Supabase processes authentication events and database operations on our behalf as a data processor
4. Why We Use Your Data (Purpose & Legal Basis)
We process your personal data for the following purposes. For users in jurisdictions requiring a legal basis for processing, the applicable basis is noted.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Email, name, position, password hash | Contract necessity |
| Authenticating your identity and sessions | Email, session tokens | Contract necessity |
| Retrieving your ad platform data on your behalf | Ad platform credentials, advertiser IDs | Contract necessity |
| Displaying your dashboard and analytics | Ad performance data, campaign data | Contract necessity |
| Isolating your workspace from other users | Workspace ID, user ID, Row Level Security rules | Contract necessity / Legitimate interest (security) |
| Improving the Service (debugging, analytics, feature development) | Usage data, error logs, IP address | Legitimate interest |
| Communicating service notices, updates, and security alerts | Email address | Legitimate interest / Legal obligation |
| Complying with legal obligations (law enforcement requests, tax/audit records) | Account data, as required by law | Legal obligation |
We do not use your personal data for targeted advertising, data brokerage, or any purpose unrelated to providing the Service.
5. Who We Share Your Data With
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share data only with the following categories of recipients, and only to the extent necessary to provide the Service:
Infrastructure & Database
- Supabase Inc. (United States) — Database hosting, authentication services, and Row Level Security enforcement. Supabase acts as a data processor under our instructions. Their privacy policy is at supabase.com/privacy.
Ad Platform APIs (as your agent)
When you connect a platform and trigger a sync, we communicate with the following platforms using credentials you have provided. These API calls retrieve your data — we send minimal identifying information (your credentials) to authenticate:
- Google LLC — Google Ads API, Google OAuth 2.0. Their privacy policy: policies.google.com/privacy
- Meta Platforms Ireland Ltd — Meta Graph API (Facebook/Instagram Ads). Their privacy policy: facebook.com/privacy/policy
- TikTok Ltd / TikTok Inc. — TikTok Business API. Their privacy policy: tiktok.com privacy policy
- Snap Inc. — Snapchat Marketing API. Their privacy policy: snap.com privacy policy
- Zid Commerce Co. (Saudi Arabia) — Zid e-commerce API. Their privacy policy: zid.sa
- Salla Commerce Co. (Saudi Arabia) — Salla e-commerce API. Their privacy policy: salla.com/privacy
Legal & Regulatory Disclosure
- We may disclose personal data if required by applicable law, court order, or government authority, or if we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
- If NaqlaHub is acquired, merged, or undergoes a substantial asset transfer, your data may be transferred to the successor entity. We will notify you via email or prominent notice on the Service before this occurs, and you will retain the rights described in this policy.
6. Third-Party Services & Advertising
NaqlaHub is a business tool, not a consumer advertising platform. We do not display third-party advertisements within the Service. We do not use your data or your advertising performance data to serve ads to you or anyone else.
The Service may contain links to third-party websites or services (e.g., documentation for Google Ads API, Meta Business Help Center). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.
7. How We Handle Your Ad Platform Credentials
This section provides additional transparency specific to the most sensitive data we store: your advertising platform API tokens and OAuth credentials.
Storage
- All tokens (OAuth access tokens, refresh tokens, API access tokens) are stored in our Supabase database with encryption at rest.
- Each credential is stored within your workspace and is protected by Row Level Security (RLS) policies that prevent any other user or workspace from accessing it — this is enforced at the database level, not just the application level.
Use
- Credentials are used exclusively to call the respective platform's API on your behalf when you initiate a sync.
- Credentials are never logged in plaintext, included in error reports visible to other users, or used for any purpose other than fetching your data.
Access
- NaqlaHub engineering staff may access encrypted credential records solely for debugging specific support issues you have raised. Such access is logged.
- We never read or use your credentials to make changes to your ad platform accounts (no campaign creation, modification, or deletion — read-only access).
Revocation
- You can revoke Google Ads access at any time from your Google Account security settings at myaccount.google.com/permissions.
- You can disconnect any platform and delete its stored credentials from your NaqlaHub workspace Settings page.
- Deleting your NaqlaHub account permanently deletes all stored credentials. See Section 8.
8. Data Retention
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data (email, name, position) | Duration of account + 30 days after deletion | Contract necessity; grace period for recovery |
| Ad platform credentials (tokens) | Until you disconnect the platform or delete your account | Required for on-demand sync functionality |
| Ad performance metrics | Duration of account + 30 days after deletion | Historical analysis functionality |
| Campaign data | Duration of account + 30 days after deletion | Historical analysis functionality |
| Server access logs (IP, browser) | 90 days | Security monitoring and fraud prevention |
| Error logs | 30 days | Debugging and service stability |
| Legal obligation records | As required by applicable law (typically 5–7 years) | Legal obligation |
When you delete your account, all personal data in the categories above (except those subject to legal obligations) will be permanently deleted within 30 days of your deletion request. You will receive an email confirmation when deletion is complete.
9. Security
We implement technical and organizational measures appropriate to the risk level of the data we process:
- Encryption at rest: All database data, including credentials, is encrypted at rest using AES-256 via Supabase's managed encryption.
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher (HTTPS enforced).
- Row Level Security: Database-enforced isolation ensures one workspace cannot query another workspace's data — even in the event of an application-layer bug.
- Authentication: Passwords are hashed using bcrypt. Session tokens expire and are rotated on each session.
- Access control: Internal staff access to production data is restricted, logged, and requires multi-factor authentication.
No security measure is 100% effective. If you suspect unauthorized access to your account, please contact us immediately at security@NaqlaHub.com.
10. Your Rights
Depending on your location, you have the following rights over your personal data. To exercise any of these rights, email privacy@NaqlaHub.com with your account email address and the specific right you wish to exercise. We will respond within 30 days (or within the statutory period required by your jurisdiction's law).
Rights available to all users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data. (Most profile data can be updated directly in your account settings.)
- Deletion: Request deletion of your account and all associated personal data. This can also be initiated from within the Service.
- Data portability: Request your ad performance data exported in a machine-readable format (CSV). This is also available directly in the Service.
Additional rights for EU/EEA/UK users (GDPR / UK GDPR)
If you are located in the European Union, European Economic Area, or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR:
- Restriction of processing: Request that we limit how we use your data in certain circumstances.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Complaint to supervisory authority: You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is at edpb.europa.eu. UK users may contact the ICO at ico.org.uk.
Additional rights for California users (CCPA/CPRA)
California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Know: The right to know what personal information we collect, use, disclose, and sell.
- Delete: The right to request deletion of your personal information.
- Opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is currently required, but we honor any Global Privacy Control (GPC) signal.
- Non-discrimination: You will not be discriminated against for exercising your CCPA rights.
Saudi Arabia users (PDPL)
If you are located in the Kingdom of Saudi Arabia, you have rights under the Personal Data Protection Law (PDPL), including the right to access, correct, and request deletion of your personal data. Contact us at privacy@NaqlaHub.com.
11. Children's Privacy
Age restriction: The NaqlaHub Service is strictly intended for use by individuals who are at least 18 years of age (or the age of legal majority in their jurisdiction, whichever is higher). The Service requires users to hold active advertising platform accounts and operate in a commercial capacity.
We do not knowingly collect personal data from individuals under 18. If you are a parent or guardian and believe your child has created an account with us, please contact us immediately at privacy@NaqlaHub.com and we will promptly delete the account and all associated data.
Users under 18 are prohibited from using the Service. If we become aware that a user is under 18, we will immediately suspend the account pending verification and delete it if confirmed.
12. Cookies & Local Storage
Cookies set by NaqlaHub
| Name | Type | Purpose | Retention |
|---|---|---|---|
| sb-access-token | Essential | Supabase authentication session token | Session / ~1 hour |
| sb-refresh-token | Essential | Supabase session refresh — keeps you logged in | Up to 7 days |
Browser localStorage (not cookies)
We use your browser's localStorage (not server-side cookies) to store display preferences such as your selected chart type, mock mode toggle, and language preference. This data never leaves your browser and is not transmitted to our servers.
Third-party cookies
We do not currently load any third-party analytics, advertising, or tracking scripts on the Service. If this changes, this policy will be updated and a cookie consent mechanism will be implemented before any non-essential tracking is activated.
Managing cookies
You can control or delete cookies through your browser settings. Deleting essential cookies will require you to log in again. Instructions for major browsers: Chrome · Firefox · Safari.
13. Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. Because we do not currently engage in cross-site tracking or behavioral advertising, our Service does not alter its behavior based on DNT signals — there is nothing to turn off. We do honor the Global Privacy Control (GPC) signal as an opt-out of sale/sharing under CCPA/CPRA (though we do not currently sell data).
14. International Data Transfers
NaqlaHub uses Supabase for data storage. Supabase's infrastructure may be hosted in the United States and other jurisdictions. If you are located in a jurisdiction with data transfer restrictions (such as the EU or Saudi Arabia), your data may be transferred to servers in these regions.
For transfers from the EU/EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreement with Supabase
- Supabase's EU data residency options, which we intend to configure as our EU user base grows
Flag for legal review: If NaqlaHub actively begins marketing to EU users, a full GDPR Transfer Impact Assessment (TIA) should be conducted by qualified legal counsel to verify the adequacy of current transfer safeguards.
15. Policy Updates
We may update this Privacy Policy from time to time. When we make material changes (changes that affect how we collect, use, or share your data), we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all registered users at least 14 days before the changes take effect
- Display a prominent notice within the Service
Continued use of the Service after the effective date of any updated Privacy Policy constitutes acceptance of the updated terms. If you do not agree, you may delete your account before the effective date.
16. Contact Us
For any privacy-related questions, to exercise your data rights, or to report a suspected data breach, please contact:
Privacy Inquiries
privacy@NaqlaHub.com
Security Issues
security@NaqlaHub.com
Response Time
Within 30 days (statutory obligations may require faster)
Escalation
EU users may escalate unresolved complaints to their national DPA
Disclaimer: This Privacy Policy is provided for informational purposes and represents NaqlaHub's current privacy practices. It is not legal advice. NaqlaHub recommends that users with specific legal concerns consult qualified legal counsel in their jurisdiction. This policy should be reviewed by legal counsel before relying on it for compliance purposes in regulated jurisdictions (EU, UK, California, Saudi Arabia).