Privacy Policy

1. Who We Are (Data Controller)

NaqlaHub ("we," "our," "us") is the data controller responsible for your personal information collected through our website at NaqlaHub.com and the NaqlaHub marketing analytics platform (collectively, the "Service").

NaqlaHub is a multi-platform marketing analytics dashboard that connects to your advertising accounts on Google Ads, Meta (Facebook/Instagram), TikTok, Snapchat, Salla, and Zid to aggregate and display campaign performance data.

For privacy inquiries: privacy@NaqlaHub.com

2. Data We Collect

We collect only what is necessary to provide and improve the Service. Below is an explicit list of every category of personal data we collect.

Account & Identity Data

• Email address (required to create an account)
• Full name and professional position/role (provided by you during registration)
• Password (stored as a cryptographic hash — we never store plain-text passwords)
• Authentication session tokens issued by Supabase Auth

Workspace & Configuration Data

• Workspace/store names you create within the Service
• User preferences and settings (chart type preferences stored in your browser's localStorage)

Ad Platform Credential Data

• OAuth access tokens and refresh tokens for Google Ads (obtained through Google's OAuth 2.0 flow)
• API access tokens for Meta (Facebook/Instagram Ads), TikTok for Business, Snapchat Marketing API, Salla, and Zid — provided manually by you
• Associated advertiser IDs and account identifiers from these platforms

Important: These credentials are stored encrypted in our database and are used solely to retrieve your advertising performance data on your behalf. We do not use these credentials for any other purpose. See Section 7 for more details.

Ad Performance Data

• Campaign names, statuses, and platform identifiers retrieved from your connected ad platforms
• Aggregated daily metrics: ad spend, revenue, impressions, clicks, conversions — as reported by your connected platforms
• Calculated metrics derived from the above (ROAS, CPA, CTR, CPC, CVR)

This data belongs to you. It is your advertising data, retrieved from platforms you own accounts on, and stored in your isolated workspace within our Service.

Usage & Technical Data

• IP address and approximate geographic location (country/city level) — collected via server logs
• Browser type, operating system, and device type
• Pages visited, features used, and click interactions within the Service
• Date and time of access, session duration
• Error logs and crash reports

Data We Do NOT Collect

• Raw payment card numbers. If paid billing is activated in the future, payment details will be handled by our designated payment processor and not stored by NaqlaHub in raw form.
• Health, biometric, or sensitive personal data
• Precise real-time geolocation
• Data from anyone under 18 years of age (our Service is restricted to adults — see Section 11)

3. How We Collect Your Data

Directly from you

• Registration form (email, name, position)
• Settings and configuration within the platform (workspace names, API tokens you paste)
• Google Ads OAuth authorization flow (we receive tokens from Google's servers)

Automatically when you use the Service

• Server-side logs capture IP address, browser, and device information with each request
• Client-side localStorage stores your display preferences (chart types, UI settings) — this data never leaves your browser

From third-party ad platforms (on your behalf)

• When you initiate a data sync, we call the APIs of your connected platforms (Google, Meta, TikTok, Snapchat, Salla, Zid) using credentials you have provided, and retrieve your advertising performance data
• We act as your agent for this retrieval — the data retrieved belongs to you

From Supabase (our infrastructure provider)

• Supabase processes authentication events and database operations on our behalf as a data processor

4. Why We Use Your Data (Purpose & Legal Basis)

We process your personal data for the following purposes. For users in jurisdictions requiring a legal basis for processing, the applicable basis is noted.

We do not use your personal data for targeted advertising, data brokerage, or any purpose unrelated to providing the Service.

5. Who We Share Your Data With

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share data only with the following categories of recipients, and only to the extent necessary to provide the Service:

Infrastructure & Database

• Supabase Inc. (United States) — Database hosting, authentication services, and Row Level Security enforcement. Supabase acts as a data processor under our instructions. Their privacy policy is at supabase.com/privacy.

Ad Platform APIs (as your agent)

When you connect a platform and trigger a sync, we communicate with the following platforms using credentials you have provided. These API calls retrieve your data — we send minimal identifying information (your credentials) to authenticate. For a plain-English overview of each platform connection, see our Platform Access page.

• Google LLC — Google Ads API, Google OAuth 2.0. Their privacy policy: policies.google.com/privacy
• Meta Platforms Ireland Ltd — Meta Graph API (Facebook/Instagram Ads). Their privacy policy: facebook.com/privacy/policy
• TikTok Ltd / TikTok Inc. — TikTok Business API. Their privacy policy: tiktok.com privacy policy
• Snap Inc. — Snapchat Marketing API. Their privacy policy: snap.com privacy policy
• Zid Commerce Co. (Saudi Arabia) — Zid e-commerce API. Their privacy policy: zid.sa
• Salla Commerce Co. (Saudi Arabia) — Salla e-commerce API. Their privacy policy: salla.com/privacy

Legal & Regulatory Disclosure

• We may disclose personal data if required by applicable law, court order, or government authority, or if we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

• If NaqlaHub is acquired, merged, or undergoes a substantial asset transfer, your data may be transferred to the successor entity. We will notify you via email or prominent notice on the Service before this occurs, and you will retain the rights described in this policy.

6. Third-Party Services & Advertising

The Service may contain links to third-party websites or services (e.g., documentation for Google Ads API, Meta Business Help Center). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

7. How We Handle Your Ad Platform Credentials

This section covers the most sensitive data we store: advertising platform API tokens and OAuth credentials. For a public-facing summary of how each platform connection works, see our Platform Access page.

General Principles (All Platforms)

• Platform credentials are stored in our Supabase-backed infrastructure with access controls intended to keep each workspace isolated from other workspaces.
• Credentials are used to retrieve data from the platform account you connect into your workspace when you initiate or maintain a sync.
• NaqlaHub presents these connections as read-only reporting access. We do not describe the product as creating, editing, pausing, or deleting campaigns on your behalf.
• You can disconnect any platform and remove its stored credentials from your NaqlaHub workspace settings.
• Deleting your NaqlaHub account triggers deletion of stored credentials and associated workspace data in accordance with our retention and deletion processes. See Section 8.

7a. Google Ads — Data Handling

OAuth Scope Requested

• https://www.googleapis.com/auth/adwords — used to retrieve Google Ads reporting data for accounts you authorize in your workspace. NaqlaHub does not describe this scope as campaign-management access on the public site.

What We Access

• Campaign names, statuses, and platform identifiers
• Daily reporting metrics such as spend, impressions, clicks, and conversions
• Derived reporting metrics such as ROAS, CPA, CTR, and CPC

What We Do Not Do With Google Data

• We do not use Google user data to serve advertisements.
• We do not sell Google user data.
• We do not use Google user data for purposes unrelated to displaying and analyzing reporting data inside your authorized workspace.
• We do not describe NaqlaHub as using Google Ads data to create, edit, pause, or delete campaigns on your behalf.

Data Deletion And Revocation

• You can disconnect Google Ads from your NaqlaHub workspace settings.
• You can revoke NaqlaHub's access in your Google Account at myaccount.google.com/permissions.
• When Google access is disconnected or your account is deleted, Google-related credentials and data are removed from our systems in accordance with our deletion and credential-removal processes.

7b. Meta (Facebook / Instagram Ads) — Data Handling

How The Connection Works

Meta connections are configured in the product using a platform credential you provide, where applicable, for the workspace you want to connect.

How We Use Meta Data

• To retrieve ad-account reporting data and display it inside your workspace
• To support cross-platform visibility alongside other connected reporting sources
• As read-only reporting access rather than campaign-management functionality

Revocation

• Disconnect Meta in your NaqlaHub workspace settings to remove the stored credential from active use in the product.
• You may also revoke the connected access from the source Meta account environment that issued the credential.

7c. TikTok For Business — Data Handling

How The Connection Works

TikTok connections are configured in the product using a manual platform credential, where applicable, for the workspace you want to connect.

How We Use TikTok Data

• To retrieve reporting data tied to the connected TikTok advertising environment
• To display that data in your workspace alongside other supported platforms
• As read-only reporting access rather than campaign-management functionality

Revocation

• Disconnect TikTok in your NaqlaHub workspace settings to remove the stored credential from active use in the product.
• You may also revoke the connected access from the source TikTok business account that issued the credential.

7d. Snapchat — Data Handling

How The Connection Works

Snapchat connections may use manual OAuth-related credentials or other platform credentials, where applicable, for the workspace you want to connect.

How We Use Snapchat Data

• To retrieve reporting data from the connected Snapchat advertising environment
• To display that data inside your workspace for review, comparison, and export workflows
• As read-only reporting access rather than campaign-management functionality

Revocation

• Disconnect Snapchat in your NaqlaHub workspace settings to remove the stored credential from active use in the product.
• You may also revoke the connected access from the source Snapchat business account that issued the credential.

7e. Salla — Data Handling

How The Connection Works

Salla connections use a platform credential you provide for the workspace you want to connect.

How We Use Salla Data

• To retrieve store-side commerce data made available through the connected Salla environment
• To show commerce context alongside ad-platform reporting in the same workspace
• As read-only reporting access rather than store-management functionality

Revocation

• Disconnect Salla in your NaqlaHub workspace settings to remove the stored credential from active use in the product.
• You may also revoke the connected access from the source Salla account that issued the credential.

7f. Zid — Data Handling

How The Connection Works

Zid connections use a platform credential you provide for the workspace you want to connect.

How We Use Zid Data

• To retrieve store-side commerce and performance data made available through the connected Zid environment
• To show commerce context alongside ad-platform reporting in the same workspace
• As read-only reporting access rather than store-management functionality

Revocation

• Disconnect Zid in your NaqlaHub workspace settings to remove the stored credential from active use in the product.
• You may also revoke the connected access from the source Zid account that issued the credential.

8. Data Retention

When you delete your account, all personal data in the categories above (except those subject to legal obligations) will be permanently deleted within 30 days of your deletion request. You will receive an email confirmation when deletion is complete.

9. Security

We implement technical and organizational measures appropriate to the risk level of the data we process:

• Encryption at rest: All database data, including credentials, is encrypted at rest using AES-256 via Supabase's managed encryption.
• Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher (HTTPS enforced).
• Row Level Security: Database-enforced isolation ensures one workspace cannot query another workspace's data — even in the event of an application-layer bug.
• Authentication: Passwords are hashed using bcrypt. Session tokens expire and are rotated on each session.
• Access control: Internal staff access to production data is restricted, logged, and requires multi-factor authentication.

No security measure is 100% effective. If you suspect unauthorized access to your account, please contact us immediately at security@NaqlaHub.com.

10. Your Rights

Depending on your location, you have the following rights over your personal data. To exercise any of these rights, email privacy@NaqlaHub.com with your account email address and the specific right you wish to exercise. We will respond within 30 days (or within the statutory period required by your jurisdiction's law).

Rights available to all users

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data. (Most profile data can be updated directly in your account settings.)
• Deletion: Request deletion of your account and all associated personal data. This can also be initiated from within the Service.
• Data portability: Request your ad performance data exported in a machine-readable format (CSV). This is also available directly in the Service.

Additional rights for EU/EEA/UK users (GDPR / UK GDPR)

If you are located in the European Union, European Economic Area, or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR:

• Restriction of processing: Request that we limit how we use your data in certain circumstances.
• Objection: Object to processing based on legitimate interest.
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Complaint to supervisory authority: You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is at edpb.europa.eu. UK users may contact the ICO at ico.org.uk.

Additional rights for California users (CCPA/CPRA)

California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Know: The right to know what personal information we collect, use, disclose, and sell.
• Delete: The right to request deletion of your personal information.
• Opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is currently required, but we honor any Global Privacy Control (GPC) signal.
• Non-discrimination: You will not be discriminated against for exercising your CCPA rights.

Saudi Arabia users (PDPL)

If you are located in the Kingdom of Saudi Arabia, you have rights under the Personal Data Protection Law (PDPL), including the right to access, correct, and request deletion of your personal data. Contact us at privacy@NaqlaHub.com.

11. Children's Privacy

We do not knowingly collect personal data from individuals under 18. If you are a parent or guardian and believe your child has created an account with us, please contact us immediately at privacy@NaqlaHub.com and we will promptly delete the account and all associated data.

Users under 18 are prohibited from using the Service. If we become aware that a user is under 18, we will immediately suspend the account pending verification and delete it if confirmed.

12. Cookies & Local Storage

Cookies set by NaqlaHub

Browser localStorage (not cookies)

We use your browser's localStorage (not server-side cookies) to store display preferences such as your selected chart type, mock mode toggle, and language preference. This data never leaves your browser and is not transmitted to our servers.

Third-party cookies

We do not currently load any third-party analytics, advertising, or tracking scripts on the Service. If this changes, this policy will be updated and a cookie consent mechanism will be implemented before any non-essential tracking is activated.

Managing cookies

You can control or delete cookies through your browser settings. Deleting essential cookies will require you to log in again. Instructions for major browsers: Chrome · Firefox · Safari.

13. Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. Because we do not currently engage in cross-site tracking or behavioral advertising, our Service does not alter its behavior based on DNT signals — there is nothing to turn off. We do honor the Global Privacy Control (GPC) signal as an opt-out of sale/sharing under CCPA/CPRA (though we do not currently sell data).

14. International Data Transfers

NaqlaHub uses Supabase for data storage. Supabase's infrastructure may be hosted in the United States and other jurisdictions. If you are located in a jurisdiction with data transfer restrictions (such as the EU or Saudi Arabia), your data may be transferred to servers in these regions.

For transfers from the EU/EEA/UK, we rely on:

• Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreement with Supabase
• Supabase's EU data residency options, which we intend to configure as our EU user base grows

15. Policy Updates

We may update this Privacy Policy from time to time. When we make material changes (changes that affect how we collect, use, or share your data), we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to all registered users at least 14 days before the changes take effect
• Display a prominent notice within the Service

Continued use of the Service after the effective date of any updated Privacy Policy constitutes acceptance of the updated terms. If you do not agree, you may delete your account before the effective date.

16. Contact Us

For any privacy-related questions, to exercise your data rights, or to report a suspected data breach, please contact: