Security at AdFlint
A plain, verifiable description of how AdFlint protects your account, your spend, and your data. No marketing claims we can't back up.
Infrastructure
- AdFlint runs on Vercel. All traffic is served over HTTPS — there is no plain-HTTP version of the app.
- Application data lives in Supabase Postgres. Database connections from the app use TLS.
- Secrets (API keys, OAuth client secrets, platform credentials) are stored as Vercel environment variables, scoped per environment.
Authentication & access
- Auth is handled by NextAuth. Email/password accounts store passwords as bcrypt hashes — the raw password never touches the database.
- Google OAuth is supported as an alternative sign-in method, so users can avoid creating a separate password.
- Sessions are issued and validated by NextAuth; sign-out invalidates the session on the server.
Payment security
- All credit card and billing data is handled by Stripe. AdFlint never sees, stores, or logs card numbers, CVCs, or full bank details.
- Checkout and subscription billing happen through Stripe-hosted flows. AdFlint only stores Stripe customer and payment IDs needed to reconcile transactions. Your ad spend is billed by the ad platform directly to your connected account — AdFlint never processes it.
- Refunds and chargebacks for plan fees are processed through Stripe; subscription status in AdFlint is updated from Stripe webhooks.
Ad account access & token safety
- You connect your own Google, Meta, or LinkedIn ad account through each platform's official OAuth. AdFlint never sees or stores your platform password.
- The OAuth token AdFlint receives is stored encrypted server-side, never exposed to the browser, and scoped to your account. You can revoke it any time by disconnecting in Settings → Platforms or from the platform directly.
- AdFlint only manages the campaigns it launches and optimizes in your account — it does not modify, pause, or delete the campaigns you already run. By default you approve every campaign before it goes live; if you enable managed auto-launch, AdFlint launches to your approved plan.
Conversion tracking & PII
- AdFlint's conversion pixel uses opaque, base64-encoded attribution tokens. We do not put email addresses, names, or other personal identifiers into URL parameters or query strings.
- Data is isolated per user. Application queries scope campaigns, transactions, and metrics by the authenticated user's ID so accounts cannot read each other's data.
- Campaigns that you delete are soft-deleted and retained for audit and accounting reconciliation. They no longer appear in your dashboard or run any ad spend.
Reporting concerns
- Found something that looks like a vulnerability, data exposure, or suspicious account activity? Email security@adflint.com with as much detail as you can share.
- Please do not publicly disclose suspected vulnerabilities before we have had a chance to respond.
What we don't claim
AdFlint is an early-stage product. We do not currently advertise SOC 2, ISO 27001, HIPAA, or PCI-DSS certifications, and we do not operate a paid bug bounty or a 24/7 incident response rotation. If those are hard requirements for your business, please reach out before signing up so we can talk honestly about fit.
Get started
Questions? Email security@adflint.com.