Security at AdFlint

A plain, verifiable description of how AdFlint protects your account, your spend, and your data. No marketing claims we can't back up.

Infrastructure

  • AdFlint runs on Vercel. All traffic is served over HTTPS — there is no plain-HTTP version of the app.
  • Application data lives in Supabase Postgres. Database connections from the app use TLS.
  • Secrets (API keys, OAuth client secrets, platform credentials) are stored as Vercel environment variables, scoped per environment.

Authentication & access

  • Auth is handled by NextAuth. Email/password accounts store passwords as bcrypt hashes — the raw password never touches the database.
  • Google OAuth is supported as an alternative sign-in method, so users can avoid creating a separate password.
  • Sessions are issued and validated by NextAuth; sign-out invalidates the session on the server.

Payment security

  • All credit card and billing data is handled by Stripe. AdFlint never sees, stores, or logs card numbers, CVCs, or full bank details.
  • Checkout and subscription billing happen through Stripe-hosted flows. AdFlint only stores Stripe customer and payment IDs needed to reconcile transactions. Your ad spend is billed by the ad platform directly to your connected account — AdFlint never processes it.
  • Refunds and chargebacks for plan fees are processed through Stripe; subscription status in AdFlint is updated from Stripe webhooks.

Ad account access & token safety

  • You connect your own Google, Meta, or LinkedIn ad account through each platform's official OAuth. AdFlint never sees or stores your platform password.
  • The OAuth token AdFlint receives is stored encrypted server-side, never exposed to the browser, and scoped to your account. You can revoke it any time by disconnecting in Settings → Platforms or from the platform directly.
  • AdFlint only manages the campaigns it launches and optimizes in your account — it does not modify, pause, or delete the campaigns you already run. By default you approve every campaign before it goes live; if you enable managed auto-launch, AdFlint launches to your approved plan.

Conversion tracking & PII

  • AdFlint's conversion pixel uses opaque, base64-encoded attribution tokens. We do not put email addresses, names, or other personal identifiers into URL parameters or query strings.
  • Data is isolated per user. Application queries scope campaigns, transactions, and metrics by the authenticated user's ID so accounts cannot read each other's data.
  • Campaigns that you delete are soft-deleted and retained for audit and accounting reconciliation. They no longer appear in your dashboard or run any ad spend.

Reporting concerns

  • Found something that looks like a vulnerability, data exposure, or suspicious account activity? Email security@adflint.com with as much detail as you can share.
  • Please do not publicly disclose suspected vulnerabilities before we have had a chance to respond.

What we don't claim

AdFlint is an early-stage product. We do not currently advertise SOC 2, ISO 27001, HIPAA, or PCI-DSS certifications, and we do not operate a paid bug bounty or a 24/7 incident response rotation. If those are hard requirements for your business, please reach out before signing up so we can talk honestly about fit.