Security at AdFlint

A plain, verifiable description of how AdFlint protects your account, your spend, and your data. No marketing claims we can't back up.

Infrastructure

  • AdFlint runs on Vercel. All traffic is served over HTTPS — there is no plain-HTTP version of the app.
  • Application data lives in Supabase Postgres. Database connections from the app use TLS.
  • Secrets (API keys, OAuth client secrets, platform credentials) are stored as Vercel environment variables, scoped per environment.

Authentication & access

  • Auth is handled by NextAuth. Email/password accounts store passwords as bcrypt hashes — the raw password never touches the database.
  • Google OAuth is supported as an alternative sign-in method, so users can avoid creating a separate password.
  • Sessions are issued and validated by NextAuth; sign-out invalidates the session on the server.

Payment security

  • All credit card and billing data is handled by Stripe. AdFlint never sees, stores, or logs card numbers, CVCs, or full bank details.
  • Checkout and credit purchases happen through Stripe-hosted flows. AdFlint only stores Stripe customer and payment IDs needed to reconcile transactions.
  • Refunds and chargebacks are processed through Stripe; ad credit balances in AdFlint are adjusted from Stripe webhooks.

Ad account isolation

  • AdFlint runs every campaign under its own managed Google Ads, Meta, and LinkedIn ad accounts. Customers do not connect, share, or expose their own ad accounts.
  • Because customer ad accounts are not required, there are no third-party platform credentials to leak from a customer breach.
  • Platform API tokens used by AdFlint to launch and monitor campaigns are held server-side only — they are never exposed to the browser.

Conversion tracking & PII

  • AdFlint's conversion pixel uses opaque, base64-encoded attribution tokens. We do not put email addresses, names, or other personal identifiers into URL parameters or query strings.
  • Data is isolated per user. Application queries scope campaigns, transactions, and metrics by the authenticated user's ID so accounts cannot read each other's data.
  • Campaigns that you delete are soft-deleted and retained for audit and accounting reconciliation. They no longer appear in your dashboard or run any ad spend.
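
The claim that no personal identifiers appear in URL parameters can be checked from outside by inspecting any tracking URL. Base64 is an encoding, not encryption, so a token is only opaque if what it encodes is not itself an identifier. The script below is an added example, not AdFlint's code: it flags query parameters that carry an email address either in clear text or inside a base64 value, and its hostname, parameter names and sample values are constructed.

```javascript
// Added example: audit tracking URLs for email addresses in query strings.
// Hostname, parameter names and values are constructed, not AdFlint's.
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Encode bytes as unpadded base64url (used only to build the samples).
const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode base64 or base64url; return null when the value is not valid base64.
function tryBase64(value) {
  if (value.length < 8 || !/^[A-Za-z0-9+/_-]+={0,2}$/.test(value)) return null;
  const std = value.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  const bytes = Buffer.from(std, 'base64');
  // Node decodes leniently, so require a clean round trip.
  if (bytes.toString('base64').replace(/=+$/, '') !== std) return null;
  return bytes.toString('utf8');
}

// Return one finding per query parameter that carries an email address.
function auditUrl(url) {
  const findings = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (EMAIL.test(value)) {
      findings.push({ name, reason: 'email in clear text' });
    } else {
      const decoded = tryBase64(value);
      if (decoded !== null && EMAIL.test(decoded)) {
        findings.push({ name, reason: 'email inside base64 value' });
      }
    }
  }
  return findings;
}

// Constructed sample URLs: a random-looking token, an encoded email, a plain email.
const SAMPLES = {
  opaque: 'https://tracker.example/c?t=' +
    b64url(Buffer.from('00112233445566778899aabbccddeeff', 'hex')),
  encodedEmail: 'https://tracker.example/c?t=' + b64url(Buffer.from('user@example.com')),
  clearEmail: 'https://tracker.example/c?email=user%40example.com&ref=abc',
};

for (const [label, url] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(auditUrl(url)));
}
```

The check only looks for email addresses; names or account IDs encoded in a token would need their own patterns.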

Reporting concerns

  • Found something that looks like a vulnerability, data exposure, or suspicious account activity? Email security@adflint.com with as much detail as you can share.
  • Please do not publicly disclose suspected vulnerabilities before we have had a chance to respond.

What we don't claim

AdFlint is an early-stage product. We do not currently advertise SOC 2, ISO 27001, HIPAA, or PCI-DSS certifications, and we do not operate a paid bug bounty or a 24/7 incident response rotation. If those are hard requirements for your business, please reach out before signing up so we can talk honestly about fit.