Privacy Policy
How ROASt Engine handles your data
Last updated: 9 March 2026 · Effective: 9 March 2026
ROASt Engine (adportfolio-5loq.onrender.com) is a Google, Microsoft, and Meta Ads portfolio management and budget optimisation tool operated by Tom Johnson (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect your data when you use the ROASt Engine service.
By connecting your Google Ads account to ROASt Engine, you consent to the data practices described in this policy. The service is available at roast-engine.com.
1. What Data We Collect
1a. Google Ads Data
When you connect your Google Ads account via OAuth 2.0, ROASt Engine accesses the following data through the Google Ads API:
- Campaign names, IDs, statuses, bid strategies, and daily budgets
- Performance metrics: spend, revenue (conversion value), orders (conversions), impression share, and lost impression share (budget and rank)
- Portfolio budget names and amounts
- Account structure (MCC hierarchy and sub-account names/IDs)
We do not collect personal information about your ad viewers, click-level data, search queries, or any personally identifiable information (PII) from your Google Ads account.
1b. Account and Authentication Data
- Your Google account email address (used to identify your session)
- OAuth 2.0 refresh tokens (used to maintain your Google Ads API connection)
1c. Locally Stored Data
- UI preferences (theme, navigation state, active tab) stored in your browser’s localStorage
- Session cookies for authentication
2. How We Use Your Data
Your Google Ads data is used solely to:
- Display campaign and portfolio performance within the ROASt Engine interface
- Generate budget optimisation recommendations through our rule-based engine
- Compute pacing analysis and performance trends
- Push approved budget and bid target changes back to your Google Ads account — all write operations require your explicit approval before execution. Longer term, we will look to implement scheduled execution.
We do not use your data for advertising, profiling, remarketing, creditworthiness assessment, or any purpose other than providing the ROASt Engine service to you.
3. Google API Services Compliance
3a. OAuth Scope
ROASt Engine requests the following OAuth scope:
https://www.googleapis.com/auth/adwords — required to read campaign data and push approved budget/target changes
3b. Limited Use Disclosure
ROASt Engine’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Limited to providing user-facing features: Google Ads data is used only to power the campaign dashboard, optimisation engine, pacing analysis, and budget recommendations visible within the ROASt Engine interface.
- No third-party transfers except as necessary to provide the service: We do not sell, rent, or share your Google Ads data with any third parties, except as described in Section 4 (AI Processing) where aggregated, non-PII campaign metrics may be sent to an AI sub-processor solely to generate optimisation insights displayed within ROASt Engine.
- No use for advertising: We do not use your Google Ads data to serve ads, including retargeting, personalised, or interest-based advertising.
- No use for AI/ML model training: Your Google Ads data is never used to train, improve, or fine-tune generalised or foundational AI/ML models. Any AI processing is limited to generating personalised, per-session insights for your account only.
- Restricted human access: We do not allow humans to read your Google Ads data unless (a) you have given affirmative consent (e.g. for technical support), (b) it is necessary for security purposes such as investigating a bug or abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymised for internal operations.
4. Data Sharing and Sub-Processors
4a. General Position
We do not sell, rent, or share your Google Ads data with any third parties. Your data is only accessible to:
- You, through the ROASt Engine interface
- Our server, for processing optimisation calculations and syncing with Google Ads
4b. AI Processing
ROASt Engine includes an optional AI-powered chat feature. When you use this feature, aggregated campaign performance metrics (spend, revenue, ROAS, impression share) may be sent to Anthropic’s API to generate optimisation insights. These requests:
- Contain no personally identifiable information
- Contain no Google account credentials or OAuth tokens
- Are processed in real time and not retained by the sub-processor for model training
- Are used solely to generate responses displayed within the ROASt Engine interface
4c. Infrastructure
ROASt Engine is hosted on Render.com (US-based cloud infrastructure). All data in transit is encrypted via HTTPS. See Section 7 (Security) for details.
5. Data Storage and Retention
- Campaign and portfolio data: Stored in a SQLite database on our server. Retained for the duration of your account connection.
- OAuth refresh tokens: Stored server-side (never exposed to the browser). Deleted when you disconnect your account.
- Optimisation logs: Budget and target change records are retained for up to 24 months for audit and performance-tracking purposes, or until account deletion, whichever comes first.
- UI preferences and session data: Stored in your browser’s localStorage. You can clear these at any time through your browser settings.
Data deletion: You can delete all synced data at any time by disconnecting your Google Ads account from the Accounts tab. This removes all campaign data, portfolio configurations, optimisation logs, and stored OAuth tokens from our server.
6. Cookies and Tracking
ROASt Engine uses the following browser storage:
- Session cookie: A single HttpOnly, SameSite=Strict cookie with 24-hour expiry, used for authentication. This is a strictly necessary cookie.
- localStorage: Used to persist UI preferences (theme, navigation state, column visibility). Contains no personal data or Google Ads data.
ROASt Engine does not use:
- Third-party cookies
- Analytics or tracking scripts (e.g. Google Analytics, Facebook Pixel)
- Advertising cookies or retargeting pixels
- Browser fingerprinting
7. Security
- All communication between your browser and our server uses HTTPS (TLS) encryption
- OAuth tokens are stored server-side and never exposed to the browser or client-side code
- Session cookies are HttpOnly, SameSite=Strict, with 24-hour expiry
- Sensitive operations (sync, push, execute) require authenticated sessions
- Google Ads API credentials (developer token, client ID, client secret) are stored as encrypted server-side environment variables and are never committed to source code
- The application codebase is version-controlled on GitHub with no secrets in the repository
7a. Incident Response
In the event of a data breach affecting your Google Ads data or account credentials, we will:
- Notify affected users within 72 hours of becoming aware of the breach
- Provide details of the data affected and the steps we are taking to remediate
- Report the breach to relevant authorities where required by applicable law (including the ICO under UK GDPR)
8. Your Rights
You can at any time:
- Revoke access: Disconnect your Google Ads account from the Accounts tab, or revoke ROASt Engine’s access directly from your Google Account permissions
- Delete data: Disconnecting removes all synced campaign data, optimisation logs, and OAuth tokens from our server.
- Export data: Use the Export CSV features in the Portfolios, Campaigns, and Optimiser Logs tabs to download your data.
- Access your data: Contact us to request a copy of all data we hold about your account.
- Rectification: Contact us to request correction of any inaccurate data we hold.
- Object to processing: You may object to any processing of your data by disconnecting your account.
8a. Legal Basis for Processing (UK GDPR / EU GDPR)
We process your Google Ads data under the following legal bases:
- Performance of a contract: Processing is necessary to provide the ROASt Engine service you have signed up to use.
- Legitimate interest: Processing aggregated, anonymised usage data to improve the service, provided this does not override your rights and freedoms.
- Consent: You provide explicit consent when connecting your Google Ads account via OAuth. You may withdraw consent at any time by disconnecting your account.
9. Children’s Privacy
ROASt Engine is a business-to-business tool designed for professional advertisers and agencies. The service is not directed at children under the age of 16 (or 13 where applicable). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes to how we use your Google Ads data, we will notify you via the ROASt Engine interface and prompt you to consent to the updated policy before continuing to use your data in any new way.
We encourage you to review this page periodically. The “Last updated” date at the top indicates when the policy was most recently revised.
11. Contact
For privacy questions, data access requests, or concerns about how we handle your data, contact us at:
If you are located in the UK or EU and are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO).