1. Who this policy covers
This Privacy Policy covers the Tandem Growth Site Audit application, accessible at mymetaaudit.com (the “Service”), and the Meta-integrated workflows it provides. The Service is operated by Tandem Growth (“we,” “us,” or “our”).
This policy explains what we collect, why we collect it, how it is stored, who it is shared with, and how to delete it. It applies to everyone who submits an audit request, connects a Meta Ads account, or receives a generated audit report from us.
2. Information we collect
Information you provide directly when you request an audit:
- Email address.
- Your website URL and up to two competitor URLs.
- Optional business context: product category, average order value, monthly visitors, monthly revenue, target customer description, current conversion rate, and selected priorities.
Collected automatically when you use the Service:
- Public data scraped from your submitted website and competitor websites (page content, metadata, screenshots) via Firecrawl.
- Public data from the Meta Ad Library for the brands you submit, via Apify.
- Basic request metadata (IP address, user agent, timestamps) used for rate-limiting and abuse prevention. We do not run third-party analytics or advertising trackers on the audit application.
Collected from Meta if you choose to connect your Meta Ads account for the deeper paid audit:
- A Meta access token issued by you through Facebook Login. Scope is limited to ads_read. We do not request, receive, or store posting permissions, page management permissions, business management permissions, or any access to your personal Facebook profile beyond identifying you for OAuth.
- The list of ad accounts you authorize, identified by Meta ad account ID and account name, so you can pick which one to audit.
- Aggregated ad performance data (spend, impressions, clicks, conversions, creative metadata, campaign and ad-set structure) read from the selected ad account through the Meta Graph API for the sole purpose of generating your audit report.
We do not collect special-category personal data (health, biometric, political, religious, sexual orientation, etc.). We do not knowingly collect data from anyone under 16.
3. How we use your information
We use the information we collect only to:
- Generate, deliver, and host the audit report you requested.
- Email you the report link and, if you opt in, follow up about a strategy call or related Tandem Growth services.
- Operate, secure, and improve the Service (rate limits, error triage, performance debugging).
- Comply with legal obligations and enforce our Terms.
We do not sell your personal information. We do not use Meta data to build advertising audiences, retarget you, or train any third-party AI model.
4. How we handle Meta Platform Data
When you authorize the Service via Facebook Login, we receive “Platform Data” as defined by the Meta Platform Terms. Specifically:
- Use limitation. Platform Data is used only to produce your audit report and to display it to you. It is not used for advertising, ML model training, resale, or any purpose outside the Service.
- Storage. Access tokens are encrypted at rest using authenticated symmetric encryption (AES-256-GCM) before being written to our database. Encryption keys are stored separately from ciphertext and are rotated on a defined schedule.
- Transmission. All traffic between you, our application, Meta, and our infrastructure is transmitted over TLS.
- Retention. Aggregated ad data fetched from the Meta Graph API is retained only as long as needed to produce and serve your audit report (see “Data retention” below).
- Sharing. We do not share Meta Platform Data with third parties other than the infrastructure subprocessors listed below, and only to the extent necessary to operate the Service.
- Revocation. You can disconnect at any time using the Disconnect control on your audit report page, or by removing the Tandem Growth integration from your Facebook Business Settings → Integrations → Business integrations. We honor revocations immediately.
- Token expiration. If you do not disconnect, the access token issued by Meta naturally expires (typically 60 days) and we no longer have access to your ad account.
We comply with the Meta Platform Terms and Developer Policies. If we detect or suspect any unauthorized access, use, or disclosure of Platform Data, we will notify Meta and affected users without undue delay.
5. Service providers and subprocessors
We use the following third-party services to operate the audit. Each is bound by its own terms and privacy policy and processes data only on our instructions.
- Vercel — web application hosting and edge delivery.
- Supabase — database, authentication infrastructure, and serverless function execution.
- Anthropic (Claude) — LLM analysis used to generate report findings. Inputs are sent through the Anthropic API with zero-retention / no-training options enabled per Anthropic’s commercial terms.
- Firecrawl — public-web scraping of submitted website URLs.
- Apify — structured retrieval of public Meta Ad Library data.
- SendGrid (Twilio) — transactional email delivery (your audit-ready email).
- Slack — internal Tandem Growth team notifications about new audits.
- Stripe — payment processing for paid audit tiers (where applicable). We never see or store full card numbers.
- Meta Platforms, Inc. — OAuth, Graph API, and Meta Ad Library access.
6. Data retention
- Audit records and report JSON are retained for up to 24 months from the date the audit was generated, so you can return to your report link. After that period we may delete or anonymize them.
- Encrypted Meta access tokens are deleted immediately when you click Disconnect, and otherwise expire and are no longer usable approximately 60 days after issuance.
- Email logs are retained by SendGrid per their standard retention.
- Aggregated, de-identified benchmark data derived from audits may be retained indefinitely. This data does not identify you, your brand, or any individual.
7. Your rights and choices
Depending on where you live (including the EU/UK under GDPR and California under the CCPA/CPRA), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Request deletion of your personal data.
- Object to or restrict certain processing (including direct marketing).
- Receive a portable copy of your personal data.
- Withdraw consent at any time, including by disconnecting your Meta account.
To exercise any of these rights, email us at hello@tandemgrowth.co. We will respond within 30 days. We will not discriminate against you for exercising any of these rights.
8. How to delete your data
You have three ways to remove data from the Service:
- Disconnect Meta from inside the report. On any completed audit page that has a connected Meta account, click the Disconnect button. We immediately delete the encrypted access token from our database and call Meta’s permission revocation endpoint as a best-effort cleanup.
- Remove the integration from Facebook. Go to Facebook Settings → Business Integrations, find “Tandem Growth Audit,” and click Remove. This revokes our access on Meta’s side; we then process the deauthorization callback and delete any associated tokens.
- Email a deletion request. Email hello@tandemgrowth.co from the email address you submitted with your audit, with the subject line “Data deletion request.” We will delete your audit record, all associated Meta and scraped data, and your email address from our marketing list within 30 days and confirm completion in writing.
For Meta-mandated User Data Deletion Requests, you can also submit a request directly via the URL configured on our Meta App; we process those requests automatically and return a confirmation code per Meta’s specification.
9. Security
We use industry-standard safeguards to protect your data, including TLS in transit, AES-256-GCM authenticated encryption for Meta access tokens at rest, HMAC-signed OAuth state to prevent CSRF, scoped service-role credentials, and least-privilege access for Tandem Growth team members. No system is perfectly secure; if we ever experience a breach involving your personal data, we will notify affected users and regulators as required by law.
10. International data transfers
The Service is operated from the United States. By using the Service or submitting data to us, you consent to the transfer, processing, and storage of your data in the United States and any other country where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
12. Children
The Service is intended for business operators and is not directed at children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated via the email associated with your most recent audit.
14. Contact us
Questions, requests, or concerns about this policy or your data? Email hello@tandemgrowth.co. For Meta-related questions, you can also use the Data Protection channels Meta provides at facebook.com/help.