Privacy Policy

Last updated: April 27, 2026

1. Introduction

Cortiv ("we", "our", or "us") is a SaaS platform that helps media buyers and agencies manage and analyse their Meta advertising accounts. This Privacy Policy explains how we collect, use, share, and protect your information when you use our service. It applies to customers ("you") who sign up for an account, and to data you authorise us to access on behalf of the advertising accounts and connected stores you manage.

2. Definitions

  • "Customer Data" means data you authorise us to access — including Meta advertising performance data, Shopify order and product data, and any settings or content you create within Cortiv. You own your Customer Data.
  • "Aggregate Data" means data that has been stripped of identifying information (account names, campaign names, creative content, customer names) and combined with data from other workspaces such that no individual customer or advertising account can be identified.
  • "Account Information" means information about you as a Cortiv user — your email, name, password hash, and workspace membership.

3. Information We Collect

  • Account Information: email address and password hash (managed via Supabase Auth), workspace name, role assignments, and any profile details you provide.
  • Meta Ads data: campaign, ad set, ad, and insights data fetched from the Meta Ads API on your behalf using OAuth access tokens you authorise. Tokens are stored encrypted at rest.
  • Shopify data: when you connect a store, order totals, product titles, and aggregated revenue data. See Section 7 for detail.
  • Operational data: records of actions Cortiv took on your behalf (campaign edits, AI evaluations, decisions, outcomes) and your interactions within the platform.
  • Usage data: standard server logs including IP address, browser type, page paths, and timestamps. Used for debugging, security, and rate-limiting only.

4. How We Use Your Information

We use Customer Data and Account Information to:

  • Provide and operate the Service — display your performance data, sync with Meta and Shopify, run AI evaluations on your accounts, and execute optimisation actions you approve.
  • Authenticate your account and protect against fraud, abuse, and unauthorised access.
  • Send transactional communications (account notifications, sync status, security alerts).
  • Improve the Service — diagnose issues, monitor performance, and develop new features.
  • Comply with legal obligations and enforce our Terms of Service.

We do not sell, rent, or share your Customer Data or Account Information with third parties for their marketing purposes.

5. AI and Machine Learning

Cortiv uses artificial intelligence — including large language models from third-party providers such as Anthropic — to evaluate advertising performance, recommend optimisations, and assist with reporting and content generation.

How we use Customer Data with AI:

  • We pass relevant Customer Data (advertising metrics, account context, prior decisions and their measured outcomes) to AI providers as part of generating recommendations and reports for you.
  • AI providers process this data on our behalf as subprocessors. We use providers whose terms commit to not training their foundation models on our customers' inputs and outputs by default.
  • Within your workspace, we use the measured outcomes of past actions to improve the AI's recommendations on your future actions. This is workspace-private learning — your data stays within your workspace and is not pooled with other customers' data unless you opt in (see Section 6).

What we don't do: we do not use your Customer Data to train our own foundation models, and we do not allow third-party AI providers to train their general-purpose models on your Customer Data. AI outputs are recommendations only — final decisions remain with you.

6. Anonymous Aggregate Data and Network Insights

Cortiv may, with your explicit opt-in, use Aggregate Data to improve the Service for all customers. Aggregate Data is data that has been stripped of identifying information (no account names, campaign names, creative content, customer names, or any data that could identify a specific account or workspace) and combined across customers such that no individual workspace, advertiser, or end customer can be identified or reverse-engineered.

Examples of Aggregate Data we may compute and use across customers (where opted in):

  • Outcome rates by action class (e.g. "scale-up actions improved performance 60% of the time across the network").
  • Statistical patterns linking advertising conditions to outcomes (e.g. "ad sets in Learning status are more likely to decline after scale-up").
  • Industry benchmarks scoped to verticals you opt into (e.g. average CPA ranges within ecommerce-fashion).

Network Insights is opt-in. By default your data is workspace-private. If you opt in, you may opt out at any time, and data already aggregated will not be retroactively un-aggregated (because it cannot be traced back to you), but no further data from your workspace will contribute. We do not sell Aggregate Data to third parties.

7. Shopify Data

When you connect a Shopify store, we access the following data through Shopify's APIs to provide revenue attribution and performance reporting:

  • Orders: order totals, product details, and purchase timestamps used to calculate true ROAS and contribution margin.
  • Products: product names and IDs used to match ad performance to product revenue.
  • Analytics: aggregated store analytics to supplement ad performance data.

We do not store individual customer PII from your Shopify store. Order data is aggregated for reporting purposes only. If you uninstall the Cortiv app from your Shopify store, all associated Shopify data is deleted from our systems within 30 days.

8. Merchant Customer Data

Cortiv does not collect, store, or process personal data from your end customers (the people who buy from your stores or click your ads). We do not place cookies or tracking technologies on your storefront. Order and revenue data accessed through Shopify APIs is aggregated at the account level and does not include individual customer names, email addresses, or other personally identifiable information.

9. Meta Platform Data

We access your Meta Ads data solely to provide the features of this platform. We do not use personal data of Meta users (the people who view or interact with your ads) for any purpose other than displaying the aggregated metrics Meta returns to us. We do not use Meta user-level data to train machine learning models or for any advertising other than the campaigns you operate within your own ad accounts. Access tokens are stored encrypted and used only to fetch your advertising data on your authorisation.

10. Data Sharing and Subprocessors

We share Customer Data with the following categories of subprocessors solely to operate the Service:

  • Cloud infrastructure: Vercel (application hosting) and Supabase (database, auth, file storage), both in the United States.
  • AI providers: Anthropic (Claude API) for language-model inference, in the United States.
  • Email and notifications: standard transactional email providers for account-related communications.
  • Source platforms: Meta Platforms (Facebook/Instagram Ads) and Shopify, both via their official APIs and only to the extent you authorise.

We do not share Customer Data or Account Information with any party for their independent marketing or advertising purposes.

11. International Data Transfers

Cortiv is based in the United States. Customer Data and Account Information are stored and processed in the United States. If you access the Service from outside the United States, your data will be transferred to, stored in, and processed in the United States. By using Cortiv, you consent to this transfer. For customers in the European Economic Area, the United Kingdom, or Switzerland, data transfers are made under applicable safeguards including, where required, Standard Contractual Clauses.

12. Data Retention

We retain Customer Data and Account Information for as long as your account is active. When you delete your account or terminate your subscription, we delete your Customer Data and Account Information within 30 days, except where we are legally required to retain certain records (for example, billing records). Aggregate Data that has been irreversibly de-identified may be retained indefinitely, as it can no longer be linked to you.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete your personal data (subject to legal retention obligations).
  • Object to or restrict certain processing.
  • Data portability — receive your Customer Data in a structured, machine-readable format.
  • Withdraw consent for opt-in processing (e.g. Network Insights) at any time.
  • Lodge a complaint with your local data protection authority.

For California residents (CCPA / CPRA): we do not sell or share personal information as defined under California law. You have the right to know what personal information we collect, request deletion, and not be discriminated against for exercising your rights.

To exercise any of these rights, email support@cortiv.iowith the subject line "Privacy Request". We will respond within 30 days.

14. Cookies and Similar Technologies

We use a small number of strictly necessary cookies to operate the Service: an authentication cookie to keep you signed in, and session cookies for security. We do not use advertising, analytics, or third-party tracking cookies. Disabling strictly necessary cookies will prevent you from signing in.

15. Children's Privacy

Cortiv is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

16. Security

We use industry-standard security practices including TLS-encrypted connections, encryption of sensitive credentials at rest, row-level security in our database, scoped access tokens, and principle-of-least-privilege access controls for our team. No method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a security incident materially affecting your data, we will notify you without undue delay.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and update the "Last updated" date above. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

18. Contact

For privacy-related questions or to exercise your rights, contact us at: support@cortiv.io