Privacy Policy

Effective Date: May 23, 2026
Last Updated: May 23, 2026
Legal Entity: ACE Financials Technology (operating A2 GTM)
Address: 2647 Narnia Way, Suite 101, Land O Lakes, FL 34638, United States
Privacy Contact: [email protected]

A2 GTM is a B2B platform of AI marketing and sales agents that operate paid-media campaigns, SEO programs, conversion-rate optimization, and outbound sales workflows on behalf of our business customers. To do that, we collect account information, telemetry from our own product, content our customers upload, and — where customers connect their own ad-platform, analytics, or CRM accounts — data those platforms return to us under tokens our customers authorize. This policy explains what we collect, why, how long we keep it, who we share it with, and how to control or delete it.

On this page

Information We Collect
Google User Data
Meta Platform Data
How We Use Information
AI and Machine Learning
Data Sharing and Subprocessors
Data Retention
Security
Your Rights
Revoking Access
Data Deletion Requests
Children
International Transfers
Changes to This Policy
Contact

1. Information We Collect

Account data

Name, work email, password (hashed), and the company you represent.
Job title, business phone number, and mailing or business address you choose to provide.
Billing details: payment card token (handled by our payment processor — we do not store full card numbers), billing address, tax identifier where applicable, and invoice history.
Profile photo or company logo if you upload one.

Usage and telemetry

Standard server logs: IP address, browser user agent, request paths, response status, timestamps.
In-product event telemetry: which features you used, which agents you ran, run durations, error codes, and aggregate performance counters.
Device and session metadata: screen size, locale, timezone, and a session identifier stored in a cookie or local storage.

Customer-provided content

Campaign briefs, ad copy, landing-page text, and creative assets you upload.
Prospect and lead lists you import (names, business email, business phone, company, role, and notes you add).
Email templates, voice-call scripts, and approval workflows you create.
Integration credentials you authorize (OAuth tokens for ad platforms, analytics, CRMs, etc.) — we store these encrypted and use them only to operate the agents you configured.

Cookies and similar technologies

Strictly necessary cookies — authentication session, CSRF protection, load-balancer affinity. The product will not function without these.
Analytics cookies — first-party measurement of which pages and features are used, used in aggregate to prioritize improvements.
Marketing cookies — used on our public marketing pages (not the logged-in product) to measure ad performance for our own customer acquisition. You can opt out via your browser controls or your regional cookie banner.

2. Google User Data

When you connect your Google account to A2 GTM (for advertising, analytics, or sign-in), Google asks you to grant specific OAuth scopes. The table below lists the scopes A2 GTM may request, the reason we request each one, what data Google returns to us under that scope, where we store it, how long we keep it, and whether we share it.

Scope	Purpose	Data we receive	Storage & retention	Shared with
`https://www.googleapis.com/auth/adwords`	Create, edit, pause, and report on Google Ads campaigns you authorize the agent to manage on your behalf.	Account ID, campaign and ad-group structures, keywords and bids, creative copy, performance metrics (impressions, clicks, conversions, cost), audience definitions you maintain inside Google Ads.	Encrypted at rest in our database. OAuth refresh token retained until you revoke. Performance data retained for the lifetime of your A2 GTM account plus 90 days, then deleted.	Not shared. Used only to render your dashboard, run your agents, and generate the reports you receive.
`https://www.googleapis.com/auth/analytics.readonly`	Pull website performance metrics into your A2 GTM reports so the SEO and CRO agents can act on real data.	Property ID, dimension and metric values you query (sessions, users, conversions, source/medium, page paths). We do not retrieve individual user identifiers.	Cached up to 24 hours for dashboard performance, then re-fetched. Aggregated metrics retained for the lifetime of your account plus 90 days.	Not shared.
`https://www.googleapis.com/auth/webmasters.readonly`	Pull search-query and crawl-status data from Google Search Console for the SEO agent to identify keyword and content opportunities.	Site URL, query strings, click-through rate, average position, indexing status.	Cached up to 24 hours, refreshed on demand. Aggregated metrics retained for the lifetime of your account plus 90 days.	Not shared.
`openid`, `email`, `profile`	Sign in with Google. Used only to authenticate your identity and pre-fill your A2 GTM profile.	Google account ID, email address, name, profile picture URL.	Stored on your A2 GTM user record. Retained until you delete your account.	Not shared.

We only request the scopes needed for the features you actually enable. You can review or revoke A2 GTM's access at any time at https://myaccount.google.com/permissions; see also Section 10 below.

A2 GTM's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train generalized AI/ML models. We do not sell Google user data. We do not transfer Google user data for advertising, retargeting, credit-worthiness, or lending purposes. Human access to Google user data is limited to (a) with the user's explicit consent, (b) for security or to comply with applicable law, (c) to operate the service when data is aggregated and anonymized.

3. Meta Platform Data

When you connect a Meta (Facebook) Business account, A2 GTM accesses the Meta Platforms on your behalf using the permissions you grant. The table below lists the permissions we request, the reason for each, the data Meta returns, retention, and sharing posture.

Permission	Purpose	Data we receive	Storage & retention	Shared with
`ads_management`	Create, edit, pause, and budget Meta Ads campaigns you authorize the agent to manage.	Ad-account ID, campaign / ad-set / ad structures, creative, targeting definitions you maintain in Meta, schedule and budget settings.	Encrypted at rest. OAuth tokens retained until you revoke. Campaign metadata retained for the lifetime of your account plus 90 days.	Not shared.
`ads_read`	Pull campaign performance metrics into A2 GTM reporting so the agent can attribute and optimize.	Aggregated impressions, reach, clicks, conversions, spend, CPM/CPC/CPA per campaign and ad. We do not retrieve individual user-level data.	Cached up to 24 hours, then re-fetched. Aggregated metrics retained for lifetime of account plus 90 days.	Not shared.
`business_management`	Operate within your Meta Business Manager so the agent can attach assets to the right ad accounts and pages.	Business ID, list of ad accounts / pages / pixels you've granted the agent access to, role assignments.	Stored encrypted; refreshed on demand.	Not shared.
`pages_read_engagement`	Read engagement metrics on Pages you authorize so the content agent can identify what's resonating.	Page-level reach, reactions, comments-count, shares-count. We do not retrieve individual commenter identities for off-platform use.	Cached up to 24 hours; aggregated trend data retained for lifetime of account plus 90 days.	Not shared.
`pages_manage_ads`	Run ads from a Page you authorize when the agent is configured to do so.	Page ID, ad assets associated with the page.	Encrypted at rest; retained until you revoke or delete the integration.	Not shared.
`pages_show_list`	List the Facebook Pages you manage so you can choose which Page to connect to A2 GTM.	Page IDs and names of Pages you administer.	Stored encrypted at rest; refreshed on demand.	Not shared.
`pages_manage_posts`	Publish text, image, and video posts to your selected Facebook Page on your behalf when you click "Publish" in A2 GTM.	Post content you create in A2 GTM, plus the Page ID you targeted.	Post payloads sent to Meta; A2 GTM retains post-id / status for analytics for the lifetime of your account plus 90 days.	Not shared.
`pages_manage_engagement`	Read and respond to comments, reactions, and messages on posts you have published through A2 GTM so you can manage engagement from the dashboard.	Comment text, reaction counts, sender IDs.	Cached up to 24 hours; aggregated metrics retained for lifetime of account plus 90 days.	Not shared.
`pages_read_user_content`	Read posts and content you have authored on your connected Page so A2 GTM can display history and let you edit drafts.	Post text, media references, timestamps.	Cached up to 24 hours; aggregated metrics retained for lifetime of account plus 90 days.	Not shared.
`read_insights`	Retrieve Page-level insights (reach, impressions) for posts you have published, used for the A2 GTM analytics dashboard.	Aggregated reach, impressions, and engagement counts.	Cached up to 24 hours; aggregated metrics retained for lifetime of account plus 90 days.	Not shared.
`public_profile`	Read your basic Facebook profile (name, profile picture) to identify the connected account inside A2 GTM.	Facebook user ID, display name, profile picture URL.	Stored encrypted at rest; refreshed on login.	Not shared.
`email`	Retrieve the email address on file for the connected Meta account, used only for account identification.	Email address.	Stored encrypted at rest.	Not shared.
`instagram_basic`	Identify the Instagram Business account linked to the connected Facebook Page so you can publish to Instagram from A2 GTM.	Instagram Business account ID and username.	Stored encrypted at rest; refreshed on demand.	Not shared.
`instagram_content_publish`	Publish image, carousel, and video content to your connected Instagram Business account on your behalf when you click "Publish" in A2 GTM.	Media payloads you upload in A2 GTM and the target Instagram account ID.	Media payloads sent to Meta; A2 GTM retains post-id / status for analytics for the lifetime of your account plus 90 days.	Not shared.
`leads_retrieval`	Retrieve leads submitted through Facebook Lead Ads on your connected Page so they appear inside A2 GTM's lead views.	Lead form fields the lead voluntarily submitted (e.g., name, email, phone) plus the lead form and ad IDs.	Stored encrypted at rest; deleted when you revoke access or delete the lead.	Not shared with parties other than the subprocessors listed in Section 6.

Meta Platform callback endpoints

A2 GTM hosts the following endpoints that Meta calls as part of the platform integration. They are documented here for transparency:

/api/social/oauth/meta/callback — OAuth callback used after you authorize the A2 GTM app on Facebook.
/api/meta/webhook — receives Meta webhook events (Page posts, leads, messaging) so we can sync activity back into the A2 GTM dashboard.
/api/meta/deauthorize — called by Meta when you remove the A2 GTM app; we use it to purge associated tokens and stop syncing data.
/api/meta/data-deletion — called by Meta when you request deletion of your data; we use it to delete your Meta-derived data from our systems and return a confirmation code (see Section 11).

Meta Platform Terms compliance. A2 GTM complies with the Meta Platform Terms and Developer Policies. Specifically:

We do not cache Meta Platform Data longer than necessary to provide the service. Aggregated metrics are kept for reporting; raw API responses are discarded after the cache TTL.
We honor user and Page deletion requests within the time frames Meta requires; see Section 11.
We do not use Meta Platform Data to build profiles, target advertising at users outside Meta's own platforms, or determine credit-worthiness or eligibility for housing, employment, insurance, or government benefits.
We do not transfer Meta Platform Data to data brokers, ad networks, or any party other than the subprocessors listed in Section 6, each of which is contractually limited to the operations described.
We do not use Meta Platform Data to train generalized AI/ML models. See Section 5.

You can review and revoke A2 GTM's access to your Meta accounts at any time at https://www.facebook.com/settings?tab=business_tools.

4. How We Use Information

Operating the agents you enabled. Reading and writing to your connected ad platforms, analytics, CRM, and email systems to execute the campaigns, reports, and workflows you've configured.
Lead management and scoring. Storing the prospect and lead lists you import; scoring and qualifying them based on rules or AI models you have authorized.
AI voice and email outreach. Generating and sending the email and call scripts you have approved; recording call outcomes (status, duration, transcript where you've enabled it) for your reporting.
Content generation. Producing draft copy, landing-page variants, and creative assets when you ask the relevant agent to generate them.
Analytics, monitoring, and improvement. Aggregated, de-identified telemetry to understand product usage and reliability; troubleshooting in response to specific support requests you initiate.
Account, billing, and notifications. Processing your subscription, sending invoices, security alerts, and service announcements.
Legal and safety. Detecting abuse, complying with subpoenas and court orders, enforcing our Terms.

5. AI and Machine Learning

Foundation model training. A2 GTM does not use customer content, Google user data, or Meta Platform Data to train generalized foundation models, whether our own or those of third-party AI providers we use. Our agents call hosted models in inference mode only.

Tenant-specific learning. When you opt in, we may use your own data to fine-tune or condition models that operate exclusively within your tenant — for example, training a per-customer copy style or a per-customer lead-scoring model. This data does not leave your tenant boundary, and you can disable per-tenant learning and request deletion of any learned weights at any time via Settings or by emailing [email protected].

Third-party AI subprocessors. We send prompts and the minimum necessary context to third-party large-language-model providers in order to operate our agents. We have data-processing agreements with these providers that prohibit them from training their models on our customers' data (zero-retention or training-disabled tier where the provider offers it). Current providers are listed in Section 6.

We do not sell personal information. We share data only with the categories of subprocessors listed below, each contracted to use data solely to deliver services to A2 GTM, with confidentiality and security obligations at least as protective as this policy.

Category	Provider	Purpose	Region
Cloud hosting and storage	Google Cloud Platform	Application servers, database, blob storage, secret management.	United States
Database hosting	PostgreSQL on Google Cloud SQL	Primary data store.	United States
Payments	Stripe, Inc.	Subscription billing, card processing. Stripe stores card data; A2 GTM stores only a tokenized reference.	United States
Transactional email	SendGrid (Twilio, Inc.)	Account, billing, and notification emails.	United States
AI voice / SMS infrastructure	Twilio, Inc.	Outbound voice calls and SMS for sales-outreach agents.	United States
AI inference (large language models)	Anthropic, PBC and Google (Gemini API)	Generates copy, scripts, summaries, and analyses on demand. Configured for zero retention / no-training where supported.	United States
Error monitoring	Sentry	Application error tracking; PII is scrubbed before transmission.	United States
Analytics (marketing site only)	Google Analytics 4	Aggregated visitor analytics on the public marketing site. Not used inside the logged-in product.	United States
SEO, CRO, ads-platform integrations	The third-party platforms you connect (Google Ads, Meta, TikTok, LinkedIn, Search Console, Hotjar, Ahrefs, HubSpot, Salesforce)	Data flows to and from these platforms only under tokens you have authorized, and only when the corresponding agent is enabled.	Per provider

We may also disclose information when required by law, when responding to lawful requests by public authorities, to protect our rights and the safety of users, or in connection with a corporate transaction (merger, acquisition, financing, or sale of assets), in which case we will require the recipient to honor this policy.

7. Data Retention

Account profile and billing records: retained for the lifetime of your account, then for 90 days after deletion to allow account recovery and tax / dispute compliance, then deleted from production systems and aged out of backups within an additional 35 days.
Customer-provided content (leads, campaigns, templates): retained for the lifetime of your account; deleted within 30 days of an account-deletion request, except where law requires longer retention.
Google and Meta OAuth tokens: retained until you revoke access (in your Google or Meta account, or by disconnecting the integration in A2 GTM Settings). Revocation triggers deletion within 24 hours.
Cached Google API and Meta Platform data: short-lived caches expire within 24 hours; aggregated derived metrics retained for the lifetime of your account plus 90 days.
Server logs and telemetry: 13 months, then deleted.
Support correspondence: 24 months for quality and abuse review.

To request deletion outside of these schedules, email [email protected]; see Section 11.

8. Security

All traffic to and from A2 GTM is encrypted with TLS 1.2 or higher.
Data at rest is encrypted with AES-256 (managed by our cloud provider).
OAuth tokens, API keys, and other credentials are encrypted with envelope encryption and stored in a managed secret store.
Access to production data is restricted to a minimal set of engineers, governed by role-based access control and multi-factor authentication, and logged for audit.
We perform periodic vendor security reviews on subprocessors and require data-processing agreements before sharing personal data.
SOC 2 Type II audit — in progress. We do not currently claim ISO 27001, HIPAA, or PCI DSS certification; payment data is handled by Stripe, which is PCI DSS Level 1 certified.

If you believe you've found a security issue, please email [email protected]. See our Data Security page for our vulnerability-disclosure process.

9. Your Rights

If you are in the European Economic Area, the United Kingdom, or Switzerland (GDPR / UK GDPR): you have the right to access the personal data we hold about you, to request correction or deletion, to restrict or object to processing, to receive your data in a portable format, and to lodge a complaint with your local supervisory authority.

If you are a California resident (CCPA / CPRA): you have the right to know what personal information we collect and how we use it, to request deletion, to request correction, to opt out of any sale or sharing of your personal information (we do not sell personal information and do not share it for cross-context behavioral advertising), to limit use of sensitive personal information, and to be free from retaliation for exercising any of these rights.

How to exercise a right. Send a request to [email protected]. We will verify your identity (typically by confirming you control the email on the account) and respond within the period required by applicable law (45 days under CCPA, 30 days under GDPR, with a possible 60-day extension if necessary).

Authorized agents. California residents may use an authorized agent. We will require written authorization signed by you and verification of the agent's identity.

10. Revoking Access

You can revoke A2 GTM's access to third-party accounts at any time:

Google: visit https://myaccount.google.com/permissions, find "A2 GTM," and click Remove Access. Revocation propagates immediately and we delete the related tokens within 24 hours.
Meta: visit https://www.facebook.com/settings?tab=business_tools, find A2 GTM under Connected Apps and Business Tools, and remove it.
In-product: sign in to A2 GTM, go to Settings → Integrations, and click Disconnect next to the relevant integration. This revokes the token on our side immediately and signals revocation to the upstream platform where the API supports it.

11. Data Deletion Requests

To request deletion of your A2 GTM account and all associated personal data:

Sign in and go to Settings → Account → Delete Account, or
Email [email protected] from the address on the account.

We will confirm receipt within 5 business days and complete deletion within 30 days, except for records we are required to retain by law (for example, tax records). Where we cannot delete a record entirely, we will anonymize it.

If you have only used A2 GTM through a Meta Login flow and never created a separate password, Meta also forwards account-deletion signals to A2 GTM via the Data Deletion Request callback. We honor those signals on receipt. For step-by-step instructions, the Meta callback URLs, and detail on what gets deleted, see our dedicated Data Deletion page.

12. Children

A2 GTM is a B2B product not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.

13. International Transfers

A2 GTM is operated from the United States and stores data on infrastructure located in the United States. If you access A2 GTM from outside the U.S., your information will be transferred to and processed in the U.S.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK Addendum where applicable, and additional safeguards (encryption in transit and at rest, access logging, data-minimization, and contractual restrictions on subprocessor onward transfers). A copy of the SCCs in force can be requested from [email protected].

14. Changes to This Policy

We will revise this policy as our product, subprocessors, or applicable law change. We will post the new effective date at the top of this page. For material changes (for example, adding a new category of data we collect or a new category of recipient), we will notify account administrators by email at least 30 days before the change takes effect, and display an in-product banner.

15. Contact

ACE Financials Technology (operating A2 GTM)
2647 Narnia Way, Suite 101
Land O Lakes, FL 34638
United States

Privacy inquiries: [email protected]
Security disclosures: [email protected]
Legal / Terms: [email protected]

For privacy-related questions or to exercise your data rights (including data access, correction, or deletion), contact our privacy team at [email protected]. If A2 GTM appoints a Data Protection Officer or EU representative in the future, their name and contact details will be listed here.