ROAS.to
Start free trial

Data Deletion

Last updated: May 10, 2026

ROAS.to provides multiple deletion routes depending on who you are and what relationship you have with us. Pick the route that matches your situation.

  • Are you a ROAS.to Customer (account holder)? Use Route A, B, or C below
  • Did you authorize ROAS.to via Facebook (and want to revoke)? Use Route A — the simplest path
  • Are you an end user (a visitor to a site that uses ROAS.to)? See Section 5 — your request goes to the operator of the site, not to us
  • Exercising a GDPR / UK GDPR / CCPA / Israeli PPL right? See Section 6

Route A — Remove ROAS.to from Facebook

If you connected your Meta assets via Facebook Login for Business, removing ROAS.to from inside Facebook automatically triggers a data-deletion callback to us:

  1. Go to Facebook Settings → Apps and Websites (or Business Settings → Integrations → Connected Apps if you connected via a Business Manager)
  2. Find "ROAS.to" in the list and click "Remove"
  3. Confirm the removal

When Meta sends us the deletion callback we cryptographically verify the request, deactivate every connected Business Manager, null all stored access tokens synchronously, and schedule the associated tenant for full data deletion within ninety (90) days. You receive a confirmation code and a status URL of the form https://www.roas.to/api/facebook/deletion-status?code=YOUR_CONFIRMATION_CODE that you can use to check progress at any time.

Route B — Delete from inside the Dashboard

Account holders can permanently delete their account from inside ROAS.to:

  1. Sign in and go to Settings → Account → Delete account
  2. Confirm by typing DELETE when prompted
  3. Your subscription is cancelled at the end of the current billing period (or immediately if you have no active subscription); automation rules are paused; encrypted Facebook tokens are nulled; tenant data is permanently deleted immediately upon confirmation (no recovery window)

This is a controlled operation: we ask for confirmation because it is permanent. We send a confirmation email after the request is queued and a final email when deletion is complete.

Route C — Email request

To request deletion of all data ROAS.to has stored about your account:

  1. Email privacy@roas.to with the subject line: "Data Deletion Request"
  2. Send from the email address associated with your ROAS.to account so we can verify your identity
  3. We will acknowledge receipt within forty-eight (48) hours
  4. Deletion is completed within ninety (90) days of verified receipt, except for data subject to the residual retention windows in Section 4
  5. You will receive a final confirmation email once deletion is complete

If you cannot send from your registered email (for example, you no longer have access to it), we will require additional information to verify your identity before processing the request.

Route D — Bring Your Own App (BYOA) revocation

If you connected ROAS.to via the BYOA method using a system user token, Meta does not send us a deletion callback (your callbacks are routed to your own Developer App). To stop ROAS.to from accessing your data:

  1. Go to Facebook Business Settings → System Users
  2. Find the system user connected to ROAS.to
  3. Remove the token, or delete the system user entirely

This invalidates access immediately. To also delete the data we have stored, follow up with Route B or Route C — revoking the token alone does not delete the data we have already synced.

1. What gets deleted

On a verified deletion request, we permanently delete:

  • Encrypted Facebook access tokens and app secrets
  • All synced campaign data, ad set and ad metadata, creative content, and performance metrics
  • Automation rules, execution logs, and alert history
  • Clone rules, scaling configurations, and budget-optimizer state
  • A/B test configurations, snippet data, optimization results, and creative analysis records
  • Page-view, product-click, external-click, and conversion records (including any retained IP addresses, sub-IDs, and click identifiers)
  • Hashed contact-field caches used by the Conversions API queue
  • AI usage logs, prompts, and generated content stored on your account
  • Dayparting schedules, auto-boost configuration, and historical state
  • Facebook Page, Pixel, Instagram, and lead-form associations
  • Your account profile, preferences, team invitations, and integrations
  • API keys and webhook endpoints you created on your account

2. What we retain after deletion (and why)

A small set of records survives a deletion request because we are required by law or are protecting legitimate interests of our other Customers. None of these records contains Facebook tokens, end-user content, or campaign data:

  • Billing records: invoices, transaction history, and tax documentation are retained for the period required by Israeli tax, accounting, and anti-money-laundering law (currently 7 years)
  • Deletion request logs: we retain a record that a deletion request was received and fulfilled, including the date, the route used, and any confirmation code, for audit purposes
  • Anonymized, aggregated statistics: aggregated metrics (e.g. counts of accounts deleted in a given month) that cannot reasonably be linked back to any individual or account
  • Abuse-prevention retention (180 days):when an account is deleted, we retain a minimal record for each Facebook Business Manager the account had connected: the Business Manager's public Meta identifier, the account's email address, the Clerk user identifier, and timestamps. No campaign data, creatives, conversions, analytics, or tokens are retained. This exists solely to prevent takeover and trial-cycling abuse of those Business Managers and is automatically purged at 180 days regardless of any other signal. If you later wish to re-connect the same Business Manager to a new account, email support@roas.to from your original signup address
  • Audit and security logs: retained for up to 24 months for fraud, abuse, and security investigations. Where they include personal information, that information is access-restricted and used only for those purposes

3. Cancellation vs. deletion

Cancelling your subscription pauses automation and freezes your data. You can reactivate later without losing campaign history, rules, or configuration. We charge no further Subscription Fee, and AI features are paused.

Data deletion is permanent and irreversible. Once completed, campaigns, creatives, conversions, analytics, tokens, and configuration are removed from our systems and cannot be recovered. To use ROAS.to again after deletion, you must create a new account and reconnect every asset from scratch.

The only exception is the abuse-prevention retention described in Section 2: a minimal Business Manager identifier survives for up to 180 days. If you wish to re-connect the same Business Manager during that window, email support@roas.to from your original signup address and we will verify the re-association.

4. Timeline

  • Acknowledgement: within 48 hours of receipt of a verified request
  • Encrypted token deletion / token nulling: within minutes (synchronous in the deletion callback or in the dashboard delete flow)
  • Bulk content deletion — Route B (Dashboard): immediate upon confirmation. The deletion is permanent and irreversible
  • Bulk content deletion — Route A (Meta callback) and Route C (Email): within 90 days of a verified request. Encrypted tokens and BM access are nulled synchronously; the full tenant record is scheduled for deletion within the 90-day window
  • Backup purge: backups containing your data roll off within 30 additional days as the disaster-recovery rotation completes
  • Abuse-prevention identifiers: auto-purged at 180 days from account deletion
  • Billing and tax records: retained for the period required by Israeli law; not deletable on request

5. End users (visitors to a Customer's site)

If you are a visitor to a website, app, or landing page that uses ROAS.to's tracking technology, the operator of that site (the "Customer") is the data controller for personal data collected from you. ROAS.to acts as that Customer's processor, on the Customer's instructions and under the Customer's privacy policy.

To exercise a right of access, deletion, correction, restriction, portability, objection, or to withdraw a consent, please contact the operator of the website where the data was collected. Their privacy policy will explain how to do so. We cannot honor those requests directly because we do not maintain a relationship with you and have no reliable way to identify which records, if any, relate to you across our Customers.

If you have already contacted a Customer and they have not responded within the applicable statutory period, or if you cannot identify or reach them, you may contact us at privacy@roas.to. We will route your request to the responsible Customer and assist them as set out in our Data Processing Addendum. We will not act on the request directly without explicit instruction from the Customer.

6. Other rights (GDPR, UK GDPR, CCPA, Israeli PPL, others)

Beyond deletion, you may have additional rights under applicable data-protection law — including rights of access, rectification, restriction, portability, objection, and withdrawal of consent. These rights and how to exercise them are described in Section 13 of our Privacy Policy. To exercise them, contact privacy@roas.to from the email address associated with your account.

7. Deletion status

If you received a confirmation code via Route A, paste it below to check status:

If you used Route B or Route C, the confirmation comes by email — keep that email for your records.

8. Questions

Contact privacy@roas.to with any question about deletion, data exports, or your rights. For Customer DPA escalations specifically, write to legal@roas.to.