Privacy Policy

Last updated: May 10, 2026

1. Introduction

ROAS.to ("ROAS.to", "we", "us", "our", "the Platform") is a Facebook ad optimization platform operated by Guru Media Int Ltd., an Israeli private company (Company Registration Number 514452465) of Bet Shemesh, Israel. This Privacy Policy describes how we collect, use, retain, share, and protect personal information when you use our website (roas.to, www.roas.to), our application, and any related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service regardless of location, including users in the European Economic Area (EEA), United Kingdom (UK), Switzerland, California, Israel, and other jurisdictions with data protection laws. It is incorporated into our Terms of Service. Where you are a Customer of ROAS.to and we process personal information on your behalf, our Data Processing Addendum also applies and prevails over this Privacy Policy for that processing.

By creating an account or using the Service, you confirm that you have read and understood this Privacy Policy. If you do not agree, you must not use the Service.

2. Our Role: Controller vs. Processor

Different relationships create different legal roles. It is important that you understand which role we play for which data, because rights, remedies, and obligations differ accordingly.

2.1 ROAS.to as a Controller

We act as an independent "data controller" (or equivalent term under applicable law) for personal information that we collect to operate our own business. This includes:

  • Information about you, the account holder (your name, email address, Clerk user identifier, login activity, support correspondence)
  • Information about how you use our dashboard (pages visited, features used, error reports, performance telemetry)
  • Billing metadata (subscription state, invoices) processed via Dodo Payments
  • Limited information collected on the marketing site at www.roas.to (including cookies set by our own Meta pixel for measuring the performance of ads we run for ROAS.to itself — see the Cookie Policy)

2.2 ROAS.to as a Processor

We act as a "data processor" (or "service provider" under the CCPA) when we process personal information on behalf of you, the Customer, in the course of providing the Service. The Customer is the controller for that data and determines its purposes and means. This includes:

  • Personal information contained in your Facebook ad account (custom audiences, customer lists, lead-gen submissions, advertiser-supplied creative content)
  • Personal information transmitted by visitors to your websites and landing pages through tracking technology you choose to deploy (our pixel, our Shopify pixel, our funnel bridge, our snippet worker, our redirect tracker, or our edge worker on your custom domain) — including IP addresses, user agents, click identifiers, visitor identifiers, sub-IDs, and (where you elect to send them) hashed contact fields such as email and phone for Meta's Conversions API
  • Personal information you upload, paste, or otherwise input into the Service for processing (for example, ad copy, brand context, customer-list uploads)

For data we process as a processor, you (the Customer) are responsible for determining the lawful basis, providing required notices to data subjects, securing consents (including cookie consents on your own properties), responding to data subject requests (we will assist as set out in the Data Processing Addendum), and otherwise complying with applicable data protection laws. Our processing of that data is governed by your instructions, the Service's configuration, our Terms of Service, and the DPA.

3. How ROAS.to Works

ROAS.to connects to Facebook (Meta) ad accounts to provide campaign management, optimization, and analytics. There are two ways to connect:

  • Facebook Login for Business (recommended): You authorize ROAS.to through Meta's official OAuth flow. You select which ad accounts to share, and we receive a secure access token. You can revoke access at any time from your Facebook Business Settings or from Settings → Apps and Websites on Facebook.
  • Bring Your Own App (advanced): You create your own Facebook Developer App and connect it to ROAS.to using a system user token. You retain full control and can revoke the token at any time from your Facebook Business Manager.

Regardless of the connection method, you retain full control of your Facebook account and can disconnect ROAS.to at any time.

We also offer optional tracking technology (pixel, Shopify pixel, funnel bridge, redirect tracker, snippet worker, edge worker) that you may install on your own websites to measure ad performance and feed conversions back to Meta's Conversions API. You decide whether to deploy any of these and on which properties.

4. Information We Collect

4.1 Information you provide directly (we are controller)

  • Account registration details (email address, name)
  • Facebook connection credentials (access tokens and, where applicable, app secrets — always stored encrypted, never in plaintext)
  • Automation rules, clone rules, and campaign configurations you create
  • A/B test configurations and creative assets you upload
  • Brand context, prompt overrides, and AI configuration you supply
  • Support communications, feedback, and bug reports you send us

4.2 Information we receive from Meta (we are processor)

Through the Facebook Marketing API, we access the following data from the ad accounts you choose to connect:

  • Ad account structure and metadata (campaigns, ad sets, ads, budgets, statuses, spend caps, currency)
  • Performance metrics and insights (impressions, clicks, spend, conversions, ROAS, CPA, CTR, CPM, frequency, action breakdowns)
  • Creative content (images, videos, headlines, body text, call-to-action types, Advantage+ creative variations)
  • Facebook Page IDs, names, and post-engagement metadata
  • Pixel IDs, Conversions API datasets, and conversion event configurations
  • Audience and targeting data (demographics, interests, custom audiences, lookalike audiences, geo-targeting, behaviors, life events, languages, exclusions)
  • Business Manager IDs, system user IDs, and associated ad account lists
  • Instagram account IDs connected to your Pages (for ad placement and creative analysis)
  • Lead-form submissions (lead generation campaigns), where you have configured ROAS.to to retrieve them

We only access data from ad accounts that you explicitly connect. We do not access personal Facebook profiles, private messages, friend lists, photos, timeline posts, groups, or any data outside of your business ad accounts.

4.3 Information transmitted from visitors to your websites (we are processor)

If you choose to deploy our tracking technology — for example our pixel (pixel.js), our Shopify pixel (shopify.js), our funnel bridge (bridge.js), our snippet worker (opt.roas.to), our redirect tracker (track.roas.to), or our edge worker on your custom domain — those technologies transmit information from visitors to your websites to our infrastructure. The categories include:

  • Network and device signals: IP address, user-agent string, screen size, language, approximate geographic location derived from IP
  • Click identifiers and ad attribution parameters: fbclid, sub-IDs (campaign / ad set / ad / variant / click identifiers), UTM parameters, and a first-party visitor identifier (_roas_vid)
  • Page-context signals: page URL, referring URL, on-page test variant identifier, session timing
  • Event payloads: page views, product clicks, custom events, and conversion events (order ID, value, currency, line items) that you fire from your site
  • Where you elect to send them, hashed contact fields used by Meta's Conversions API for matching: SHA-256 hashes of email, phone, first name, last name, and an external identifier you supply. We forward these hashes to Meta on your behalf and do not retain them in plaintext at any point

For this category of data, you (the Customer) are the controller and are responsible for: providing your visitors with notice of your use of these technologies; obtaining any required consents (including under the EU ePrivacy/GDPR, UK PECR, German TTDSG/TDDDG, and similar laws); honoring opt-outs; and any other obligations imposed by applicable law. ROAS.to does not display a consent banner on your behalf and does not maintain a relationship with your visitors. See our Cookie Policy for the inventory of cookies and storage keys our technology may set on your properties.

4.4 Information collected automatically (we are controller)

  • Usage data within the dashboard (pages visited, features used, actions taken)
  • Device and browser information (browser type, operating system)
  • IP address and approximate geographic location of dashboard logins
  • Error reports and performance logs (via Sentry)
  • Authentication session metadata (managed by our authentication provider, Clerk)

5. How We Use Your Information

We use the information described above for the following purposes:

  • Operating, providing, and improving the Service
  • Displaying campaign performance dashboards, analytics, and reports
  • Executing automation rules you configure (auto-pause, auto-scale, dayparting, budget optimization, auto-boost, scheduled cloning)
  • Running landing page A/B tests and snippet optimization
  • Creating, duplicating, and managing ad campaigns, ad sets, and ads
  • Generating AI-powered ad creatives, campaign analysis, and optimization suggestions when you invoke them
  • Sending conversion data back to Meta's Conversions API on your behalf
  • Authenticating you and securing your account
  • Sending transactional and operational emails (account alerts, automation notifications, security notices, billing receipts) — these are not marketing emails and you cannot opt out of them while you have an active account
  • Sending marketing or product-update emails only with your consent, or where permitted by applicable law on a soft-opt-in basis with a clear unsubscribe in every message
  • Diagnosing technical issues, preventing fraud and abuse, and improving platform reliability and security
  • Enforcing our Terms of Service, this Privacy Policy, and applicable law
  • Complying with legal obligations (tax, accounting, lawful requests)

We do not use data obtained from Meta APIs, or data transmitted from your visitors via our tracking technology, for any purpose other than providing and improving the Service for the specific Customer who authorized access. We do not use that data to build or augment user profiles for advertising, marketing, or onward sale, and we do not combine that data with data from other Customers to produce cross-Customer products.

6. What We Do Not Do

  • We do not sell, rent, lease, or trade personal information to any third party for value
  • We do not "share" personal information for cross-context behavioral advertising as defined under the CCPA/CPRA
  • We do not use your data, your Customer's data, or end-user data for our own advertising or marketing
  • We do not share data obtained from Meta APIs with third parties, including data brokers, ad networks, or analytics providers, except subprocessors necessary to provide the Service (see /subprocessors)
  • We do not store your Facebook login password — we use OAuth tokens or system user tokens exclusively
  • We do not access data from ad accounts you have not explicitly connected
  • We do not use data obtained from Meta APIs, end-user data transmitted through our tracking technology, or your inputs to train any general-purpose AI model. Where we use third-party AI providers (such as Anthropic, OpenAI, and Google) to fulfill features you invoke, we use their API offerings under terms that prohibit training on submitted data
  • We do not read or write to ad accounts on a schedule of our own choosing — every read or write is the result of either a Customer-initiated action, an automation rule the Customer configured, or a scheduled sync the Customer enabled
  • We do not retain plaintext copies of access tokens, app secrets, or hashed PII fields outside the encrypted column or the specific request servicing the Customer's instructions

7. Cookies and Tracking

On roas.to, we use a small number of strictly-necessary, preference, and (subject to consent in EEA/UK/CH) measurement cookies. We run our own Meta pixel on the marketing site to measure the performance of advertising we run for ROAS.to itself; this is gated by a consent banner where required and can be revoked at any time using the "Cookie preferences" link in the footer.

On your websites, our tracking technology may set its own cookies and storage entries (for example _roas_vid, _roas_sub1/2/3, and a small number of session-storage keys). You are the controller for those cookies and are responsible for surfacing them to your visitors and obtaining any consent required by law. The full inventory is published in our Cookie Policy.

8. Sharing and Subprocessors

We share personal information only with the following categories of recipients, each under contractual obligations consistent with applicable law:

  • Subprocessors we engage to host, deliver, monitor, secure, or improve the Service. The full list with locations and roles is published at /subprocessors. We update that list and notify Customers of changes as set out in the DPA.
  • Meta (Facebook), when you instruct us to call the Marketing API or the Conversions API on your behalf
  • Other third-party platforms (such as Everflow, your e-commerce platform, or a custom postback URL) only when you configure ROAS.to to send data to them
  • Professional advisors (lawyers, accountants, auditors) under duties of confidentiality
  • Acquirers and successors in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, subject to the same protections as in this Privacy Policy
  • Authorities and other parties where we are legally required to do so, where necessary to investigate or prevent fraud or imminent harm, or where necessary to establish or defend legal claims. We will challenge requests we consider overbroad or unlawful

9. AI Providers

We use third-party AI APIs from Anthropic, OpenAI, and Google (Gemini API for image generation) — and may add other providers in the future, listed at /subprocessors — to power features you invoke, including ad creative generation, image generation, audience analysis, account-health summaries, copy editing, and creative-strategy assistance.

  • We send only the inputs needed to fulfill the request you invoked (for example, ad creative text, anonymized performance metrics, brand context). We do not send Facebook tokens, app secrets, or end-user-identifying fields to AI providers
  • We use the providers' API offerings under their commercial terms, which prohibit using submitted content to train their general-purpose models
  • AI usage is metered per Customer and capped to a per-account monthly limit disclosed in our Terms of Service
  • AI outputs are produced by probabilistic models and may contain errors, fabrications, or biases. You are responsible for reviewing every AI output before publishing it to an ad account, a website, or any visitor-facing surface

10. International Data Transfers

ROAS.to is operated by an Israeli private company. Israel has been recognized by the European Commission as providing an adequate level of data protection for transfers from the EEA, and by the UK Government for transfers from the UK. Personal information may also be transferred to and processed in the United States and other countries where our subprocessors operate.

For transfers from the EEA, UK, or Switzerland to a country that has not been designated as adequate, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (Module 2 controller-to-processor where we are processor; Module 1 controller-to-controller where applicable), the UK International Data Transfer Addendum, and (for subprocessors who are certified under the EU-US Data Privacy Framework, UK Extension, and Swiss-US extension) the Data Privacy Framework.

Customers may request a copy of the relevant transfer mechanism by contacting privacy@roas.to.

11. Data Storage and Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:

  • Encryption at rest: All Facebook access tokens and app secrets are encrypted using AES-256 with per-Customer (per-tenant) HKDF-derived keys. Each Customer's credentials are encrypted with a unique key that cannot decrypt any other Customer's data.
  • Encryption in transit: All data transmission uses TLS 1.2 or higher; all endpoints enforce HTTPS.
  • Tenant isolation: Every database query is scoped by tenant identifier, enforced at both the application and lint layers. Cross-tenant access is structurally not possible from the application surface.
  • Access controls: Production access is limited to authorized personnel under documented procedures, requires authenticated and encrypted connections, and is logged.
  • No plaintext credential storage: Facebook tokens and secrets are never written in plaintext to logs, error tracking, or backups.
  • Hashed-only contact fields: Where Customers send contact fields (email, phone, names) for Meta's Conversions API, we hash them at the edge before storage and forwarding; we do not retain plaintext contact fields.
  • Infrastructure: Our infrastructure runs on Vercel, Railway, Cloudflare, Neon, and Upstash, each of which maintains industry-recognized security certifications. See /subprocessors for the current list and certification posture.
  • Vulnerability management: We monitor dependencies, deploy security patches promptly, and operate a private channel for responsible disclosure (security@roas.to).

No method of transmission or storage is perfectly secure. While we strive to protect personal information, we cannot guarantee absolute security.

12. Data Retention

We retain personal information only for as long as necessary for the purpose for which it was collected, including any legal, accounting, or reporting requirements. Unless a longer period is required or permitted by law, our default schedule is:

  • Account information: retained while your account is active. Deletion is queued and irreversible once confirmed — there is no post-deletion recovery window. (Limited records survive deletion for legal or abuse-prevention reasons; see our Data Deletion page for the full list.)
  • Campaign and analytics data: retained while your account is active. Suspended or cancelled accounts: data is frozen (not deleted) for up to 90 days from the suspension or cancellation date, then permanently deleted unless you reactivate or request earlier deletion
  • Encrypted Facebook tokens: retained while the connection is active; nullified immediately on disconnect, deauthorization callback, or data deletion request
  • End-user IP addresses (collected on your sites via our tracking technology and used solely for ad-attribution measurement): IP addresses are automatically nulled from our records 30 days after collection — covering Meta's longest 28-day click-attribution window plus a small grace buffer for delayed conversion webhooks. After 30 days, the visit record is retained for analytics but the IP is gone
  • Hashed contact fields (email/phone hashes used for the Conversions API): retained only for the lifetime of the queued event and the associated retry window, then discarded
  • Audit logs and security logs: retained for up to 24 months for fraud, abuse, and security investigations
  • Billing records, invoices, and tax documentation: retained for the period required by Israeli tax, accounting, and anti-money-laundering law (currently 7 years), regardless of account status. These records do not contain Facebook data or end-user content
  • Database backups: retained for up to 30 days for disaster recovery, subject to the same encryption and access controls as production data
  • Abuse-prevention retention: When an account is deleted, we retain a minimal record for up to 180 days to prevent takeover and trial-cycling abuse of previously-connected Facebook Business Managers. The retained fields are: the Business Manager's public Meta identifier, the account's email address, the Clerk user identifier, and timestamps. No campaign data, ad creatives, conversions, analytics, access tokens, or other content is retained. These records are used solely to verify re-association requests from legitimate prior owners (via email from your original signup address) and are automatically purged at 180 days regardless of verification status
  • Inactive accounts: Accounts with no login activity for 12 months and no active subscription may be flagged for deletion. We will notify you by email at least 30 days before any deletion occurs

After the applicable retention period, we delete or irreversibly anonymize the personal information. Where a Customer has issued instructions in the DPA, those instructions prevail for processor data.

13. Your Rights

13.1 All users

  • Revoke access: You can disconnect ROAS.to at any time. If you connected via Facebook Login, go to Facebook Settings → Apps and Websites, or Business Settings → Integrations, and remove ROAS.to. If you connected via BYOA, revoke the system user token in your Facebook Business Manager
  • Data export: You can request an export of the personal information we store about your account
  • Data deletion: You can request permanent deletion of all your stored data (see our Data Deletion page)
  • Account information: You can request details about what personal information we hold about you

13.2 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the following rights under the EU GDPR, the UK GDPR, and the Swiss FADP, respectively:

  • Lawful basis: We process your personal data on one or more of the following bases: (a) performance of a contract with you (operating the Service); (b) your consent (for example, where you opt in to non-essential cookies on roas.to or to marketing communications); (c) our legitimate interests (improving and securing the Service, fraud prevention, internal analytics) where not overridden by your rights; (d) compliance with legal obligations (tax, accounting, lawful requests)
  • Right of access: request a copy of the personal data we process about you
  • Right to rectification: request correction of inaccurate or incomplete personal data
  • Right to erasure: request deletion of your personal data, subject to retention obligations
  • Right to restrict processing: request that we limit how we use your data
  • Right to data portability: request your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests, including profiling, and to direct marketing at any time
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing
  • Right not to be subject to automated decision-making: we do not use your personal data for solely automated decisions producing legal or similarly significant effects on you
  • Right to lodge a complaint: with your local supervisory authority. We would, however, appreciate the chance to address your concerns before you contact the authority — please write to privacy@roas.to first

Where we are processor: if you are a visitor to a Customer's website, the Customer (not ROAS.to) is the controller for your personal data and is responsible for responding to your rights requests. Please direct your request to the operator of the website on which the data was collected. If you contact us directly, we will refer your request to the relevant Customer and assist them as set out in the DPA.

13.3 California (CCPA / CPRA)

California residents have the following rights with respect to personal information that we collect as a business:

  • Right to know: the categories and specific pieces of personal information we have collected, the sources, the business or commercial purpose for collecting, and the categories of third parties with whom we share it
  • Right to delete personal information we have collected, subject to statutory exceptions
  • Right to correct inaccurate personal information we maintain
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond those expressly permitted by the CCPA without limitation rights
  • Right to opt out of sale or sharing: we do not sell personal information and do not share it for cross-context behavioral advertising as defined under the CCPA
  • Right to non-discrimination for exercising your CCPA rights
  • Authorized agents: you may use an authorized agent to submit a request, subject to verification under §999.326 of the CCPA Regulations

Service-provider role: when we process personal information on behalf of a Customer who is a business under the CCPA, we act as a service provider, the Customer is the business, and visitor rights requests should be directed to the Customer. We will not retain, use, or disclose that personal information for any purpose other than performing the services specified in our contract with the Customer.

13.4 Israel

If you are an Israeli data subject, you have the rights set out in the Israeli Privacy Protection Law, 5741-1981 (as amended, including by Amendment No. 13 of 2024), including the right to inspect personal information held about you in a database, the right to request correction or deletion of inaccurate or unlawful information, and the right to be informed of certain processing activities. To exercise these rights, contact privacy@roas.to. You may also contact the Privacy Protection Authority (Reshut Hagana al Hapratiyut) within the Israeli Ministry of Justice.

13.5 Other jurisdictions

Residents of other jurisdictions (including Brazil under the LGPD, Canada under PIPEDA, Australia under the Privacy Act, and US states with comprehensive privacy laws including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others) may have similar rights under their applicable laws. Contact privacy@roas.to to exercise any rights to which you are entitled.

13.6 How to exercise your rights

To exercise any rights described in this section, contact privacy@roas.to from the email address associated with your account. We will verify your identity before responding to substantive requests, generally by requiring confirmation from your registered email and any additional information reasonably necessary to authenticate you. We will respond within the timelines required by applicable law (generally 30 days under the GDPR, 45 days under the CCPA, extendable as permitted). We will not charge a fee for reasonable requests.

14. EU and UK Representatives

Where required by Article 27 of the EU GDPR or Article 27 of the UK GDPR, ROAS.to will appoint and publish on this page a representative in the EU and in the UK who can be contacted by data subjects and supervisory authorities on matters relating to the processing of personal data of EEA or UK data subjects. Until such an appointment is published, EEA and UK data subjects may contact us directly at privacy@roas.to and we will respond as set out in Section 13.

15. Personal Data Breach Notification

If we become aware of a personal data breach affecting your personal information, we will:

  • For breaches affecting Customer-controlled data (where we are processor): notify the affected Customer without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach, providing the information required by Article 33 GDPR (or its UK / Israeli / other equivalent) to enable the Customer to meet its own notification obligations
  • For breaches affecting our own controlled data: notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach where required, and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms
  • Promptly take steps to contain and remediate the breach, document the facts and remedial actions, and cooperate with regulatory inquiries

16. Children's Privacy

The Service is a business-to-business product for professional advertisers and media buyers. It is not directed to, marketed to, or intended for children. We do not knowingly collect personal information from individuals under sixteen (16) years of age, or under such higher age as may be required for parental consent in a specific jurisdiction. If we become aware that we have inadvertently collected personal information from such a person, we will delete it as soon as reasonably possible. To report a concern, contact privacy@roas.to.

You, as a Customer, are responsible for ensuring that ads, websites, and tracking technology you operate using the Service comply with all applicable child protection laws, including the US Children's Online Privacy Protection Act (COPPA), the UK Age Appropriate Design Code, the EU GDPR's rules on the age of consent, and equivalents.

17. Meta Platform Compliance

ROAS.to's use of data received from Meta APIs adheres to the Meta Platform Terms, including:

  • We only request permissions necessary for features we provide
  • We do not sell, license, or purchase data obtained from Meta APIs
  • We do not transfer Meta data to data brokers, advertising networks, or data resellers
  • We do not use Meta data to discriminate against or target individuals based on race, ethnicity, religion, sexual orientation, gender identity, or other protected categories
  • We do not use Meta data to perform surveillance or build profiles for law enforcement
  • We provide a clear deletion mechanism and honor data deletion callbacks Meta sends us when a user removes our app
  • We notify Meta and affected users of relevant data breaches as required by Meta policies and applicable law

18. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Platform at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. The "Last updated" date above indicates when the most recent changes were made.

19. Contact Us