Privacy policy
Effective Date: 1/1/2026
Privacy Policy
Effective Date: 5/19/2026
prfrm Inc. ("prfrm," "we," "our," or "us") provides a performance marketing intelligence platform used by marketing agencies and advertisers. This Privacy Policy describes how we collect, use, share, retain, and protect information when you use our website, our platform, or our integrations with third-party advertising platforms including Google and Meta.
By using prfrm, you agree to the practices described in this policy.
1. Information We Collect
We collect the following categories of information:
Account and Contact Information
Name, email address, phone number, and company name
Role or title within your organization
Authentication credentials (passwords are stored hashed; we never see them in plaintext)
Platform Usage Data
Pages viewed, features used, and actions taken within PRFRM
Device, browser, and IP address information
Cookies and similar technologies (see Section 9)
Advertising Platform Data (via Integrations)
When you or your client grants prfrm access to advertising accounts on Google Ads, Meta (Facebook and Instagram), or other supported platforms, we access and process:
Ad account identifiers, names, currency, and timezone
Campaign, ad set, and ad structures (names, objectives, budgets, status)
Ad creative metadata (headlines, descriptions, image and video references)
Performance metrics (impressions, clicks, conversions, spend, attribution data)
Audience and targeting parameters
Business Manager and Page identifiers required to access assigned assets
For Meta specifically: data accessed via the Meta Marketing API under the permissions you grant (
ads_read,ads_management,pages_read_engagement,pages_show_list)
We do not collect or store the personal data of end-users who view or interact with your ads (e.g., we do not store Custom Audience source data or individual conversion events tied to identifiable persons beyond what is required for aggregate reporting).
2. How We Use Information
We use the information we collect to:
Provide, operate, maintain, and improve the prfrm platform
Generate marketing performance insights, recommendations, and forecasts
Authenticate users and secure accounts
Enable integrations with third-party advertising platforms on your behalf
Communicate with you about your account, service updates, and support
Comply with legal obligations and enforce our Terms
We use advertising platform data solely to deliver the services described in this Policy and our Terms, and in accordance with Meta's Platform Terms, Developer Policies, and the Google Ads API Terms of Service. We do not use this data to build advertising profiles, retarget end-users, or for any purpose unrelated to the services you have engaged us to provide.
3. Legal Bases for Processing (EU/UK Users)
Where the GDPR or UK GDPR applies, we process personal data on the following legal bases:
Contractual necessity - to provide the services you have requested
Legitimate interests - to operate, secure, and improve our platform
Consent - where required, such as for non-essential cookies
Legal obligation - to comply with applicable law
4. How We Share Information
We do not sell personal data.
We share information only with the following categories of recipients:
Sub-processors and Service Providers
PRFRM relies on the following sub-processors to operate the platform. Each is bound by a written agreement requiring appropriate security and confidentiality:
Sub-processor | Purpose | Data Processed |
|---|---|---|
Supabase | Primary database and authentication | Account data, platform data, cached advertising data |
Vercel | Application hosting | Request logs, application data |
Nango | OAuth token storage and refresh | Authentication credentials for connected advertising platforms |
Leadsie | Client asset onboarding via Meta Business Manager | Email addresses of invited clients, asset assignment confirmations |
n8n Cloud | Workflow automation and data processing | Cached advertising data during processing |
Anthropic / OpenAI | AI-powered insights and analysis | Aggregated and de-identified performance data |
We maintain a current list of sub-processors and will notify customers of material changes in advance where required by applicable agreements.
Integrated Platforms
When you connect a third-party platform such as Google Ads or Meta, data flows between prfrm and that platform as required to deliver the integration. Your use of those platforms is governed by their own terms and privacy policies.
Legal Disclosures
We may disclose information when required by law, subpoena, court order, or other legal process, or to protect the rights, property, or safety of prfrm, our users, or others.
Business Transfers
If prfrm is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
5. Data Retention
We retain different categories of data for different periods:
Account information: for the duration of your account, plus 90 days after closure
Advertising platform data (Meta, Google, etc.): for the duration of the active integration plus 90 days, after which it is purged from our active systems
Platform usage logs: 12 months
Billing and tax records: 7 years, as required by law
Backups: rolling 30-day window, after which expired data is permanently deleted
You may request earlier deletion at any time (see Section 8 and our Data Deletion page).
6. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including:
Encryption of data in transit (TLS 1.2 or higher)
Encryption of data at rest in our primary database
Access controls and role-based permissions for PRFRM personnel
Secure credential storage via Nango for OAuth tokens
Logging and monitoring of access to production systems
Regular review of security practices
No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify you and applicable authorities as required by law.
7. Meta Platform Data - Specific Disclosures
When you or your client grants prfrm access to Meta advertising assets:
Access is granted through Meta's Business Manager via partner assignment (typically facilitated by Leadsie) or direct OAuth, never through credential sharing
prfrm accesses Meta data using tokens scoped to the permissions you grant
You or your client may revoke access at any time via Meta Business Manager, which will cause prfrm to lose access to the relevant assets
Upon revocation or app deauthorization, prfrm ceases all access and deletes cached Meta-sourced data within 30 days
prfrm does not transfer Meta Platform Data to data brokers, ad networks, or any party for purposes prohibited by Meta's Platform Terms
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
Access - request a copy of the personal data we hold about you
Rectification - request correction of inaccurate or incomplete data
Deletion - request that we delete your personal data
Portability - request your data in a structured, machine-readable format
Restriction - request that we restrict processing
Objection - object to certain processing activities
Withdrawal of consent - where processing is based on consent
To exercise any of these rights, see our Data Deletion page or email privacy@prfrm.ai. We will respond within the timeframe required by applicable law.
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect and the right to non-discrimination for exercising privacy rights.
9. Cookies and Tracking
We use cookies and similar technologies for:
Essential platform functionality (authentication, session management)
Analytics to understand how the platform is used
Preferences and settings
You can control cookies through your browser settings. Disabling essential cookies may prevent parts of the platform from working.
10. Third-Party Platforms
prfrm integrates with platforms including Google, Meta, and others. Your use of those platforms is also subject to their respective terms and privacy policies. We are not responsible for the practices of third-party platforms.
11. International Data Transfers
prfrm is based in the United States. If you access the platform from outside the United States, your information will be transferred to, stored, and processed in the United States. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
12. Children's Privacy
prfrm is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@prfrm.ai and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or through a notice in the platform. The "Effective Date" at the top reflects the most recent update.
14. Contact Us
For privacy questions, data requests, or to exercise your rights:
prfrm Inc.
2810 N Church St #790711
Wilmington, DE 19802-4447
privacy@prfrm.ai