Security

Campaiyn holds Meta ad account credentials and optimizes live budget. Here is the exact posture we run to justify that trust.

Last reviewed April 2026

Your Meta connection

You connect Meta via OAuth. Campaiyn never sees your Meta password and never prompts for it.

By default, Campaiyn reads ad account data: campaigns, ad sets, ads, insights, and creative metadata. This is the minimum scope required to generate a health score, detect creative fatigue, and produce recommendations.

Write actions (pausing ad sets, pushing creative, adjusting budgets) require progressive trust. No write action executes without explicit approval of that specific action; a one-time blanket opt-in is not enough.

You can revoke Campaiyn's access at any time from Meta Business Settings or from your Campaiyn dashboard. Revocation removes our access immediately.

Where your data lives

Ad account data, recommendation history, and account settings are stored in Convex, encrypted at rest and in transit.

We store the minimum Meta data required to run the product: campaign and ad set identifiers, creative metadata, insights aggregates, and the history of recommendations and approvals. We do not store Meta user access tokens in plaintext.

We do not sell your data, and we do not share your ad account data with third parties for advertising, analytics, or model training.

Authentication

Accounts support email plus password, Google sign-in, and optional two-factor authentication via TOTP.

Sessions are short-lived. Sensitive surfaces (billing, Meta connection, account deletion) require a re-authentication step.

API keys issued for the public API are hashed at rest. We never display a full key again after it is generated.

Payments

Subscriptions are processed by Paystack. Campaiyn does not see or store full card numbers, CVCs, or bank credentials. Paystack is PCI DSS certified.

For subscription management we receive a subscription identifier and status. Refunds, card updates, and plan changes are handled inside your Campaiyn dashboard and reconciled to Paystack in real time.

Compliance posture

Meta App Review: approved March 2026. Every scope we request has been reviewed and approved by Meta for the stated use case.

GDPR: data deletion requests are processed end to end. Deleting your account removes your Meta data, recommendation history, and account record from our primary database. Backups are retained for 30 days and then purged.

Compliance is an ongoing posture, not a checkbox. If you have a specific requirement (DPA, data residency, audit log export), reach out and we will scope it with you.

Reporting a vulnerability

If you find a security issue, please email security@campaiyn.ai with a description, reproduction steps, and your contact details. We aim to acknowledge within one business day.

We do not currently run a public bounty program. Researchers who submit valid reports in good faith will be credited on this page if they wish.

Contact

Security questions: security@campaiyn.ai

Privacy and GDPR: privacy@campaiyn.ai