Privacy Policy

AdPlug MCP ("AdPlug", "we", "us") is a hosted Model Context Protocol (MCP) platform that lets performance marketers connect their advertising accounts and manage them through AI tools such as Claude, ChatGPT, Cursor, and other MCP-compatible clients.

AdPlug is operated by MeanData IT SRL. Our website is adplug.app.

• To authenticate you and provide access to your MCP endpoint
• To execute ad platform API calls on your behalf when requested by your AI tool
• To enforce usage limits based on your subscription tier
• To display your usage history and connected accounts in your dashboard
• To send you service-related emails (connection issues, usage alerts, billing)

We do not sell your data. We do not use your ad account data for advertising, benchmarking, or any purpose other than fulfilling your MCP tool requests.

Data minimisation. AdPlug only collects data from your context that is necessary to perform the function you have requested. We do not collect AI conversation content, even for logging purposes. The structured payloads returned by ad platform APIs flow through AdPlug to your AI client and are not retained at rest.

We share data with these services only as needed to provide the product. For the full data-protection terms governing these sub-processors, including international transfer mechanisms, see our Data Processing Agreement.

• Supabase — Authentication and database hosting. Stores your profile, encrypted credentials, and usage logs. Located in US-East-2.
• Google Cloud (Cloud Run) — Hosts our API server. Processes your MCP requests. Located in US-East-1.
• Vercel — Hosts the AdPlug web frontend (adplug.app).
• Resend — Sends transactional email (service notifications, billing receipts).
• Google Ads API / LinkedIn Ads API — We make API calls to these platforms using your OAuth tokens to fulfill your requests.
• Paddle — Payment processing and subscription management. Handles billing as merchant of record.
• Cloudflare — DNS and TLS termination for adplug.app.

AdPlug's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. See our full Google API Services Disclosure for details.

Specifically, AdPlug:

• Only uses Google user data to provide and improve the AdPlug service — specifically, to execute Google Ads API calls on your behalf when you make requests through your MCP-compatible AI tool
• Does not transfer Google user data to third parties, except as necessary to provide the service (e.g., making API calls to Google Ads on your behalf), as required by law, or with your explicit consent
• Does not use Google user data for serving advertisements, including retargeting, personalized or interest-based advertising
• Does not allow humans to read Google user data unless: (a) we have your explicit consent, (b) it is necessary for security purposes (investigating abuse or security incidents), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations
• Does not use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine learning models. Data passed between your AI tool and the Google Ads API is not retained by AdPlug, used for model training, or shared with any AI model provider for training purposes.

AdPlug supports OAuth 2.1 authentication for MCP clients (such as Claude Desktop and ChatGPT). When you authorize an MCP client:

• The client registers itself via Dynamic Client Registration (DCR)
• You see a consent screen showing the client name and requested permissions
• You can approve or deny the request
• If approved, the client receives a time-limited access token (JWT)
• You can revoke access at any time from your dashboard

We do not share your ad account data with MCP client developers. The MCP client acts as a conduit — it sends your requests to our server, and we return results directly to your AI conversation.

• Account data — retained while your account is active. Deleted within 30 days of account deletion.
• OAuth tokens — deleted immediately when you disconnect a platform or delete your account.
• Usage logs — retained for the duration of your audit log period (7 days Free, 30 days Pro, 90 days Agency). Older logs are permanently deleted.

• All OAuth tokens are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256)
• All connections use HTTPS (TLS 1.3)
• MCP endpoint requires authentication on every request
• OAuth 2.1 with PKCE for MCP client authentication
• Row-Level Security (RLS) in the database — users can only access their own data
• Rate limiting to prevent abuse (60 requests/minute per IP)

In the event of a data breach affecting your Google account data or other personal information, we will notify you by email within 72 hours of discovery, describe the nature of the breach, and outline the steps we are taking in response.

You can:

• Access your data — view your profile, connections, and usage in the dashboard
• Delete your data — disconnect platforms or delete your account from the dashboard settings
• Revoke access — disconnect any ad platform at any time; we immediately delete the stored OAuth tokens
• Export your data — contact us at privacy@adplug.app for a data export

If you are in the EU/EEA, you have additional rights under GDPR including the right to restrict processing and the right to data portability. Contact us to exercise these rights.

We use essential cookies only for authentication (Supabase session cookies). We do not use tracking cookies, analytics cookies, or advertising cookies.

We may update this privacy policy from time to time. We will notify you of material changes by email or by posting a notice on our website. Continued use of AdPlug after changes constitutes acceptance of the updated policy.

For privacy-related questions or requests, contact us at: privacy@adplug.app

MeanData IT SRL
Chișinău, Moldova