Privacy Policy
Effective Date: April 16, 2026

OneClickAds ("we", "us", or "our") is a Chrome extension that helps Shopify
store owners generate Meta ad creatives in one click. This Privacy Policy
explains what we collect, how we use it, who we share it with, and the
rights you have. It reflects what the extension and our backend actually do.

1. Information We Collect

a) Product data you submit for generation
   When you click "Generate" on a product page, the extension reads the
   following fields from the page you are viewing and sends them to our
   backend server:
   - Product title, description, price, and currency
   - Product image URLs (and the image bytes fetched from those URLs)
   - The page URL the product was scraped from
   No product data is sent until you click "Generate".

b) Account information (via Supabase Auth)
   - Email address
   - A password you create at sign-up. The password is transmitted over
     TLS to Supabase Auth, which stores only a salted hash. We never see
     or store your plaintext password.
   - A Supabase-issued session token (JWT), stored in Chrome extension
     storage on your device so you stay logged in.

c) Usage / credit data
   - Your remaining credit balance and timestamps of balance changes
     (stored in Supabase in the `user_credits` table, protected by
     row-level security so only you can read your row).
   - Generation job metadata (job ID, status, timestamps, number of
     creatives requested) cached on our server so the extension can
     poll for results.

d) Generated output
   - The ad images and ad copy produced for your job are available for
     a one-time download during your active session. We do not store
     your generated creatives on our server after delivery.

We do NOT collect:
- Browsing history or the content of pages you visit
- Data from pages where you do not click "Generate"
- Keystrokes, form data, cookies, or analytics from third-party sites
- Payment card numbers (payments are handled on our website by a
  PCI-compliant provider, not by the extension)
- Health, financial, location, or communications data

2. How We Use Your Data

- To generate Meta ad creatives: product data is sent to our backend,
  which calls third-party AI providers (see Section 3) and returns
  images and ad copy to the extension.
- To authenticate you and keep you signed in.
- To track and enforce your credit balance.
- To operate, secure, and debug the service (for example, short-lived
  server logs of request metadata such as timestamps, job IDs, and
  error messages).

We do NOT use your product data or account data to train our own AI
models, and we do not sell, rent, or share it for advertising.

3. Third-Party Services (Sub-processors)

We share the minimum data required with the following providers:

- Supabase (authentication and credit database) — receives your email,
  password (hashed by Supabase), session tokens, user ID, and credit
  balance. <https://supabase.com/privacy>
- OpenRouter (LLM routing; currently using Google's Gemma model) —
  receives product title, description, price, and image URLs to produce
  ad copy and concepts. <https://openrouter.ai/privacy>
- Kie.ai (image generation via the nano-banana model) — receives your
  product images and text prompts to produce ad creatives.
  <https://kie.ai/privacy>
- Our own VPS backend — operated by us, hosts the job queue and
  generated image files.

4. Data Retention

- Session token: until you log out or clear extension storage.
- Account and credit balance: kept while your account exists; deleted on
  account deletion.
- Job metadata on our server: short-lived, auto-expires.
- Generated images: not retained on our server after delivery; available
  for one-time download only during the active session.
- Server logs: retained up to 30 days, then rotated out.

5. Data Security

- All network traffic between the extension, Supabase, OpenRouter,
  and Kie.ai uses HTTPS/TLS.
- Backend API calls from the extension are authenticated with a
  server-side API key and, for per-user operations, your Supabase JWT.
- Supabase enforces row-level security so one user cannot read another
  user's credit or account data.
- Passwords are hashed by Supabase Auth; we never handle them in
  plaintext beyond the TLS-encrypted sign-in request.

6. Your Rights (GDPR / CCPA / general)

You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and all associated data
- Export your data in a portable format
- Withdraw consent and stop using the extension at any time
- Lodge a complaint with your local data protection authority

To exercise any of these rights, email the address in Section 9. We
respond within 30 days. You can also sign out at any time, which
removes the session token from your device.

7. Children's Privacy

OneClickAds is intended for business users operating Shopify stores and
is not directed to children under 16. We do not knowingly collect data
from children. If you believe a child has provided us data, contact us
and we will delete it.

8. Limited Use Disclosure

Our use of information received from Google APIs will adhere to the
Chrome Web Store User Data Policy, including the Limited Use
requirements. We do not transfer user data to third parties except as
necessary to provide or improve user-facing features, comply with
applicable law, or as part of a merger or acquisition.

9. Contact Us

Email: [email protected]
Website: <https://launch.oneclickads.online>

10. Changes to this Policy

We will post any changes on this page and update the Effective Date at
the top. Material changes will also be announced in the extension or
by email before they take effect.