Skip to content

Privacy Policy

This policy describes how Formation Ads collects, uses, discloses, and protects your personal information.

Updated February 27, 2026

Introduction

Formation Ads LLC ("Formation Ads," "we," "us," or "our") is a government-compliant Meta advertising platform for live entertainment. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our platform at formationads.com (the "Platform").

We are committed to compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Global Privacy Control (GPC) specification, and applicable United States federal and state privacy laws.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. Our legal bases for processing your personal data are described in the GDPR section below. If you do not agree with any part of this policy, please do not use the Platform.

Information We Collect

Account Information

When you create an account via Meta (Facebook) OAuth, we receive and store your name, email address, and profile image. We also generate an organization record associated with your account. If you enable multi-factor authentication (MFA), we store a hashed TOTP secret and hashed backup codes.

Campaign Data

You provide campaign details including names, objectives, budgets, targeting parameters (locations, interests, demographics), tour stop locations, and creative assets (images, videos, and ad copy). This data is necessary to create and manage your Meta advertising campaigns.

Payment Information

Credit purchases are processed by Stripe. We do not store credit card numbers, bank account details, or Government Purchase Card (GPC) numbers on our servers. Stripe handles all payment card data in accordance with PCI DSS Level 1 requirements. We store transaction records (amounts, dates, status, Stripe event IDs) for billing, credit management, and audit compliance.

Usage Data

We collect server logs including IP addresses, user agent strings, request timestamps, and error data for security monitoring, rate limiting, and debugging. We also collect structured audit logs of all user actions within the Platform for compliance record-keeping.

Meta Platform Data

When you connect your Meta account, we access campaign performance metrics (impressions, reach, clicks, spend) and ad account information via the Meta Marketing API. We cache this data for performance reporting. We also store an encrypted version of your Meta access token to manage campaigns on your behalf.

Cookies and Similar Technologies

We use essential cookies only. We do not use tracking cookies, analytics cookies, or third-party advertising cookies on our Platform.

CookieTypeDurationPurpose
__sessionEssentialSession / 30 daysAuthentication session managed by NextAuth.js. Contains an encrypted JWT with user identity and role.
__csrfEssentialSessionCross-Site Request Forgery protection token. Validated on every state-changing request.
preferencesFunctional1 yearStores user interface preferences such as theme (light/dark) and sidebar state. No personal data.

How We Use Your Information

  • To create and manage your Meta advertising campaigns
  • To process credit purchases and maintain your account balance
  • To provide campaign performance reporting and analytics
  • To maintain FAR 52.204-25 compliance records, audit logs, and attestation documents
  • To detect and prevent fraud, abuse, and security threats
  • To communicate service updates and account notifications
  • To enforce our Terms of Service and protect the rights and safety of our users
  • To comply with legal obligations, including government contract record-keeping requirements

Meta Platform Data Usage

Formation Ads accesses data through the Meta Marketing API to provide advertising management services. This section describes our specific practices regarding Meta platform data.

Data We Access

  • Ad account information (account ID, name, spend limits, currency)
  • Campaign performance metrics (impressions, reach, clicks, cost per result, spend)
  • Page information (name, ID) for ad placement
  • Instagram account information linked to your Facebook Page

How We Use Meta Data

  • To create, manage, and optimize advertising campaigns
  • To display campaign performance reports in your dashboard
  • To synchronize spend caps between your credit balance and Meta ad account
  • To reconcile actual Meta spend against reserved credits

What We Do Not Do

  • We do not sell Meta platform data to any third party under any circumstances
  • We do not use Meta data for purposes unrelated to your campaigns
  • We do not share Meta data with other advertisers or data brokers
  • We do not use Meta data to build user profiles for targeting
  • We do not retain Meta data after account deletion beyond legal requirements

Meta Data Retention

Cached campaign performance data is retained for 2 years after campaign completion. Encrypted Meta access tokens are deleted immediately upon account disconnection or deletion. Meta ad account IDs are retained in audit logs indefinitely for compliance purposes.

For information about Meta's own data practices, please review Meta's Privacy Policy. Formation Ads is not responsible for Meta's data practices beyond our use of the Meta Marketing API as described in this policy.

Information Sharing

Service Providers

We share data with the following service providers:

  • Meta Platforms, Inc. — Campaign creation, management, and reporting via the Meta Marketing API. Your campaign data, targeting parameters, and creative assets are transmitted to Meta to run your advertisements.
  • Stripe, Inc. — Payment processing. Your payment method details are handled directly by Stripe and are never stored on our servers.
  • Sentry (Functional Software, Inc.) — Error tracking and performance monitoring. We transmit anonymized error data and performance metrics. Sensitive fields (passwords, tokens, emails) are scrubbed before transmission.
  • Cloudflare, Inc. — Object storage (R2) for uploaded creative assets (images and videos). Files are stored with UUID filenames and MIME-type validation.
  • Vercel Inc. — Application hosting and serverless infrastructure. All data processing occurs within United States regions.

Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government regulation. We may also disclose information when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Platform before your information becomes subject to a different privacy policy.

With Your Consent

We may share your information for other purposes with your explicit consent.

We do not sell your personal information to any third party. We do not share your data with advertisers, data brokers, or marketing companies beyond what is necessary to deliver your campaigns through Meta.

Data Retention

We retain your data only as long as necessary for the purposes described in this policy, or as required by law.

Data TypeRetention PeriodReason
Account informationLifetime of account + 30 daysRequired for service delivery; deleted upon processing of deletion request
Campaign content & creatives2 years after campaign endReporting, compliance record-keeping, dispute resolution
Payment & transaction records7 yearsFederal accounting requirements, tax compliance, audit trail
Audit logsIndefiniteFAR compliance; immutable and cannot be modified or deleted
Meta access tokensUntil disconnection or deletionRequired for campaign management; encrypted at rest (AES-256-GCM); deleted immediately on disconnect
Server & usage logs90 daysSecurity monitoring, debugging, rate limit enforcement

Webhook events are archived after 90 days (completed) or 180 days (failed). Rate limit counters are purged daily once expired.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — View your account information, campaign history, and transaction records through the dashboard.
  • Rectify — Update your profile and organization information through account settings.
  • Delete — Submit a deletion request through your account settings or via our public data deletion form. We will process deletion within one calendar month of verified receipt, subject to legal retention requirements.
  • Export — Download your campaign data, reporting data, and account information in CSV format.
  • Restrict — Request restriction of processing where the accuracy of your data is contested, processing is unlawful, or we no longer need the data but you require it for legal claims.
  • Object — Object to processing based on our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to direct marketing at any time without needing to provide a reason.
  • Portability — Receive your personal data in a structured, commonly used, machine-readable format (CSV) and transmit it to another controller, where processing is based on consent or contract performance and carried out by automated means.
  • Disconnect Meta — Revoke Formation Ads's access to your Meta account at any time through account settings. This will prevent new campaign publishing but will not affect campaigns already running on Meta.
  • Marketing opt-out — Unsubscribe from non-essential communications at any time via the unsubscribe link in emails or through account settings.
  • Appeal — If you believe a rights request was not properly handled, you may appeal by contacting privacy@formationads.com with the subject line "Privacy Appeal." We will respond within 15 business days.

California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information was collected, the business purpose for collecting your information, and the categories of third parties with whom we share your information.
  • Right to Delete — You may request deletion of your personal information, subject to certain exceptions (e.g., legal retention requirements, ongoing transactions, security and debugging).
  • Right to Opt-Out of Sale — We do not sell your personal information. If this practice changes, we will provide an opt-out mechanism as required by law.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality of service, or access to the Platform based on your privacy choices.

To exercise your CCPA rights, contact us at privacy@formationads.com or submit a request through the Platform. We will verify your identity before processing any request.

General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

Legal Basis for Processing

  • Contract performance — Processing necessary to provide our advertising management services, including Meta OAuth authentication, account management, campaign creation, and credit billing.
  • Legitimate interest — Security monitoring, fraud prevention, service improvement, and compliance record-keeping.
  • Legal obligation — Tax records, audit logs, and compliance documentation required by applicable law.
  • Consent — Optional marketing communications and non-essential data processing. You may withdraw consent at any time without affecting the lawfulness of prior processing or processing based on other legal grounds.

International Data Transfers

Formation Ads is based in the United States. If you access the Platform from outside the US, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to safeguard data transferred from the EEA. As supplementary technical measures, we implement AES-256-GCM encryption of sensitive data at rest, HTTPS encryption for all data in transit, database-level access controls, and organization-scoped data isolation to ensure a level of data protection equivalent to that required within the EEA.

Data Residency

All primary data storage and processing occurs within the United States. Our hosting provider (Vercel), database services, and object storage (Cloudflare R2) operate from US-based data centers.

Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR.

Global Privacy Control

We honor the Global Privacy Control (GPC) signal. When your browser sends a GPC signal, we treat it as a valid opt-out of the sale or sharing of your personal information, consistent with applicable law including the CCPA.

Government Contracting Compliance

Formation Ads maintains compliance with FAR 52.204-25 (Section 889) for its own infrastructure and systems. Our Section 889 attestation covers Formation Ads's technology stack, hosting providers, and service integrations.

Scope limitation: Our Section 889 compliance attestation applies exclusively to Formation Ads's own systems and infrastructure. It does not extend to Meta Platforms, Inc. or any third-party advertising platform. Organizations using Formation Ads for government-related advertising should independently assess Meta's compliance status as part of their own procurement due diligence.

For details on our compliance posture, see our Section 889 Compliance Attestation.

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of confirmed discovery, via email and in-platform notification.
  • Report to regulatory authorities as required by applicable law, including GDPR supervisory authorities (within 72 hours) and state attorneys general per US breach notification statutes.
  • Provide breach details including the nature of the incident, categories of data affected, approximate number of affected users, likely consequences, and measures taken to address the breach.
  • Provide ongoing updates as our investigation progresses, including remediation steps and recommendations for affected users.

Children's Privacy

Formation Ads is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@formationads.com.

Security

We protect your data with industry-standard security measures including:

  • AES-256-GCM encryption for sensitive tokens at rest with PBKDF2 key derivation
  • HMAC-SHA256 authentication for internal services and cron jobs
  • Database-backed rate limiting on all API routes (resistant to serverless cold starts)
  • All data transmitted over HTTPS with HSTS enforcement (1-year max-age, preload)
  • Role-based access control with organization-level data isolation
  • Multi-factor authentication (TOTP) with HMAC-SHA256 hashed backup codes
  • Session inactivity timeout (30 minutes) with FedRAMP AC-12 alignment
  • Content Security Policy, X-Frame-Options: DENY, and comprehensive security headers
  • Pino structured logging with 50+ sensitive field redaction patterns
  • Sentry error tracking with automatic PII scrubbing before transmission

Automated Decision-Making

Formation Ads does not engage in automated decision-making or profiling that produces legal or similarly significant effects on you, as described in GDPR Article 22. Campaign delivery optimization is performed by Meta's advertising platform, not by Formation Ads.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and through a prominent notice on the Platform at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Where our legal basis for processing is consent, we will seek fresh consent for material changes. For processing based on other legal grounds, continued use of the Platform after changes take effect constitutes acceptance of the updated policy. If you do not agree, you may close your account.

Contact

Data Controller

Formation Ads LLC is the data controller responsible for your personal data. Formation Ads has not appointed a Data Protection Officer as it does not meet the thresholds specified in GDPR Article 37.

For privacy-related questions, data access requests, or to exercise your rights, contact us at privacy@formationads.com.

To submit a data deletion request, visit our data deletion form.

We will respond to all privacy inquiries within one calendar month of receipt, in accordance with GDPR Article 12(3).

You may also reach us at legal@formationads.com (legal inquiries), compliance@formationads.com (Section 889), accessibility@formationads.com (accessibility), or support@formationads.com (general). Any privacy-related request sent to any of these addresses will be forwarded to our privacy team.