Relay Privacy Policy

Relay is a marketing agency that runs paid advertising and social-media-management for client businesses. We operate a private internal dashboard at vladimircuc.com that agency staff and our individual clients sign into to review their campaign performance. This policy covers how we handle data inside that dashboard.

From people who sign into the dashboard (agency staff + designated client contacts): your email address and the authentication session managed by Supabase. We do not collect passwords directly — sign-in is via Google OAuth or one-time email magic links.

From clients' advertising and social-media accounts (with the client's explicit OAuth grant): performance metrics (impressions, clicks, spend, engagement, follower counts, post analytics) and the minimum identifiers needed to fetch those metrics on the client's behalf — Facebook Page ID, Instagram Business Account ID, YouTube channel ID, TikTok user ID, LinkedIn organization URN, GoHighLevel pipeline IDs.

What we do not collect: the content of private messages or DMs, individual end-user profiles or audience PII beyond aggregate demographics, payment information, or anything unrelated to the advertising / social-media services we provide.

We use the data above for one purpose: to render performance dashboards for the client whose accounts the data came from. Each client's data is scoped to that client's view; we do not share data across clients, nor with third parties outside the processors listed below.

All data is stored in Supabase (Postgres + secrets vault) hosted on Amazon Web Services in the United States. Access tokens to third-party platforms (Meta, Google, TikTok, LinkedIn, GoHighLevel) are encrypted at rest using Supabase Vault. The application is hosted on Vercel.

We take reasonable and appropriate steps to protect the data described above against unauthorized access, use, alteration, loss, or disclosure. Security procedures are in place to protect the confidentiality of your information.

Encryption in transit. All traffic between your browser and the dashboard, and between the dashboard and the third-party APIs we read from, is encrypted using HTTPS/TLS.

Encryption at rest. Data stored in our database is held on encrypted infrastructure (Supabase on Amazon Web Services). The most sensitive data we hold — the OAuth access tokens that let us read your connected advertising and social-media accounts — is additionally encrypted in a dedicated secrets vault (Supabase Vault) and is never exposed to other clients or displayed in the dashboard.

Access controls.Access to the dashboard requires authentication (Google OAuth or a one-time email link), and each client's data is scoped so that a signed-in user can only see their own organization's reporting. Administrative access to the underlying systems is limited to authorized Relay staff on a least-privilege basis. We review these safeguards periodically and will notify affected account holders if a breach ever materially affects their data.

When you authorize Relay to connect a third-party account, we use the official APIs of that platform to read the data described above. We do not store the raw user-facing content (post videos, ad creatives, etc.) — only the analytics about that content.

• Meta (Facebook Pages + Instagram) — via the Meta Graph API
• Google / YouTube — via the YouTube Data and Analytics APIs
• TikTok — via the TikTok Login Kit and Display API. With the account holder's consent we read their public profile (display name, username, avatar, bio, verified status), account statistics (follower, following, likes, and video counts), and the list of their public videos with per-video metrics (views, likes, comments, shares). We use the user.info.basic, user.info.profile, user.info.stats, and video.listscopes for this, and only to display the account's own performance back to the account holder inside the dashboard.
• LinkedIn — via the LinkedIn Community Management API
• GoHighLevel — via the GHL API

When you connect a Google account (for example Google Search Console, Google Analytics, or YouTube), we request only the read-only reporting scopes needed to display your performance metrics inside the dashboard, and we handle that data exactly as described elsewhere in this policy.

Relay's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically, we do not use Google user data to serve advertising, to train generalized or non-personalized artificial-intelligence or machine-learning models, or to determine creditworthiness or for any lending purpose, and we do not sell Google user data or transfer it to data brokers or other parties.

Clients can revoke our access to any platform at any time, either by clicking “Disconnect” in the dashboard's Admin section or by revoking the OAuth grant directly in the platform's settings (e.g. Facebook Business Settings, Google Account → Security → Third-party access).

To request deletion of all data associated with your account or your client's organization, email vladimircuc007@gmail.com. We will action the request within 30 days and confirm via email when complete.

We use first-party cookies only, scoped to the dashboard domain. One cookie holds your Supabase authentication session; another remembers UI preferences (last-viewed period, simple/advanced tier toggle, recently-viewed clients). We do not use third-party tracking cookies, analytics scripts, or ad pixels on the dashboard.

If we make material changes to this policy we'll update the “Last updated” date at the top, and where appropriate email account holders.

Questions or concerns about this policy or your data:
vladimircuc007@gmail.com