Privacy policy

Effective 7 July 2026 · applies to mmm.airankia.com and api.mmm.airankia.com (the "Service")

1. Who we are

The Service is operated by Airankia ("we", "us"). We provide media mix modeling infrastructure for marketing agencies. We act as the data controller for account and audit data you submit directly, and as a data processor for advertising and analytics data that agencies connect on behalf of their clients. For anything in this policy, contact [email protected].

2. Data we collect

  • Account data — name, work email, agency name, and role, provided when an account is provisioned for you.
  • Audit submissions — the email address, optional client domain, and the weekly CSV you upload to the public audit (week dates, revenue or conversions, and spend per channel). We do not ask for, and you should not include, personal data about end customers in these files.
  • Advertising and analytics data via OAuth — when an agency connects Meta Ads, Google Ads, Google Analytics 4, or Shopify, we read aggregate campaign performance data only: spend, impressions, clicks, conversions, and revenue, by day and campaign. We never read audience lists, creative assets, personal profiles, message content, or any data about individual end users.
  • Payment data — the $99 connected audit is processed by Stripe. We receive only a checkout session reference and payment status; card details never touch our systems.
  • Technical data — server logs (IP address, user agent, timestamps) kept for security and rate limiting, and error telemetry with personal data scrubbed.

3. How we use it

  • To run the data-readiness checks and show you the verdict.
  • To build and refresh media mix models for the client workspaces an agency manages, and to render those results to the agency and to anyone the agency shares a results link with.
  • To email you the audit result and model-run notifications (delivered via Resend). We do not run marketing drip campaigns on audit emails.
  • To secure the Service, enforce rate limits, and debug faults.

We do not sell personal data, we do not use it for advertising of our own, and we do not use data obtained through platform APIs to train machine-learning models unrelated to your workspace.

4. Google user data — Limited Use disclosure

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google Ads and Google Analytics data is used only to provide the modeling features the connecting agency requested, is never transferred to third parties except as necessary to provide those features or comply with law, and is never used for advertising or sold.

5. Meta platform data

Data read from the Meta Marketing API is used solely to provide measurement features to the agency that connected the account, in accordance with the Meta Platform Terms. You can revoke our access at any time from your Meta Business settings; revocation stops all further reads immediately.

6. Storage and security

  • Data is stored in our hosted PostgreSQL database and object storage, hosted on servers in the European Union.
  • OAuth refresh tokens are encrypted at rest with application-level symmetric encryption, separate from database credentials. Access tokens are held only in memory during syncs.
  • All traffic is encrypted in transit (TLS 1.2+).
  • Results share links are unguessable 256-bit tokens, revocable at any time and expiring by default after 90 days.

7. Sharing and subprocessors

We share data only with the subprocessors needed to run the Service: our hosting provider (EU), Supabase (authentication and storage), Stripe (payments), Resend (transactional email), Anthropic (generating plain-language summaries from already-computed model statistics — never raw platform data), and Sentry (error monitoring, scrubbed). Each processes data solely on our instructions.

8. Retention and deletion

  • Public audit submissions (the CSV panel and verdict) are retained for 12 months, then deleted.
  • Workspace data is retained while the agency's account is active. Disconnecting a source stops syncs; archived workspaces and their raw platform data are deleted 90 days after archival.
  • You may request deletion of your data at any time by writing to [email protected]. We complete verified deletion requests within 30 days, including data pulled from platform APIs.

9. Your rights

Where the GDPR or similar law applies, you have the right to access, rectify, export, restrict, object to the processing of, and erase your personal data, and the right to lodge a complaint with your supervisory authority. Requests go to [email protected] and are answered within 30 days. Where we act as a processor for an agency, we will refer the request to that agency and assist them in fulfilling it.

10. Cookies

The public pages set no tracking cookies. The application uses only strictly necessary session cookies for authentication.

11. Changes

We will post any changes to this policy on this page and update the effective date. Material changes affecting connected platform data are additionally announced by email to affected account owners.