1. Introduction
This Privacy Policy (the "Policy") describes how A Chance at Life Foundation, Inc., a company organised under the laws of the State of Georgia, USA and having its principal place of business at 2859 Paces Ferry Road SE, Suite 1140, Atlanta, GA 30339, USA (referred to in this Policy as "ATL Ads Manager", "we", "us", or "our") collects, uses, discloses and otherwise processes Personal Information about you in connection with your access to and use of the ATL Ads Manager service (the "Service").
We respect your privacy and we take our responsibilities as a data controller and data processor very seriously. This Policy has been drafted to be transparent: it sets out (i) what information we collect, (ii) why and how we use it, (iii) the legal basis on which we process it where required by law, (iv) with whom we share it (and under what restrictions), (v) the international transfers we make and the safeguards we apply, (vi) how long we keep the information, (vii) the rights you have over your information and how to exercise them, and (viii) how to contact us.
We have used plain language wherever possible. Where legal terms are necessary we have explained them in context or in the Definitions section below. This Policy should be read alongside our Terms of Service, which govern your use of the Service.
Please read this Policy carefully. By accessing or using the Service, you acknowledge that you have read this Policy and that you understand how we handle your Personal Information. If you do not agree with any part of this Policy, you must not use the Service.
2. Definitions
The following defined terms are used throughout this Policy. For convenience, we capitalise them only on first use within each section.
- "Personal Information" means any information that relates to an identified or identifiable natural person. This includes obvious identifiers such as name, email address and user ID, but also less obvious identifiers such as IP address, online identifiers, and information that, when combined with other data, can be used to identify you.
- "Processing" means any operation performed on Personal Information, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction.
- "Controller" means the entity that determines the purposes and means of the Processing. With respect to the information described in this Policy, A Chance at Life Foundation, Inc. is the Controller unless expressly stated otherwise.
- "Processor" (or "sub-processor") means a service provider that Processes Personal Information on behalf of a Controller. Our service providers are listed in summary form in Section 11.
- "Facebook" means Meta Platforms, Inc. and its affiliates, the operator of the Facebook platform and the Facebook Graph API on which the Service depends.
- "User" or "you" means the natural person who accesses or uses the Service by authenticating with Facebook Login.
- "Service" means the ATL Ads Manager web application, related APIs, back-end systems and any other software, documentation and online content provided by us in connection with the foregoing.
- "Permission" means an OAuth scope or Graph API permission that you grant via the Facebook consent dialog. The complete list of Permissions used by the Service is set out in Section 5.
- "EEA" means the European Economic Area. "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation). "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. "CCPA" means the California Consumer Privacy Act of 2018, as amended (including by the California Privacy Rights Act of 2020). "LGPD" means the Brazilian General Personal Data Protection Law (Lei Geral de Proteção de Dados, Federal Law no. 13.709/2018). "PIPEDA" means the Canadian Personal Information Protection and Electronic Documents Act.
3. Scope of This Policy
This Privacy Policy applies to:
- The ATL Ads Manager web application and any related APIs and back-end systems operated by A Chance at Life Foundation, Inc. at the domain you accessed to read this Policy;
- All Processing of Personal Information performed by A Chance at Life Foundation, Inc. as a Controller in connection with the Service, regardless of where the information is collected or stored, and regardless of the format of that information (electronic, paper, audio-visual, etc.);
- Personal Information of Users who access the Service from any country in the world.
This Policy does not apply to:
- The Facebook platform itself, including the Facebook Login consent flow, which is governed by Meta's Privacy Policy and Meta's Terms of Service;
- Third-party websites or services that may be linked from within the Service. The privacy practices of such third parties are governed by their own policies;
- Information you provide directly to third parties through channels we do not operate (for example, content posted on a Facebook Page that we did not collect through the Service).
For the avoidance of doubt, this Policy does not change the terms under which Facebook collects, uses or shares information about you. If you have a complaint specifically about Facebook's data handling, please contact Facebook directly using the channels described in the Meta Privacy Policy.
4. Information We Collect
We collect three categories of information in connection with the Service: (a) information you instruct Facebook to share with us when you log in, (b) information that you actively provide as you use the Service, and (c) information that is collected automatically when you interact with the Service.
4.1 Information shared by Facebook on your behalf
When you sign in to the Service using Facebook Login, the Facebook consent dialog asks you to grant a defined set of Permissions to the Service. If you accept, Facebook will share the following with us:
- Profile information: your Facebook user ID (a numeric string), your display name as configured on Facebook, your primary email address (only if you grant the email Permission, and only if your Facebook account has a verified email), and a URL to your public profile picture;
- Pages and ad accounts you manage: the identifiers, names and basic metadata of the Facebook Pages and Meta Ad Accounts you have administrative access to and that you have chosen to share with the Service;
- Page and ad-account access tokens: OAuth tokens that allow the Service to perform actions on your behalf for the Permissions you granted. We exchange the short-lived token Facebook issues at login for a long-lived token immediately after authentication so we never persist a short-lived token. All tokens are encrypted at rest (see Section 15);
- Permission grants: a record of which Permissions you actually approved during the consent flow. Because a User may decline individual Permissions in the Facebook dialog, the Service verifies which were actually granted and refuses to enable any feature whose Permission was not granted.
We do not ask Facebook for, and do not receive, any Permissions or data not listed in Section 5.
4.2 Information you provide to us directly
When you interact with the Service after logging in, you may choose to provide additional information by performing actions in the user interface. Examples include:
- Text of Page posts you compose or edit through the Service;
- Replies you publish to comments through the Service;
- Campaign names, budgets, schedules, objectives and targeting parameters you enter when creating or editing advertising entities;
- Edits you make to the metadata of a Facebook Page (e.g. its short description) via the Service's Page settings screen;
- Images and videos you upload through the Page-post composer or the ad-creation dialog. Files are received by our server as part of the form submission, relayed directly to Facebook's upload edges (/<page_id>/photos, /<page_id>/videos, /<ad_account_id>/adimages, /<ad_account_id>/advideos), and not persisted on our infrastructure beyond the lifetime of the request that uploaded them. Size limits are 30 MB per image and 50 MB per video (single-step upload); larger files are rejected with a clear message rather than truncated;
- Any information you include in correspondence with us, such as bug reports or support emails sent to ahsicqzc@nietamail.com.
All such information is transmitted to Facebook through the Graph API and stored on Facebook's systems as part of the Page, post, comment, or ad object it relates to. We retain a copy of this information only to the extent described in the audit log (see Section 4.3).
4.3 Information collected automatically
When you interact with the Service we automatically collect a limited set of technical and operational information that is necessary to provide and secure the Service:
- Connection data: your IP address as seen by our infrastructure (after any client-supplied X-Forwarded-For header has been overwritten by our reverse proxy to prevent IP spoofing) and the User-Agent string sent by your browser. Connection data is recorded only against authenticated actions, for audit and security monitoring;
- Audit log: a structured record of every meaningful action you perform through the Service (e.g. "campaign created", "post deleted", "comment replied"). Each audit row contains the action type, an identifier for the target object, a timestamp, your IP address and User-Agent, and a boolean indicating whether the action succeeded (with an error message if not). The audit log is append-only and is the primary mechanism by which we and you can reconstruct what happened in case of dispute or incident;
- Operational metadata cache: a small set of non-sensitive metadata cached from the Facebook Graph API — primarily the names and identifiers of the Pages and ad accounts you have access to — so the user interface can render without making a fresh API call on every page load;
- Webhook event logs: if you (or Facebook) cause Facebook to deliver a webhook event to the Service — for example, a notification of a new comment on one of your Pages — we record the event payload after verifying its HMAC signature, for the purpose of allowing it to be replayed if downstream processing fails;
- Session cookie: a single, encrypted, HTTP-only cookie used for authentication. The cookie is described in detail in Section 10.
- Acquisition source (optional): if you arrived at our sign-in page via a referral link that carries a non-sensitive tag in the URL (?ref=…), we record that tag against your account row at the moment of first sign-in for the Operator's internal attribution. The tag is a short opaque string (max 64 characters, restricted to a safe ASCII subset) and is never combined with any Facebook profile data we receive. Subsequent sign-ins never overwrite the original tag, and absence of the parameter on the URL simply means no attribution is recorded.
4.4 Information we do NOT collect
For the avoidance of doubt, the Service does not collect any of the following, even though similar information may exist on Facebook's systems:
- Your Facebook private messages (Messenger), DMs, or any conversations in any messaging surface;
- Your friends list, friend connections, or social graph beyond what Facebook may provide in your public profile;
- Your location, GPS coordinates, or any precise geolocation data;
- Biometric identifiers, health data, sexual orientation, religious or philosophical beliefs, racial or ethnic origin, political opinions, or any other "special category" data within the meaning of Article 9 GDPR;
- Financial account numbers, credit card numbers, or payment information (the Service does not charge fees and does not process payments);
- Government-issued identifiers (passport numbers, social security numbers, tax IDs, etc.);
- Information about your devices beyond the User-Agent string disclosed in Section 4.3;
- Tracking pixels, advertising identifiers, third-party analytics, or telemetry of any kind;
- Any data scraped from Facebook other than what is delivered in response to your explicit, audited actions in the UI.
We do not sell, rent, lease or trade Personal Information, and we have never done so since the inception of the Service.
5. Detailed Permissions and Data Mapping
Below is the complete list of Facebook Permissions the Service requests, the data each one grants us access to, and the specific feature(s) of the Service that exercise that Permission. We request Permissions only because each one is tied to a corresponding feature; we do not request any Permission speculatively or for unspecified future use.
| Permission | Data accessed | How we use it |
|---|---|---|
| public_profile | Facebook user ID, name, profile picture URL | Identify you across sessions; display your name and avatar in the UI |
| email | Primary email address from Facebook | Contact you regarding account, security, and service notices |
| ads_management | Ad account metadata; campaign, ad-set and ad objects | Create, update, pause, resume and delete advertising entities you explicitly act on within the UI |
| ads_read | Ad insights and performance metrics | Display campaign performance dashboards and reports you request |
| business_management | Business Manager metadata; ad-account associations | List the ad accounts and businesses you have access to so you can pick one to work with |
| read_insights | Page and ad insights (impressions, reach, engagement, spend) | Populate the dashboard and per-Page analytics screens |
| pages_show_list | List of Pages you manage | Show the list of Pages you can act on within the UI |
| pages_read_engagement | Page posts, comments, reactions, engagement metadata | Display posts and comment threads in the moderation UI |
| pages_read_user_content | User-generated content on your Pages (visitor comments, replies) | Display incoming comments so you can moderate them |
| pages_manage_metadata | Page settings (about, description, category) | Apply changes you make to Page settings in the UI |
| pages_manage_posts | Page post objects | Publish, edit and delete posts on your behalf when you trigger those actions |
| pages_manage_engagement | Comment and reaction objects | Reply to, hide, like or delete comments when you explicitly take those actions |
| pages_manage_ads | Ad creatives and ad objects tied to your Pages | Create the campaign / ad-set / ad triple when you trigger "Boost post" |
If we ever wish to add a new Permission, we will (i) update this Policy to disclose the new Permission, the data it accesses, and the feature that uses it, (ii) request the additional Permission from you through Facebook's standard incremental consent flow before any associated feature becomes active, and (iii) where required by applicable law, obtain your renewed consent.
5.1 Conversions API (Test Events) and Customer Information Parameters
The Service includes a Conversions API test surface (visible at /pixels/[id] → Test events tab) that allows you, the signed-in operator, to compose and dispatch conversion events (e.g. Purchase, Lead, AddToCart) directly to Meta on behalf of your own Facebook Pixel(s). The Conversions API requires certain "Customer Information Parameters" on each event payload so Meta can match the event to a Facebook user for attribution purposes.
Customer Information Parameters that you choose to include — email, phone, first / last name, date of birth, gender, city, state, postal code, country, and external identifier — are hashed with SHA-256 on our server immediately before the payload leaves our infrastructure, in the exact normalisation format Meta's specification requires (lower-case and trim for most fields, digits-only for phone, ISO 2 letter lower-case for country, etc.). The unhashed values never leave our process memory; we do not store them. The audit log records only the names of the fields you included (e.g. em, ph, fn, ln, ct, country) and never the values themselves.
Identifier-style fields that Meta's specification prescribes to be sent unhashed — client IP address, client User-Agent, the FB browser cookies _fbp / _fbc, and any explicit dedupe identifiers you supply — are forwarded to Meta unmodified, exactly as Meta's API contract requires. We do not store these identifiers beyond the inbound HTTP request that produced the event.
You can disable this surface entirely by not using the Test events tab. Events you do send are routed to Meta's "Test Events" bucket by default (via test_event_code) so they do not contribute to live optimisation or audience building unless you explicitly switch the form to Live mode.
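The hashing and audit behaviour described in this section, sketched as an added example that is not the Service's own code. It applies only the normalisation rules stated above to the short keys named above (em, ph, fn, ln, ct, country); the function names, the pass-through key names, the audit action name and all sample values are assumptions constructed for illustration.

```python
import hashlib
import re

# Fields that are normalised and SHA-256 hashed before dispatch. These are
# the short keys this section names in its audit-log sentence.
HASHED_FIELDS = {"em", "ph", "fn", "ln", "ct", "country"}

# Identifier-style fields forwarded unmodified. The key names are
# assumptions made for this example.
PASSTHROUGH_FIELDS = {"client_ip_address", "client_user_agent", "fbp", "fbc"}


def normalise(field, value):
    """Apply the normalisation rules stated in this section."""
    value = value.strip()
    if field == "ph":
        # Digits only: drop "+", spaces, brackets and dashes.
        return re.sub(r"\D", "", value)
    if field == "country":
        value = value.lower()
        if not re.fullmatch(r"[a-z]{2}", value):
            raise ValueError("country must be an ISO 2-letter code")
        return value
    # Lower-case and trim for the remaining fields.
    return value.lower()


def sha256_hex(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_user_data(raw):
    """Return the outbound user_data dict: hashed where required,
    untouched for pass-through identifiers, unknown keys rejected."""
    user_data = {}
    for field, value in raw.items():
        if value is None or not str(value).strip():
            continue  # field left blank in the form
        if field in HASHED_FIELDS:
            normalised = normalise(field, str(value))
            if not normalised:
                continue  # e.g. a phone entry that contained no digits
            user_data[field] = sha256_hex(normalised)
        elif field in PASSTHROUGH_FIELDS:
            user_data[field] = str(value)
        else:
            # Fail closed so an unexpected field is never sent in cleartext.
            raise KeyError("unsupported field: " + field)
    return user_data


def audit_entry(user_data):
    """Audit row that records field names only, never values or hashes.
    The action name is hypothetical."""
    return {"action": "capi.event_dispatched", "fields": sorted(user_data)}


if __name__ == "__main__":
    # Constructed sample input, not real customer data.
    sample = {
        "em": "  Jane.Doe@Example.COM ",
        "ph": "+1 (404) 555-0100",
        "country": "US",
        "client_user_agent": "ExampleBrowser/1.0",
    }
    outbound = build_user_data(sample)
    print(outbound)
    print(audit_entry(outbound))
```

Rejecting unknown keys rather than passing them through is a design choice of this sketch: it keeps a newly added form field from reaching the outbound payload unhashed.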
6. Sensitive Personal Information
We do not knowingly collect any "sensitive" or "special category" Personal Information as defined by GDPR Article 9, the CCPA (as amended by the CPRA), or any equivalent provision of applicable law. Specifically, the Service does not collect information about your:
- Racial or ethnic origin;
- Political opinions, religious or philosophical beliefs, or trade-union membership;
- Genetic or biometric data;
- Health, sexual orientation or sex life;
- Criminal convictions or alleged offences;
- Precise geolocation;
- Social security number, driver's licence, state ID, passport or financial account information.
If we become aware that we have inadvertently received sensitive Personal Information through the Service (for example, if you include it in a free-text post we publish on your behalf), we will delete that information from our systems as soon as reasonably practicable. You should not transmit sensitive Personal Information through the Service unless absolutely necessary, and only with the lawful basis and any consents required by applicable law.
7. Aggregated and De-Identified Data
We may produce, store and use information in aggregated, anonymised or de-identified form (collectively, "De-Identified Data") — for example, counts of actions performed, error rates, average response times, and other operational statistics. De-Identified Data is not Personal Information because it does not identify (and cannot reasonably be used to identify) any individual.
We use De-Identified Data only for legitimate operational purposes, including capacity planning, debugging, quality monitoring, security analysis, and reporting. We take commercially reasonable steps to ensure that De-Identified Data cannot be re-identified, do not attempt to re-identify it, and contractually require any third party that receives De-Identified Data not to attempt re-identification.
8. How We Use Your Information
We Process the information described in Section 4 for the following purposes only:
- Authentication and session management. To identify you across requests using an encrypted, HTTP-only session cookie issued after you log in with Facebook (see Section 10 for cookie details);
- Service operation. To execute the actions you initiate in the user interface by calling the Facebook Graph API on your behalf with the OAuth access tokens you granted. The Service does not act on your behalf except in direct response to a UI action;
- Personalisation. To present the user interface in a way that reflects your specific assets (which Pages and ad accounts you can act on, what campaigns you have, etc.) — purely an organisational personalisation, not behavioural targeting;
- Security and abuse prevention. To detect, prevent and investigate fraudulent, unauthorised or unlawful activity, to enforce our Terms of Service and to apply the per-IP rate limits that protect public endpoints from automated abuse;
- Audit and accountability. To maintain a per-action record so that you and we can reconstruct who did what and when. This is essential for accountability in the context of ads and Page management, where errors and unauthorised actions can have commercial impact;
- Service improvement. To diagnose technical issues, debug errors, monitor performance, and improve the reliability, security and usability of the Service over time;
- Communications. To send you operational emails such as security alerts, data-deletion confirmations, and material changes to this Policy or to our Terms. We do not send marketing emails (see Section 26);
- Legal compliance. To comply with our legal obligations, including responding to lawful requests from authorities (see Section 28) and to defend our legal rights where necessary.
We do not Process your Personal Information for any purpose that is incompatible with the purposes described above. In particular, we do not use your information to train machine learning models, to build advertising profiles, to enrich third-party datasets, or to perform research on individuals.
9. Legal Bases for Processing (EEA / UK)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we Process your Personal Information only when we have a valid legal basis under Article 6 of the GDPR (or the equivalent provision of the UK GDPR or Swiss law). The legal bases on which we rely are:
- Performance of a contract (Art. 6(1)(b) GDPR). When you log in to the Service you enter into a contract with us — the Terms of Service. We Process your Personal Information as necessary to provide the Service under that contract, including authenticating you, executing the API calls you initiate, and maintaining your session;
- Legitimate interests (Art. 6(1)(f) GDPR). Where it would be impractical or undesirable to rely on consent, and where our interests are not overridden by your fundamental rights and freedoms, we rely on legitimate interests. We rely on this basis in particular for: maintaining the audit log, detecting and preventing abuse, securing our infrastructure, and improving the Service. We have conducted a legitimate-interests assessment for each such use;
- Consent (Art. 6(1)(a) GDPR). The specific Facebook Permissions you grant via the OAuth consent dialog are processed on the basis of your consent. You can withdraw this consent at any time by removing the Service from your Facebook account at Facebook → Business Integrations or by following the deletion procedure in Section 23;
- Compliance with a legal obligation (Art. 6(1)(c) GDPR). Where applicable law requires us to Process or retain Personal Information (for example, in response to a binding regulatory or court order), we do so on the basis of that legal obligation.
We do not rely on Article 6(1)(d) (vital interests) or Article 6(1)(e) (public interest) as legal bases for the Service, because they are not applicable to our processing context.
Where we Process Personal Information on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of Processing performed before withdrawal. Where we Process on the basis of legitimate interests, you have the right to object to that Processing on grounds relating to your particular situation (see Section 18).
10. Cookies and Similar Technologies
ATL Ads Manager uses exactly one cookie. This cookie is strictly necessary for the Service to function — it is the mechanism by which you remain logged in across requests.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| fbapp_session | Strictly necessary | Maintains your authenticated session. Encrypted with AES-256 using a key stored on the server only. | 30 days; deleted on sign-out |
The cookie has the following properties: it is HttpOnly (not accessible to JavaScript on the page), Secure (transmitted only over HTTPS), and SameSite=Lax (not sent on most cross-site requests). Its payload is encrypted; it does not contain your name, email, Facebook tokens or any other Personal Information in cleartext, only an opaque session identifier that we resolve server-side.
We do not use third-party cookies, pixels, tags, web beacons, local storage tracking, fingerprinting, advertising identifiers, analytics SDKs, or any other tracking technology. We do not embed third-party scripts, iframes, chat widgets, or anything else that would set its own cookie or report back to a third party.
Because the only cookie we set is strictly necessary for the Service, no cookie consent banner is required by law. You can nevertheless clear the cookie at any time from your browser settings; doing so will sign you out of the Service.
11. Service Providers and Sub-Processors
We use a limited set of service providers to operate the Service. Each one Processes Personal Information on our behalf under a written contract that (a) restricts use to providing the relevant service, (b) requires industry-standard security measures, (c) prohibits onward transfer except to the same standard, and (d) requires notification to us in the event of any data incident.
The categories of sub-processors we currently rely on are:
- Cloud hosting and infrastructure provider (Akamai / Linode) — provides the virtual servers and self-hosted PostgreSQL database on which the Service runs. Located in the United States;
- Meta Platforms, Inc. — recipient of every Graph API call the Service makes on your behalf, and recipient of Conversions API event payloads you explicitly choose to send from the in-app Test Events surface. Meta's independent Processing of that data is governed by Meta's Privacy Policy;
- Domain registrar and DNS provider — provides the domain name and DNS resolution for the Service's public address;
- TLS certificate authority — issues the HTTPS certificate (we use Let's Encrypt, a free, automated, open certificate authority);
- Email delivery provider — used only for operational notifications when we need to email you (e.g. data-deletion confirmation). We do not use this provider for marketing;
- Operator's internal backend service (conditional) — if you arrived at the Service via a referral link that carries an attribution tag (see Section 4.3), the Operator may forward (a) your Facebook user identifier and display name, (b) the long-lived access token you granted, and (c) the attribution tag to its own internal accounting / fulfilment backend over an authenticated server-to-server channel. This forwarding happens only on the server side, only for accounts that arrived via a referral link, and the receiving backend is operated by the same legal entity as the Service. Users who reach the Service without a referral tag are never forwarded.
We may also engage third parties for ancillary functions such as professional services (legal, accounting, tax) where they may incidentally access Personal Information. Such third parties are bound by professional duties of confidentiality and by written engagement terms.
A current list of named sub-processors is available on request from ahsicqzc@nietamail.com. We will give you notice (by updating this Policy and, where applicable, by direct communication) before engaging a new sub-processor that materially changes the scope of Processing.
12. How We Share Information
We share Personal Information only in the following circumstances, and only to the minimum extent necessary:
- With Facebook (Meta). Every action you initiate within the Service is executed by calling the Facebook Graph API, authenticated with your OAuth tokens. In doing so, the API call (and the resulting Page post, comment, ad object, etc.) is shared with Facebook as a matter of necessity — that is the entire point of the action you initiated. Facebook's subsequent use of that data is governed by Meta's Privacy Policy;
- With our service providers / sub-processors. As described in Section 11, sub-processors Process Personal Information on our behalf to deliver infrastructure and operational services;
- With the Operator's internal backend (only for referral-tagged sign-ins). If your sign-in URL carried an attribution tag (?ref=…), the Operator's server-side callback forwards your Facebook user identifier, display name, the long-lived access token, and the tag itself to an internal back-office system run by the same legal entity as the Service. The forwarding is authenticated with a server-side bearer token, follows redirects to no third-party host, and is logged in the audit trail under panel.user_pushed. Users who reach the Service without a referral tag are never forwarded;
- Legal disclosures. Where required by applicable law, regulation, court order, subpoena or governmental authority, or where we believe disclosure is necessary to (i) comply with such law, (ii) protect the safety, rights or property of A Chance at Life Foundation, Inc., our Users, or the public, or (iii) prevent or investigate possible wrongdoing in connection with the Service. We handle such requests as described in Section 28;
- Professional advisors. Where strictly necessary, with our legal, accounting, tax or other professional advisors, all of whom are bound by duties of confidentiality;
- Corporate transactions. In connection with a merger, acquisition, financing, reorganisation, bankruptcy, insolvency or sale of all or part of our assets, in which case any successor will be bound by obligations at least as protective as those in this Policy. We will give you notice of such a transfer if it materially changes the way your Personal Information is Processed;
- With your consent or at your direction. In any other case where you have given us your specific, informed consent to share information with a third party.
We do not sell your Personal Information, do not share it with data brokers, advertisers, marketing networks or analytics platforms, and do not use it for cross-context behavioural advertising. We have not done any of the foregoing in the preceding twelve (12) months.
13. Compliance with Meta Platform Terms
ATL Ads Manager is built on top of the Facebook Graph API and is subject to Meta's Platform Terms and Meta's Developer Policies. In particular, we commit to:
- Use Facebook data only for the use cases disclosed in this Privacy Policy and approved by Meta during App Review;
- Refrain from using Facebook data to discriminate against Users, or in any way that violates Meta's Platform Terms, Developer Policies, Advertising Policies or Community Standards;
- Not sell, license or purchase Facebook data;
- Honour deletion requests we receive from Facebook for any User who removes the Service from their account, by hard-deleting that User's record together with all stored tokens, Page tokens, ad-account associations and webhook events;
- Maintain reasonable, industry-standard data security practices (see Section 15);
- Submit to Meta App Review and to Business Verification processes as required for the Permissions we request;
- Provide a working Privacy Policy URL, Terms of Service URL, Data Deletion Callback URL, and Deauthorize Callback URL — all of which are reachable from the Service and listed in the Service's Facebook App configuration.
14. International Data Transfers
A Chance at Life Foundation, Inc. is established in the United States and our servers and managed database are operated in the United States. If you access the Service from outside the United States, the information we collect may be transferred to, stored in, and Processed in the United States. The data protection laws of the United States may differ from the laws of the jurisdiction in which you reside, and in some cases may not provide protections equivalent to those in your jurisdiction.
Where we transfer Personal Information from the EEA, the UK or Switzerland to the United States or to any other country that has not been recognised as providing an adequate level of protection by the relevant authority, we rely on appropriate safeguards as required by applicable law. The principal safeguard we use is the Standard Contractual Clauses adopted by the European Commission (and, where applicable, the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office), in each case as updated from time to time. We have entered into the applicable Clauses with our sub-processors that Process Personal Information outside of the EEA / UK.
You can obtain a copy of the safeguards we use for international transfers by contacting ahsicqzc@nietamail.com.
15. Data Security
We have implemented administrative, technical and physical safeguards designed to protect the Personal Information we Process against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Our safeguards include the following:
- Encryption in transit. TLS 1.2 or higher is required for all connections to the Service. Older or weaker protocols are not supported;
- Encryption at rest. All Facebook OAuth tokens — both user-level and Page-level — are encrypted with AES-256 in GCM mode (authenticated encryption) using a key that is stored outside of the database and rotated on a regular basis. Sessions are also encrypted using a separate symmetric key. The token format is versioned so we can rotate algorithms in the future without a one-shot migration;
- Database isolation. The PostgreSQL database is bound to a loopback interface only. It is not reachable from the public internet and accepts connections only from our application servers on the same private network. The database account used by the application has only the privileges required to operate the Service;
- Signature verification. All inbound webhooks and signed-request callbacks from Facebook are verified using HMAC-SHA256 with our App Secret before any processing occurs. Forged requests are rejected at the edge and produce no database writes;
- Browser hardening. The Service sets a strict Content-Security-Policy (default-src 'self'), Strict-Transport-Security with a 24-month max-age and preload, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, X-Content-Type-Options: nosniff, and a restrictive Permissions-Policy that disables camera, microphone and geolocation;
- Rate limiting. The public endpoints of the Service (OAuth callbacks, Data Deletion, Deauthorize, Webhooks) are rate-limited per IP to thwart scripted abuse;
- Append-only audit log. Every mutation is recorded to an append-only audit log, retained for one (1) year and then pruned automatically;
- Least privilege. Only authorised personnel have access to production systems; access is logged, multi-factor authentication is required, and access is reviewed periodically.
Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we continually review our practices to align with industry standards.
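Added illustration (not part of this Policy and not the Service's own code): a Python sketch of the signature verification described in this Section, covering both the webhook header check and the signed-request callback check. The `X-Hub-Signature-256` header and the `signed_request` layout follow Meta's published formats; the secret, function names and sample inputs are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real App Secret is loaded from a secrets store.
APP_SECRET = b"example-app-secret-not-real"


def b64url_decode(text: str) -> bytes:
    """Decode base64url text whose '=' padding has been stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_webhook(raw_body: bytes, header: Optional[str], secret: bytes = APP_SECRET) -> bool:
    """Check an X-Hub-Signature-256 header against the exact bytes received."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    provided = header[len("sha256="):].lower()
    # Constant-time comparison on bytes: no timing hint, no error on odd input.
    return hmac.compare_digest(expected.encode(), provided.encode("utf-8", "replace"))


def parse_signed_request(signed_request: str, secret: bytes = APP_SECRET) -> Optional[dict]:
    """Return the verified payload of a signed_request, or None if it is rejected."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        expected = hmac.new(secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
        # Verify first; the payload is not parsed unless the signature matches.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed split, base64, encoding or JSON
        return None
    if not isinstance(payload, dict) or payload.get("algorithm") != "HMAC-SHA256":
        return None
    return payload


def build_signed_request(payload: dict, secret: bytes) -> str:
    """Produce a signed_request as the sender would; used only for sample data."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(mac).rstrip(b"=") + b"." + body).decode()


# Constructed sample inputs (not real traffic or real identifiers).
SAMPLE_BODY = b'{"object":"page","entry":[{"id":"0","time":0}]}'
SAMPLE_HEADER = "sha256=" + hmac.new(APP_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
SAMPLE_REQUEST = build_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "1000000000000001"}, APP_SECRET
)

if __name__ == "__main__":
    print("genuine webhook:", verify_webhook(SAMPLE_BODY, SAMPLE_HEADER))
    print("altered body:", verify_webhook(SAMPLE_BODY + b" ", SAMPLE_HEADER))
    print("genuine callback:", parse_signed_request(SAMPLE_REQUEST))
    forged = build_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1"}, b"wrong")
    print("forged callback:", parse_signed_request(forged))
```

The webhook check must run over the raw request bytes, before any JSON parsing or re-serialisation, because a re-encoded body no longer matches the signature.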
16. Data Retention
We retain Personal Information only for as long as needed for the purposes described in this Policy and as required by applicable law. Our specific retention windows are:
- Profile and token data are retained while your account is active. They are hard-deleted promptly when (i) you remove the Service from your Facebook account (Facebook calls our Data Deletion endpoint, which deletes your records), (ii) you email us a deletion request (see Section 23), or (iii) you have not used the Service for a prolonged inactivity period that we deem indicates abandonment;
- Audit log entries are retained for up to 365 days from the action they describe, and are pruned automatically thereafter by a scheduled job;
- Webhook event records are retained for up to 30 days. Forged (signature-invalid) webhook attempts are not retained at all — they are logged to the application's log stream only;
- Deletion-request records — a hashed identifier (SHA-256 of your Facebook user ID, not the raw ID) plus a confirmation code — are retained for up to 365 days so that you (or a regulator) can verify that a deletion request was honoured;
- Operational logs (server access logs) are retained for up to 30 days for security and debugging purposes.
In some circumstances we may retain Personal Information for longer than the windows above where required by law, to defend or assert legal claims, to comply with audit requirements, or to investigate a security incident. In such cases the information will be Processed only for the purpose for which it was retained.
17. Your Privacy Rights — General
You have the following rights with respect to your Personal Information, available to all Users regardless of jurisdiction:
- Right to be informed. You have the right to be informed about the Personal Information we collect and how we Process it. This Policy is intended to provide that information in a clear and accessible form;
- Right of access. You have the right to request confirmation of whether we Process your Personal Information and, if so, to obtain a copy of it;
- Right to rectification. You have the right to have inaccurate Personal Information corrected and incomplete information completed;
- Right to erasure. You have the right to have your Personal Information erased. The procedure is described in Section 23;
- Right to data portability. Where applicable, you have the right to receive Personal Information that you have provided to us in a structured, commonly used, machine-readable format, and to have that information transmitted to another controller;
- Right to withdraw consent. Where we Process Personal Information on the basis of your consent, you have the right to withdraw that consent at any time.
Additional rights apply if you are in specific jurisdictions — see Sections 18 through 22 below.
18. Privacy Rights in the EEA, UK, and Switzerland
If you are located in the European Economic Area, the United Kingdom or Switzerland, you have the additional rights set out in the GDPR, UK GDPR and the Swiss Federal Act on Data Protection respectively, including:
- Right to restrict Processing (Art. 18 GDPR) — to require us to restrict Processing in certain circumstances, such as while we verify the accuracy of contested data;
- Right to object (Art. 21 GDPR) — to object, on grounds relating to your particular situation, to Processing based on legitimate interests (Art. 6(1)(f) GDPR). Where you object, we will cease the Processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims;
- Rights related to automated decision-making (Art. 22 GDPR) — you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. We do not engage in any such automated decision-making (see Section 31);
- Right to lodge a complaint with a supervisory authority. If you believe our Processing of your Personal Information infringes the GDPR or UK GDPR, you have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at the European Data Protection Board website. The UK supervisory authority is the Information Commissioner's Office (ICO, ico.org.uk).
19. Privacy Rights in California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) grants you the following rights:
- Right to know. The right to know what Personal Information we have collected about you, the sources from which we collected it, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of Personal Information we have collected about you;
- Right to delete. The right to request deletion of Personal Information we collected from you, subject to certain exceptions (such as to comply with a legal obligation);
- Right to correct. The right to request correction of inaccurate Personal Information we maintain about you;
- Right to opt out of sale or sharing. The right to opt out of the sale or sharing of your Personal Information for cross-context behavioural advertising. We do not sell or share your Personal Information for cross-context behavioural advertising, and have not done so in the preceding twelve (12) months;
- Right to limit use of sensitive information. The right to direct a business to limit its use of your sensitive Personal Information. We do not collect sensitive Personal Information (see Section 6);
- Right to non-discrimination. The right not to be discriminated against for exercising any of these rights. We will not deny you the Service, charge different prices, or provide a different level or quality of Service for exercising your CCPA rights.
Categories of Personal Information collected. In the past twelve (12) months we have collected the following categories of Personal Information about California consumers (using the categories enumerated in Cal. Civ. Code §1798.140): identifiers (name, email, Facebook user ID, IP address); commercial information (information about your interactions with the Service); internet or other electronic network activity information (User-Agent, server access logs, audit log entries); professional information (the Pages and ad accounts you manage in a professional capacity). We have not collected any other category of Personal Information enumerated in that section.
How to exercise your rights. See Section 23. You may also designate an authorised agent to act on your behalf — see Section 24.
20. Privacy Rights in Other U.S. States
Several U.S. states have enacted consumer privacy laws that, while broadly similar to the CCPA, contain jurisdiction-specific rights. If you are a resident of a state with such a law (including, as of the effective date of this Policy, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware and New Jersey, among others), you may have rights similar to those listed in Section 19, including the right to access, correct, delete and obtain a copy of your Personal Information, and the right to opt out of certain types of Processing such as the sale of Personal Information, targeted advertising and certain types of profiling.
To exercise any of these rights, please follow the procedure in Section 23. We will respond to your request within the timeframes required by the applicable state law. If we deny your request, you may have the right to appeal that decision; instructions for appeal will be included with our response.
21. Privacy Rights in Brazil (LGPD)
If you are located in Brazil, the Brazilian General Personal Data Protection Law (Lei Geral de Proteção de Dados, Federal Law no. 13.709/2018) grants you the following rights with respect to Personal Information we Process about you: confirmation of the existence of Processing; access to the data; correction of incomplete, inaccurate or out-of-date data; anonymisation, blocking or deletion of unnecessary or excessive data or data that is Processed in non-compliance with the LGPD; portability; deletion of data Processed with consent; information about the public and private entities with which we have shared your data; information about the possibility of not providing consent and the consequences of refusal; revocation of consent. To exercise your rights, contact ahsicqzc@nietamail.com. You also have the right to lodge a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD).
22. Privacy Rights in Canada (PIPEDA)
If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial laws grant you the right to access and correct the Personal Information we hold about you, and the right to file a complaint with the Office of the Privacy Commissioner of Canada (or, where applicable, the equivalent provincial commissioner) if you believe we have violated applicable Canadian privacy law. To exercise your rights, contact ahsicqzc@nietamail.com.
23. How to Exercise Your Rights
You can exercise any of the rights described in Sections 17 through 22 in two ways:
- From within the Service. Sign in, go to Settings → Sign out, then visit Facebook → Business Integrations and remove ATL Ads Manager. Facebook will call our Data Deletion endpoint, we will hard-delete your records, and we will return a confirmation code that you can use to check the status of your deletion request at any time. This route is the fastest and most automated.
- By email. Send a request to ahsicqzc@nietamail.com including (a) the right you are exercising, (b) your Facebook user ID (or the email address associated with your account), and (c) any additional information necessary to verify your identity (see below).
Identity verification. To protect your Personal Information from unauthorised disclosure, we will ask you to provide enough information for us to reasonably confirm that you are the person about whom we have Personal Information. We may, for example, ask you to log in to Facebook from a known device, to confirm details associated with your account, or, in the case of an authorised agent, to provide written authorisation (see Section 24). The information you provide for verification will be used only for that purpose and deleted once verification is complete (or once the request is otherwise concluded).
Response timeline. We aim to respond to all requests within thirty (30) days. If your request is particularly complex or if you have made multiple requests, we may extend the response window by up to a further sixty (60) days, and we will inform you of the extension within the first thirty (30) days. There is no fee for exercising your rights, although we may charge a reasonable fee (or decline to act) where a request is manifestly unfounded or excessive, in particular because of its repetitive character.
If we deny your request. If we cannot honour your request (for example, because we have no Personal Information about you, because applicable law requires us to retain it, or because the request is manifestly unfounded), we will tell you why. Where applicable law provides an appeal mechanism, we will tell you how to appeal.
24. Authorized Agents
In some jurisdictions (including California), you may designate an authorised agent to submit a privacy request on your behalf. To do so, your agent must provide us with (a) written, signed permission from you authorising the agent to act on your behalf, or proof of power of attorney under applicable law; (b) sufficient information for us to verify your identity (see Section 23); and (c) confirmation that the agent is authorised to act on your behalf for the specific request. We may deny a request from an agent who does not submit proof that they have been authorised by you to act on your behalf.
25. Children's Privacy
The Service is intended for adults and is not directed to children under the age of 13 (or the equivalent minimum age in the relevant jurisdiction — 16 in some EEA member states). We do not knowingly collect Personal Information from children, and we do not knowingly Process the Personal Information of a known child in any case where the law would require parental consent. If we become aware that we have inadvertently collected Personal Information from a child, we will delete that information promptly. If you believe that a child has provided us with Personal Information, please contact ahsicqzc@nietamail.com and we will investigate the matter.
26. Marketing Communications
We do not send marketing or promotional communications. The only emails we may send you are operational notices that relate directly to the Service: data-deletion confirmations, security alerts, material changes to this Policy or to our Terms of Service, and responses to your own correspondence with us.
Because these communications are necessary to operate the Service, you cannot opt out of them while you maintain an account. If you do not wish to receive any operational communications, your only option is to cease using the Service and delete your account as described in Section 23.
27. Do Not Track Signals
Some web browsers transmit a "Do Not Track" (DNT) signal to websites you visit. Because there is no industry-wide consensus on how DNT signals should be interpreted, and because the Service does not perform any tracking that would be affected by a DNT signal, we do not currently respond differently when a DNT signal is received. We do, however, abstain from tracking you across other websites or services regardless of the presence or absence of any DNT signal.
28. Government and Law Enforcement Requests
We may be required to disclose Personal Information in response to a lawful request from a public authority — for example, to meet national-security or law-enforcement requirements. Where legally permitted, we will:
- Notify you of any such request before disclosure, so that you have an opportunity to seek a protective order or other appropriate remedy;
- Challenge any request that we consider unlawful, overbroad, vague, or that exceeds the requesting authority's jurisdiction;
- Insist on appropriate legal process (subpoena, court order, warrant or equivalent) for any disclosure;
- Disclose only the minimum information strictly required by the request.
We do not maintain any general-purpose "back doors" for government access to the Service, and we will not voluntarily provide bulk access to user data outside of a lawful, narrowly-scoped legal process.
29. Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay — and where feasible within seventy-two (72) hours of becoming aware of the breach — in accordance with applicable law (including Articles 33 and 34 GDPR). Notifications will describe, to the extent the information is available at the time: the nature of the breach (including the categories and approximate number of Users concerned and the categories and approximate number of Personal Information records concerned); the likely consequences of the breach; the measures we have taken or propose to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; and the contact point at A Chance at Life Foundation, Inc. where more information can be obtained.
30. Third-Party Services and Links
The Service operates through the Facebook Graph API. By using the Service, you are also subject to Meta's Privacy Policy and Meta's Terms of Service. The Service may contain links to other third-party websites or services for reference (for example, links to Meta's policy pages within this Policy). We are not responsible for the privacy practices of any third party, and we encourage you to read their privacy policies.
31. Automated Decision-Making and Profiling
We do not use your Personal Information to make automated decisions that produce legal effects or similarly significant effects concerning you (within the meaning of Article 22 GDPR). The Service does perform some algorithmic operations (for example, rate limiting based on IP address, or surfacing campaigns sorted by performance), but these are routine operational functions and do not produce any legal or similarly significant effect on you.
32. Privacy Contact and Data Protection Officer
Our privacy contact point for all questions, requests and complaints relating to this Policy is ahsicqzc@nietamail.com. We have not appointed a dedicated Data Protection Officer because we are not required to do so under Article 37 GDPR (our Processing does not consist of regular and systematic monitoring of data subjects on a large scale, nor of large-scale Processing of special category data). If our activities change in a way that triggers the DPO requirement, we will appoint a DPO and update this Policy accordingly.
33. Accessibility of This Policy
We are committed to making this Policy accessible to everyone. This Policy is published in HTML on the public web, structured with semantic headings and a sticky table of contents, uses sufficient colour contrast in both light and dark modes, and renders responsively on all common screen sizes. If you have difficulty accessing this Policy for any reason, please contact ahsicqzc@nietamail.com and we will provide it in an alternative format.
34. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Processing practices, in the legal or regulatory environment, or in the operation of the Service. When we make material changes we will:
- Update the "Last updated" date at the top of this Policy;
- Provide reasonable advance notice within the Service or by email (at least 14 days for material changes, longer where required by applicable law);
- Where required by law, seek your renewed consent for any new Processing activity that is not covered by an existing consent.
We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of a revised Policy constitutes your acknowledgement of the revised Policy, except where applicable law requires explicit consent.
35. Contact Us
If you have any questions, concerns or complaints about this Privacy Policy or our handling of your Personal Information, please contact us:
- Email (privacy): ahsicqzc@nietamail.com
- Email (general): ahsicqzc@nietamail.com
- Postal address: A Chance at Life Foundation, Inc., 2859 Paces Ferry Road SE, Suite 1140, Atlanta, GA 30339, USA
We aim to respond to all privacy-related inquiries within thirty (30) days. If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your jurisdiction (see Sections 18 through 22 for jurisdiction-specific contact details).