Privacy Policy

Maven ("Maven," "we," "us," or "our") operates the website gomaven.ai and associated services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. By using Maven, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you create a Maven account, we collect your full name, email address, company name (optional), and an encrypted password managed by our authentication provider, Supabase. We do not store passwords ourselves.

1.2 Connected Platform Data

When you connect third-party advertising platforms (such as Meta Ads, Google Ads, or TikTok Ads) via OAuth 2.0, we receive OAuth access tokens and refresh tokens that allow us to read your advertising data on your behalf. We request read-only access to your ad campaigns, including ad spend, clicks, impressions, click-through rate (CTR), cost per click (CPC), creative assets, and ad images. We do not modify, create, or delete campaigns in your ad account unless you explicitly use our publishing feature.

1.3 Business DNA Data

When you use our Business DNA feature, we scrape publicly available information from the website URL you provide. This data is processed in real-time by AI to extract brand identity attributes and is stored in your organization's account for use in ad generation.

1.4 Generated Content

Ad copy, images, angles, and briefs generated by Maven are stored in your organization's account and in Supabase Storage (for generated images). This content belongs to you.

1.5 Usage and Analytics Data

We collect anonymized usage analytics including page views, feature usage counts, scroll depth on our marketing site, and section view data. This helps us improve the product. We do not use third-party advertising trackers.

2. How We Protect Your Data

2.1 Encryption at Rest

All OAuth tokens (access tokens and refresh tokens) are encrypted at rest using Fernet symmetric encryption, which provides AES-128-CBC encryption with HMAC-SHA256 message authentication. This means your platform credentials are cryptographically secured before they ever reach our database. Encryption keys are stored in Google Cloud Secret Manager and are never exposed in application code or logs.

2.2 Encryption in Transit

All data transmitted between your browser and our servers is encrypted via TLS (HTTPS). Our API is served over HTTPS at api.gomaven.ai. All connections to third-party services (Supabase, OpenAI, Google Gemini, Meta API) are also encrypted via TLS.

2.3 Authentication and Access Control

Every API request is authenticated via JSON Web Tokens (JWT) issued by Supabase Auth. JWT algorithms are auto-detected from the Supabase JWKS endpoint and pinned server-side to prevent algorithm confusion attacks. Row-Level Security (RLS) is enabled on all database tables, ensuring users can only access data belonging to their organization.

2.4 Infrastructure Security

Maven runs on Google Cloud Platform (Cloud Run for the backend, Firebase App Hosting for the frontend) in the asia-southeast1 region. All production secrets are managed via GCP Secret Manager. SSRF protection blocks private IP ranges and cloud metadata endpoints on all server-side URL fetching. Input sanitization defends against prompt injection in AI interactions.

2.5 Rate Limiting and Abuse Prevention

All API endpoints are rate-limited on a per-user basis using JWT-verified identity. Monthly usage quotas are enforced server-side. Request body sizes are capped at 10MB to prevent abuse.

3. How We Use Your Information

We use your information to:

• Provide, operate, and improve the Maven Service
• Analyze your ad performance using behavioral science frameworks
• Generate AI-powered ad creative tailored to your brand
• Authenticate your identity and manage your account
• Communicate with you about the Service (product updates, security alerts)
• Enforce our Terms of Service and prevent abuse

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in these circumstances:

• AI processing: Your ad data and brand information are sent to AI model providers (OpenAI, Google Gemini) for analysis and generation. These providers process data under their respective data processing agreements and do not use your data for model training.
• Infrastructure providers: Your data is stored on Supabase (database and file storage) and Google Cloud Platform (compute and secrets). These providers act as data processors on our behalf.
• Legal requirements: We may disclose information if required by law, subpoena, or court order, or to protect the rights, safety, or property of Maven, our users, or the public.

5. Data Retention

We retain your account data for as long as your account is active. Generated ad content and analysis results are stored indefinitely until you delete them or close your account. OAuth tokens are retained only while your platform connection is active and are deleted immediately upon disconnection. Usage analytics data is retained in aggregate form.

6. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your account and all associated data (see our Data Deletion page)
• Disconnect any connected advertising platform at any time from your dashboard
• Export your generated content (ads, analysis, Business DNA)

7. Cookies

Maven uses essential cookies only for authentication session management via Supabase Auth. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No data is shared with advertisers.

8. Children's Privacy

Maven is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

10. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at support@gomaven.ai.