Privacy Policy

TrackCreatives ("Company," "we," "our," or "us") operates the TrackCreatives web application located at trackcreatives.com (the "Website") and the TrackCreatives Chrome browser extension (the "Extension"). Together, these are referred to as the "Service."

This Privacy Policy explains what information we collect, how we use and share it, how long we keep it, and what rights you have regarding your data. It applies to all users of the Service worldwide.

By installing the Extension or creating an account on the Website, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please uninstall the Extension and discontinue use of the Service.

2.1 Account Information

When you create a TrackCreatives account, we collect:

• Email address (required for account creation, login, and service communications)
• Name (optional, provided during onboarding)
• Role and platform preferences (optional, provided during onboarding)
• Subscription plan and billing status

Payment information (credit card numbers, billing addresses) is collected and processed directly by our payment processor, Stripe. We never receive, transmit, or store your full payment card details on our servers.

2.2 Service Usage Data

• Features accessed, pages viewed, and tools used within the Website
• Search queries and filters applied within our dashboard
• Import counts and usage metrics for rate-limiting and plan enforcement
• Timestamps of actions performed

2.3 Data Collected via the Chrome Extension

The Extension collects publicly available content metadata from supported platforms (currently TikTok and X/Twitter) while you browse those platforms. This includes:

Content and Creator Metadata:

• Post/video identifiers and URLs
• Captions, descriptions, and hashtags
• Publicly displayed engagement metrics (views, likes, comments, shares, bookmarks)
• Content duration, creation date, and thumbnail/cover image URLs
• Publicly available creator information: usernames, display names, profile images, bios, follower/following counts, and verified status
• TikTok Shop product data when you visit a product page (product title, price, rating, reviews, seller info, and related products)
• TikTok Ad Library and Creative Center data when you visit those pages

How the Extension Collects Data:

• The Extension reads publicly visible content from the web pages you visit on supported platforms ("DOM scraping")
• The Extension observes network responses from the supported platforms' own public-facing APIs while you browse, to capture structured metadata that is already being sent to your browser ("API response observation")
• If you enable the auto-scroll feature, the Extension will programmatically scroll the page to load additional content and collect the data that appears

Local Activity Log:

The Extension maintains a local activity log on your device that records the type of activity performed (e.g., "FYP pull," "profile view," "search"), a descriptive label, and a timestamp. This log is stored locally and is not transmitted to our servers.

2.4 Information We Do NOT Collect

• We do not collect your social media passwords, login credentials, or authentication tokens for TikTok, X, or any other platform
• We do not collect private or direct messages
• We do not access your browsing history, bookmarks, or activity on any website other than the supported platforms listed above
• We do not collect the content of pages you visit outside of supported platforms
• We do not use the Extension to inject advertisements, modify page content for promotional purposes, or redirect your browsing
• We do not collect keystroke data, form inputs, or any other data you type into websites

We use the information we collect for the following purposes:

• Service delivery: To provide, maintain, and improve the TrackCreatives platform, including displaying advertising intelligence data on your dashboard
• Account management: To authenticate your identity, manage your subscription, and enforce usage limits based on your plan
• Payment processing: To process subscription payments through Stripe
• AI-powered analysis: To generate ad analysis, creative briefs, and insights using third-party AI services (content metadata only; no personal user data is shared for this purpose)
• Service communications: To send transactional emails such as account confirmations, billing receipts, and important service updates
• Security and integrity: To detect and prevent fraud, abuse, and unauthorized access
• Product improvement: To analyze aggregate usage patterns to improve features and user experience

4.1 Extension to Server Transmission

When you choose to import data from the Extension to your TrackCreatives dashboard, the collected content metadata is transmitted to our servers over an encrypted HTTPS connection. Each request is authenticated using your account credentials (a secure session token). Data is only transmitted when you actively initiate an import or when the Extension syncs configuration settings.

4.2 Third-Party Service Providers

We share data with the following categories of service providers who process data on our behalf under contractual obligations:

• Supabase — Database hosting and user authentication
• Stripe — Payment processing (PCI-DSS Level 1 compliant)
• Cloudflare (R2) — Media storage and content delivery
• Anthropic (Claude AI) — AI-powered ad analysis and creative insights. Only ad/content metadata is shared for analysis; your personal account information is not sent to Anthropic
• PostHog — Product analytics to understand feature usage and improve the service
• Railway — Application hosting infrastructure

Each third-party provider maintains its own privacy policy. We encourage you to review them.

4.3 We Do NOT Sell Your Data

We do not sell, rent, lease, or trade your personal information or collected content metadata to any third party. We do not share data with data brokers or advertising networks.

4.4 Legal and Safety Disclosures

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or government request
• Protect and defend our rights, property, or safety
• Prevent fraud or investigate potential violations of our Terms of Service
• Protect the personal safety of users or the public

The Extension requests certain browser permissions to function. Below is a complete list of each permission and why it is needed:

• sidePanel — Displays the TrackCreatives research panel alongside the pages you browse on supported platforms
• storage / unlimitedStorage — Stores collected content metadata, your preferences, session data, and cached configuration locally on your device. The "unlimitedStorage" permission allows the Extension to store more data than the default 10 MB limit, ensuring your research data is not lost during extended sessions
• activeTab — Allows the Extension to interact with the currently active tab on supported platforms to extract publicly visible content
• scripting — Enables the Extension to inject content scripts into supported platform pages to read publicly available data from the page
• tabs — Allows the Extension to detect when you navigate to a supported platform and activate the appropriate data collection scripts
• identity — Used for authenticating your TrackCreatives account within the Extension

Host Permissions

The Extension requests access to the following domains:

• tiktok.com, ads.tiktok.com, library.tiktok.com — To collect publicly available TikTok content, ad library data, and creative center data
• x.com, twitter.com — To collect publicly available posts and profile data from X/Twitter
• trackcreatives.com — To communicate with our own servers for authentication and data import

The Extension does not request or have access to any domains beyond those listed above. It cannot read or modify content on any other website.

The Extension stores collected data locally on your device using Chrome's extension storage API. This local data includes:

• Cached content metadata from your browsing sessions (video data, profile data, search results)
• Your authentication session tokens (encrypted)
• Extension configuration and preferences
• A local activity log of your research actions

To manage storage, the Extension automatically limits the number of cached entries (e.g., recent feed pulls, search results, and profile visits). Older entries are automatically removed when limits are reached. You can clear all locally stored Extension data at any time by right-clicking the Extension icon and selecting "Remove from Chrome," or through your browser's extension management settings.

Local data is stored only on your device and is not accessible to other extensions, websites, or users of your computer (unless they have access to your browser profile).

Data imported to your TrackCreatives account is stored securely using industry-standard practices:

• All data is stored in a PostgreSQL database hosted on Supabase with encrypted connections and row-level security
• Media files (images, video thumbnails) are stored on Cloudflare R2 with access controls
• All data in transit is encrypted using HTTPS/TLS (minimum TLS 1.2)
• Data at rest is encrypted using AES-256 encryption provided by our infrastructure providers
• Authentication tokens are securely generated and rotated by Supabase Auth
• Payment processing is handled entirely by Stripe, which is PCI-DSS Level 1 certified
• Access to production systems is restricted to authorized personnel only

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

Account Data

We retain your account information and imported data for as long as your account remains active. If you request account deletion:

• Your personal information (email, name, preferences) will be permanently deleted within 30 days
• Your imported content data and associated analyses will be permanently deleted within 30 days
• Stripe may retain billing records as required by financial regulations
• Data required for legal compliance, dispute resolution, or enforcement of our agreements may be retained as permitted by law

Extension Local Data

Data cached locally by the Extension is stored on your device and persists until you clear it manually or uninstall the Extension. We have no ability to access or delete data stored locally on your device.

Aggregate Data

We may retain aggregated, de-identified data that cannot reasonably be used to identify you for analytics and product improvement purposes. This data is not subject to deletion requests.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Rights Available to All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data and account
• Data portability: Request your data in a structured, machine-readable format
• Withdrawal of consent: Withdraw your consent to data processing at any time by discontinuing use of the Service

Additional Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including:

• Restriction of processing: Request that we limit how we process your data
• Objection: Object to processing based on our legitimate interests
• Lodge a complaint: File a complaint with your local data protection authority

Our legal basis for processing personal data under the GDPR includes: (a) performance of a contract (providing the Service), (b) legitimate interests (improving the Service, preventing abuse), and (c) your consent (where applicable).

Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected
• Right to delete: Request deletion of your personal information
• Right to opt-out of sale: We do not sell personal information, so this right is already honored
• Non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, please contact us at support@trackcreatives.com. We will respond to verified requests within 30 days (or sooner if required by applicable law).

Our servers and third-party service providers may be located in countries other than your own. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where our service providers operate. We ensure that appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.

The Extension operates on third-party platforms (TikTok, X/Twitter) that have their own terms of service and privacy policies. We encourage you to review those policies. TrackCreatives is an independent service and is not affiliated with, endorsed by, or sponsored by TikTok, ByteDance, X Corp., or any of their subsidiaries.

The data collected by the Extension consists of publicly available content that is already visible to any user browsing those platforms. We do not access private, restricted, or authenticated-only content beyond what is publicly displayed on the page you are viewing.

The Service is not directed to individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@trackcreatives.com.

Some browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no common industry standard for interpreting DNT signals, our Service does not currently respond to DNT signals. However, you can control data collection by uninstalling the Extension or adjusting your account settings.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Post a notice on our Website or within the Extension for significant changes
• Send an email notification for changes that materially affect how we handle your personal data

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, please discontinue use and delete your account.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, you may also contact your local data protection authority.