Privacy Policy
Effective: 2026-05-20
Last updated: 2026-05-20
Stratis Technology Inc. ("Stratis," "we," "us") operates the Stratis ad-analytics platform at https://app.stratis.technology. This Privacy Policy explains what data we collect, how we use it, and your rights.
1. Who we are
Stratis is a multi-tenant ad-analytics SaaS for digital advertising agencies. Our customers are agencies; the data we process belongs to those agencies' clients.
Contact: compliance@stratis.technology
2. Data we collect
From you as a Stratis user
- Email address, name, and password hash (via Supabase Auth)
- Agency and client metadata you enter into the dashboard (names, logos, URLs)
From the advertising platforms you connect
When you connect an advertising platform to Stratis through one of our connectors, we ingest:
- Ad-account, campaign, ad-group, and ad-level metadata (names, IDs, statuses, budgets, schedules)
- Daily performance metrics (impressions, clicks, spend, conversions, video views, engagement metrics) for the accounts you explicitly select
- Currency codes, time zones, and account-level configuration
We do NOT collect:
- Audience-level PII (no email lists, no customer match lists, no audience targeting)
- Conversion-event individual user data
- Creative assets beyond IDs and metadata
Connector credentials
For connectors that authenticate via OAuth we store the OAuth refresh token; for connectors that use direct credentials we store the API token. In both cases the credential is encrypted at rest using AES-256-GCM authenticated encryption with a dedicated 256-bit key held in our deployment environment's secret store, separate from the application database. Credentials are encrypted before they are written and decrypted only in-memory at the moment a sync runs.
3. How we use your data
- Display dashboards, reports, and AI-generated insights for the agency that connected the account
- Ingest, transform, and store the data in our Medallion-architecture data warehouse for the agency's own analytics use
- Email you about service updates, security incidents, and billing
We do NOT:
- Sell your data
- Share your data with third parties (other than the subprocessors listed below who help us operate the service)
- Use one agency's data to train or improve any model that another agency sees
- Use your data for advertising
4. Subprocessors
We use the following third-party service providers ("subprocessors") to operate the platform. Each receives only the data needed for its function, and all are bound by their own data-protection commitments. Our infrastructure is hosted in the United States.
- Supabase — application database (PostgreSQL) and user authentication
- Google BigQuery — analytics data warehouse
- Google Cloud Storage — raw ingested-data file storage
- Railway — backend application hosting
- Netlify — dashboard hosting
- Airbyte Cloud — ad-platform data ingestion
- OpenAI — AI-generated insights. Data is sent for inference only. OpenAI does not use data submitted via its API to train its models, and retains it for a limited period (up to 30 days) for abuse monitoring before deletion, per OpenAI's API data-use policy
- Sentry — error monitoring; may capture request metadata, your email, and IP address in error reports
- Tavily and Linkup — web search providers that power news and market-context insights; receive search queries that may include client names
5. Per-tenant isolation
Every record in our data warehouse and database is keyed by tenant_id
(your agency ID). Database-level Row-Level Security policies enforce that
one agency cannot read another's data. BigQuery tables are partitioned and
clustered by tenant_id; queries that lack a tenant_id
filter are rejected by application code.
6. Data from connected platforms
When you connect a platform, you authorize Stratis to read data only for the accounts you explicitly select. We request the minimum access each platform offers for read-only reporting, and we use that access solely to:
- List the accounts you have access to, so you can choose which to connect
- Read reporting and metadata for the accounts you select
We do not use data obtained from any connected platform for:
- Advertising
- Resale to third parties
- Training machine-learning models that aggregate across customers
- Any purpose other than displaying your data in your own Stratis dashboard
Where a platform's API terms impose additional data-handling obligations — such as limited-use or restricted-scope requirements — we comply with them and limit our use of that platform's data accordingly.
Google user data
Stratis's access, use, storage, and transfer of data received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. When you connect a Google account, Stratis requests only read-only access to your advertising reporting data, uses it solely to populate your own dashboards and insights, does not transfer it to others except as required to provide the service, does not use it for advertising, and does not allow humans to read it except with your consent, for security or to comply with applicable law.
7. Data retention and deletion
- We retain ingested ad data for as long as your agency maintains an active Stratis account
- On account deletion, all of your agency's data is removed from our application database, data warehouse, and object storage within 30 days
- You can request data export or deletion at any time by emailing compliance@stratis.technology
8. Security
- All data in transit is encrypted via TLS 1.2+
- All data at rest is encrypted: cloud-provider AES-256 at the storage layer, plus an additional application-level AES-256-GCM layer applied to connector credentials (OAuth tokens and API keys) before they are written to the database
- Multi-tenant isolation enforced via PostgreSQL Row-Level Security and BigQuery partition/cluster keys
- Access to production data is restricted to Stratis engineers and requires SSO
9. Changes to this policy
We will update the "Last updated" date at the top of this page and email account owners about material changes.
10. Contact
Questions, requests for deletion, or security reports: compliance@stratis.technology