Ads & Marketing Privacy Policy
Last updated: June 2026
This policy explains how Nexora Technologies ("Nexora", "we", "us") collects, uses, shares, and protects data when you use the Meta Ads features of Super CRM (the "Ads Service") at supercrm.nexoratechnologies.cloud. The Ads Service connects to Meta Platforms' Marketing API through a dedicated Meta app. It supplements our general Privacy Policy, which continues to apply to everything else in Super CRM; where the two differ for advertising data, this policy controls.
1. What this covers
The Ads Service lets you connect a Facebook account that manages advertising, select one of the ad accounts available to it, choose which of the Facebook Pages you manage an ad should run from, create and manage Click-to-WhatsApp ad campaigns (including pausing, resuming, archiving, and adjusting budgets), and view the campaigns and performance metrics (such as impressions, clicks, spend, CTR, and reach) of the ad account you select. Click-to-WhatsApp ads created through the Ads Service may be delivered across Meta surfaces, including Facebook and Instagram, and are designed to open a WhatsApp conversation with you. It is separate from the WhatsApp messaging features of Super CRM, which run on a different Meta app and are not affected by your use — or non-use — of the Ads Service.
2. Information we collect when you connect Facebook Ads
- Authentication data from Meta: an access token issued by Meta for our ads app, and your app-scoped Facebook user ID. The token is stored encrypted at rest and is used only to call the Marketing API on your behalf. We never see or store your Facebook password.
- Ad account metadata: the IDs, names, statuses, and currencies of the ad accounts your connection grants, and which one you select as active.
- Campaign data and insights: campaign names, statuses, objectives, budgets, and aggregated performance metrics returned by the Marketing API. We display this data to you; in the current version of the Ads Service we do not permanently store campaign insights — they are fetched live from Meta when you open the Ads page.
- Facebook Pages you manage: the list of Pages your connection grants — each Page's name, ID, and whether a WhatsApp number is connected to it — so you can choose which of your own Pages a Click-to-WhatsApp ad runs from and so we can confirm you manage that Page. We read this only to populate the Page selector in the ad-creation flow; we do not read your Page's posts, messages, follower lists, or other content.
- Campaigns you create: when you build or manage a campaign, the campaign, ad set, ad creative, and ad you define — including the ad copy, image, audience (country, age, gender), budget, the Facebook Page, and the WhatsApp number you specify — are created on your selected ad account via the Marketing API. This content is supplied by you and stored by Meta on your own ad account; on our side we keep only operational logs of the actions taken (e.g. "campaign created", "campaign paused") referencing your Super CRM account ID, for security, debugging, and support.
We do not collect or receive the personal data of people who see or interact with your ads. Meta provides us only aggregated, de-identified performance metrics.
Meta permissions we request, and why
- ads_read — to read the ad accounts, campaigns, and performance metrics you ask us to display.
- ads_management — to create and manage (pause, resume, archive, adjust budgets) the campaigns you build, on the ad account you authorise.
- pages_show_list and pages_read_engagement — to list the Facebook Pages you manage so you can pick one for a Click-to-WhatsApp ad and so we can confirm you manage it.
- pages_manage_ads — to create and manage the Click-to-WhatsApp ads that are associated with the Page you select.
We request only the permissions needed to provide the features you use, operate solely on the assets you authorise, and act only at your direction. We never use these permissions to access Pages, ad accounts, or assets you do not manage.
3. How we use this information
- To authenticate your connection to Meta and keep it working (token refresh and validation).
- To display your ad accounts, campaigns, and performance metrics inside Super CRM.
- To create and manage the Click-to-WhatsApp campaigns you build — the ad set, creative, audience, budget, the Facebook Page, and the WhatsApp number you choose — on the ad account you authorise, at your direction.
- To secure the Ads Service, prevent abuse, and debug faults (request logs reference your Super CRM account ID, never your access token in plain form).
We do not sell this data, use it for our own advertising, share it for cross-context behavioral advertising, or use it to train AI models. We use Meta Platform Data only to provide the Ads Service to you, as permitted by the Meta Platform Terms and Developer Policies.
4. Sharing
We share advertising-related data only with:
- Meta Platforms — every Ads Service action is a request to Meta's Marketing API on your behalf, governed by Meta's own Privacy Policy and Advertising Standards.
- Supabase — our database and authentication provider, where your encrypted token and ad account selection are stored under row-level security so only your account can access them.
- Authorities — where disclosure is required by law.
5. Data retention
Your encrypted ads access token, Facebook user ID, and ad account selection are kept for as long as your Facebook connection remains active. They are deleted immediately when you disconnect (Section 6) and within 30 days of the closure of your Super CRM account. Meta access tokens also expire on Meta's side (typically within about 60 days unless renewed by your continued use).
6. Data deletion — how to disconnect and erase your ads data
You can remove everything the Ads Service holds about your Facebook connection at any time, in any of these ways:
- In the app: open Meta Ads → Disconnect. This permanently deletes your stored access token, Facebook user ID, ad account selection, and connection timestamp.
- From Facebook: remove the app in your Facebook Business Integrations / Apps and Websites settings. This invalidates the token on Meta's side; you may additionally use the in-app Disconnect to clear our stored copy, or email us.
- By email: write to info@nexoratechnologies.cloud from your account email with the subject "Ads data deletion". We will delete the data and confirm within 30 days.
7. Security
Ads access tokens are encrypted at rest, transmitted only over HTTPS, and never returned to the browser after connection. All Marketing API calls are made server-side with app-secret proof. Access to your data is restricted by row-level security to your own account.
8. Your rights
Depending on where you live (including under the India DPDP Act, UK/EU GDPR, and US state privacy laws such as CCPA/CPRA), you may have rights to access, correct, delete, or port this data and to lodge a complaint with a supervisory authority. Exercise them via info@nexoratechnologies.cloud. The identity verification and response process in our general Privacy Policy applies.
9. Changes & contact
We will post any material changes to this policy on this page and update the date above. Questions: info@nexoratechnologies.cloud.
