Privacy Policy

Introduction

At ROI Media Partners ("RMP," "we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

This policy applies to all visitors, users, and others who access our website at roimediapartners.com (the "Site") and our services. By using the Site or our services, you consent to the data practices described in this policy.

1. Information We Collect

1.1 Information You Provide to Us

We collect information that you voluntarily provide when you:

• Submit a contact form or inquiry through our Site
• Request information about our services
• Engage with us through email or other communication channels
• Participate in surveys, events, or promotional activities

This information may include:

• Contact Information: Name, email address, phone number, company name, job title/role
• Communication Content: Messages, inquiries, feedback, and any other information you choose to provide
• Consent Records: Your agreement to be contacted and acceptance of our privacy practices
• Business Account Credentials: When you connect your advertising accounts (such as Meta, Google Ads, or Google Analytics) to our platform, we receive and securely store authentication tokens that allow us to access your account data on your behalf. These tokens are stored in Google Cloud Secret Manager with per-customer encryption and isolation. We never store your account passwords.
• Customer Transaction Data: If you use our analytics services, we may receive customer transaction records from your point-of-sale system, e-commerce platform, or customer data platform (such as Customer.io). This data may include transaction identifiers, purchase values, timestamps, email addresses, phone numbers, and marketing attribution parameters (such as UTM tags, Google Click IDs, and Facebook Click IDs).

1.2 Information Automatically Collected

When you visit our Site, we may automatically collect certain technical information, including:

• Device and Browser Information: Device type, operating system, browser type and version, screen resolution
• Usage Data: Pages visited, time spent on pages, referring/exit pages, date and time of access
• IP Address: Your Internet Protocol (IP) address and general geographic location (country/region level only)
• User Agent: Technical information about your browser and device configuration

1.3 Cookies and Tracking Technologies

We use essential cookies and similar tracking technologies to operate our Site effectively. These technologies help us:

• Maintain security and prevent fraud
• Remember your preferences and settings
• Understand how visitors interact with our Site
• Improve Site performance and user experience

You can control cookies through your browser settings. Note that disabling certain cookies may affect Site functionality.

2. How We Use Your Information

We use the information we collect for legitimate business purposes, including:

• Service Delivery: To respond to your inquiries, provide requested information, and deliver our consulting and advisory services
• Communication: To send you service-related communications, updates, and responses to your requests
• Business Operations: To operate, maintain, and improve our Site and services
• Security: To protect against fraud, unauthorized access, and other security threats through rate limiting and spam detection
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests
• Business Analysis: To analyze trends, understand user needs, and improve our service offerings
• Marketing: To send you relevant information about our services, with your consent where required by law

2A. Advertising Platform Integrations and Data Processing

ROI Media Partners operates NavigateSocial, a marketing analytics platform that integrates with third-party advertising platforms to help businesses optimize their marketing through Customer Lifetime Value (CLV) analysis. This section describes how we process data in connection with these integrations.

2A.1 Customer Lifetime Value (CLV) Analysis

We analyze your customer transaction data to calculate Customer Lifetime Value scores. This analysis uses statistical models to predict future purchasing behavior and segment your customers into value tiers (such as high, medium, and low lifetime value). CLV analysis is performed on aggregated transaction data and does not involve profiling individual consumers for purposes unrelated to your marketing objectives.

2A.2 Meta (Facebook and Instagram) Integration

When you connect your Meta advertising account to our platform, we access and process data through Meta's Marketing API in the following ways:

Data we receive from Meta:

• Campaign, ad set, and ad performance metrics (spend, impressions, clicks, reach, conversions, and conversion value)
• Demographic performance breakdowns (age bracket, gender, platform, device, and placement)
• Ad account information (account name, status, and configuration)
• Custom Audience metadata (audience name, approximate size, and type)

Data we send to Meta:

• Customer identifiers for Custom Audiences: We transmit customer email addresses and/or phone numbers to Meta for the purpose of creating Custom Audiences. These identifiers are hashed using SHA-256 before transmission to Meta. Meta uses these hashed identifiers solely for audience matching and cannot reverse the hashing to obtain the original data. We only transmit identifiers belonging to your customers, and only when you direct us to create or update a Custom Audience.
• CLV segment assignments: When creating Custom Audiences, customer identifiers are grouped by their CLV segment (high, medium, or low value). Individual CLV scores, transaction amounts, or other financial details are never transmitted to Meta.
• Ad set configuration: When you direct us to create ad sets, we transmit targeting parameters (such as geographic area, age range, and gender), optimization settings, scheduling, and budget parameters to Meta on your behalf. Ad sets are created in a paused state by default to prevent unintended advertising spend.
• Campaign management actions: We may update campaign or ad set status (pause or activate), adjust budgets, or modify URL tracking parameters at your direction.

Data we do not send to Meta:

• Individual transaction values or purchase history
• Customer names or physical addresses
• CLV scores or predicted purchase amounts
• Any data from customers who have not been included in an audience you directed us to create

2A.3 Google Ads Integration

When you connect your Google Ads account, we retrieve campaign performance metrics (spend, impressions, clicks, conversions, and conversion value) for reporting and analysis purposes. We do not create or modify Google Ads campaigns, ad groups, or ads through this integration.

2A.4 Google Analytics 4 (GA4) Integration

When you connect your GA4 property, we retrieve aggregated e-commerce data (revenue, transaction counts, and purchaser counts) broken down by marketing channel. We do not access individual user-level data from GA4.

2A.5 Customer.io Integration

When you connect your Customer.io account, we retrieve purchase event data (transaction identifiers, values, timestamps, and marketing attribution parameters) for use in CLV analysis and conversion attribution. We do not send data to Customer.io or modify your Customer.io configuration.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

3.1 Service Providers

We may share information with trusted third-party service providers who assist us in operating our Site and delivering our services, including:

• Hosting and Infrastructure: Vercel (website hosting), Supabase (data storage)
• Cloud Infrastructure: Google Cloud Platform (data warehousing via BigQuery, credential storage via Secret Manager, application hosting via Cloud Run). Customer data is stored in dedicated, isolated datasets with per-customer access controls.
• Advertising Platforms: Meta (Facebook/Instagram) and Google Ads, solely for the purpose of managing your advertising accounts at your direction. Customer identifiers transmitted to Meta for audience matching are hashed using SHA-256 before transmission.
• Customer Data Platforms: Customer.io, solely for retrieving your transaction data for analytics purposes.
• Email Services: For sending communications and notifications
• Analytics: To understand Site usage and improve user experience

These service providers are contractually obligated to use your information only as necessary to provide services to us and to protect the confidentiality and security of your information.

3.2 Legal Requirements

We may disclose your information when required by law or in response to valid legal processes, such as:

• Complying with subpoenas, court orders, or other legal obligations
• Protecting our rights, property, or safety, or that of our users or the public
• Detecting, preventing, or addressing fraud, security, or technical issues

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have regarding your information.

4. Data Security

We implement industry-standard security measures to protect your personal information, including:

• Encryption: All data transmitted to and from our Site is encrypted using TLS/SSL protocols
• Access Controls: Strict authentication and authorization controls limit access to personal information
• Data Encryption at Rest: Personal information is encrypted when stored in our databases
• Security Headers: HTTPS, HSTS (HTTP Strict Transport Security), and Content Security Policy (CSP)
• Rate Limiting: Protection against brute force attacks and automated abuse
• Regular Security Audits: Ongoing monitoring and vulnerability assessments
• Row Level Security (RLS): Database-level access controls to protect stored data
• Credential Isolation: Advertising platform credentials are stored in Google Cloud Secret Manager with per-customer isolation and automatic encryption. Credentials are never stored in application code, configuration files, or databases.
• Data Hashing: Customer identifiers (email addresses and phone numbers) are hashed using SHA-256 before transmission to advertising platforms for audience matching. Original identifiers are never transmitted in plaintext to third-party advertising platforms.
• Audit Logging: All modifications to your advertising accounts (budget changes, status updates, audience operations, and ad set creation) are recorded in a tamper-evident audit log with timestamps, before-and-after values, and the identity of the system or user that initiated the change.
• Multi-Tenant Isolation: Each customer's data is stored in a dedicated, isolated data warehouse with access controls that prevent cross-customer data exposure.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to maintain and improve our security practices.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention practices include:

• Contact Inquiries: Retained for up to 3 years to maintain business relationship records and respond to follow-up questions
• Service Records: Maintained for the duration of our business relationship and up to 7 years thereafter for legal and accounting purposes
• Marketing Communications: Maintained until you unsubscribe or request deletion
• Legal Obligations: Some information may be retained longer when required by applicable law or to resolve disputes

When information is no longer needed, we securely delete or anonymize it in accordance with our data retention and deletion policies.

5A. Advertising Platform Data Retention and Deletion

5A.1 Retention of Platform Data

Data received from advertising platforms (Meta, Google Ads, GA4) is retained in your dedicated data warehouse for the duration of our business relationship. This includes campaign performance metrics, audience metadata, and CLV analysis results. All write operations performed on your advertising accounts (such as budget changes, status updates, and audience modifications) are recorded in an audit log that is retained for the duration of our business relationship and up to 7 years thereafter for accountability purposes.

5A.2 Meta Platform Data Deletion

When you disconnect your Meta account from our platform, or when you request deletion of your data, we will:

• Delete your Meta access token from our credential vault
• Remove your customer identifiers from any Custom Audiences we manage on your behalf (subject to Meta's processing timelines)
• Clear your Meta ad account association from our system
• Retain aggregated, non-personally-identifiable campaign performance metrics in accordance with our standard retention schedule (Section 5)

Meta may also notify us directly when a user requests data deletion through Meta's platform. We honor these requests by deleting all data associated with the requesting user's account within 30 days of receipt or as required by applicable law, whichever is sooner. You may check the status of a data deletion request using the confirmation code and status URL provided at the time of your request.

5A.3 Credential Deletion

When you disconnect any advertising platform from our service or when our business relationship ends, we delete the associated authentication credentials from Google Cloud Secret Manager. Credentials are never retained after disconnection.

6. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information under applicable data protection laws, including GDPR (European Economic Area) and CCPA (California).

6.1 General Rights

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to legal retention requirements
• Opt-Out: Unsubscribe from marketing communications at any time
• Data Portability: Receive your data in a structured, machine-readable format
• Restriction: Request that we limit how we use your information
• Object: Object to our processing of your information for certain purposes
• Platform Disconnection: Disconnect your advertising accounts (Meta, Google Ads, GA4, Customer.io) from our platform at any time, which will immediately revoke our access to those accounts and trigger deletion of the associated credentials

6.2 GDPR Rights (EEA Residents)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including:

• The right to withdraw consent at any time
• The right to lodge a complaint with your local supervisory authority
• The right to object to processing based on legitimate interests

Legal Basis for Processing: We process your personal information based on:

• Consent: When you provide explicit consent (e.g., contact form submission)
• Contract: To perform services you have requested
• Legitimate Interests: For business operations, security, and service improvement, balanced against your rights
• Legal Obligations: To comply with applicable laws and regulations

6.3 CCPA Rights (California Residents)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: We do not sell personal information. If this changes, you will have the right to opt out
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

6.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request to protect your privacy and security.

7. International Data Transfers

ROI Media Partners is based in the United States. If you access our Site or use our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers and service providers are located.

By using our Site or services, you consent to the transfer of your information to the United States. We take appropriate measures to ensure that your personal information remains protected in accordance with this Privacy Policy and applicable data protection laws, including the use of Standard Contractual Clauses where appropriate.

8. Third-Party Links and Services

Our Site may contain links to third-party websites, services, or resources that are not owned or controlled by ROI Media Partners. This Privacy Policy does not apply to these external sites.

We are not responsible for the privacy practices or content of third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. When you leave our Site, we recommend reading the privacy policy of every website you visit.

9. Children's Privacy

Our Site and services are not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18. If you are under 18, please do not submit any personal information through our Site.

If we learn that we have collected personal information from a child under 18, we will delete that information as quickly as possible. If you believe we have collected information from a child under 18, please contact us immediately at privacy@roimediapartners.com.

10. Do Not Track Signals

Some web browsers incorporate a "Do Not Track" (DNT) or similar feature that signals to websites that a user does not want to have their online activity tracked. Because there is not yet a common understanding of how to interpret DNT signals, our Site does not currently respond to DNT signals. We will continue to monitor developments in DNT technology and reassess our position as the technology matures.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this policy
• Post the updated policy on this page
• Notify you of material changes via email (if we have your email address) or through a prominent notice on our Site

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Site after changes are posted constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

We will respond to your inquiry as promptly as possible, typically within 5-7 business days. For privacy rights requests, we will respond within the timeframes required by applicable law.