Last updated: July 3, 2026
OAuth tokens: When you connect Google Ads, Meta, TikTok, or Shopify via OAuth, we receive access and refresh tokens from the respective platform. These tokens are encrypted at rest in tenant-scoped platform token storage. We never store refresh tokens in plain text.
Ad performance data: We retrieve campaign spend, impressions, clicks, and conversions from connected ad platforms on your behalf. This data is stored in tenant-scoped OneLine storage for aggregation, with non-secret CRM/admin summaries optionally mirrored to Attio.
Order data: When Shopify is connected, order information (products, values, customer city) is stored in tenant-scoped OneLine storage for analytics, with CRM/admin summaries optionally mirrored to Attio.
Publishing and asset data: When you explicitly approve a Meta publishing or ad-management action, we send the selected creative, caption, image URL, destination URL, UTM tags, and campaign asset metadata to Meta on your behalf.
Data collected via OAuth is used to display aggregated marketing performance, prepare approved ads and social posts, upload selected creative assets, publish user-approved content, and send server-side conversion events for connected business accounts. We do not use this data for profiling, advertising our own services, or any purpose other than providing the requested OneLine service.
OAuth tokens are retained until you disconnect the platform or 30 days of inactivity. Aggregated ad performance data is retained for up to 12 months. You may request deletion of your data at any time by emailing dev@sicapo.com.
We do not sell, trade, or otherwise transfer your data to outside parties. Your data is shared only with service providers needed to operate OneLine, including Attio for CRM/admin summaries and the respective ad platforms (Google, Meta, TikTok) solely for retrieving or acting on your own connected account data.
We use HTTP-only, secure cookies only for signed account sessions. Platform OAuth tokens are stored server-side in encrypted tenant-scoped storage, are not accessible to browser JavaScript, and are revoked or deleted when you disconnect a platform. We do not use third-party tracking cookies.
OAuth tokens are encrypted before storage. All data in transit uses TLS 1.2+. Attio is GDPR-compliant. Platform OAuth follows the respective platform's official OAuth 2.0 implementation.
You have the right to access, correct, or delete any personal data we hold about you. Contact us at dev@sicapo.com to exercise these rights. Meta users can also submit a signed data deletion request to /api/meta/data-deletion; the endpoint returns a confirmation code for the request.
Sicapo
dev@sicapo.com