Legal
Privacy Policy
1. What Trueline is
Trueline is a read-only ad-spend diagnostics service. Customers connect their Meta Ads, Google Ads, and Shopify accounts; Trueline computes reporting reconciliations, efficiency metrics, and diagnostic signals from that data and delivers them in a dashboard and a weekly email brief. Trueline never modifies, creates, or deletes anything in a connected account.
2. Information we collect
Account information (from you): name, email address, company name, billing details (processed by Stripe — we never store full card numbers), and a blended margin percentage you enter.
Connected-platform data (via APIs, with your authorization):
- Meta Marketing API (read-only): campaign/ad set/ad structure and settings, spend, impressions, clicks, attributed conversions and revenue, delivery status (e.g. learning phase), and creative metadata for the ad accounts you connect.
- Google Ads API (read-only): the equivalent reporting data for connected Google Ads accounts.
- Shopify Admin API (read-only): order totals, timestamps, and order-level attribution fields needed to compute store revenue. We minimize customer personal data: we do not use or retain your customers’ names, emails, or shipping addresses for diagnostics.
OAuth tokens: access/refresh tokens for the connections above, stored encrypted at rest.
Product usage data: page views and feature usage in the Trueline app, collected via PostHog for product analytics.
3. How we use it
- To compute your reconciliation, efficiency, and diagnostic reports (deterministic rules over your own data).
- To generate plain-language narration of those computed results. Narration is produced by a large-language-model provider (Anthropic) from computed signal summaries; we do not send your customers’ personal data to the LLM provider.
- To send you the weekly brief and alert emails (via our email delivery provider).
- To bill you (Stripe) and to operate, secure, and improve the service.
We do not sell personal information, use your data to train models, use platform data for advertising of our own, or share one customer’s data with another.
4. Legal bases and consent
For Canadian customers we comply with PIPEDA; consent is obtained when you create an account and when you explicitly authorize each platform connection via that platform’s OAuth flow. For customers in the EEA/UK, processing is based on performance of contract (providing the service you signed up for) and legitimate interest (service analytics, security). You may withdraw platform consent at any time by disconnecting the integration, which stops all further syncs.
5. Service providers (sub-processors)
| Provider | Purpose | Data involved |
|---|---|---|
| Cloud infrastructure provider | Application and database hosting | All service data |
| Stripe | Billing | Billing contact and payment details |
| Transactional email provider | Weekly brief / alert email delivery | Your name, email, brief contents |
| PostHog | Product analytics | Usage events, app identifiers |
| Anthropic | Narration of computed metrics | Aggregated signal summaries only |
A customer-facing DPA with the full current sub-processor list is available on request.
6. Retention and deletion
- Platform reporting data: retained while the connection is active. When you disconnect a platform, we stop syncing immediately and delete that platform’s raw data within 30 days.
- OAuth tokens: revoked and deleted immediately on disconnect or account closure.
- Account closure: all customer data deleted within 30 days of a verified deletion request or account deletion, except invoices/records we must keep for tax and audit law.
- Backups: encrypted, rotated on a 35-day cycle; deleted data ages out of backups on that schedule.
7. Security
Encryption in transit (TLS) and at rest; OAuth tokens encrypted with a dedicated key separate from the application database credentials; least-privilege, read-only API scopes; access to production limited to authorized personnel; no write access to any connected ad account is ever requested or held.
8. Your rights
You may access, correct, export, or delete your personal information, and disconnect any platform, at any time — in-app or by emailing info@lifesafe.ca. EEA/UK users additionally have GDPR rights to restriction, objection, and portability, and may lodge a complaint with their supervisory authority. Canadian users may contact the Office of the Privacy Commissioner of Canada.
9. Platform-specific commitments
- Meta: we use Meta Marketing API data solely to provide reporting and diagnostics to the account owner who authorized access, per the Meta Platform Terms and Developer Policies. Data deletion requests are honored per §6; deletion of the Meta connection deletes Meta-sourced data.
- Google: Trueline’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Shopify: we access only the scopes required to read order revenue for reconciliation, and honor Shopify’s mandatory GDPR webhooks (customer data request, customer redact, shop redact).
10. Changes
We will post changes here and notify account holders by email for material changes.