Privacy Policy

Last updated April 27, 2026

This Privacy Policy describes how Provara AI ("Provara", "we", "us") collects, uses, and shares information when you use our service. By creating an account or connecting your Shopify or advertising platform accounts to Provara, you agree to this Policy.

1. Who we are

Provara AI is a SaaS platform that helps direct-to-consumer ecommerce merchants reconcile their advertising spend across Meta, Google, and TikTok with their actual Shopify revenue in order to compute true ROAS and contribution margin per channel and produce weekly budget recommendations. We do not modify your campaigns, charge through your ad accounts, or share your data with third parties for advertising purposes.

2. What data we collect

Account information

  • Your name, email address, and password (stored as a one-way bcrypt hash)
  • Your workspace name, country, base currency, and timezone
  • For administrators: a TOTP secret (encrypted at rest)

Connected platform data (read-only)

  • Shopify: orders (line items, prices, refunds, customer ID but no PII, UTM parameters from the landing site, currency, financial status, fulfillment status). We do not request access to customer email, phone, or address fields.
  • Meta Marketing API: ad account ID, campaign metadata, daily campaign insights (spend, impressions, clicks, claimed conversions, claimed revenue) via read-only scopes ads_read and business_management.
  • Google Ads API: customer ID, campaign metadata, daily campaign metrics (spend, impressions, clicks, conversions, conversion value) via the read-only https://www.googleapis.com/auth/adwords scope.
  • TikTok Marketing API: advertiser ID, campaign metadata, daily campaign metrics via the read-only ad.read scope.
  • OAuth tokens: we store your access tokens and refresh tokens encrypted with AES-256-GCM. Plaintext tokens never leave a request handler in memory.

Operational data

  • IP address and User-Agent on signup, sign-in, and admin actions (kept for at most 90 days)
  • Audit log of administrator actions (kept indefinitely for accountability)
  • Email engagement events (sends, opens, clicks) on the recommendations we send you

3. How we use your data

  • To compute true ROAS and contribution margin from your reconciled data
  • To generate the weekly recommendation we email you
  • To detect data quality issues (UTM gaps, platform overclaim) and surface them
  • To authenticate you and your team when you sign in
  • To send transactional email related to your account and the service
  • To bill you and to comply with our legal obligations

We do not use your data to train AI models, sell it to third parties, or share it with advertising networks. The only third-party AI involved is the large-language-model provider that generates the language of your weekly briefing (Anthropic Claude as primary, OpenAI as failover). Their API contracts state they do not train on input or output sent through their API. The data sent to them contains aggregated, anonymized weekly spend and revenue figures by channel — never raw orders or individual customer data.

4. How we share your data

We share data only with the following categories of vendors:

  • Cloud infrastructure: Vercel (web app hosting) and Neon (Postgres database) for application infrastructure.
  • Background jobs: Upstash QStash for scheduled-task orchestration.
  • Email delivery: Resend to send your Monday briefing and account notifications.
  • AI providers: Anthropic and OpenAI to generate the natural-language part of your briefing. Only aggregated channel-level numbers are sent.
  • Payment processing: Stripe for subscription billing. Stripe receives your name, email, and billing details directly via their hosted checkout.
  • Error tracking: Sentry, when enabled, for crash reports. PII is scrubbed from these reports before transmission.

5. How long we keep your data

  • Raw platform data: 90 days, then automatically deleted by a scheduled job.
  • Structured / cleaned data (orders, campaigns, recommendations, audit log): retained for the lifetime of your account.
  • Operational data (IP, User-Agent on auth events): 90 days.
  • Account and billing records: retained as long as the account is active, plus up to 7 years for tax and regulatory compliance.

6. Your rights

You have the right to access, export, correct, or delete the personal data we hold about you. You can do most of these directly from your account settings. For anything that isn't exposed in the UI, email support@provaraai.com with your request. We respond within 30 days.

Under GDPR and CCPA, you have additional rights including the right to object to processing, the right to data portability, and the right not to be subject to automated decision-making that produces legal effects. Provara does not make automated decisions about you in this sense — our recommendations are advisory only and you choose whether to act on them.

7. Account and data deletion

You can delete your account from Settings → Account → Delete account. On deletion:

  • Your account, workspace, and integrations are removed within 24 hours
  • OAuth tokens are revoked at the platform side
  • Raw and structured data are deleted within 60 days
  • Anonymized aggregate metrics (e.g., total signups by month) may be retained indefinitely for product analytics
  • Billing records are retained for 7 years per US tax requirements but are isolated from product data

For a faster path or to delete a specific subset of your data, see our Data Deletion Instructions.

8. Security

OAuth access and refresh tokens are encrypted at rest with AES-256-GCM using a key that is held only in our deployment environment, not in the database. Passwords are bcrypt hashed. All traffic is HTTPS. Administrators are required to use TOTP-based two-factor authentication. Every admin action is logged in an immutable audit trail. We follow the principle of least privilege internally and review access regularly.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours per GDPR Article 33 obligations.

9. Children

Provara is not directed at children. We do not knowingly collect data from anyone under the age of 16. If you believe we have inadvertently collected such data, contact us and we will delete it.

10. International transfers

Provara is operated from the United States. If you are in the EU, UK, Canada, or another jurisdiction, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses for any vendor processing of EU/UK personal data.

11. Changes to this policy

We'll update this page when our practices change. Material changes will be announced by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance of the updated policy.

12. Contact

Email support@provaraai.com for any privacy-related request. For EU residents, you can also lodge a complaint with your local data protection authority.