Data & Security

Where does my data live?

ROAS Reports uses two databases, each optimized for its purpose:

  • Supabase (PostgreSQL) — Application data: user accounts, organization settings, team members, alert rules, groupings, and segments. Protected by row-level security (RLS) policies on every table.
  • Google BigQuery — Analytics data: campaign metrics, performance history, and dimension tables. Each organization gets its own set of tables (e.g., prod_google.metrics_campaign_daily_[org_id]). No shared tables, no WHERE org_id = filters — structural isolation.

How often does data sync?

Data syncs on three schedules:

  • Initial backfill — 25 months of historical data loaded automatically when you first connect Google Ads
  • Daily sync — Runs at 5 AM UTC. Pulls the last 7 days of data to catch retroactive adjustments Google makes to reporting numbers
  • Manual sync — Editors and above can trigger a sync anytime from the Platforms settings page. Manual syncs pull the last 30 days

Is my data encrypted?

Yes, at multiple levels:

  • OAuth credentials — Encrypted with AES-256-GCM before storage. Each credential has a unique initialization vector. We never see your Google password.
  • Data at rest — Both Supabase and BigQuery encrypt all data at rest using their platform-level encryption
  • Data in transit — All connections use HTTPS/TLS. Internal service-to-service communication uses authenticated Pub/Sub with JWT verification
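
The credential-encryption scheme described above, sketched as an added example using Node.js's built-in crypto module. This is not ROAS Reports' own code: the function names, the IV || tag || ciphertext record layout, and the use of the organization ID as additional authenticated data (AAD) are assumptions made for illustration.

```javascript
// Added example: names, record layout and the AAD choice are assumptions.
const crypto = require('node:crypto');

const IV_LEN = 12;   // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16;  // 128-bit authentication tag

// Encrypt one OAuth token. A fresh random IV is drawn on every call, so the
// same token encrypted twice never reuses a (key, IV) pair.
function sealCredential(key, orgId, token) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(orgId, 'utf8')); // bind the ciphertext to its owner
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Stored record: IV || tag || ciphertext, base64-encoded for a text column.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt and authenticate. Throws if the record was modified, truncated,
// opened with the wrong key, or opened under a different organization ID.
function openCredential(key, orgId, record) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('record too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv,
    { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(orgId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when the record fails to open (authentication or format error).
function rejects(key, orgId, record) {
  try { openCredential(key, orgId, record); return false; } catch { return true; }
}

// Constructed sample values, not real credentials.
const demoKey = crypto.randomBytes(32);
const sealedA = sealCredential(demoKey, 'org_demo_1', 'constructed-refresh-token');
const sealedB = sealCredential(demoKey, 'org_demo_1', 'constructed-refresh-token');
console.log('records differ:', sealedA !== sealedB);
console.log('round trip:', openCredential(demoKey, 'org_demo_1', sealedA));
console.log('other org rejected:', rejects(demoKey, 'org_demo_2', sealedA));
```

Because GCM authenticates as well as encrypts, a stored record that has been altered or copied onto another organization's row fails to decrypt instead of yielding a usable token.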

Who can see my data?

Data access is controlled at two levels:

Application level

  • Only members of your organization can access your data
  • Supabase RLS policies automatically filter queries by user membership
  • All API routes require authentication, CSRF verification, and role-based authorization

Analytics level

  • Each organization's BigQuery tables are completely separate
  • There is no shared analytics table — it's structurally impossible for one organization to query another's data
  • If you're an agency with client brands, you only see the brands you've been granted access to, with the specific platform permissions they've set

Can I export my data?

Yes. You can export data from the Data Explorer to CSV at any time. There are no restrictions on exporting your own data.

For GDPR data portability requests, contact us and we'll provide a complete export of all data associated with your account.

GDPR/CCPA compliance

ROAS Reports is designed with privacy regulations in mind:

  • Cookie consent — A consent banner lets users control analytics cookies. Google Analytics uses Consent Mode v2.
  • Data minimization — We only store advertising performance data that you explicitly connect. No tracking pixels, no cross-site data collection.
  • Right to export — Export your data anytime via CSV or request a full data export
  • Right to deletion — Request account and data deletion. We delete all associated BigQuery tables and Supabase records.
  • Access control — Brands control exactly who can access their data and can revoke access at any time

For more details, see our Privacy Policy and Terms of Service.
