Privacy Policy
Effective date: March 11, 2026
1. Introduction
OperatorMark (“we”, “us”, or “our”) operates the OperatorMark platform, also known as “Mark”, a software-as-a-service application that helps businesses manage, analyze, and optimize their digital advertising campaigns using artificial intelligence. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.
This policy applies to all users of operatormark.com, app.operatormark.com, and the OperatorMark API (collectively, the “Service”). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you have any questions about this Privacy Policy, please contact us at support@operatormark.com.
2. Information We Collect
2a. Information You Provide Directly
When you create an account, use the Service, or communicate with us, you may provide the following information:
- Account information: your email address, name, company name, role, and how you heard about us (referral source).
- Business information: business context you provide to personalize AI agent behavior, such as your industry, target audience, brand guidelines, and campaign objectives.
- Chat messages: conversations you have with our AI assistant, including questions, instructions, and any context you share within the chat interface.
- Creative content: images, videos, and text that you upload to or create within the platform for use in advertising campaigns.
- Billing information: your subscription plan selections and payment details. Payment information is processed securely by our third-party payment processor and is not stored on our servers.
2b. Information Collected Automatically
When you use the Service, certain information is collected automatically:
- Ad performance data: metrics and performance data fetched automatically from your connected advertising platforms (such as Meta/Facebook) via scheduled processes that run on daily, weekly, and monthly intervals.
- Token usage: your consumption of AI features (including chat messages, image generation, and report generation), tracked per billing period to manage subscription limits.
- Authentication data: tokens issued by our authentication provider, used to verify your identity and maintain your session.
2c. Information From Third Parties
When you connect a third-party platform to OperatorMark, we receive information from that platform on your behalf:
- Meta/Facebook: when you connect your Facebook account via OAuth, we access your ad account data, campaign data, ad set data, individual ad data, performance metrics, creative assets, page data, audience data, pixel data, and lead form data. We only access data that is necessary to provide the Service and that you have authorized us to access.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Service: to create and maintain your account, authenticate your sessions, and deliver the core functionality of the platform.
- Power AI features: to enable the chat assistant, campaign recommendations, creative generation, weekly performance reports, and insights analysis that form the core of the OperatorMark experience.
- Fetch and display ad performance data: to retrieve your advertising metrics from connected platforms and present them in an actionable format within the Service.
- Auto-generate weekly performance reports: to produce AI-driven summaries and analyses of your advertising performance on a recurring basis.
- Manage your subscription and billing: to process payments, enforce usage limits, and administer your subscription plan.
- Prevent fraud: to detect and prevent abuse, including tracking ad accounts across trial periods to prevent repeated trial exploitation.
- Send transactional communications: to deliver essential emails such as email verification, trial expiration reminders, and account-related notifications.
- Improve the Service: to analyze usage patterns, diagnose technical issues, and develop new features that better serve our users.
Legal Basis for Processing
We process your personal information on the following legal bases:
- Contractual necessity: processing required to provide the Service you have requested, including account management, ad platform integration, AI features, and billing.
- Legitimate interests: processing necessary for our legitimate business interests, including fraud prevention, security, service improvement, and analytics, where those interests are not overridden by your rights.
- Consent: where required by applicable law, such as for optional communications or specific data processing activities. You may withdraw consent at any time by contacting us.
- Legal obligation: processing necessary to comply with applicable laws, regulations, or legal processes.
We do not sell, rent, or trade your personal information to third parties. Information is shared only with trusted third-party service providers, solely to operate and improve the Service. Your use of the Service is also governed by our Terms of Service and Refund & Cancellation Policy.
4. Third-Party Service Providers
We share information with trusted third-party service providers solely to operate and deliver the Service. Each provider receives only the minimum data necessary to perform its designated function. The categories of third-party service providers we engage include:
- Authentication providers: to verify your identity and maintain secure sessions.
- Advertising platform APIs: to connect to and interact with your advertising accounts on platforms such as Meta/Facebook, with Google Ads and TikTok Ads planned for the future.
- AI providers: to power the AI chat assistant, campaign recommendations, report generation, creative generation, and contextual search features.
- Cloud storage providers: to securely store creative files, images, and videos that you upload to the Service. Files are encrypted at rest using industry-standard encryption.
- Bot protection services: to prevent automated abuse on login and signup forms.
- Payment processors: to securely handle subscription billing and payment card processing.
- Infrastructure and hosting providers: to host and operate the Service.
Our AI providers do not use data submitted via their APIs to train their models on the service tiers we use. For details, please refer to each provider's respective privacy policy and data processing terms.
We may update our third-party service providers from time to time as we add or change providers. You may request a current list of our sub-processors at any time by contacting support@operatormark.com.
5. AI Data Processing
OperatorMark uses artificial intelligence extensively to deliver its core features. It is important that you understand how your data is processed in connection with these AI capabilities:
- Chat and recommendations: your chat conversations, ad account context, and business information are transmitted to third-party AI providers for processing when you interact with the AI assistant or when automated reports and recommendations are generated.
- Image generation: image generation and editing requests, including any source images you provide, are transmitted to third-party AI providers for processing.
- Vector search: text embeddings derived from your data may be transmitted to third-party vector search infrastructure to enable contextual retrieval that improves the relevance of AI responses.
- Third-party processing: AI features are powered by third-party providers whose data processing is governed by their own terms of service and privacy policies. We encourage you to review those terms.
- No model training: we do not use your data to train AI models, and our third-party AI providers do not use API-submitted data for training purposes on their current service tiers.
- Accuracy disclaimer: AI-generated outputs, including recommendations, reports, creative content, and chat responses, may be inaccurate, incomplete, or inappropriate. You are solely responsible for reviewing, verifying, and approving all AI-generated content before acting on it or publishing it.
6. Data Retention
We retain your data for the periods outlined below. When data reaches the end of its retention period, it is permanently deleted.
| Data Type | Retention Period |
|---|---|
| User account data | Until account deletion |
| Chat conversations | Lifetime of account |
| Daily ad insights | 30 days |
| Weekly ad insights | 84 days |
| Monthly ad insights | 12 months |
| Weekly AI reports | 12 months |
| Ad account action logs | 90 days |
| Usage records | 24 months |
| Creative files | Until user deletes or account deletion |
| Facebook OAuth tokens | Until disconnect or account deletion |
Accounts that remain inactive for more than 12 consecutive months may be terminated with prior notice, and all associated data will be permanently deleted in accordance with this policy. Retention periods may vary by subscription tier in the future. Any changes to retention periods will be reflected in an updated version of this Privacy Policy.
7. Data Security
We implement a variety of technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption at rest: sensitive credentials such as OAuth tokens are encrypted using industry-standard symmetric encryption. Creative files are encrypted at rest using industry-standard encryption provided by our cloud storage infrastructure.
- Encryption in transit: all connections to and from the Service are encrypted via HTTPS. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age and preload directive.
- Content Security Policy: CSP headers are implemented to mitigate cross-site scripting and other code injection attacks.
- Rate limiting: authentication endpoints are rate-limited to prevent brute-force and credential-stuffing attacks.
- Bot protection: bot detection and prevention measures are deployed on login and signup forms to prevent automated abuse.
- Disposable email blocking: disposable and temporary email addresses are blocked during registration to reduce fraudulent account creation.
- Webhook verification: incoming webhook callbacks from third-party platforms are verified using cryptographic signatures to ensure the integrity and authenticity of incoming data.
- CSRF protection: cross-site request forgery protections are implemented on OAuth authorization flows.
While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections and promptly addressing any identified vulnerabilities.
8. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users and relevant authorities as required by applicable law. We aim to provide notification within 72 hours of becoming aware of a qualifying breach, including:
- A description of the nature and scope of the breach.
- The types of personal information that were or may have been affected.
- The steps we are taking to investigate and address the breach.
- Recommended actions you can take to protect yourself, if applicable.
- Contact information for our support team for further inquiries.
Notification will be delivered via the email address associated with your account. We maintain incident response procedures to detect, investigate, and remediate security incidents promptly.
9. Your Rights
You have the following rights with respect to your personal information:
- Account deletion: you may delete your account at any time from the Settings page within the application. Account deletion is permanent and irreversible. It removes all of your data, including your user profile, chat history, creative files, authentication records, and all connected platform data.
- Data correction: you may update your account information at any time through the application. If you need to correct information that cannot be updated directly through the app, contact support@operatormark.com and we will assist you promptly.
- Data export: you may request an export of your personal data by contacting support@operatormark.com. We will provide your data in a machine-readable format within 30 days of receiving your request.
- Meta disconnect: you may disconnect your Meta/Facebook account at any time from the Settings page. Doing so will revoke our access to your Facebook data and clear all Facebook-related data from our systems.
- Meta data deletion: Meta may request the deletion of your Facebook-related data via a webhook callback. Upon receiving such a request, we promptly delete all associated data and return a confirmation code to Meta as required by their platform policies.
- Opt out of AI processing: you may request to opt out of AI-powered data processing by contacting support@operatormark.com. Please note that AI features are central to the Service, and opting out may significantly limit the functionality available to you.
10. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to delete: you may request deletion of your personal information, subject to certain legal exceptions.
- Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.
- No sale of personal information: we do not sell your personal information, as defined under the CCPA. We have not sold personal information in the preceding 12 months.
To exercise any of these rights, contact us at support@operatormark.com. We will verify your identity before fulfilling your request and respond within 45 days as required by law.
11. International Data Transfers
Our primary infrastructure is hosted on servers located in the European Union. However, certain third-party service providers that we rely on may process your data in other regions, including the United States, to provide core functionality such as AI processing and payment handling.
Where your data is transferred outside of your jurisdiction, we ensure that appropriate safeguards are in place to protect your information in accordance with applicable data protection laws. These safeguards may include standard contractual clauses, adequacy decisions, or other legally recognized transfer mechanisms.
12. Children's Privacy
The Service is intended for use by individuals who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete that information from our systems.
If you believe that a minor has provided us with personal information, please contact us at support@operatormark.com so that we can investigate and take appropriate action.
13. Browser Storage
OperatorMark uses browser localStorage (not cookies) to store the following information locally on your device:
- Authentication session: tokens required to maintain your logged-in session.
- UI theme preference: your selected light or dark mode setting.
- Creative draft content: temporary drafts of creative content to prevent data loss during your session.
- OAuth flow results: temporary data related to the completion of OAuth authorization flows with third-party platforms.
We do not use cookies for tracking or advertising purposes. If we introduce analytics cookies or similar technologies in the future, we will update this Privacy Policy accordingly and implement an appropriate consent mechanism prior to their deployment.
The Service does not currently respond to “Do Not Track” (DNT) browser signals. If we adopt a DNT response mechanism in the future, we will update this Privacy Policy to reflect that change.
14. Communications
We do not send marketing or promotional emails. All communications from OperatorMark are transactional in nature and directly related to your account or use of the Service, including:
- Email verification upon registration.
- Trial expiration reminders.
- Account and billing notifications.
- Security alerts (e.g., unauthorized access attempts).
If we introduce promotional communications in the future, we will obtain your explicit consent beforehand and provide a clear unsubscribe mechanism in every message, in compliance with applicable anti-spam laws including CAN-SPAM and CASL.
15. Data Processing Agreements
Enterprise customers or organizations that require a Data Processing Addendum (DPA) or other formal data processing agreement may request one by contacting support@operatormark.com. We are committed to working with you to meet your regulatory and compliance requirements.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will notify you by email or through a prominent notice within the Service prior to the changes taking effect.
Your continued use of the Service after any modifications to this Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this Privacy Policy periodically. Previous versions of this policy are available upon request by contacting support@operatormark.com.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@operatormark.com.
We will respond to your inquiry within a reasonable timeframe.