Privacy Policy

Last updated: January 2026

1. Introduction

Restless Agency ("we", "our", or "us") operates Restless OS, an internal creative intelligence platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform.

2. Data Controller

Restless Agency is the data controller responsible for your personal data. For any privacy-related inquiries, please contact us at: privacy@restless.agency

3. Information We Collect

We collect and process the following types of data:

  • User Authentication Data: Email address, name, and authentication tokens when you log in via Google OAuth.
  • Ad Performance Data: Campaign metrics, impressions, clicks, conversions, and spend data from connected advertising platforms (Meta, TikTok, Google Ads, AppsFlyer).
  • Creative Assets: Images, videos, and ad copy from your advertising campaigns for analysis purposes.
  • Creative Attributes: AI-extracted attributes from creative assets including visual elements, messaging patterns, and performance correlations.
  • Analytics Data: Web analytics from Google Analytics 4 for attribution and conversion tracking.

4. How We Store Your Data

Your data is stored securely using the following services:

  • Supabase (PostgreSQL): Primary database for structured data including user accounts, brand information, and performance metrics.
  • Pinecone: Vector database for AI embeddings and semantic search capabilities.
  • Redis (Upstash): Cache layer for session data and temporary storage.
  • Supabase Storage: File storage for uploaded documents and creative assets.

All data is encrypted in transit (TLS 1.2+) and at rest. Access is restricted to authorized team members only.

5. Third-Party Services

We integrate with the following third-party services to provide core functionality of the platform:

OpenAI

For AI-powered creative analysis and natural language processing. Data sent to OpenAI is used solely for generating insights and summaries within Restless OS and is not used to train their models or improve OpenAI's services.

Meta Marketing API

For retrieving advertising account data, performance insights, and creative assets from Facebook and Instagram advertising accounts. Meta data is accessed only with explicit user authorisation via Meta's permissions system and is used solely to provide analytics, reporting, and creative insights inside Restless OS in accordance with Meta's Platform Terms and Data Use Policy.

TikTok Marketing API

For retrieving advertising account data, performance metrics, and creative assets from TikTok advertising accounts. TikTok data is accessed only with user authorisation and is used exclusively for analytics, reporting, and creative intelligence within Restless OS.

Google Ads API

For retrieving campaign, ad group, keyword, and performance data from Google Ads accounts. Google Ads data is accessed only with user authorisation and is used solely to provide reporting, performance analysis, and creative optimisation insights inside Restless OS.

Google Analytics 4 API

For retrieving website and conversion analytics data for attribution, funnel analysis, and performance measurement. Google Analytics data is accessed only with user authorisation and is used exclusively for internal reporting and optimisation purposes within Restless OS.

AppsFlyer API

For retrieving mobile attribution, install, and conversion data for campaign performance tracking and analysis. AppsFlyer data is accessed only with user authorisation and is used exclusively for reporting, attribution, and optimisation within Restless OS.

6. Data Retention

We retain your data as follows:

  • User Account Data: Retained for the duration of your account and deleted within 30 days of account termination.
  • Performance Data: Retained for up to 24 months for trend analysis purposes.
  • Creative Assets: Retained for up to 12 months or until manually deleted.
  • AI-Generated Insights: Retained for the duration of the associated campaign data.

7. Your Rights (GDPR/CCPA)

Under applicable data protection laws, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Data Portability: Request transfer of your data in a machine-readable format.
  • Right to Object: Object to processing of your data for certain purposes.
  • Right to Restrict Processing: Request limitation of how we use your data.

To exercise any of these rights, please contact us at privacy@restless.agency. We will respond within 30 days.

Requests for deletion of Meta-connected data can also be submitted via our Data Deletion Instructions page.

8. Cookies

We use essential cookies for authentication and session management. These cookies are necessary for the platform to function and cannot be disabled. We do not use advertising or tracking cookies.

9. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Row-level security (RLS) for database access control
  • Multi-factor authentication for administrative access
  • Regular security audits and vulnerability assessments
  • Access logging and monitoring

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us:

← Back to Home