Last updated: March 5, 2026

Privacy Policy

We built P2P Ads Engine for photography businesses. This policy explains exactly what data we collect, why we collect it, and how we protect it. No legalese where we can avoid it.

Overview

P2P Ads Engine ("we," "our," or "us") is a software platform that helps photography businesses create ad copy, manage Google Business Profile listings, publish to ad platforms, review sales calls, and grow their clientele. This Privacy Policy applies to all users of our platform at photographytoprofits.com and any subdomains.

By using our platform, you agree to the collection and use of information described in this policy. We do not sell your personal data to third parties.

Data We Collect

We collect the following categories of data:

Account Information

Email address, display name, and password (hashed by Supabase Auth). Required to create and authenticate your account.

Business & Brand Information

Studio name, website URL, target audience, brand voice, genre, service descriptions, and any content you enter into the Brand Info section. Used solely to generate personalized marketing content for your business.

Generated Content

Ad copy, landing page wireframes, email sequences, quiz content, and outreach messages created by the platform. Stored in your account so you can access and edit them.

Connected Platform Data

When you connect Google Ads, Meta Ads, or Google Business Profile via OAuth, we store encrypted access tokens and the account/campaign/location data needed to operate those integrations. We do not access your ad accounts beyond what you explicitly authorize.

Call Recordings & Transcriptions

If you use the Call Reviewer feature with Twilio, phone calls routed through your monitored numbers are recorded, transcribed, and scored by our AI against your custom rubric. Recordings are stored per your retention settings.

Usage & Billing Data

Token counts, model usage, and cost data per generation. Used for internal analytics, org usage reporting, and platform optimization. Not sold or shared externally.

Website Intelligence

If you provide a website URL, we scan it to extract business context (services, testimonials, differentiators) to improve ad generation quality. Only content from your own website is collected.

How We Use Your Data

  • Generate personalized ad copy, landing pages, email sequences, quizzes, and other marketing content
  • Publish campaigns to connected ad platforms (Google Ads, Meta Ads) on your behalf
  • Manage and respond to Google Business Profile reviews and posts on your behalf
  • Score sales calls against your custom rubric and surface improvement insights
  • Send you critical service emails (account confirmation, billing, security alerts)
  • Display usage statistics within your organization dashboard
  • Improve platform performance and AI output quality using aggregated, anonymized data
  • Comply with legal obligations

We do not use your data to train AI models without explicit consent, and we do not share your content with other users or organizations.

Third-Party Services

We rely on these sub-processors to operate the platform. Each is bound by its own privacy policy and data processing agreements.

| Service | Purpose | Data shared |
| --- | --- | --- |
| Supabase | Database, authentication, file storage | All platform data |
| Anthropic (Claude) | AI content generation | Your prompts and brand context |
| OpenAI | Text embeddings for knowledge base search | Document text you upload |
| Perplexity AI | Business website research | Your website URL |
| Google (Ads API, GBP API, Vision API) | Ad publishing, GBP management, image analysis | OAuth tokens, campaign data, photos |
| Meta / Facebook (Graph API) | Ad publishing | OAuth tokens, campaign data, creative assets |
| Twilio | Call recording, transcription, phone number management | Phone call audio |
| Apify | Business discovery for Dream 100 feature | Business category and location query |
| Firecrawl | Website content extraction | Website URLs |
| Vercel | Hosting and edge delivery | All web traffic |

OAuth Connections

When you connect a platform via OAuth (Google Ads, Meta Ads, Google Business Profile), the following applies:

  • We request only the minimum scopes required to operate the integration.
  • Access tokens and refresh tokens are encrypted at rest using AES-256-GCM before storage in our database.
  • We never share your OAuth tokens with other users, organizations, or third parties beyond the sub-processors listed above.
  • You can revoke any connection at any time from the platform's Settings page or directly from Google/Meta's security settings.
  • Revoking a connection immediately stops all API calls to that platform and marks the connection as inactive.

Google OAuth scopes requested: https://www.googleapis.com/auth/business.manage (GBP) and Google Ads API scopes. Meta scopes: Ads Management, Business Management.

Data Retention

We retain your data for as long as your account is active or as needed to provide services.

  • Account and business data: retained until you delete your account.
  • Generated content (ad copy, landing pages, email sequences): retained until you delete it or close your account.
  • Call recordings: retained per your organization's configured retention period. Default: 90 days.
  • OAuth tokens: deleted immediately when you disconnect an integration.
  • Usage logs: retained for 12 months for billing and analytics, then anonymized.
  • Website scan data: retained with your project. Deleted when the project is deleted.

Security

We take security seriously and apply the following measures:

Encryption at rest

All OAuth tokens and API keys are encrypted with AES-256-GCM before database storage.

Encryption in transit

All data transmitted between your browser and our servers uses TLS 1.2+.

Row-level security

Every database query is scoped to your organization — no cross-tenant data access is possible.

HMAC-signed OAuth state

All OAuth flows use HMAC-signed state parameters to prevent CSRF attacks.

SSRF protection

All user-supplied URLs are DNS-validated against private IP ranges before any server-side fetch.

Input validation

All API endpoints enforce request size caps and field-level length limits.

Despite our efforts, no system is 100% secure. If you discover a security vulnerability, please report it to security@photographytoprofits.com.

Your Rights

Depending on your location, you may have the following rights under applicable privacy laws (GDPR, CCPA, etc.):

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and associated data. You can initiate this from account settings or by emailing us.
  • Portability: Request your generated content and business data in a machine-readable format.
  • Objection: Object to processing of your data for certain purposes.
  • Withdrawal of consent: Disconnect any OAuth integration at any time from the platform settings.

To exercise any of these rights, contact us at the email below. We respond to all privacy requests within 30 days.

Contact Us

If you have questions about this policy or how we handle your data:

Photographers to Profits

Operating P2P Ads Engine

This policy was last updated on March 5, 2026. We may update this policy periodically. Continued use of the platform after changes constitutes acceptance of the updated policy. We will notify registered users of material changes via email.