This Privacy Policy describes how Hashtag Orange ("we", "us", "our") collects, uses, stores, shares, and protects personal information in connection with the AdPilot service available at https://media-analytics.hashtagorange.in (the "Service").
This policy is published in compliance with the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA) of India.
By using the Service you confirm that you have read and understood this Privacy Policy. If you do not agree with it, please discontinue use of the Service.
1. Who we are
The data fiduciary (also known as the data controller in some jurisdictions) is Hashtag Orange, a company organised under the laws of India. Contact details are listed in Section 14.
2. What we collect
We collect three broad categories of information.
2.1 Account information you provide
When you sign up or accept an invitation, we collect:
a. your full name;
b. your email address;
c. your hashed password (we never see the plaintext);
d. multi factor authentication preferences and challenge artefacts (codes are short lived and are not retained after verification);
e. the agency and brand workspaces you create or are invited to;
f. role and capability assignments inside those workspaces.
2.2 Information from Connected Accounts
When you authorise the Service to access a third party advertising platform (for example Google Ads or Meta Ads), the platform's OAuth flow returns to us:
a. an access token and refresh token issued by the platform;
b. the email address of the account that granted access;
c. the platform's internal user identifier (or a hash of it) used to deduplicate connections;
d. the list of ad accounts that the granting user is permitted to manage;
e. for each ad account you choose to attach: account identifier, display name, currency, time zone, and platform status.
Access tokens, refresh tokens, and the email address are stored in encrypted form using AES GCM with a versioned key. Plaintext is never written to logs, persistent storage, or analytics events.
2.3 Advertising performance data fetched from Connected Accounts
For each attached account we fetch data on a schedule. This data typically includes:
a. campaign, ad group, ad, keyword, and audience metadata;
b. impressions, clicks, conversions, revenue, and other metrics aggregated by day or by hour;
c. demographic breakdowns (age band, gender), geographic breakdowns (state, city), device categories, and placements;
d. account and campaign configuration snapshots.
This data is processed for the purpose of providing analytics and recommendations inside the Service. It does not contain personal information about the end consumers who saw the advertising, only aggregate metrics provided by the platform.
2.4 Information collected automatically
When you use the Service we automatically collect:
a. log data such as IP address, user agent, request identifiers, response codes, and timestamps;
b. session information including authentication cookies and refresh token cookies (httpOnly and scoped to the Service domain);
c. browser and device characteristics needed to render the dashboard correctly;
d. behavioural events such as page navigations, dashboard interactions, and errors, used for product analytics and debugging.
We do not currently use third party analytics SDKs for behavioural tracking. If we add such a tool in the future, this policy will be updated and you will be notified.
3. Why we collect it
We process personal information for the following purposes:
a. to create and operate your Account, including authentication, role enforcement, and access scoping;
b. to fetch, transform, and present advertising data from your Connected Accounts;
c. to generate alerts, recommendations, and reports inside the Service;
d. to communicate with you about service announcements, security notices, and product updates;
e. to detect, investigate, and prevent fraud, abuse, unauthorised access, and breaches of our Terms and Conditions;
f. to comply with applicable law and respond to lawful requests by authorities;
g. to improve the Service, including diagnosing errors, measuring performance, and developing new features.
4. Lawful basis for processing
Under the DPDPA and the IT Rules we rely on the following lawful bases:
a. Consent which you provide when you create an Account, accept these terms, and authorise a Connected Account;
b. Performance of a contract to which you are a party, namely the agreement set out in our Terms and Conditions;
c. Legitimate uses such as preventing fraud, complying with law, and ensuring information security.
You may withdraw consent at any time as described in Section 8. Withdrawing consent may limit or prevent your continued use of the Service.
5. How we store and secure your data
5.1 The Service is hosted on Amazon Web Services in the Asia Pacific (Mumbai) region (ap-south-1). Backup and disaster recovery artefacts may be replicated to other AWS regions within India.
5.2 We apply the following technical safeguards:
a. transport encryption using TLS 1.2 or above for all traffic between you and the Service;
b. encryption at rest for the database, for OAuth credentials, and for fields containing personally identifiable information;
c. role based access controls and per agency tenancy isolation enforced at every layer of the application;
d. structured request tagging that allows traceability without retaining secrets;
e. periodic vulnerability scanning of dependencies;
f. principle of least privilege for internal staff access.
5.3 Despite our efforts, no method of transmission or storage is one hundred percent secure. We will notify you of any data breach involving your personal information as required by applicable law, including the DPDPA notification timelines.
6. How we share your data
We do not sell your personal information. We share it only as described below.
6.1 Service providers and sub processors
We rely on the following categories of sub processors to operate the Service:
a. Cloud infrastructure: Amazon Web Services (AWS) India for compute, storage, networking, and database services;
b. Source code, build, and deployment: GitHub for version control;
c. Identity and authorisation issuers: Google LLC and Meta Platforms Ireland Limited, when you connect those advertising accounts;
d. Communications: email service providers used to deliver transactional notifications.
Each sub processor is bound by terms that require them to handle personal information in accordance with applicable law and to assist us with our obligations.
6.2 Within an agency
Within your agency workspace, personal information about you (such as name, email, and role) is visible to other members of the same agency in order to support collaboration, invitations, and audit visibility. We do not expose your personal information to other agencies.
6.3 Legal requirements
We may disclose personal information if required by law, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of us, our users, or the public.
6.4 Business transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or part of our assets, your personal information may be transferred to the successor entity. We will notify you before such a transfer becomes effective.
7. Cross border transfers
Personal information may be processed by our sub processors in regions outside India where required for the operation of the Service (for example, where a third party advertising platform's API gateway is located outside India). Such transfers are performed only to the extent necessary, are subject to contractual safeguards with the receiving party, and comply with any restrictions imposed by Indian law from time to time.
8. Your rights
Subject to applicable law you have the following rights with respect to your personal information:
a. Right to access the personal information we hold about you;
b. Right to correction of inaccurate or incomplete personal information;
c. Right to erasure of personal information when it is no longer necessary for the purposes it was collected, subject to legal retention requirements;
d. Right to withdraw consent at any time, although doing so does not affect the lawfulness of processing performed before withdrawal;
e. Right to nomination to designate another individual to exercise your rights in the event of incapacity or death, as provided under the DPDPA;
f. Right to grievance redressal through the contact channel set out in Section 14.
To exercise any of these rights, write to us at the contact address in Section 14. We will respond within the timelines required by applicable law, typically within thirty (30) days. We may request reasonable verification of your identity before acting on the request.
9. Data retention
9.1 We retain personal information for as long as your Account is active and for a reasonable period thereafter to comply with our legal, accounting, and reporting obligations.
9.2 Default retention periods:
a. account profile data: for the lifetime of your Account, plus up to ninety (90) days after deletion to permit reactivation and to resolve disputes;
b. OAuth credentials: until the Connected Account is detached or the Account is deleted; refresh tokens are immediately revoked on detachment;
c. advertising performance data: for the longer of (i) the period during which the underlying Connected Account remains attached, or (ii) thirteen (13) months after detachment, to support year over year reporting requests;
d. server logs: rotated and pruned after ninety (90) days;
e. audit logs of security relevant events (logins, credential rotation, permission changes): up to twenty four (24) months.
9.3 After the relevant retention period expires we delete or irreversibly anonymise the data.
10. Cookies and similar technologies
10.1 We use a small set of strictly necessary cookies to support authentication and session continuity:
a. an access token cookie (short lived, httpOnly, secure);
b. a refresh token cookie (longer lived, httpOnly, secure, scoped to the Service domain);
c. a tenant slug indicator used to route requests through the correct agency context.
10.2 We do not use cookies for advertising, retargeting, or cross site profiling. We do not embed third party tracking pixels on our authenticated dashboard.
10.3 You can configure your browser to refuse cookies, but doing so will prevent you from logging in to the Service.
11. Children's privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact us so that we can take appropriate action.
12. Automated decision making
The Service generates alerts and recommendations through automated processing of your advertising data. These outputs are informational and do not produce legal effects or similarly significant effects on any individual. You retain full discretion over any business decisions you take based on the Service.
13. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The effective date at the top of the document indicates the most recent revision. Material changes will be communicated through the Service or by email at least seven (7) days before they take effect.
14. Grievance officer and contact
Pursuant to Rule 5(9) of the IT Rules, 2011 and Section 8(9) of the DPDPA, the grievance officer for the Service is:
Grievance Officer
Hashtag Orange
Email: privacy@hashtagorange.in
For any privacy related concern, exercise of rights, or complaint, please write to the address above with sufficient detail to allow us to identify the issue. We will acknowledge receipt within seventy two (72) hours and resolve genuine grievances within thirty (30) days, or sooner where required by law.
If you are not satisfied with our response, you may approach the Data Protection Board of India through the channels prescribed under the DPDPA.
15. Definitions
Personal information means any information that relates to an identified or identifiable individual.
Sensitive personal data or information has the meaning given in Rule 3 of the IT Rules, 2011.
Processing includes collection, recording, organisation, storage, retrieval, use, disclosure, transmission, alignment, alteration, erasure, and destruction.
Data principal has the meaning given in the DPDPA and refers to the individual to whom personal data relates.
Data fiduciary has the meaning given in the DPDPA and refers to the entity that determines the purpose and means of processing personal data. We are the data fiduciary for the personal information we collect through the Service.