Privacy Policy

• Service name: Marty
• Service URL: https://marty.staff-ai.jp
• Contact: mail@marketing-diy-lab.com

2-1. Information you provide

• Email address and password (at sign-up)
• Chat messages and instructions you enter
• Images you attach for creative generation
• Inquiry information received via a landing page (LP) form: name, email address, phone number, company name, message body, together with referral information at submission time (UTM parameters, referrer), source IP address, browser information (User-Agent), and the timestamp of consent to this Privacy Policy. We store this on the Service so the Service user (the LP operator) can respond to the inquiry.

2-2. Information from Meta (Facebook)

• Meta Ad Account ID, name, currency
• Campaigns / ad sets / ads structure (name, status, budget, targeting, creative)
• Ad performance data (impressions, clicks, spend, conversions, etc.)
• OAuth access token (stored encrypted, auto-refreshed every 60 days)

We do NOT collect personal profile information, friend lists, or post content. Only information necessary for ad management is retrieved.

• ads_read: To fetch ad performance metrics (impressions, conversions, ROAS, etc.) for the user's ad account and display them in the KPI dashboard and daily AI report.
• ads_management: To execute actions approved by the user in the Marty UI (pause/resume campaigns, change daily budget, create new ads). We never modify ads without explicit user approval(with the exception of user-configured automation rules with conditions the user has set).
• business_management: To list the ad accounts under the user's Meta Business Manager so the user can choose which account to connect to Marty.
• email, public_profile: For identity verification at connection time and display of the user's name.

• Analyze and visualize ad performance (KPI dashboard)
• Generate AI-powered operational suggestions and improvement advice
• Execute ad operations approved by the user (pause/resume/budget/create)
• Send the daily AI report by email
• Send alert emails when thresholds are exceeded
• Implicitly learn the user's decision patterns from operation logs to improve the precision of future suggestions (personalization)
• Store and display inquiry information received via LP forms(so the LP operator can respond to inquiries, conduct sales activities, and improve the service)

• Meta Marketing API (Meta Platforms, Inc.): Ad data retrieval and operations
• Anthropic Claude API (Anthropic, PBC): AI analysis and text generation
• Supabase (Supabase, Inc.): Authentication, database, file storage
• Stability AI (Stability AI Ltd.): Creative image generation and editing
• Resend (Resend, Inc.): Email delivery
• Vercel (Vercel, Inc.) / Fly.io (Fly.io, Inc.): Hosting

Each provider handles data according to their own privacy policy.

• All communication is encrypted via TLS (HTTPS).
• Meta OAuth access tokens are encrypted at rest.
• The database uses Row Level Security (RLS) to fully isolate users from each other.
• Passwords are stored as bcrypt hashes by Supabase Auth, never in plaintext.

• Ad performance data: Retained while the account is connected (for historical analysis)
• Chat history: Retained while the account is connected
• Operation logs (for personalization): Last 30 days used for aggregation; older entries may be pruned
• After account deletion: all data is deleted within 30 days (including backups)
• Inquiry information received via LP forms: While the LP operator uses the Service, we retain it for a guideline period of 3 years from the last contact (the last inquiry received or response made), after which it is progressively deleted (a period informed by Japanese commercial record-keeping practice and the GDPR principle of not retaining data longer than necessary). If an LP project is deleted, the associated inquiry history remains, detached from the LP reference, until the end of that period (for historical analysis). If the person who submitted the inquiry requests deletion, we will respond within 7 business days under the procedure in §8.5 (mail@marketing-diy-lab.com).

• Right of access: Request disclosure of your stored data
• Right of rectification: Request correction of inaccurate data
• Right of erasure: Request deletion of your data (see Data Deletion Instructions )
• Right to revoke OAuth: Disconnect Meta OAuth at any time via Facebook Settings → Business Integrations → Remove Marty
• Reset of learned data: One-click deletion of operation logs and behavior profile via the Personalization section in Settings

Requests should be sent to mail@marketing-diy-lab.com. We will respond within 7 business days.

• Access (disclosure): Request disclosure of your stored information
• Rectification: Request correction of inaccurate information
• Erasure: Request deletion of your information (deletion of personally identifying data only, or of the entire record)

Please contact us by email at contact@staff-ai.jpwith "DSR" in the subject line. After verifying your identity, we will respond within 7 business days as a rule.

For erasure requests, we delete personally identifying information (name, email address, phone number, company name, message body, etc.). We may retain only aggregate counts for service improvement in a form that cannot identify you.