Trust & Data Security

Last updated: May 2026

The short version

Aviio connects to your ad accounts to surface decisions you'd otherwise miss. To do that, we read campaign performance data from the platforms you connect — and that data is yours, not ours.

Here's what that actually means:

We only read what we need. Read-only OAuth access to your ad accounts. We don't request management or write permissions, and we don't pull audience-level PII (email lists, customer match data, phone numbers).
We never train models on your data. Your campaign data is used to generate insights for your account. That's it.
We never sell or share your data. Not with advertisers, not with partners, not with anyone. We don't have a data resale business and we never will.
You can delete everything. Account deletion anonymizes your account immediately and removes the underlying data within 30 days. Data exports are available on request.

If you have a specific question this page doesn't answer, email security@aviio.io and you'll get a real response from a real person — usually within one business day.

What data Aviio accesses

When you connect a platform, Aviio requests read-only OAuth scopes. We never request write or management permissions.

Platform	Scopes requested	What we read
Google Ads	auth/adwords	Campaign, ad group, keyword, and ad performance metrics; RSA headlines and descriptions
Meta (Facebook & Instagram Ads)	ads_read	Campaign, ad set, and ad performance metrics; ad headlines, body copy, and creative thumbnails
TikTok Ads	Standard advertiser read scopes (granted via TikTok Business app authorization)	Campaign, ad group, and ad performance metrics
LinkedIn Ads	r_ads, r_ads_reporting	Campaign and creative performance metrics

Meta connections are currently in limited rollout (admins and beta testers) pending Meta app review.

Creative content we read: Aviio surfaces ad headlines, body copy, and creative thumbnail URLs in Creative Studio so you can see which creative is performing. We do not download or store raw video files or original image source files — only the URLs the platform exposes for thumbnails.

What we explicitly do not access:

Audience-level PII (email lists, customer match data, phone numbers, customer match uploads)
Billing details or payment methods stored on the ad platform
Account-level user permissions or admin actions
CRM contact records or pipeline data

We do not request ads_management or any write-scope permissions. Aviio cannot create, edit, pause, or delete campaigns on your behalf — and we've designed the product this way intentionally.

Where your data lives

Layer	Provider	Region
Application hosting	Railway	US East (Virginia)
Database	PostgreSQL on Railway	US East (Virginia)
Frontend hosting	Vercel	Global edge, US-primary
DNS & email routing	Cloudflare	Global

All data is encrypted at rest (AES-256 via the managed Postgres storage layer) and encrypted in transit (TLS 1.3). OAuth tokens get an additional layer of application-level encryption with a dedicated key, separate from general application data.

Subprocessors

We use the following third-party services in connection with Aviio. We do not share customer ad performance data with any party beyond what's strictly required to operate the service.

Subprocessor	Purpose	Data shared
Railway	Application & database hosting	All application data
Vercel	Frontend hosting	No customer data (static assets only)
Cloudflare	DNS, email routing	None
Stripe	Payment processing	Billing details (name, email, payment method)
Anthropic	AI inference for optional natural-language prose summaries in Weekly Digest / Monthly Memo reports	Only the campaign aggregates needed to generate the summary. Anthropic does not train on API customer data per their terms.

We will notify customers in advance of any material change to this list.

How we use AI

A note on this because it's a fair question right now.

The core Aviio analytics engine is fully deterministic Python. The insights you see — anomaly detection, efficiency curve fits, campaign intent classification, allocation recommendations, action card headlines, diagnoses, and rationale prose — are produced by rule-based statistical analysis with templated copy, not by an LLM. This is intentional. We want recommendations to be auditable and consistent across runs.

We use Anthropic's Claude API in one place customers experience: optional prose generation for Weekly Digest and Monthly Memo reports, where the LLM translates the deterministic engine output into a readable narrative section. This is per-report and opt-out at the workspace level.

Per Anthropic's API terms, your data is not used to train Anthropic's models.

Compliance & certifications

SOC 2 Type II. SOC 2 Type II is on our roadmap — we're early-stage and haven't started the audit yet, but it's something we're committed to pursuing as we grow. If you need our current security posture documentation, a vendor security questionnaire response, or a DPA, email security@aviio.io.

GDPR. Aviio is operated by a Delaware C-Corp serving customers globally. If you're an EU customer or need GDPR-specific terms, contact us for our DPA.

HIPAA. Aviio is not HIPAA compliant and is not intended for use with Protected Health Information. We do not sign Business Associate Agreements at this time.

Access controls

OAuth tokens are encrypted with a dedicated key and stored separately from application data.
Customer data access is limited to Aviio engineering on a need-to-debug basis. All production access is logged.
Authentication uses industry-standard password hashing (bcrypt) and supports OAuth-based sign-in.
Internal accounts use unique credentials per individual; no shared accounts.

Data retention & deletion

While your account is active, Aviio retains campaign performance data on a rolling 3-month window, which is what the engine needs for baselines, trend detection, and anomaly thresholds.
When you delete your account, your account is anonymized immediately (email, name, and company are scrubbed) and the underlying campaign data, OAuth tokens, generated insights, and account metadata are removed within 30 days. Encrypted backups may persist for up to 30 additional days before expiring.
Data export is available on request — email support@aviio.io and we'll provide a CSV export of your data within 5 business days.

Incident response

If we identify a security incident affecting customer data, we will notify affected customers within 72 hours of confirmation, with details on scope, impact, and remediation. Our incident response process covers detection, containment, eradication, recovery, and post-incident review.

Reporting a vulnerability

If you've found a security issue in Aviio, please email security@aviio.io with details. We'll acknowledge within one business day and work with you on disclosure timing. We don't currently run a paid bug bounty program but we'll credit reporters publicly with permission.

Questions

For anything not covered here — DPAs, security questionnaires, custom contractual terms, or just a direct conversation about how we handle your data — email security@aviio.io.

— Christian
Founder, Aviio