Privacy Policy
Last updated: 2026-05-15
AdBlueprint ("we", "our", or "the Service") helps Thai small businesses generate Meta Ads campaign blueprints. This policy describes what personal data we collect, why we collect it, who we share it with, and the rights you have under Thailand's Personal Data Protection Act (PDPA, B.E. 2562).
We aim to collect as little as possible. If anything below is unclear, message us on LINE at @adblueprint.
1. Data we collect
1.1 Account data
- Email address — required to sign in, send verification, and contact you about your account.
- Full name (optional) — only if you provide it.
- Hashed password — managed by our authentication provider Supabase. We never see or store your plaintext password.
1.2 Content you create
- Interview answers — your product description, audience targeting choices, budget, and offer details that you enter to generate a blueprint.
- Generated blueprints — the AI-produced campaign plans, ad copy, and analyses. These belong to you; we store them so you can return to them later.
- Performance data you paste in — when you use the Check My Results feature, the campaign metrics you provide are stored alongside the analysis.
1.3 Payment data
We do not see or store your credit card or PromptPay details. All payment information is collected and processed directly by Stripe, our payment provider. We only receive a confirmation that a payment succeeded, the amount, and an internal reference ID, which we use to credit your points balance.
1.4 Messenger conversations (if you DM our Facebook Page)
If you message our Facebook Page on Messenger, our AI assistant will reply automatically. To make those replies coherent across multiple messages (so the bot remembers what you asked a moment ago), we store:
- Your Meta Page-Scoped User ID (PSID) — a unique identifier Meta assigns to you specifically for our Page. It cannot be used to identify you outside of Facebook/Messenger.
- The text of your messages and the assistant's replies — used as conversation context for follow-up replies.
- Timestamps for each message.
These records are stored in our Supabase database, are not linked to any AdBlueprint account (the PSID is independent of your AdBlueprint login), and are passed to OpenAI as context when generating the next reply. We do not use them to train AI models. You can request deletion at any time via Section 7 below.
1.5 Technical data
- Server logs — IP address, user agent, page path, and response status. Used to monitor service health, debug issues, and detect abuse. Retained for ~30 days.
- Error reports — when something breaks in your browser or on our server, our error monitor (Sentry) captures the error and a redacted stack trace. We configure it to scrub email addresses and payment data from these reports.
- Cookies — see Section 5.
2. Why we collect it (purpose)
Under PDPA § 24, we collect personal data only for these specific purposes:
- To create and authenticate your account
- To generate, store, and display your blueprints
- To process your point top-ups and run the points ledger
- To send transactional emails (sign-up verification, password resets, purchase receipts)
- To detect, investigate, and prevent abuse of the Service
- To improve the Service's reliability through error monitoring
We do not use your interview answers or generated blueprints to train AI models. We do not sell your data to third parties, ever.
3. Who we share it with (subprocessors)
We use a small number of trusted infrastructure providers. Each one receives only the data needed to perform its specific function:
| Provider | Function | Data shared | Region |
|---|---|---|---|
| Supabase | Database + authentication | Account, blueprints, points ledger | Singapore (ap-southeast-1) |
| OpenAI | AI blueprint generation | Interview answers (prompts) | United States |
| Stripe | Payments | Email, payment details | Global |
| Vercel | Hosting + CDN | Server logs, request metadata | Global edge |
| Sentry | Error monitoring | Stack traces (PII redacted) | Germany (EU) |
| Meta Marketing API | Targeting suggestion lookup | Search terms (no personal data) | Global |
| Meta Messenger Platform | Page DM auto-reply bot | Your PSID + message content (only if you message our Page) | Global |
Per OpenAI's API policy (effective March 2023), prompts and completions sent through the API are not used to train OpenAI's models and are retained for at most 30 days for abuse monitoring before deletion.
4. International data transfers
AdBlueprint is operated from Thailand. Your data is processed by infrastructure located in Singapore, the United States, Germany, and at global CDN edges. Each subprocessor is contractually bound by appropriate safeguards (Standard Contractual Clauses or equivalent).
By using the Service, you consent to your data being transferred to and processed in these regions, as required for the Service to function.
5. Cookies
We use a minimal set of cookies, all strictly necessary:
- Authentication cookies (Supabase) — to keep you signed in. Required for the Service to function.
- Locale preference cookie (NEXT_LOCALE) — remembers whether you prefer Thai or English.
We do not use advertising cookies, third-party tracking pixels, or behavioral analytics cookies.
6. How long we keep your data
- Account data: until you delete your account.
- Blueprints: until you delete them. Deleted blueprints are recoverable for 30 days, after which they are permanently removed.
- Payment records: kept by Stripe per their retention policy (typically 7 years for tax/audit). Our internal point-transaction records are kept for the lifetime of your account.
- Server logs: ~30 days.
- Error reports: 90 days.
- Messenger conversations: retained to provide coherent multi-message replies. Request deletion at any time via Section 7.
7. Your rights under PDPA
You have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and all associated data.
- Portability — receive your data in a machine-readable format (JSON).
- Objection — object to certain processing activities.
- Withdraw consent — at any time, for any consent-based processing.
To exercise any of these rights, message us on LINE at @adblueprint. We will respond within 30 days.
8. Security
Your data is protected by industry-standard measures: TLS 1.3 in transit, encryption at rest at Supabase, row-level security policies ensuring users can only read their own rows, and signed webhook verification on all Stripe events. Passwords are hashed by Supabase Auth using bcrypt-equivalent algorithms. We do not store payment card numbers ourselves.
9. Children's privacy
AdBlueprint is intended for business owners and is not directed at anyone under 18. We do not knowingly collect data from minors. If you believe we have collected data from a child under 18, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy as the Service evolves. Material changes will be announced via email and reflected in the "Last updated" date above. Continued use of the Service after a policy change constitutes acceptance.
11. Contact
Privacy or data-subject requests — message us on LINE at @adblueprint.
This policy is provided in English. A Thai (ภาษาไทย) translation will be available in a future update. In case of any discrepancy, the English version governs until the Thai version is officially published.