advinoStart free trial

Security

Last updated: June 10, 2026

A plain account of how Advino handles your credentials and your Meta Ads data. Everything below describes what the product actually does today. If something here is unclear or you want more detail, email [email protected] and a human will answer.

1. Meta permissions and what we access

When you connect Meta, Advino requests three permissions: ads_read, ads_management, and business_management. In normal use the product only reads. It pulls campaign performance, creatives, and account health so it can score and monitor them. The management permissions exist so that an action you explicitly trigger yourself, such as pausing a flagged ad set from the dashboard or through the MCP server, can run. Advino never pauses, edits, or spends on your behalf on its own.

2. Encryption

  • All traffic to and from Advino runs over HTTPS (TLS).
  • Your Meta access tokens are encrypted at rest with AES-256-GCM before they ever touch the database. They are decrypted only in memory at the moment a sync runs.
  • We never log or display raw access tokens.

3. Authentication and sessions

  • Passwords are hashed with bcrypt. We never store them in plain text and cannot recover them.
  • Your session is carried in an httpOnly cookie that JavaScript on the page cannot read, and is marked Secure in production so it only travels over HTTPS. We do not put session tokens in localStorage.
  • You can reset your password at any time from the login screen.

4. Tenant isolation

Advino is multi-tenant. Every database query is scoped to your agency using the identifier inside your signed session token, never an agency identifier sent by the browser. One agency cannot read or write another agency's data, even by tampering with a request.

5. Payments

Billing is handled by Stripe. Card numbers are entered directly with Stripe and never pass through or get stored on Advino's servers. We keep only a Stripe customer reference and your plan status.

6. Disconnecting Meta

When you disconnect Meta from Settings, Advino deactivates your ad accounts and erases the stored access token from our database in the same step. Your historical metrics stay so your past reports still load, but there is no longer a token that could call Meta on your behalf. Reconnecting issues a fresh token.

7. Data retention and deletion

You can ask us to delete your account and all of its data at any time by emailing [email protected]. When you do, we remove your agency and everything tied to it, including Meta accounts and tokens, campaigns, creatives, conversions, alerts, scores, invoices, and team members, from our live systems. Encrypted database backups roll off within 30 days. For details on what we collect and why, see our Privacy Policy.

8. Reporting a vulnerability

If you find a security issue, please tell us before disclosing it publicly. Email [email protected] with the subject line "Security report" and we will get back to you quickly. We are a small team and we take these seriously.