Security & Privacy

The architecture is the trust claim.

Your Meta access token goes from your browser directly to Meta's API and back. It never touches my server. I don't have a database. I don't have logs of your ad data. If my site got hacked tomorrow, the attackers would find nothing useful about your ad accounts, because there is nothing to find.

Three disclosures for honesty:

1. Traffic measurement. The site runs two page-view trackers side by side:

• →Vercel Analytics (va.vercel-scripts.com) — cookieless, no PII, no cross-site tracking.
• →Google Analytics 4 (googletagmanager.com) — sets a standard _ga cookie, sees your IP address and user agent. Standard web analytics. Disclosed here so it isn't a surprise when you check the Network tab.

Neither tool ever sees your Meta token or your ad numbers. Both record which pages you load, that's it.

2. Aggregate event counters. A same-origin endpoint at /api/track increments counters in Vercel KV (a small Redis-backed store this site owns). The events recorded are:

• →connected — fires once when a token validates and an account is selected.
• →report_exported — fires when an HTML report is generated.
• →ai_summary_generated — fires when an executive summary call returns. The provider name (anthropic / openai / gemini) is the only attribute attached.
• →demo_viewed — fires when someone opens the sample dashboard at /dashboard?demo=1.

What is NOT recorded: no token, no account ID, no ad numbers, no prompt content, no API key, no summary text, no IP address, no user agent. Aggregate counts only — I see how many reports got exported last week, nothing about who exported them.

3. Optional email list. After you export your first report, a one-time prompt asks if you want email updates when Sign in with Meta, Google Ads, or TikTok ship. If you submit your email, it goes to the same same-origin Vercel KV store under the key subscribers. The email is the only PII openreport ever stores. No name, no IP, no source, no other field. Skip the prompt and nothing about you persists. Reply to any future email to opt out and I delete the row.

You can verify the data flow yourself in any browser. Open DevTools, switch to the Network tab, paste your token. Your ad data flows only to graph.facebook.com. The only other outbound origins are this site itself (for the same-origin event counters and the optional email opt-in), va.vercel-scripts.com (Vercel Analytics page-view beacon), and googletagmanager.com + google-analytics.com (GA4).

When you paste your Meta access token into openreport:

1. 01The token is stored in your browser's sessionStorage.
2. 02Your browser sends the token directly to graph.facebook.com to fetch your ad data.
3. 03My server is not involved in this request. It does not see the token. It does not see the data.
4. 04When you close the browser tab, sessionStorage is wiped. The token is gone.

You can verify the same flow yourself. Open your browser's DevTools, go to the Network tab, and paste a token. Every network call goes to graph.facebook.com or the openreport domain for page loads. There is no hidden third-party request, no background ping, no analytics beacon.

If you spot a request that goes anywhere else, that's a bug. Email me at sdhilip@alloy-analytics.com and I'll fix it.

Almost nothing — and nothing about your ad data.

What I do not store:

• →No database of your ad numbers
• →No user accounts, passwords, or session tokens beyond what Next.js needs for page routing
• →No server-side logs of which campaigns you fetched, which ads, which dates
• →No error tracking services (Sentry, Rollbar — none of them)
• →No CDN that logs your requests beyond what Vercel's edge network does by default

What I do store, in the analytics tools and the same-origin store (full disclosure in Section 01):

• →Vercel Analytics page views (cookieless, no PII)
• →Google Analytics 4 page views and standard events (sets a _ga cookie, sees your IP and user agent on Google's infrastructure — not on mine)
• →Aggregate event counters in Vercel KV (e.g., total reports exported, total subscriptions). No identifying attributes.
• →Optional email opt-ins, only if you explicitly submit your email via the subscribe form.

Storing less means there is less to leak. The optional email list is the explicit single exception, kept in Vercel KV under my account, never shared.

I host the public version of openreport on Vercel. Vercel is the hosting provider, similar to how a website runs on AWS or Google Cloud.

Vercel's data retention is governed by their own privacy policy: vercel.com/legal/privacy-policy.

I'm going to be direct about realistic risks instead of pretending there are none.

If you suspect your token has been compromised:

1. 01Revoke it immediately: facebook.com/settings?tab=business_tools
2. 02Check your Meta Ads Manager for any unexpected activity
3. 03Email me: sdhilip@alloy-analytics.com

If you find a security issue in openreport: Email me directly at sdhilip@alloy-analytics.com. I will respond within 48 hours for critical issues.

I don't have a bug bounty program because this is a free project with no revenue. But I will credit you publicly and I will fix the issue fast.

This page does not say openreport is "100% secure" or "bank-grade" or any of the other phrases that security-aware people immediately distrust. Nothing is 100% secure. What I can say is:

• →I've tried to build the simplest possible architecture that minimizes the places your data can leak
• →Every request is observable in your browser's DevTools network tab — no hidden traffic
• →The token never leaves your browser except to call Meta directly
• →I will tell you the truth about risks, including the ones that are inconvenient for me

That's the trust model. If it doesn't work for your situation, don't use the tool. That's fine.