Security & Privacy

The architecture is the trust claim.

Your Meta access token goes from your browser directly to Meta's API and back. It never touches my server. I don't have a database. I don't have logs of your ad data. If my site got hacked tomorrow, the attackers would find nothing useful about your ad accounts, because there is nothing to find.

One disclosure for honesty: the site counts anonymous page views via va.vercel-scripts.com (Vercel Analytics). It uses no cookies, no fingerprinting, no PII, and no cross-site tracking. It tells me how many people visited /dashboard last week, nothing about who they are or what data they pulled.

You can verify the data flow yourself in any browser. Open DevTools, switch to the Network tab, paste your token. Your ad data flows only to graph.facebook.com. The only other outbound origins are this site itself and va.vercel-scripts.com for the page-view beacon.

When you paste your Meta access token into openreport:

1. 01The token is stored in your browser's sessionStorage.
2. 02Your browser sends the token directly to graph.facebook.com to fetch your ad data.
3. 03My server is not involved in this request. It does not see the token. It does not see the data.
4. 04When you close the browser tab, sessionStorage is wiped. The token is gone.

You can verify the same flow yourself. Open your browser's DevTools, go to the Network tab, and paste a token. Every network call goes to graph.facebook.com or the openreport domain for page loads. There is no hidden third-party request, no background ping, no analytics beacon.

If you spot a request that goes anywhere else, that's a bug. Email me at sdhilip@alloy-analytics.com and I'll fix it.

Nothing.

• →No database
• →No user accounts
• →No session cookies beyond what Next.js needs for page routing
• →No server-side logs of user activity
• →No analytics (Google Analytics, Plausible, Mixpanel — none of them)
• →No error tracking services (Sentry, Rollbar — none of them)
• →No CDN that logs your requests beyond what Vercel's edge network does by default

I made this choice on purpose. Storing less means there is less to leak.

I host the public version of openreport on Vercel. Vercel is the hosting provider, similar to how a website runs on AWS or Google Cloud.

Vercel's data retention is governed by their own privacy policy: vercel.com/legal/privacy-policy.

I'm going to be direct about realistic risks instead of pretending there are none.

If you suspect your token has been compromised:

1. 01Revoke it immediately: facebook.com/settings?tab=business_tools
2. 02Check your Meta Ads Manager for any unexpected activity
3. 03Email me: sdhilip@alloy-analytics.com

If you find a security issue in openreport: Email me directly at sdhilip@alloy-analytics.com. I will respond within 48 hours for critical issues.

I don't have a bug bounty program because this is a free project with no revenue. But I will credit you publicly and I will fix the issue fast.

This page does not say openreport is "100% secure" or "bank-grade" or any of the other phrases that security-aware people immediately distrust. Nothing is 100% secure. What I can say is:

• →I've tried to build the simplest possible architecture that minimizes the places your data can leak
• →Every request is observable in your browser's DevTools network tab — no hidden traffic
• →The token never leaves your browser except to call Meta directly
• →I will tell you the truth about risks, including the ones that are inconvenient for me

That's the trust model. If it doesn't work for your situation, don't use the tool. That's fine.

• →Email: sdhilip@alloy-analytics.com
• →X: @sdhilip