Privacy policy

Overview

Chaff is operated by Mathison Digital (trading as “Chaff”), the controller responsible for the personal data described in this policy. Chaff is a tool that connects to your Google Ads account, learns what your business sells, classifies which search terms are irrelevant, and applies negative keywords to cut wasted spend. This policy explains what data we collect, how we use it, the third parties that process it on our behalf, and how you can disconnect and delete your data.

By using Chaff at https://www.usechaff.com (the “Service”), you agree to the practices described here.

Information we collect

Account and profile information

Chaff uses Google sign-in only. We never ask you to create or store a password. When you sign in, we receive your email address and a Google account identifier from Google, which we use to create and identify your Chaff account.

Google Ads data

When you connect a Google Ads account, you grant Chaff access through Google OAuth. With that access we read and store:

• An OAuth refresh token that lets Chaff act on your behalf. It is encrypted at rest using AES-256-GCM before being stored.
• The Google login email that authorized the connection, your Google Ads account IDs (customer IDs), and account names, so we can label connected accounts.
• Campaign, search-term, and performance metric data (for example clicks, cost, and conversions) needed to score and classify search terms.
• The negative keywords Chaff applies to your account on your instruction or per your settings.

Business context we derive

During onboarding Chaff builds a short, factual description of your business to improve classification accuracy. This may be derived from your account’s landing-page URLs, publicly available content crawled from your website, a sample of your recent search terms, optional web research, and any answers you provide. You can view and edit this business context inside the app.

Cookies and session data

We use strictly necessary cookies to keep you signed in and maintain your authentication session (managed by our auth provider, Supabase). We do not use advertising cookies or third-party tracking cookies.

How we use your information

We use the information above only to operate the Service:

• Authenticate you and maintain your account.
• Read your Google Ads search terms, campaigns, and metrics to classify terms as relevant or irrelevant.
• Apply negative keywords to your Google Ads account on your instruction.
• Run scheduled analyses for accounts you have connected.
• Provide support, maintain security, and improve the reliability of the Service.

We do not sell your data. We do not use your Google user data for advertising, and we do not use it to train generalized artificial-intelligence or machine-learning models.

Google API Services User Data Policy: Limited Use

Sub-processors and third parties

We use a small set of trusted service providers to run Chaff. Each processes data only as needed to provide its part of the Service:

• Google: Google OAuth (sign-in and account connection) and the Google Ads API (reading account data and applying negative keywords).
• Supabase: authentication and our PostgreSQL database, where your account record, connected-account details, and encrypted tokens are stored.
• OpenAI: classifies search terms and synthesizes your business context. Data sent to OpenAI through the API is not used to train its models.
• Linkup: optional web research used during onboarding to help build your business context.
• Postmark: delivers our contact-form and transactional email.
• Netlify: hosts and serves the Chaff application.

Data retention

We retain your account information and connected Google Ads data for as long as your account is active and you keep an account connected, so we can provide the Service. When you disconnect an account or delete your Chaff account, the associated data is removed immediately from our live database, as described below. Residual copies in our providers’ encrypted backups are purged within 30 days, and operational logs that may reference your data are deleted within 90 days.

Disconnecting and deleting your data

You stay in control. From your Chaff dashboard you can disconnect any connected Google Ads account. When you disconnect an account, Chaff:

• Revokes the stored Google OAuth refresh token with Google, cutting our access; and
• Deletes the account record and all of its associated data: segments, business context, keyword lists, analysis runs, classifications, review items, and history.

This removal cannot be undone. Negative keywords already applied to your Google Ads account remain in your account; you can remove them in Google Ads if you wish. To delete your entire Chaff account and all remaining data, or to request a copy of your data, use our contact form. You can also revoke Chaff’s access at any time from your Google Account’s third-party access settings.

Security

We take reasonable measures to protect your data. Google Ads refresh tokens are encrypted at rest with AES-256-GCM, data is transmitted over encrypted connections, and access to your account data is restricted to operating the Service. No method of storage or transmission is completely secure, so we cannot guarantee absolute security.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise any of these rights, use our contact form.

Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date above. Material changes will be communicated through the Service where appropriate.

Contact

Questions about this policy or your data? Please use our contact form.